MDE - Host Advanced Hunting For Powershell Executions

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook uses the Microsoft Defender For Endpoint Advanced Hunting feature to hunt for host PowerShell executions.

Microsoft Defender for Endpoint · 16 tasks · 6 inputs · 37 outputs

Inputs

  • DeviceName — A comma-separated list of host names to hunt.
  • FileName — A comma-separated list of file names to hunt.
  • DeviceID — A comma-separated list of device IDs to hunt.
  • FileMd5 — A comma-separated list of file MD5 hashes to hunt.
  • FileSha256 — A comma-separated list of file SHA256 hashes to hunt.
  • FileSha1 — A comma-separated list of file SHA1 hashes to hunt.

Outputs

  • MicrosoftATP.HuntProcessDetails.Result — The query results for Process Details.
  • MicrosoftATP.HuntProcessDetails.Result.parent_process — The query results for parent_process query_purposeThe query results.
  • MicrosoftATP.HuntProcessDetails.Result.grandparent_process — The query results for grandparent_process query_purpose.
  • MicrosoftATP.HuntProcessDetails.Result.process_details — The query results for process_details query_purpose.
  • MicrosoftATP.HuntProcessDetails.Result.beaconing_evidence — The query results for beaconing_evidence query_purpose.
  • MicrosoftATP.HuntProcessDetails.Result.powershell_execution_unsigned_files — The query results for powershell_execution_unsigned_files query_purpose.
  • MicrosoftATP.HuntProcessDetails.Result.process_excecution_powershell — The query results for process_excecution_powershell query_purpose.
  • MicrosoftATP.FileMachine.Machines — The Query results for getting a collection of machines with a given file SHA1 hash.
  • MicrosoftATP.FileMachine.Machines.ID — The machine ID.
  • MicrosoftATP.FileMachine.Machines.ComputerDNSName — The machine DNS name.
  • MicrosoftATP.FileMachine.Machines.FirstSeen — The first date and time the machine was observed by Microsoft Defender ATP.
  • MicrosoftATP.FileMachine.Machines.LastSeen — The last date and time the machine was observed by Microsoft Defender ATP.
  • MicrosoftATP.FileMachine.Machines.OSPlatform — The operating system platform.
  • MicrosoftATP.FileMachine.Machines.OSVersion — The operating system version.
  • MicrosoftATP.FileMachine.Machines.OSBuild — Operating system build number.
  • MicrosoftATP.FileMachine.Machines.LastIPAddress — The last IP on the machine.
  • MicrosoftATP.FileMachine.Machines.LastExternalIPAddress — The last machine IP to access the internet.
  • MicrosoftATP.FileMachine.Machines.HelathStatus — The machine health status.
  • MicrosoftATP.FileMachine.Machines.RBACGroupID — The machine RBAC group ID.
  • MicrosoftATP.FileMachine.Machines.RBACGroupName — The machine RBAC group name.
  • MicrosoftATP.FileMachine.Machines.RiskScore — The machine risk score.
  • MicrosoftATP.FileMachine.Machines.ExposureLevel — The machine exposure score.
  • MicrosoftATP.FileMachine.Machines.IsAADJoined — True if machine is AAD joined, False otherwise.
  • MicrosoftATP.FileMachine.Machines.AADDeviceID — The AAD Device ID.
  • MicrosoftATP.FileMachine.Machines.MachineTags — Set of machine tags.
  • MicrosoftATP.Machine — Results for device information.
  • MicrosoftATP.Machine.OSProcessor — The operating system processor.
  • MicrosoftATP.FileMachine — Results for File information on a device.
  • MicrosoftATP.FileMachine.File — The machine related file hash.
  • MicrosoftATP.HuntNetworkConnections.Result — The query results for Hunt Network Connections.
  • MicrosoftATP.HuntNetworkConnections.Result.external_addresses — The query results for external_addresses query_purpose.
  • MicrosoftATP.HuntNetworkConnections.Result.dns_query — The query results for dns_query query_purpose.
  • MicrosoftATP.HuntNetworkConnections.Result.encoded_commands — The query results for encoded_commands query_purpose.
  • MatchRegex — The regex found in the command line
  • Indicators — Indicators extracted from the command line
  • commandline — The command line
  • CommandlineVerdict — The command line verdict

Commands used

microsoft-atp-advanced-hunting-network-connections microsoft-atp-advanced-hunting-process-details microsoft-atp-get-file-related-machines setIncident

Flowchart

true true true true true true true Start Start Process Analysis Process Analysis Get process details by hash or filename - microsoft-atp-advanced-hunting-process-details Get process details by ha... microsoft-atp-advanced-huntin... Any events of execution or association to process? Any events of execution o... List All Related Endpoints for this file - microsoft-atp-get-file-related-machines List All Related Endpoint... microsoft-atp-get-file-relate... Check for any unsigned executions by Powershell? - microsoft-atp-advanced-hunting-process-details Check for any unsigned ex... microsoft-atp-advanced-huntin... Check for any Powershell Execution - microsoft-atp-advanced-hunting-process-details Check for any Powershell ... microsoft-atp-advanced-huntin... Was there PowerShell with Encoded command? - microsoft-atp-advanced-hunting-network-connections Was there PowerShell with... microsoft-atp-advanced-huntin... Any results? Any results? Is a file exist? Is a file exist? Done Done Update the commandline verdict tag - setIncident Update the commandline ve... setIncident Are there any more affected devices? Are there any more affect... Update the "Multi affected Devices" tag - setIncident Update the "Multi affecte... setIncident Any PowerShell executions? Any PowerShell executions? Command-Line Analysis - Command-Line Analysis Command-Line Analysis Command-Line Analysis