MDE - Host Advanced Hunting For Powershell Executions
This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook uses the Microsoft Defender For Endpoint Advanced Hunting feature to hunt for host PowerShell executions.
Microsoft Defender for Endpoint · 16 tasks · 6 inputs · 37 outputs
Inputs
DeviceName— A comma-separated list of host names to hunt.FileName— A comma-separated list of file names to hunt.DeviceID— A comma-separated list of device IDs to hunt.FileMd5— A comma-separated list of file MD5 hashes to hunt.FileSha256— A comma-separated list of file SHA256 hashes to hunt.FileSha1— A comma-separated list of file SHA1 hashes to hunt.
Outputs
MicrosoftATP.HuntProcessDetails.Result— The query results for Process Details.MicrosoftATP.HuntProcessDetails.Result.parent_process— The query results for parent_process query_purposeThe query results.MicrosoftATP.HuntProcessDetails.Result.grandparent_process— The query results for grandparent_process query_purpose.MicrosoftATP.HuntProcessDetails.Result.process_details— The query results for process_details query_purpose.MicrosoftATP.HuntProcessDetails.Result.beaconing_evidence— The query results for beaconing_evidence query_purpose.MicrosoftATP.HuntProcessDetails.Result.powershell_execution_unsigned_files— The query results for powershell_execution_unsigned_files query_purpose.MicrosoftATP.HuntProcessDetails.Result.process_excecution_powershell— The query results for process_excecution_powershell query_purpose.MicrosoftATP.FileMachine.Machines— The Query results for getting a collection of machines with a given file SHA1 hash.MicrosoftATP.FileMachine.Machines.ID— The machine ID.MicrosoftATP.FileMachine.Machines.ComputerDNSName— The machine DNS name.MicrosoftATP.FileMachine.Machines.FirstSeen— The first date and time the machine was observed by Microsoft Defender ATP.MicrosoftATP.FileMachine.Machines.LastSeen— The last date and time the machine was observed by Microsoft Defender ATP.MicrosoftATP.FileMachine.Machines.OSPlatform— The operating system platform.MicrosoftATP.FileMachine.Machines.OSVersion— The operating system version.MicrosoftATP.FileMachine.Machines.OSBuild— Operating system build number.MicrosoftATP.FileMachine.Machines.LastIPAddress— The last IP on the machine.MicrosoftATP.FileMachine.Machines.LastExternalIPAddress— The last machine IP to access the internet.MicrosoftATP.FileMachine.Machines.HelathStatus— The machine health status.MicrosoftATP.FileMachine.Machines.RBACGroupID— The machine RBAC group ID.MicrosoftATP.FileMachine.Machines.RBACGroupName— The machine RBAC group name.MicrosoftATP.FileMachine.Machines.RiskScore— The machine risk score.MicrosoftATP.FileMachine.Machines.ExposureLevel— The machine exposure score.MicrosoftATP.FileMachine.Machines.IsAADJoined— True if machine is AAD joined, False otherwise.MicrosoftATP.FileMachine.Machines.AADDeviceID— The AAD Device ID.MicrosoftATP.FileMachine.Machines.MachineTags— Set of machine tags.MicrosoftATP.Machine— Results for device information.MicrosoftATP.Machine.OSProcessor— The operating system processor.MicrosoftATP.FileMachine— Results for File information on a device.MicrosoftATP.FileMachine.File— The machine related file hash.MicrosoftATP.HuntNetworkConnections.Result— The query results for Hunt Network Connections.MicrosoftATP.HuntNetworkConnections.Result.external_addresses— The query results for external_addresses query_purpose.MicrosoftATP.HuntNetworkConnections.Result.dns_query— The query results for dns_query query_purpose.MicrosoftATP.HuntNetworkConnections.Result.encoded_commands— The query results for encoded_commands query_purpose.MatchRegex— The regex found in the command lineIndicators— Indicators extracted from the command linecommandline— The command lineCommandlineVerdict— The command line verdict
Commands used
microsoft-atp-advanced-hunting-network-connections
microsoft-atp-advanced-hunting-process-details
microsoft-atp-get-file-related-machines
setIncident