From c7d66949e656ad167a391b64c4ef307c5d766f17 Mon Sep 17 00:00:00 2001
From: OmriItzhak
Date: Thu, 18 Apr 2024 11:54:23 +0300
Subject: [PATCH 1/7] added a new conditional task
---
 ...59_-_Command_and_Scripting_Interpreter.yml | 63 ++++++++++++++++---
 1 file changed, 53 insertions(+), 10 deletions(-)
diff --git a/Packs/Core/Playbooks/playbook-T1059_-_Command_and_Scripting_Interpreter.yml b/Packs/Core/Playbooks/playbook-T1059_-_Command_and_Scripting_Interpreter.yml
index 7517401a4b42..ad7fcb762b8c 100644
--- a/Packs/Core/Playbooks/playbook-T1059_-_Command_and_Scripting_Interpreter.yml
+++ b/Packs/Core/Playbooks/playbook-T1059_-_Command_and_Scripting_Interpreter.yml
@@ -23,7 +23,7 @@ tasks:
 {
 "position": {
 "x": 1140,
- "y": -90
+ "y": -260
 }
 }
 note: false
@@ -54,7 +54,7 @@ tasks:
 {
 "position": {
 "x": 1140,
- "y": 95
+ "y": -105
 }
 }
 note: false
@@ -116,7 +116,7 @@ tasks:
 {
 "position": {
 "x": 1140,
- "y": 600
+ "y": 400
 }
 }
 note: false
@@ -396,7 +396,7 @@ tasks:
 brand: ""
 nexttasks:
 '#default#':
- - "55"
+ - "60"
 "yes":
 - "57"
 separatecontext: false
@@ -415,7 +415,7 @@ tasks:
 {
 "position": {
 "x": 1140,
- "y": 740
+ "y": 540
 }
 }
 note: false
@@ -647,7 +647,7 @@ tasks:
 {
 "position": {
 "x": 1140,
- "y": 420
+ "y": 220
 }
 }
 note: false
@@ -1157,7 +1157,7 @@ tasks:
 {
 "position": {
 "x": 1140,
- "y": 230
+ "y": 30
 }
 }
 note: false
@@ -1425,6 +1425,46 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
+ "60":
+ id: "60"
+ taskid: 395af71d-9832-46a5-853a-e51948b9f62a
+ type: condition
+ task:
+ id: 395af71d-9832-46a5-853a-e51948b9f62a
+ version: -1
+ name: Is the CMD defined?
+ type: condition
+ iscommand: false
+ brand: ""
+ nexttasks:
+ '#default#':
+ - "16"
+ "yes":
+ - "55"
+ separatecontext: false
+ conditions:
+ - label: "yes"
+ condition:
+ - - operator: isExists
+ left:
+ value:
+ simple: commandline.original
+ iscontext: true
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 720,
+ "y": 720
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
 view: |-
 {
 "linkLabelsPosition": {
@@ -1433,14 +1473,17 @@ view: |-
 "28_43_yes": 0.43,
 "34_29_#default#": 0.25,
 "48_27_yes": 0.62,
- "48_49_#default#": 0.47
+ "48_49_#default#": 0.47,
+ "56_16_#default#": 0.46,
+ "60_16_#default#": 0.22,
+ "60_55_yes": 0.55
 },
 "paper": {
 "dimensions": {
- "height": 4235,
+ "height": 4405,
 "width": 1510,
 "x": 450,
- "y": -90
+ "y": -260
 }
 }
 }
From a09c16810c30a74a946d4aa419db98b9e127f9b7 Mon Sep 17 00:00:00 2001
From: OmriItzhak
Date: Thu, 18 Apr 2024 12:26:03 +0300
Subject: [PATCH 2/7] RN and task description
---
 .../playbook-T1059_-_Command_and_Scripting_Interpreter.yml | 1 +
 Packs/Core/ReleaseNotes/3_0_25.md | 6 ++++++
 Packs/Core/pack_metadata.json | 2 +-
 3 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 Packs/Core/ReleaseNotes/3_0_25.md
diff --git a/Packs/Core/Playbooks/playbook-T1059_-_Command_and_Scripting_Interpreter.yml b/Packs/Core/Playbooks/playbook-T1059_-_Command_and_Scripting_Interpreter.yml
index ad7fcb762b8c..ce7614feefad 100644
--- a/Packs/Core/Playbooks/playbook-T1059_-_Command_and_Scripting_Interpreter.yml
+++ b/Packs/Core/Playbooks/playbook-T1059_-_Command_and_Scripting_Interpreter.yml
@@ -1433,6 +1433,7 @@ tasks:
 id: 395af71d-9832-46a5-853a-e51948b9f62a
 version: -1
 name: Is the CMD defined?
+ description: Checks the existence of a command line parameter.
 type: condition
 iscommand: false
 brand: ""
diff --git a/Packs/Core/ReleaseNotes/3_0_25.md b/Packs/Core/ReleaseNotes/3_0_25.md
new file mode 100644
index 000000000000..c2ea379fd209
--- /dev/null
+++ b/Packs/Core/ReleaseNotes/3_0_25.md
@@ -0,0 +1,6 @@
+
+#### Playbooks
+
+##### T1059 - Command and Scripting Interpreter
+
+Added a new conditional task to verify the existence of a command line parameter.
\ No newline at end of file
diff --git a/Packs/Core/pack_metadata.json b/Packs/Core/pack_metadata.json
index f4d6f7f17b54..82bbd89c10f0 100644
--- a/Packs/Core/pack_metadata.json
+++ b/Packs/Core/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Core - Investigation and Response",
 "description": "Automates incident response",
 "support": "xsoar",
- "currentVersion": "3.0.24",
+ "currentVersion": "3.0.25",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
From 9b70897fcb3dffb7e8441660215cc43e6a996c0a Mon Sep 17 00:00:00 2001
From: Content Bot
Date: Thu, 18 Apr 2024 09:34:46 +0000
Subject: [PATCH 3/7] Bump pack from version Core to 3.0.26.
---
 Packs/Core/ReleaseNotes/3_0_26.md | 6 ++++++
 Packs/Core/pack_metadata.json | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 Packs/Core/ReleaseNotes/3_0_26.md
diff --git a/Packs/Core/ReleaseNotes/3_0_26.md b/Packs/Core/ReleaseNotes/3_0_26.md
new file mode 100644
index 000000000000..c2ea379fd209
--- /dev/null
+++ b/Packs/Core/ReleaseNotes/3_0_26.md
@@ -0,0 +1,6 @@
+
+#### Playbooks
+
+##### T1059 - Command and Scripting Interpreter
+
+Added a new conditional task to verify the existence of a command line parameter.
\ No newline at end of file
diff --git a/Packs/Core/pack_metadata.json b/Packs/Core/pack_metadata.json
index 82bbd89c10f0..33e75bb38b4b 100644
--- a/Packs/Core/pack_metadata.json
+++ b/Packs/Core/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Core - Investigation and Response",
 "description": "Automates incident response",
 "support": "xsoar",
- "currentVersion": "3.0.25",
+ "currentVersion": "3.0.26",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
From 5690d0d7985afd1e08037c9828927940ebfd275b Mon Sep 17 00:00:00 2001
From: OmriItzhak
Date: Thu, 18 Apr 2024 16:15:12 +0300
Subject: [PATCH 4/7] change the task location
---
 ...59_-_Command_and_Scripting_Interpreter.yml | 79 +++++++++++++++----
 1 file changed, 62 insertions(+), 17 deletions(-)
diff --git a/Packs/Core/Playbooks/playbook-T1059_-_Command_and_Scripting_Interpreter.yml b/Packs/Core/Playbooks/playbook-T1059_-_Command_and_Scripting_Interpreter.yml
index ce7614feefad..fa2b4bafbe62 100644
--- a/Packs/Core/Playbooks/playbook-T1059_-_Command_and_Scripting_Interpreter.yml
+++ b/Packs/Core/Playbooks/playbook-T1059_-_Command_and_Scripting_Interpreter.yml
@@ -1425,38 +1425,83 @@ tasks:
 quietmode: 0
 isoversize: false
 isautoswitchedtoquietmode: false
- "60":
- id: "60"
- taskid: 395af71d-9832-46a5-853a-e51948b9f62a
+ "61":
+ id: "61"
+ taskid: 6c95fc1f-ffd0-4de4-818f-41e07987c215
 type: condition
 task:
- id: 395af71d-9832-46a5-853a-e51948b9f62a
+ id: 6c95fc1f-ffd0-4de4-818f-41e07987c215
 version: -1
 name: Is the CMD defined?
- description: Checks the existence of a command line parameter.
 type: condition
 iscommand: false
 brand: ""
 nexttasks:
 '#default#':
- - "16"
+ - "62"
 "yes":
- - "55"
+ - "47"
 separatecontext: false
 conditions:
 - label: "yes"
 condition:
- - - operator: isExists
+ - - operator: isNotEmpty
+ left:
+ value:
+ simple: Core.DynamicAnalysis.internals.attributes.content
+ iscontext: true
+ - operator: isNotEmpty
+ left:
+ value:
+ simple: Core.DynamicAnalysis.internals.attributes.scriptblock_text
+ iscontext: true
+ - operator: isNotEmpty
 left:
 value:
- simple: commandline.original
+ simple: Core.DynamicAnalysis.internals.attributes.original_command_line
+ iscontext: true
+ - operator: isNotEmpty
+ left:
+ value:
+ simple: alert.targetprocesscmd
 iscontext: true
 continueonerrortype: ""
 view: |-
 {
 "position": {
- "x": 720,
- "y": 720
+ "x": 1140,
+ "y": 220
+ }
+ }
+ note: false
+ timertriggers: []
+ ignoreworker: false
+ skipunavailable: false
+ quietmode: 0
+ isoversize: false
+ isautoswitchedtoquietmode: false
+ "62":
+ id: "62"
+ taskid: 77940295-f899-43d3-8b41-40fef01d6993
+ type: title
+ task:
+ id: 77940295-f899-43d3-8b41-40fef01d6993
+ version: -1
+ name: No CMD Parameters found
+ type: title
+ iscommand: false
+ brand: ""
+ description: ''
+ nexttasks:
+ '#none#':
+ - "29"
+ separatecontext: false
+ continueonerrortype: ""
+ view: |-
+ {
+ "position": {
+ "x": 170,
+ "y": 440
 }
 }
 note: false
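Review bot: The four `isNotEmpty` checks added to task "61" all sit in the same inner list of `condition:` (only the first is introduced with `- -`), so if the platform combines entries of one inner list with AND — which is how the conditional-task filter editor groups rows, though I am inferring that from the shape rather than from anything in this file — the `yes` branch to "47" is taken only when `content`, `scriptblock_text`, `original_command_line` and `alert.targetprocesscmd` are all populated, and an alert carrying command-line data in just one of those fields is routed to "62" (`No CMD Parameters found`) and on to "29", skipping the command-line analysis path. The task name and the default-branch title read as "is any command line defined?", which would need each check in its own group — `- - operator: isNotEmpty` for every field, each with its own `left:` block — so the groups are ORed. If all-of is genuinely intended, say so in the task's `description` (e.g. `description: Checks that all four command line sources are populated.`) so the routing to "29" is not mistaken for a data gap. The `tasks:` mapping and the `view:` block that follows it continue outside the hunk.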
@@ -1476,15 +1521,15 @@ view: |-
 "48_27_yes": 0.62,
 "48_49_#default#": 0.47,
 "56_16_#default#": 0.46,
- "60_16_#default#": 0.22,
- "60_55_yes": 0.55
+ "61_47_yes": 0.5,
+ "61_62_#default#": 0.52
 },
 "paper": {
 "dimensions": {
- "height": 4405,
- "width": 1510,
- "x": 450,
- "y": -260
+ "height": 4385,
+ "width": 1790,
+ "x": 170,
+ "y": -240
 }
 }
 }
From ba4723f8bd23968ba1f41d61850af31943b66373 Mon Sep 17 00:00:00 2001
From: OmriItzhak
Date: Sun, 21 Apr 2024 10:20:18 +0300
Subject: [PATCH 5/7] added task description
---
 .../playbook-T1059_-_Command_and_Scripting_Interpreter.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Packs/Core/Playbooks/playbook-T1059_-_Command_and_Scripting_Interpreter.yml b/Packs/Core/Playbooks/playbook-T1059_-_Command_and_Scripting_Interpreter.yml
index fa2b4bafbe62..10e879d66111 100644
--- a/Packs/Core/Playbooks/playbook-T1059_-_Command_and_Scripting_Interpreter.yml
+++ b/Packs/Core/Playbooks/playbook-T1059_-_Command_and_Scripting_Interpreter.yml
@@ -1433,6 +1433,7 @@ tasks:
 id: 6c95fc1f-ffd0-4de4-818f-41e07987c215
 version: -1
 name: Is the CMD defined?
+ description: Checks the existence of the command line parameters.
 type: condition
 iscommand: false
 brand: ""
From f3f9428ea6ef59617903c5e1d0701f4f325aa6ac Mon Sep 17 00:00:00 2001
From: OmriItzhak
Date: Sun, 21 Apr 2024 15:10:29 +0300
Subject: [PATCH 6/7] validation error fix
---
 ...T1059_-_Command_and_Scripting_Interpreter.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/Packs/Core/Playbooks/playbook-T1059_-_Command_and_Scripting_Interpreter.yml b/Packs/Core/Playbooks/playbook-T1059_-_Command_and_Scripting_Interpreter.yml
index 10e879d66111..f8504d4e5a30 100644
--- a/Packs/Core/Playbooks/playbook-T1059_-_Command_and_Scripting_Interpreter.yml
+++ b/Packs/Core/Playbooks/playbook-T1059_-_Command_and_Scripting_Interpreter.yml
@@ -23,7 +23,7 @@ tasks:
 {
 "position": {
 "x": 1140,
- "y": -260
+ "y": -240
 }
 }
 note: false
@@ -54,7 +54,7 @@ tasks:
 {
 "position": {
 "x": 1140,
- "y": -105
+ "y": -85
 }
 }
 note: false
@@ -116,7 +116,7 @@ tasks:
 {
 "position": {
 "x": 1140,
- "y": 400
+ "y": 590
 }
 }
 note: false
@@ -396,7 +396,7 @@ tasks:
 brand: ""
 nexttasks:
 '#default#':
- - "60"
+ - "55"
 "yes":
 - "57"
 separatecontext: false
@@ -415,7 +415,7 @@ tasks:
 {
 "position": {
 "x": 1140,
- "y": 540
+ "y": 730
 }
 }
 note: false
@@ -647,7 +647,7 @@ tasks:
 {
 "position": {
 "x": 1140,
- "y": 220
+ "y": 410
 }
 }
 note: false
@@ -1146,7 +1146,7 @@ tasks:
 brand: ""
 nexttasks:
 '#none#':
- - "47"
+ - "61"
 scriptarguments:
 alert_ids:
 complex:
@@ -1157,7 +1157,7 @@ tasks:
 {
 "position": {
 "x": 1140,
- "y": 30
+ "y": 50
 }
 }
 note: false
From a0af878d524ac95e3d28070627015f814022d6d9 Mon Sep 17 00:00:00 2001
From: Content Bot
Date: Wed, 24 Apr 2024 07:38:31 +0000
Subject: [PATCH 7/7] Bump pack from version Core to 3.0.27.
---
 Packs/Core/ReleaseNotes/3_0_27.md | 6 ++++++
 Packs/Core/pack_metadata.json | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 Packs/Core/ReleaseNotes/3_0_27.md
diff --git a/Packs/Core/ReleaseNotes/3_0_27.md b/Packs/Core/ReleaseNotes/3_0_27.md
new file mode 100644
index 000000000000..c2ea379fd209
--- /dev/null
+++ b/Packs/Core/ReleaseNotes/3_0_27.md
@@ -0,0 +1,6 @@
+
+#### Playbooks
+
+##### T1059 - Command and Scripting Interpreter
+
+Added a new conditional task to verify the existence of a command line parameter.
\ No newline at end of file
diff --git a/Packs/Core/pack_metadata.json b/Packs/Core/pack_metadata.json
index 33e75bb38b4b..34371350b5e7 100644
--- a/Packs/Core/pack_metadata.json
+++ b/Packs/Core/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Core - Investigation and Response",
 "description": "Automates incident response",
 "support": "xsoar",
- "currentVersion": "3.0.26",
+ "currentVersion": "3.0.27",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",