ATD - Detonate File

Detonates a File using the McAfee Advanced Threat Defense sandbox.

Advanced Threat Defense supports the following File Types:

32-bit Portable Executable (PE) files and 64-bit PE+ files: exe, sys, dll, com, scr, cpl, ocx, cgi.

Microsoft Office Suite documents:

doc, dotm, docx, dotx, xls, ppam, xlsx, pps, xlsb, ppsx, xlsm, ppsm, ppt, pptx, pptm, rtf, shs, xltm, sldm, xltx, sldx, xlam, thmx, docm, xar.

Just Systems Ichitaro documents:

jtd, jtdc.

Adobe files:

pdf, swf.

Compressed files:

gz, 7z, tgz, msi, zip, lzh, cab, lzma, rar.

Android application packages and Java:

apk, Java, JAR, CLASS, JavaScript, Java bin files.

Image files:

jpeg, png, gif.

Other file types:

cmd, ace, bat, arj, vbs, chm, xml, lnk, url, mof, htm, ocx, html, potm, eml, potx, msg, ps1, vb, reg, vba, wsc, vbe, wsf, wsh.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • GenericPolling

Integrations

This playbook does not declare an integration dependency directly; the commands listed below are provided by the McAfee Advanced Threat Defense integration, which must be configured for the playbook to run.

Scripts

  • Set

Commands

  • atd-file-upload
  • atd-get-report
  • atd-check-status

Playbook Inputs

| Name | Description | Default Value | Source | Required |
| --- | --- | --- | --- | --- |
| File | The file to detonate. The file is taken from the context. | None | File | Optional |
| Interval | How often the polling command should run (in minutes). | 1 | - | Optional |
| Timeout | How long to wait before a timeout occurs (in minutes). | 15 | - | Optional |
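The inputs above drive the GenericPolling loop: upload once, check status every Interval minutes, give up after Timeout minutes, then fetch the report. The following is an added example, not code from the playbook or from the McAfee ATD integration, that mirrors that flow as a stand-alone Python driver so the interval/timeout semantics and the output mapping can be exercised offline. The method names on the sandbox object correspond one-to-one to the atd-file-upload, atd-check-status and atd-get-report commands; the status strings, the report shape, the FakeSandbox responses and the severity-to-DBotScore mapping are assumptions made for the demo, not the integration's real API.

```python
"""
Added example (not the playbook's or the integration's code). Mirrors the
ATD - Detonate File flow:
  1. atd-file-upload  -> upload the sample, receive a task ID and hashes
  2. atd-check-status -> poll every `interval` minutes until the task is done
                         or `timeout` minutes have elapsed (GenericPolling)
  3. atd-get-report   -> fetch the report and derive File/DBotScore outputs
Status strings, report shape and severity mapping below are assumptions.
"""
import hashlib
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

VENDOR = "McAfee Advanced Threat Defense"


class DetonationTimeout(Exception):
    """Raised when the sandbox has not finished within the playbook Timeout."""


@dataclass
class FakeSandbox:
    """Constructed stand-in for the ATD commands (not the real integration).
    Status checks report 'running' until `polls_until_done` checks have happened."""
    polls_until_done: int = 3
    severity: int = 4          # assumed 0-5 severity for the demo report
    _tasks: Dict[str, dict] = field(default_factory=dict)
    _polls: Dict[str, int] = field(default_factory=dict)

    def atd_file_upload(self, data: bytes, filename: str) -> dict:
        task_id = f"task-{len(self._tasks) + 1}"
        self._tasks[task_id] = {
            "taskId": task_id,
            "MD5": hashlib.md5(data).hexdigest(),
            "SHA1": hashlib.sha1(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest(),
            "filename": filename,
        }
        self._polls[task_id] = 0
        return dict(self._tasks[task_id])

    def atd_check_status(self, task_id: str) -> str:
        self._polls[task_id] += 1
        return "completed" if self._polls[task_id] >= self.polls_until_done else "running"

    def atd_get_report(self, task_id: str) -> dict:
        t = self._tasks[task_id]
        return {"taskId": task_id, "SHA256": t["SHA256"], "severity": self.severity}


def dbot_score(severity: int) -> int:
    """Assumed mapping onto XSOAR DBotScore values (0 unknown, 1 good, 2 suspicious, 3 bad)."""
    if severity >= 4:
        return 3
    if severity >= 2:
        return 2
    return 1


def detonate_file(sandbox, data: bytes, filename: str,
                  interval: float = 1, timeout: float = 15,
                  sleep: Callable[[float], None] = time.sleep) -> dict:
    """Upload, poll and report. `interval` and `timeout` are in minutes, as in the
    playbook inputs; `sleep` is injectable so a test does not really wait."""
    task = sandbox.atd_file_upload(data, filename)
    task_id = task["taskId"]
    waited = 0.0
    polls = 0
    while True:
        polls += 1
        status = sandbox.atd_check_status(task_id)
        if status == "completed":
            break
        if waited >= timeout:
            raise DetonationTimeout(f"{task_id} still '{status}' after {timeout} min")
        sleep(interval * 60)     # Interval is in minutes, sleep wants seconds
        waited += interval
    report = sandbox.atd_get_report(task_id)
    score = dbot_score(report["severity"])
    result = {
        "task": task,
        "report": report,
        "polls": polls,
        "DBotScore": {"Indicator": task["SHA256"], "Type": "file",
                      "Vendor": VENDOR, "Score": score},
    }
    if score == 3:   # only a "bad" verdict populates File.Malicious
        result["File.Malicious"] = {"Vendor": VENDOR,
                                    "Description": f"ATD severity {report['severity']}"}
    return result


if __name__ == "__main__":
    SAMPLE = b"MZ" + b"\x90" * 64          # constructed stand-in for a PE file
    outcome = detonate_file(FakeSandbox(), SAMPLE, "sample.exe", sleep=lambda s: None)
    print(outcome["DBotScore"], "after", outcome["polls"], "status checks")
```

With the defaults the loop performs at most Timeout/Interval + 1 status checks before raising DetonationTimeout, which is the case to handle in the playbook's timeout branch rather than treating an unfinished task as clean.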

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| ATD.Task.taskId | The task ID of the sample uploaded. | string |
| ATD.Task.jobId | The job ID of the sample uploaded. | string |
| ATD.Task.messageId | The message ID relevant to the sample uploaded. | string |
| ATD.Task.srcIp | The source IPv4 address. | string |
| ATD.Task.destIp | The destination IPv4 address. | string |
| ATD.Task.MD5 | The MD5 hash of the sample uploaded. | string |
| ATD.Task.SHA1 | The SHA1 hash of the sample uploaded. | string |
| ATD.Task.SHA256 | The SHA256 hash of the sample uploaded. | string |
| File.Name | The filename (only when the report type is json). | string |
| File.Type | The file type, for example "PE" (only when the report type is json). | string |
| File.Size | The file size (only when the report type is json). | number |
| File.MD5 | The MD5 hash of the file (only when the report type is json). | string |
| File.SHA1 | The SHA1 hash of the file (only when the report type is json). | string |
| File.SHA256 | The SHA256 hash of the file (only when the report type is json). | string |
| File.EntryID | The entry ID of the sample. | string |
| File.Malicious.Vendor | The vendor that decided the file is malicious. | string |
| File.Malicious.Description | The vendor's reason for deciding the file is malicious. | string |
| DBotScore.Indicator | The indicator that was tested (only when the report type is json). | string |
| DBotScore.Type | The type of the indicator (only when the report type is json). | string |
| DBotScore.Vendor | The vendor used to calculate the score (only when the report type is json). | string |
| DBotScore.Score | The actual score (only when the report type is json). | number |
| IP.Address | The IP addresses relevant to the sample. | string |
| InfoFile.EntryID | The entry ID of the report file. | string |
| InfoFile.Extension | The extension of the report file. | string |
| InfoFile.Name | The name of the report file. | string |
| InfoFile.Info | The info of the report file. | string |
| InfoFile.Size | The size of the report file. | number |
| InfoFile.Type | The type of the report file. | string |
| File | The file object. | unknown |
| File.Malicious | The file malicious object. | unknown |
| DBotScore | The DBotScore object. | unknown |
| InfoFile | The report file object. | unknown |

Playbook Image

[Image: Detonate_File_McAfee_ATD (playbook diagram)]