Command analysis update

Open Ni-Knight opened this issue 9 months ago • 27 comments

Contributing to Cortex XSOAR Content

Make sure to register your contribution by filling the contribution registration form

The Pull Request will be reviewed only after the contribution registration form is filled.

Status

  • [ ] In Progress
  • [x] Ready
  • [ ] In Hold - (Reason for hold)

Related Issues

fixes: https://jira-dc.paloaltonetworks.com/browse/CIAC-13351

Description

Updating the script to support mshta as well as some social engineering aspects and a few minor upgrades to the code.

Must have

  • [ ] Tests
  • [ ] Documentation

Ni-Knight avatar Feb 27 '25 09:02 Ni-Knight

Coverage

Coverage Report

File                                               Stmts  Miss  Cover  Missing
Packs/CommonScripts/Scripts/CommandLineAnalysis
   CommandLineAnalysis.py                          355    115   67%    259, 270, 292–297, 304, 328, 348–350, 353, 355, 376, 380, 387, 389, 406–407, 409–410, 412–417, 419–420, 422, 448, 461–462, 482–486, 494–495, 497, 499–501, 503–506, 508–510, 513–514, 516–517, 519–520, 522, 554, 561, 577, 596, 974, 978, 998–999, 1001–1005, 1034–1036, 1038–1039, 1049, 1051–1055, 1057–1064, 1066–1068, 1070–1071, 1184–1189, 1212, 1303–1306, 1309, 1313–1315, 1318, 1320, 1329
TOTAL                                              355    115   67%

Tests: 12 | Skipped: 0 | Failures: 0 | Errors: 0 | Time: 3.301s

github-actions[bot] avatar Feb 27 '25 09:02 github-actions[bot]

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar Mar 04 '25 18:03 CLAassistant

This PR was automatically updated by a GitHub Action

  • CommonScripts pack version was bumped to 1.19.42.

To stop automatic version bumps, add the ignore-auto-bump-version label to the github PR.

content-bot avatar Apr 06 '25 12:04 content-bot

This PR was automatically updated by a GitHub Action

  • CommonScripts pack version was bumped to 1.19.43.

content-bot avatar Apr 07 '25 09:04 content-bot

@melamedbn Doc review completed.

ShirleyDenkberg avatar Apr 07 '25 12:04 ShirleyDenkberg

Further automatic version bumps by content-bot (same GitHub Action, each posted as a separate comment):

  • CommonScripts 1.19.44 (Apr 14 '25 11:04)
  • CommonScripts 1.19.45 (Apr 14 '25 14:04)
  • CommonScripts 1.19.46 (Apr 17 '25 14:04)
  • CommonScripts 1.19.47 (Apr 21 '25 08:04)
  • CommonScripts 1.19.48 (Apr 23 '25 11:04)
  • CommonScripts 1.19.49 (Apr 24 '25 07:04)
  • CommonScripts 1.19.50 (Apr 24 '25 11:04)
  • CommonScripts 1.19.51 (Apr 28 '25 10:04)
  • CommonScripts 1.19.52 (May 04 '25 15:05)
  • CommonScripts 1.19.53 (May 05 '25 10:05)
  • CommonScripts 1.19.54 (May 06 '25 14:05)
  • CommonScripts 1.19.55 (May 11 '25 08:05)
  • CommonScripts 1.19.56 (May 11 '25 11:05)
  • CommonScripts 1.19.57 (May 12 '25 08:05)
  • CommonScripts 1.19.58 (May 13 '25 13:05)
  • CommonScripts 1.19.59 (May 13 '25 17:05)
  • CommonScripts 1.19.60 (May 14 '25 09:05)
  • CommonScripts 1.19.61 (May 14 '25 16:05)
  • CommonScripts 1.19.62 (May 15 '25 08:05)
  • CommonScripts 1.19.63 (May 16 '25 08:05)

content-bot avatar May 16 '25 08:05 content-bot

@Ni-Knight Invalid double encoded command: powershell -EncodedCommand U0dWc2JHOGdWMjl5YXpsMGN5QmxiblJsY2kxcFptbHNaU0JwYmlCdmJpQmxjbVJmYkdGemN6bHpZVzVrWldGelpTQjFjMlZ5YVpFME5UUTJNVEV3TnpjMk9ETTJOakl3TVRjMk5ERTRNVFl5TkE9PQ== The script is stuck in the decoding phase. We need it to exit the loop once no valid base64 is found.

Reversed Powershell: llehsrewop.exe -nop -w hidden. Mentioned reversed powershell in the findings, but the score given was 0.

MacOS: osascript -e 'tell application Finder to duplicate POSIX file "/tmp/secret.txt" to POSIX file "/tmp/secret_copy.txt"'. Detected but didn't add the expected score (25).

melamedbn avatar Jun 09 '25 18:06 melamedbn
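The three review findings above (a decode loop that must terminate on invalid nested base64, reversed PowerShell that is reported but not scored, osascript that is detected but not scored) as one added, self-contained Python example. This is illustrative code written for this page, not the CommandLineAnalysis script or any Cortex XSOAR content: the indicator list, every weight except the osascript value of 25 named in the review, the depth cap, the `-EncodedCommand` switch regex and the sample command lines are all assumptions constructed for the illustration.

```python
"""Added illustration: a bounded nested-base64 decoder plus an additive indicator scorer.
Not the CommandLineAnalysis script; weights, depth cap and samples are assumptions."""
import base64
import binascii
import re
from typing import List, Optional, Tuple

MAX_DECODE_DEPTH = 5  # assumed cap: the decode loop can never iterate more than this

# Well-formed base64 text: alphabet only, at most two trailing '='; length checked separately.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Token after a PowerShell -e / -ec / -enc / -EncodedCommand switch (assumed shape;
# "-ExecutionPolicy" deliberately does not match).
ENCODED_SWITCH_RE = re.compile(r"-e(?:nc(?:odedcommand)?|c)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# (finding, pattern, weight). Weights are assumptions, except osascript, which the review
# above expects to contribute 25. Every finding that is reported is also scored.
INDICATORS = [
    ("Reversed PowerShell", re.compile(r"llehsrewop", re.IGNORECASE), 25),
    ("macOS osascript", re.compile(r"\bosascript\b", re.IGNORECASE), 25),
    ("mshta", re.compile(r"\bmshta(?:\.exe)?\b", re.IGNORECASE), 20),
]
ENCODED_LAYER_SCORE = 15  # assumed weight per base64 layer actually peeled


def _bytes_to_text(raw: bytes) -> Optional[str]:
    """Turn decoded bytes into text, or None. UTF-16LE (what -EncodedCommand carries) is used
    when every high byte is zero, otherwise strict UTF-8; control-character soup is rejected."""
    if not raw:
        return None
    if len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def decode_layers(candidate: str, max_depth: int = MAX_DECODE_DEPTH) -> Tuple[str, int]:
    """Peel nested base64 layers and return (innermost text, layers removed).

    The loop exits as soon as the current text is not well-formed base64, fails to decode,
    decodes to something that is not text, or the depth cap is hit. A layer is kept only if
    it fully succeeds, so an invalid double encoding yields the last good layer, not a hang."""
    current = candidate.strip()
    depth = 0
    while depth < max_depth:
        if not current or len(current) % 4 or not BASE64_RE.match(current):
            break
        try:
            raw = base64.b64decode(current, validate=True)
        except (binascii.Error, ValueError):
            break
        text = _bytes_to_text(raw)
        if text is None:
            break
        current, depth = text, depth + 1
    return current, depth


def analyze(command_line: str) -> dict:
    """Score one command line. Indicators run over the raw line and over any payload
    recovered from an encoded-command switch, so obfuscation inside the encoding counts too."""
    findings: List[str] = []
    score = 0
    views = [command_line]
    for match in ENCODED_SWITCH_RE.finditer(command_line):
        payload, layers = decode_layers(match.group(1))
        if layers:
            findings.append(f"Base64-encoded command ({layers} layer(s))")
            score += ENCODED_LAYER_SCORE * layers
            views.append(payload)
    for name, pattern, weight in INDICATORS:
        if any(pattern.search(view) for view in views):
            findings.append(name)
            score += weight
    return {"score": score, "findings": findings}


def _nest(data: bytes, layers: int) -> str:
    """Base64-encode `data` `layers` times (used only to build constructed samples)."""
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode()


# Constructed samples around a benign payload; not taken from any real alert.
PAYLOAD = "Write-Host hello"
SAMPLE_SINGLE = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()  # as -EncodedCommand carries it
SAMPLE_DOUBLE = _nest(PAYLOAD.encode(), 2)                                # two UTF-8 layers
SAMPLE_BROKEN = base64.b64encode(b"not*base64!").decode()                 # valid outer, invalid inner
SAMPLE_DEEP = _nest(PAYLOAD.encode(), MAX_DECODE_DEPTH + 2)               # deeper than the cap

if __name__ == "__main__":
    for line in (
        f"powershell -EncodedCommand {SAMPLE_SINGLE}",
        f"powershell -EncodedCommand {SAMPLE_DOUBLE}",
        f"powershell -EncodedCommand {SAMPLE_BROKEN}",
        "llehsrewop.exe -nop -w hidden",
        "osascript -e 'tell application Finder to duplicate POSIX file \"/tmp/secret.txt\" to POSIX file \"/tmp/secret_copy.txt\"'",
    ):
        print(analyze(line))
```

Two design points worth keeping whatever the real weights are: the decoder's only way forward is a fully successful layer (well-formed text, decodable, printable), so malformed or partially encoded input falls out of the loop on the first failure instead of stalling, and the depth cap bounds the cost of an adversarially deep nesting. Scoring is additive over the findings list, which makes "reported but scored 0" impossible by construction.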

Resolved issues mentioned

Ni-Knight avatar Jun 19 '25 14:06 Ni-Knight

Validate summary

Verdict: PR can be force merged from validate perspective? ✅

content-bot avatar Jun 24 '25 08:06 content-bot