Bitdefender - Trusted binary investigation and containment
Playbook Description
This playbook automates the end-to-end response for suspicious binaries. It retrieves process metadata, analyzes command-line arguments, and verifies file path and URL reputations. Once threats are confirmed, it triggers automated defenses such as killing malicious processes, adding files to blocklists, and running full system scans. It concludes by quarantining files and isolating compromised hosts to prevent lateral movement.
MITRE ATT&CK mapping
| Tactics | Techniques | Sub-techniques |
|---|---|---|
| Execution (TA0002) | Command and Scripting Interpreter (T1059) | PowerShell (T1059.001) |
MITRE D3FEND mapping
| Tactics | Techniques |
|---|---|
| Isolate (D3-Isolate) | Network Isolation (D3-NI) |
| Evict (D3-Evict) | Process Eviction (D3-PE) |
Playbook input type
Alert
Prerequisites
Requires a license with the Business Security Enterprise plan.
Playbook creation input
connectionName - Name of the Bitdefender connection.
Dependencies
Extensions - Bitdefender
- bitdefender_addFileToQuarantineTask
- bitdefender_killProcess
- bitdefender_createIsolateEndpoint
- bitdefender_addToBlocklist
Extensions - VirusTotal
- virustotal_ipReputation
- virustotal_fileReputation
- virustotal_calculateRiskScore
Utility functions
- windows_commandLineAnalysis
- bitdefender_buildBlockRule
- utility_extractMaliciousEntitiesByRiskScore
- utility_convertToString
- utility_getRequiredTime
- utility_validateResponses
Scripts
| Script Name | Description | Arguments |
|---|---|---|
| GetFileHash.ps1 | This script retrieves the hash of a specified file using the given algorithm. | FilePaths, Algorithm |
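As an added illustration of what the GetFileHash.ps1 script is described as doing (this is not the playbook's own script): a PowerShell script that takes the FilePaths and Algorithm arguments from the table above and returns hashes that a file-reputation step can consume. The restriction to the algorithms Get-FileHash supports, the per-file error reporting, and the JSON output are assumptions, not taken from the playbook.

```powershell
# Added example, not the playbook's own GetFileHash.ps1. Parameter names
# follow the Scripts table; everything else here is assumed.
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [string[]] $FilePaths,

    # Only algorithms Get-FileHash accepts; SHA256 is what most
    # reputation services key on.
    [ValidateSet('MD5', 'SHA1', 'SHA256', 'SHA384', 'SHA512')]
    [string] $Algorithm = 'SHA256'
)

$results = foreach ($path in $FilePaths) {
    # A missing or unreadable file must not abort the whole task; report it
    # per file so the playbook can decide instead of silently skipping a binary.
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        [pscustomobject]@{ Path = $path; Algorithm = $Algorithm; Hash = $null; Error = 'File not found' }
        continue
    }
    try {
        $h = Get-FileHash -LiteralPath $path -Algorithm $Algorithm -ErrorAction Stop
        # Lower-case the digest so it matches the form reputation lookups expect.
        [pscustomobject]@{ Path = $path; Algorithm = $Algorithm; Hash = $h.Hash.ToLower(); Error = $null }
    }
    catch {
        [pscustomobject]@{ Path = $path; Algorithm = $Algorithm; Hash = $null; Error = $_.Exception.Message }
    }
}

# Always emit a JSON array (even for one file) so the calling playbook step
# can parse the output without screen-scraping.
ConvertTo-Json -InputObject @($results) -Depth 3
```

Entries whose Hash is null carry the reason in Error, so a downstream reputation check can skip them rather than submit an empty value.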
Connections
- VirusTotal connection: Connects to the VirusTotal API using an API key to check IP, URL, and file reputation.
- Bitdefender connection: Connects to Bitdefender using an API key.
Sub playbooks
Bitdefender - Scan task execution
VirusTotal - URL reputation check
Execution workflow
Investigation:
- Analyzes the command line and fetches the URL or file path.
- If a URL or file path exists, gets its reputation from VirusTotal.
- Fetches the involved process details from the log.
Decision logic:
- If the file path or URL risk score is high, the binary is treated as potentially malicious and remediation proceeds.
Remediation:
- Checks the reputation of any remote IP involved and blocks it if malicious.
- Kills the process and its parent process.
- Quarantines the process file.
- Adds the malicious file path to blocklist.
- Runs a full scan on the endpoint and checks the risk score.
- Isolates the host if risk score is high.
- Notifies the users.
Post execution procedure
Steps to revert false positives:
- Remove file from blocklist.
- Remove the host from isolation.
- Remove the file from quarantine.