Return the Memory Dump File Script

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.5
Creation date: 2022-09-28
Last date published: 2024-03-21
End of Life: EoL
Category: Administrator Guide
Abstract

Run files using the D2Winpmem automation to return the memory dump file to the War Room when investigating malware.

You can run files using the D2Winpmem automation, which returns the memory dump file to the War Room. This is useful when dealing with any type of malware.

  1. Go to the Automations page and search for the D2Winpmem automation.

  2. Click Copy Script.

  3. Change the //+winpmem/winpmem_2.0.1.exe line at the top of the script to point at the file you want to run, for example //+New-collectorD2/New-collectorD2.bat.

  4. In the var exename = 'winpmem_2.0.1.exe'; line, enter the name of the file you want to execute.

  5. In the var dumpFile line, set the path of the file you want to run; the script packs this file back to the War Room after the command completes.

    //+New-collectorD2/New-collectorD2.bat
    try {
        // this automation runs on Windows endpoints only
        if (env.OS !== 'windows') {
            throw ('script can only run on Windows');
        }
        // OS architecture of the endpoint, queried via WMI
        var arch = wmi_query('select OSArchitecture from win32_operatingsystem')[0].OSArchitecture;
        // name of the file to execute (bundled by the //+ line above)
        var exename = 'Testd2.bat';
        // file that is packed back to the War Room once the command has run
        var dumpFile = env.TEMP + '\\New-collectorD2.bat';
        // run the command on the endpoint; the second argument is the execute() timeout
        var output = execute('cmd /c dir /s ' + env.TEMP, 30);
        pack(output);
        if (output.Success) {
            pack_file(dumpFile);  // return the file to the War Room
            del(dumpFile);        // then remove it from the endpoint
        } else {
            throw output.Error;
        }
    } catch (ex) {
        pack('Winpmem failed: ' + ex);
    }

  6. Click Save.
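As an added example that is not part of this guide, the following JavaScript lifts the adapted script's logic into a function and runs it against stand-ins for the D2 primitives (env, wmi_query, execute, pack, pack_file, del), so the wrong-OS, failed-command and success paths can be checked before the script is pushed to an endpoint. The stand-ins and the call log they record are assumptions modelled on how the guide's script calls these functions, not the real D2 agent API.

```javascript
// Added example, not code from the Cortex XSOAR guide. The D2 primitives
// below are stand-ins (assumed from how the page's script calls them).

// The adapted script body, lifted into a function that takes the
// primitives as an object so it can run outside a D2 agent.
function runCollector(d2) {
  var env = d2.env, execute = d2.execute, pack = d2.pack;
  var pack_file = d2.pack_file, del = d2.del, wmi_query = d2.wmi_query;
  try {
    if (env.OS !== 'windows') {
      throw ('script can only run on Windows');
    }
    // queried exactly as in the script; not used by the sample command
    wmi_query('select OSArchitecture from win32_operatingsystem')[0].OSArchitecture;
    var dumpFile = env.TEMP + '\\New-collectorD2.bat';
    var output = execute('cmd /c dir /s ' + env.TEMP, 30);
    pack(output);
    if (output.Success) {
      pack_file(dumpFile);
      del(dumpFile);
    } else {
      throw output.Error;
    }
  } catch (ex) {
    pack('Winpmem failed: ' + ex);
  }
}

// Build a fake D2 environment (constructed values) that records every
// call, then run the script against it and return the recorded log.
function fakeD2(os, success, error) {
  var log = { packed: [], files: [], deleted: [] };
  var d2 = {
    env: { OS: os, TEMP: 'C:\\Temp' },
    wmi_query: function () { return [{ OSArchitecture: '64-bit' }]; },
    execute: function (cmd, timeout) {
      return { Success: success, Error: error, Command: cmd, Timeout: timeout };
    },
    pack: function (v) { log.packed.push(v); },
    pack_file: function (p) { log.files.push(p); },
    del: function (p) { log.deleted.push(p); }
  };
  runCollector(d2);
  return log;
}
```

The recorded log shows that del(dumpFile) runs only on the success path, so a command that fails leaves the staged file on the endpoint for manual cleanup.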