08-02-2018 02:06 PM - edited 02-20-2020 09:05 PM
Is it possible to get the complete command line arguments from the AMP event?
We have an encrypted (base64) powershell command that was executed on our network, but AMP truncated the input. Without the entire command we can't recreate the issue.
Partial input:
C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -e JABzAD0A.........................................
Thanks-
08-03-2018 07:24 AM
Lang,
You can use the AMP API to pull the full information. Go into your dashboard if you do not yet have an API key and you can establish one under Accounts > API Credentials. You will need Two Step Verification enabled on your account to enable Command Line Capture for your API key. Once you have your Client ID and API Key (both provided when you set up the API Credential), go to the Computers page and pull the GUID for the computer with the event you're looking for. With that information, you should be able to run the following command from the CLI to pull the events for that connector.
curl -X GET -H 'accept: application/json' -H 'content-type:application/json' --compressed -H 'Accept-Encoding: gzip, deflate' -u <insert_client_ID_here> 'https://api.amp.cisco.com/v1/events?connector_guid=<insert_connector_GUID_here>'
Once you run this command, it will prompt you for the password. Enter the API key as the password. The output will contain the last 30 days of events from that connector. You can search through the output for the IOC event and should be able to find the full command line capture.
Thanks,
Matt
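The same pull as the curl command above, done in Python so the 30 days of events can be paged through, the captured command lines listed, and the base64 -e payload decoded (UTF-16LE, as PowerShell expects) even when the capture is cut off. This is an added example, not code from the thread or from Cisco; the response field names ("data", "event_type", "command_line.arguments") and the "metadata.links.next" pagination link are assumptions about the endpoint's JSON shape, and the sample page is constructed.

```python
import base64
import json
import re
import urllib.request

API_BASE = "https://api.amp.cisco.com/v1/events"
# Common spellings PowerShell accepts for -EncodedCommand ("-eq" must not match).
ENC_FLAG = re.compile(r"^-(e|ec|enc|encodedcommand)$", re.I)

# Constructed sample page in the shape assumed for the events endpoint (the field
# names "data", "event_type", "command_line.arguments", "metadata.links.next" are assumptions).
SAMPLE_PAGE = {
    "data": [{"event_type": "Executed malware", "command_line": {"arguments": [
        "powershell.exe", "-nop", "-w", "hidden", "-e", "JABzAD0A"]}},
            {"event_type": "Scan Started"}],
    "metadata": {"links": {"next": None}},
}

def fetch_pages(client_id, api_key, connector_guid):
    """GET every event page for one connector with HTTP basic auth (client ID as the
    user, API key as the password), following 'next' links. Needs network access."""
    url = f"{API_BASE}?connector_guid={connector_guid}"
    token = base64.b64encode(f"{client_id}:{api_key}".encode()).decode()
    pages = []
    while url:
        req = urllib.request.Request(url, headers={
            "Accept": "application/json", "Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        pages.append(page)
        url = page.get("metadata", {}).get("links", {}).get("next")
    return pages

def command_lines(page):
    """(event_type, full command line) for every event on the page that carries a capture."""
    return [(ev.get("event_type", ""), " ".join(ev["command_line"]["arguments"]))
            for ev in page.get("data", []) if ev.get("command_line", {}).get("arguments")]

def decode_encoded_command(cmdline):
    """Decode the base64 UTF-16LE blob that follows -e/-enc/-EncodedCommand.
    A truncated blob (as in the thread) is decoded as far as its complete quartets go."""
    tokens = cmdline.replace("'", " ").replace('"', " ").split()  # strip the nested quoting
    for flag, blob in zip(tokens, tokens[1:]):
        if ENC_FLAG.match(flag):
            blob = blob.rstrip(".")                   # the thread's "......" truncation marker
            blob = blob[: len(blob) - len(blob) % 4]  # drop a dangling partial quartet
            return base64.b64decode(blob).decode("utf-16-le", errors="ignore")
    return None
```

Run `fetch_pages(client_id, api_key, guid)` with your own credentials, then feed each page to `command_lines()` and the matching line to `decode_encoded_command()`; a partial capture still yields the readable prefix of the script (the thread's `JABzAD0A` decodes to `$s=`).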
08-08-2018 04:33 AM