Recipes
Overview
Recipes are pre-built, multi-step workflows that chain multiple Fleet skills together to accomplish a common task from start to finish. Each recipe encodes a proven methodology, ensuring consistent, thorough results every time.
When your request matches a known recipe, Fleet follows the established workflow automatically. You do not need to reference recipes by name. Simply describe what you want to accomplish, and Fleet determines whether a recipe applies.
Recipes cover four major categories: AIR operations, forensic analysis, malware analysis, and threat intelligence.
AIR Operations Recipes
Endpoint Triage
Assess an endpoint’s security posture through AIR. Fleet connects to the specified endpoint, gathers system information, reviews recent activity, and produces a security assessment with findings and recommended next steps.
Linux Quick Triage
Rapid security assessment of a Linux endpoint. Fleet performs filesystem timeline analysis, checks for rootkits, reviews system configurations, identifies suspicious processes, and flags anomalies. Produces a prioritized findings report.
interACT Session
Establish and manage a remote command session on an AIR endpoint. Fleet guides you through connecting to the endpoint, executing commands, and interpreting results. Useful for live response during active incidents.
File Transfer
Transfer files to or from AIR endpoints. Fleet handles the file transfer process through interACT, managing the connection, transfer, and verification steps.
Investigation Results
Retrieve and analyze evidence collected for a specific case in AIR. Fleet accesses the Investigation Hub data, reviews DRONE findings, and provides a summary of key findings with recommendations for further investigation.
Evidence Acquisition
Collect forensic evidence from AIR endpoints. Fleet triggers acquisition using the appropriate profile, monitors task progress, and notifies you when collection is complete. Supports both built-in and custom acquisition profiles.
Incident Response
Full incident response workflow from detection to containment. Fleet coordinates across multiple AIR capabilities: endpoint assessment, evidence acquisition, triage rule deployment, endpoint isolation, and finding documentation. Produces an IR summary with timeline, findings, containment actions taken, and recommended next steps.
Forensic Analysis Recipes
Filesystem Timeline
Reconstruct the file modification history of a system for incident scoping. Fleet analyzes filesystem metadata to build a chronological timeline of changes, categorizes modifications by type and location, and flags suspicious patterns such as executables in temporary directories, modified authentication configurations, hidden files, and SUID/SGID changes.
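The timeline step described above, as an added example that is not Fleet's own code: it sorts collected metadata chronologically and flags the four patterns named (executables in temp directories, modified authentication configuration, hidden paths, SUID/SGID bits). The record layout and the sample records are constructed assumptions standing in for real stat() output.

```python
"""Added example (not Fleet's code): build a filesystem timeline from
collected metadata and flag the suspicious patterns named above."""
import stat
from datetime import datetime, timezone

# Constructed sample metadata records; the dict layout (path, mtime epoch,
# st_mode, size) is an assumption standing in for collected stat() output.
SAMPLE_RECORDS = [
    {"path": "/tmp/.x/kworker", "mtime": 1700000300, "mode": 0o100755, "size": 812000},
    {"path": "/etc/pam.d/sshd", "mtime": 1700000400, "mode": 0o100644, "size": 900},
    {"path": "/home/alice/notes.txt", "mtime": 1700000100, "mode": 0o100644, "size": 40},
    {"path": "/usr/local/bin/helper", "mtime": 1700000500, "mode": 0o104755, "size": 22000},
    {"path": "/var/log/syslog", "mtime": 1700000200, "mode": 0o100640, "size": 5000000},
]

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
AUTH_CONFIG = ("/etc/pam.d/", "/etc/ssh/", "/etc/sudoers", "/etc/passwd", "/etc/shadow")


def categorize(rec):
    """Return the suspicious-pattern labels that apply to one record."""
    path, mode = rec["path"], rec["mode"]
    flags = []
    if mode & 0o111 and path.startswith(TEMP_DIRS):
        flags.append("exec_in_temp")
    if path.startswith(AUTH_CONFIG):
        flags.append("auth_config_modified")
    if any(part.startswith(".") for part in path.split("/") if part):
        flags.append("hidden_path")
    if mode & (stat.S_ISUID | stat.S_ISGID):
        flags.append("setuid_setgid")
    return flags


def build_timeline(records):
    """Chronological entries with their flags and an ISO-8601 UTC timestamp."""
    out = []
    for rec in sorted(records, key=lambda r: r["mtime"]):
        ts = datetime.fromtimestamp(rec["mtime"], tz=timezone.utc).isoformat()
        out.append({"time": ts, "path": rec["path"], "size": rec["size"], "flags": categorize(rec)})
    return out


def suspicious_entries(records):
    """Flagged entries only, still in time order: the scoping shortlist."""
    return [e for e in build_timeline(records) if e["flags"]]


def render(timeline):
    lines = []
    for e in timeline:
        marker = f"  [{', '.join(e['flags'])}]" if e["flags"] else ""
        lines.append(f"{e['time']}  {e['size']:>9}  {e['path']}{marker}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_timeline(SAMPLE_RECORDS)))
```

Sorting by mtime alone is enough for a first pass; on a real collection you would carry ctime and birth time as separate rows so that timestomped files (mtime older than ctime) stand out.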
EVTX Analysis
Analyze Windows Event Log files for attack indicators. Fleet parses EVTX files, extracts security-relevant events (authentication attempts, privilege escalation, process creation, service changes, scheduled tasks), identifies suspicious patterns (brute-force attempts, lateral movement, persistence mechanisms, log tampering), correlates related events by session, and produces a timeline with risk assessment.
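Two of the steps above, brute-force detection and correlation by logon session, as an added example rather than Fleet's code. It works on events already flattened from EVTX XML into dicts (an assumed layout; the events themselves are constructed), counts 4625 failures per source address in a sliding window, and attaches later 4688/4698 activity to the 4624 session it belongs to via LogonId.

```python
"""Added example (not Fleet's code): brute-force detection and per-session
correlation over already-parsed Windows Security events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, flattened from EVTX XML into dicts (assumed layout).
SAMPLE_EVENTS = [
    {"EventID": 4625, "Time": "2024-03-01T10:00:01", "TargetUserName": "admin", "IpAddress": "10.0.0.5", "LogonType": 3},
    {"EventID": 4625, "Time": "2024-03-01T10:00:03", "TargetUserName": "admin", "IpAddress": "10.0.0.5", "LogonType": 3},
    {"EventID": 4625, "Time": "2024-03-01T10:00:05", "TargetUserName": "admin", "IpAddress": "10.0.0.5", "LogonType": 3},
    {"EventID": 4625, "Time": "2024-03-01T10:00:07", "TargetUserName": "admin", "IpAddress": "10.0.0.5", "LogonType": 3},
    {"EventID": 4625, "Time": "2024-03-01T10:00:09", "TargetUserName": "admin", "IpAddress": "10.0.0.5", "LogonType": 3},
    {"EventID": 4624, "Time": "2024-03-01T10:00:20", "TargetUserName": "admin", "IpAddress": "10.0.0.5", "LogonType": 3, "TargetLogonId": "0x3e7a1"},
    {"EventID": 4688, "Time": "2024-03-01T10:00:25", "SubjectLogonId": "0x3e7a1", "NewProcessName": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 4698, "Time": "2024-03-01T10:00:40", "SubjectLogonId": "0x3e7a1", "TaskName": "\\Updater"},
    {"EventID": 4624, "Time": "2024-03-01T10:05:00", "TargetUserName": "bob", "IpAddress": "10.0.0.9", "LogonType": 2, "TargetLogonId": "0x41000"},
    {"EventID": 4625, "Time": "2024-03-01T11:00:00", "TargetUserName": "carol", "IpAddress": "10.0.0.7", "LogonType": 2},
]


def _ts(event):
    return datetime.fromisoformat(event["Time"])


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window count of 4625 failures per source IP. A burst at or above
    the threshold is reported, and a 4624 success from the same IP inside the
    window raises the risk (the pattern that turns noise into a finding)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append(_ts(e))
        elif e["EventID"] == 4624:
            successes[e["IpAddress"]].append(_ts(e))
    findings = []
    for ip, times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            burst = [t for t in times[i:] if t - start <= window]
            if len(burst) >= threshold:
                end = burst[-1]
                success = any(end <= s <= end + window for s in successes[ip])
                findings.append({"ip": ip, "failures": len(burst), "first": start.isoformat(),
                                 "success_after": success, "risk": "high" if success else "medium"})
                break  # one finding per source IP is enough for triage
    return findings


def correlate_sessions(events):
    """Key each 4624 logon by its LogonId, then attach later activity whose
    SubjectLogonId points back at it (4688 process creation, 4698 task creation)."""
    sessions = {}
    for e in events:
        if e["EventID"] == 4624:
            sessions[e["TargetLogonId"]] = {"user": e["TargetUserName"], "ip": e["IpAddress"],
                                            "logon_type": e["LogonType"], "activity": []}
    for e in sorted(events, key=_ts):
        lid = e.get("SubjectLogonId")
        if lid in sessions:
            sessions[lid]["activity"].append((e["EventID"], e.get("NewProcessName") or e.get("TaskName")))
    return sessions


if __name__ == "__main__":
    for f in detect_bruteforce(SAMPLE_EVENTS):
        print("brute force:", f)
    for lid, s in correlate_sessions(SAMPLE_EVENTS).items():
        print(lid, s["user"], s["ip"], s["activity"])
```

A 4624 with LogonType 3 that closes a failure burst, followed by cmd.exe and a new scheduled task in the same session, is exactly the sequence a timeline should surface first; the session view keeps those three events together instead of scattering them across the log.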
PCAP Triage
Analyze network captures for command-and-control communication and data exfiltration. Fleet performs protocol breakdown, extracts DNS queries, HTTP requests, and TLS metadata, identifies beacon patterns and unusual connections, exports transferred objects, and produces a structured analysis report with IOCs and threat assessment.
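The beacon-pattern step above, as an added example (not Fleet's code): given connection records of the kind a PCAP tool exports (source, destination, port, timestamp; the tuple layout is assumed and the flows are constructed), it groups connections per source/destination pair and flags pairs whose inter-connection gaps are regular, measured as the coefficient of variation of the gaps.

```python
"""Added example (not Fleet's code): beacon detection over connection records
extracted from a capture; the (src, dst, port, epoch_seconds) layout is assumed."""
import statistics
from collections import defaultdict

# Constructed flows: 203.0.113.10 is contacted every ~60 s with small jitter;
# 198.51.100.7 shows irregular, browsing-like timing.
SAMPLE_FLOWS = (
    [("10.1.1.20", "203.0.113.10", 443, t) for t in (0, 60, 121, 179, 240, 302, 360, 419)]
    + [("10.1.1.20", "198.51.100.7", 443, t) for t in (5, 9, 200, 211, 212, 470, 600, 601)]
    + [("10.1.1.21", "203.0.113.10", 443, 15)]
)


def find_beacons(flows, min_connections=6, max_jitter=0.15):
    """Group by (src, dst, port); a pair beacons when its inter-connection gaps
    are regular, i.e. the coefficient of variation (stdev / mean) is small."""
    by_pair = defaultdict(list)
    for src, dst, port, ts in flows:
        by_pair[(src, dst, port)].append(ts)
    beacons = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            beacons.append({"src": src, "dst": dst, "port": port, "connections": len(times),
                            "interval_s": round(mean, 1), "jitter": round(jitter, 3)})
    return beacons


def beacon_iocs(flows):
    """Destination addresses worth carrying into the IOC list, one per beacon."""
    return sorted({b["dst"] for b in find_beacons(flows)})


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_FLOWS):
        print(f"{b['src']} -> {b['dst']}:{b['port']} every {b['interval_s']}s (jitter {b['jitter']})")
```

Raising `max_jitter` catches implants that randomize their sleep, at the cost of more false positives from polling software; in practice you pair this check with destination rarity and TLS metadata (JA3, certificate age) before calling a pair C2.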
Steganography Detection
Detect hidden data embedded within image files. Fleet analyzes images using multiple detection methods: LSB (Least Significant Bit) analysis, EOF (End of File) marker inspection, known steganography tool signature detection, and entropy analysis across image regions. Attempts extraction of any detected hidden content and reports confidence levels for each method.
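Two of the methods above, EOF marker inspection and LSB analysis, as an added example that is not Fleet's code. The LSB check is the pairs-of-values chi-square test: replacing least significant bits with message bits pushes each (2k, 2k+1) sample-value pair toward equal counts, so a statistic near its degrees of freedom is consistent with embedding. The PNG bytes and pixel samples are constructed; the "image" is only a signature plus an IEND chunk, enough for the marker check but not a renderable file.

```python
"""Added example (not Fleet's code): EOF-marker trailing-data inspection and a
pairs-of-values chi-square test on the LSB plane."""
import random

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def trailing_data(data):
    """Bytes appended after the image's end marker (None if the format is unknown)."""
    if data.startswith(PNG_SIG):
        idx = data.rfind(b"IEND")
        return None if idx == -1 else data[idx + 4 + 4:]  # chunk type + 4-byte CRC
    if data.startswith(b"\xff\xd8"):
        idx = data.rfind(b"\xff\xd9")
        return None if idx == -1 else data[idx + 2:]
    return None


def lsb_chi_square(samples):
    """Pairs-of-values test over 8-bit samples. Returns chi-square divided by the
    degrees of freedom: values near 1 are consistent with LSB embedding, large
    values with the natural even/odd imbalance of an unmodified image."""
    counts = [0] * 256
    for b in samples:
        counts[b] += 1
    chi, df = 0.0, 0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2
        if expected == 0:
            continue
        chi += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
        df += 1
    return chi / df if df else float("nan")


def embed_random_lsb(samples, seed=1):
    """Simulate LSB steganography: overwrite every LSB with a pseudo-random bit."""
    rng = random.Random(seed)
    return bytes((b & 0xFE) | rng.getrandbits(1) for b in samples)


def assess(image_bytes, samples, threshold=3.0):
    """Combine both checks into one verdict dict for the report."""
    trailer = trailing_data(image_bytes)
    score = lsb_chi_square(samples)
    return {"trailing_bytes": None if trailer is None else len(trailer),
            "lsb_chi_per_df": round(score, 2),
            "lsb_suspicious": score < threshold}


# Constructed inputs: CLEAN_PNG is signature + IEND only; COVER has the even/odd
# imbalance a smooth image shows; STEGO is COVER with every LSB overwritten.
CLEAN_PNG = PNG_SIG + b"\x00\x00\x00\x00IEND\xaeB`\x82"
SUSPECT_PNG = CLEAN_PNG + b"PK\x03\x04hidden archive bytes"
COVER = bytes(v for v in range(256) for _ in range(300 if v % 2 == 0 else 100))
STEGO = embed_random_lsb(COVER)

if __name__ == "__main__":
    print("clean:", assess(CLEAN_PNG, COVER))
    print("suspect:", assess(SUSPECT_PNG, STEGO))
```

On real images run the chi-square per region (row bands or tiles) rather than once over the whole file: tools often embed only as much data as they need, so the statistic drops to 1 in the embedded band and stays high elsewhere, which also tells you where to attempt extraction.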
Malware Analysis Recipes
PE Static Analysis
Comprehensive static analysis of Windows PE executables. Fleet performs file identification and hashing, PE header analysis, section inspection with entropy measurement, import and export analysis, string extraction and classification, packer detection, capability identification, MITRE ATT&CK mapping, and IOC extraction. Produces a structured threat assessment report.
Document Analysis
Investigate Office and PDF documents for embedded threats. Fleet extracts and deobfuscates macros, identifies auto-execution triggers, detects embedded objects and external template references, analyzes URLs and network indicators, extracts metadata, and assesses social engineering tactics. Produces a complete analysis with the deobfuscated attack chain and IOCs.
Shellcode Decode
Decode and analyze obfuscated shellcode payloads. Fleet identifies the encoding scheme (XOR, rolling XOR, Base64, custom ciphers), writes a decryption script, decodes the shellcode, disassembles it, identifies its purpose (downloader, reverse shell, stager, full payload), extracts IOCs, maps techniques to MITRE ATT&CK, and generates detection rules for both encoded and decoded forms.
.NET Deobfuscation
Strip obfuscation from .NET assemblies to reveal true functionality. Fleet identifies the obfuscation method (SmartAssembly and similar protectors), locates string decryption routines, decompiles the assembly to C# source code, analyzes the deobfuscated functionality, extracts IOCs, and generates detection rules for both obfuscated and clean variants.
Packed Malware Comparison
Compare packed and unpacked variants of the same malware to reveal what packing conceals. Fleet performs packing detection on each variant, runs full static analysis on both, generates a side-by-side comparison table (imports, strings, entropy, API calls, size, timestamps), identifies capabilities in the unpacked variant, maps to MITRE ATT&CK, and generates a YARA rule detecting both forms.
Ransomware Triage
Assess a ransomware sample’s encryption scheme and evaluate decryption feasibility. Fleet identifies cryptographic imports and constants, analyzes the key management scheme (symmetric vs. hybrid, local vs. server-side keys, per-file vs. global key), identifies file targeting patterns, analyzes the ransom note, searches for available decryptors, rates decryption feasibility, generates detection rules, and produces an IR decision matrix (decrypt vs. restore vs. negotiate).
Credential Stealer Profiling
Map the targeted applications and credential stores of an information stealer. Fleet identifies the API hashing algorithm used for dynamic resolution, resolves API hashes, extracts and classifies targeted paths (browsers, cryptocurrency wallets, FTP/email/VPN clients, gaming platforms), analyzes the C2 protocol, creates a target matrix table, generates detection rules, and produces a threat advisory with mitigation recommendations.
PowerShell Investigation
Deobfuscate and trace PowerShell-based attacks. Fleet decodes encoded commands (Base64, string concatenation, variable substitution, Invoke-Expression chains), traces the full execution chain, analyzes exfiltration protocols, researches associated CVEs, maps to MITRE ATT&CK, generates detection rules (Sigma for PowerShell logging, YARA for scripts, osquery for vulnerability indicators), and produces an IR playbook.
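The decoding and chain-tracing steps above, as an added example that is not Fleet's code. It peels the layers the recipe lists one at a time (`-EncodedCommand` and its prefixes, `[Convert]::FromBase64String`, `'a' + 'b'` concatenation, single-quoted variable assignments) and keeps every intermediate layer so the chain can be reported. The three-layer sample command line is constructed in the block itself; the final plaintext is a harmless `Get-Process`.

```python
"""Added example (not Fleet's code): peel common PowerShell encoding layers
and record the execution chain."""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, ...).
_PREFIXES = ["ec"] + ["encodedcommand"[:i] for i in range(1, 15)]
ENC_RE = re.compile(r"-(?:" + "|".join(sorted(_PREFIXES, key=len, reverse=True)) + r")\s+([A-Za-z0-9+/=]+)", re.I)
B64_CALL_RE = re.compile(r"\[Convert\]::FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)
CONCAT_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'\s*;?\s*")
SINK_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)


def _bytes_to_text(raw):
    # UTF-16LE text has NUL bytes at odd offsets; anything else is treated as UTF-8.
    if len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def decode_encoded_command(cmdline):
    """Decode the -EncodedCommand argument (Base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:
        return None


def _collapse_concat(script):
    prev = None
    while prev != script:
        prev = script
        script = CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
    return script


def simplify(script):
    """Collapse 'a' + 'b' literals and inline single-quoted variable assignments."""
    script = _collapse_concat(script)
    for name, value in ASSIGN_RE.findall(script):
        script = ASSIGN_RE.sub("", script, count=1)
        script = re.sub(r"\$" + re.escape(name) + r"\b", lambda _m, v=value: "'" + v + "'", script)
    return _collapse_concat(script)


def peel(layer):
    """One layer down, or None when nothing more unwraps."""
    decoded = decode_encoded_command(layer)
    if decoded is not None:
        return decoded
    m = B64_CALL_RE.search(layer)
    if m:
        return _bytes_to_text(base64.b64decode(m.group(1)))
    simplified = simplify(layer)
    return simplified if simplified != layer else None


def trace(cmdline, max_depth=10):
    """Every layer from the raw command line down to the final plaintext."""
    layers = [cmdline]
    while len(layers) < max_depth:
        nxt = peel(layers[-1])
        if nxt is None:
            break
        layers.append(nxt)
    return layers


def execution_sinks(layers):
    """How many Invoke-Expression / IEX execution points the chain contains."""
    return sum(len(SINK_RE.findall(layer)) for layer in layers)


def _b64_utf16(s):
    return base64.b64encode(s.encode("utf-16-le")).decode()


# Constructed three-layer sample, built with the same encodings the text lists.
STAGE2 = "$p = 'Get-' + 'Process'; IEX ($p + ' -Name explorer')"
STAGE1 = ("$s = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('"
          + _b64_utf16(STAGE2) + "')); IEX $s")
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc " + _b64_utf16(STAGE1)

if __name__ == "__main__":
    for depth, layer in enumerate(trace(SAMPLE_CMDLINE)):
        print(f"layer {depth}: {layer[:80]}")
```

Each layer is a detection opportunity: Script Block Logging (Event ID 4104) records the decoded script at every Invoke-Expression, so a Sigma rule on the decoded layers fires even when the outer `-enc` blob changes per victim.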
Threat Intelligence Recipes
Observable Extraction
Extract and enrich indicators of compromise from any source. Fleet processes URLs, documents, text, or files to extract all observables, enriches them with reputation data and risk scores, and produces structured output in multiple formats (markdown report, scored text report, STIX 2.1 bundle, or YARA rules).
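The extraction and STIX 2.1 output steps above, as an added example that is not Fleet's code: it refangs the common `hxxp`, `[.]` and `[@]` conventions, extracts URLs, e-mail addresses, IPv4 addresses, domains and file hashes in an order that avoids double-counting, and emits them as STIX 2.1 indicator objects in a bundle. Reputation enrichment needs a network lookup and is left out; the report text is constructed.

```python
"""Added example (not Fleet's code): refang, extract and emit observables as a
STIX 2.1 indicator bundle."""
import json
import re
import uuid
from urllib.parse import urlparse

# Constructed report excerpt using documentation address ranges and a made-up hash.
SAMPLE_TEXT = (
    "Analysts observed beacons to hxxp://update[.]example-bad[.]com/gate.php "
    "from 203[.]0[.]113[.]45 every hour. The dropper (SHA256 "
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef) "
    "arrived in mail from ops[@]example-bad[.]com"
)

URL_RE = re.compile(r"\bhttps?://[^\s'\"<>)\]]+", re.I)
EMAIL_RE = re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
HASH_RES = {"MD5": re.compile(r"\b[a-f0-9]{32}\b", re.I),
            "SHA-1": re.compile(r"\b[a-f0-9]{40}\b", re.I),
            "SHA-256": re.compile(r"\b[a-f0-9]{64}\b", re.I)}


def refang(text):
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", ".", text, flags=re.I)
    return re.sub(r"\[@\]|\[at\]", "@", text, flags=re.I)


def extract_observables(text):
    """Extract in precedence order (URL, e-mail, IP, hash, bare domain) and blank
    each match so a URL host or mail domain is not re-counted as a bare domain."""
    text = refang(text)
    found = {"url": set(), "email-addr": set(), "ipv4-addr": set(), "domain-name": set(), "hash": {}}
    for u in URL_RE.findall(text):
        u = u.rstrip(".,;)")
        found["url"].add(u)
        host = urlparse(u).hostname
        if host and not IPV4_RE.fullmatch(host):
            found["domain-name"].add(host)
    text = URL_RE.sub(" ", text)
    for e in EMAIL_RE.findall(text):
        found["email-addr"].add(e.lower())
        found["domain-name"].add(e.split("@")[1].lower())
    text = EMAIL_RE.sub(" ", text)
    found["ipv4-addr"].update(IPV4_RE.findall(text))
    text = IPV4_RE.sub(" ", text)
    for algo, rx in HASH_RES.items():
        for h in rx.findall(text):
            found["hash"][h.lower()] = algo
    found["domain-name"].update(d.lower() for d in DOMAIN_RE.findall(text))
    return found


def to_stix_bundle(found, created="2024-03-01T00:00:00.000Z"):
    """STIX 2.1 bundle of indicator objects. Ids are uuid5 of the pattern so repeated
    runs give stable ids (the spec's usual choice for SDOs is uuid4)."""
    def indicator(pattern, name):
        return {"type": "indicator", "spec_version": "2.1",
                "id": "indicator--" + str(uuid.uuid5(uuid.NAMESPACE_URL, pattern)),
                "created": created, "modified": created, "name": name,
                "pattern": pattern, "pattern_type": "stix", "valid_from": created}
    objects = []
    for typ in ("url", "email-addr", "ipv4-addr", "domain-name"):
        for value in sorted(found[typ]):
            objects.append(indicator(f"[{typ}:value = '{value}']", f"{typ} {value}"))
    for digest, algo in sorted(found["hash"].items()):
        objects.append(indicator(f"[file:hashes.'{algo}' = '{digest}']", f"{algo} {digest}"))
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid5(uuid.NAMESPACE_URL, created)),
            "objects": objects}


if __name__ == "__main__":
    print(json.dumps(to_stix_bundle(extract_observables(SAMPLE_TEXT)), indent=2))
```

The bare-domain regex is deliberately last and loose; on real reports it also catches file names like `update.exe`, so a production extractor filters the domain set against a TLD list before the indicators leave the pipeline.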
APT Report Processing
Convert a threat intelligence report into a complete, actionable intelligence package. Fleet extracts all observables from the report, converts them to STIX 2.1 format, enriches IOCs against threat intelligence sources, maps TTPs to the MITRE ATT&CK matrix, searches for supplementary advisories, generates detection rules (Sigma, YARA, osquery), and produces an executive threat briefing ready for distribution to SOC and IR teams.
Detection from Scenario
Build detection rules from a described attack scenario. Fleet analyzes the attack stages, maps each to specific MITRE ATT&CK techniques, generates a Sigma rule per stage, validates all rules, converts to Splunk SPL and Microsoft Sentinel KQL, designs a correlation meta-rule chaining all stages, tests against provided sample logs, and documents each rule with coverage analysis, false positive scenarios, required log sources, and tuning guidance.
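The per-stage rules, the SPL/KQL conversion, the correlation meta-rule and the sample-log test from the procedure above, carried through as one added example that is not Fleet's code. The rules use Sigma's selection semantics (fields AND-ed, list values OR-ed, `|contains` and `|endswith` modifiers) on Sysmon-style field names; the rule and event dict layouts, the `sourcetype` naming in the SPL output and the table names in the KQL output are assumptions, and the events are constructed.

```python
"""Added example (not Fleet's code): Sigma-style rules for a three-stage
scenario, matched against sample events, converted to SPL and KQL, and chained
by a correlation meta-rule."""
from collections import defaultdict

RULES = [
    {"title": "Office application spawns script host", "attack": "T1566.001",
     "logsource": {"product": "windows", "category": "process_creation"},
     "selection": {"ParentImage|endswith": ["\\winword.exe", "\\excel.exe"],
                   "Image|endswith": ["\\wscript.exe", "\\cscript.exe", "\\mshta.exe"]}},
    {"title": "Encoded PowerShell command line", "attack": "T1059.001",
     "logsource": {"product": "windows", "category": "process_creation"},
     "selection": {"Image|endswith": "\\powershell.exe",
                   "CommandLine|contains": ["-enc ", "-encodedcommand "]}},
    {"title": "Run key persistence", "attack": "T1547.001",
     "logsource": {"product": "windows", "category": "registry_set"},
     "selection": {"TargetObject|contains": "\\CurrentVersion\\Run\\"}},
]

# Constructed sample events: WS01 shows all three stages, WS02 only stage two.
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": 1000, "category": "process_creation", "CommandLine": "wscript.exe C:\\Users\\a\\AppData\\Local\\Temp\\invoice.js",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\wscript.exe"},
    {"host": "WS01", "ts": 1004, "category": "process_creation", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA",
     "ParentImage": "C:\\Windows\\System32\\wscript.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"host": "WS01", "ts": 1300, "category": "registry_set",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"host": "WS02", "ts": 2000, "category": "process_creation", "CommandLine": "powershell.exe -enc SQBFAFgA",
     "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"host": "WS02", "ts": 2100, "category": "process_creation", "CommandLine": "notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe"},
]


def _values(expected):
    return expected if isinstance(expected, list) else [expected]


def _match_field(event, key, expected):
    field, _, mod = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for v in (str(x).lower() for x in _values(expected)):
        if (mod == "contains" and v in actual) or (mod == "endswith" and actual.endswith(v)) or (mod == "" and actual == v):
            return True
    return False


def matches(rule, event):
    """Sigma semantics for one selection: fields AND-ed, list values OR-ed."""
    if rule["logsource"]["category"] != event.get("category"):
        return False
    return all(_match_field(event, k, v) for k, v in rule["selection"].items())


def _escape(v):
    return v.replace("\\", "\\\\").replace('"', '\\"')


def to_spl(rule):
    """Splunk SPL with wildcard quoting; sourcetype stands in for the log source."""
    parts = []
    for key, expected in rule["selection"].items():
        field, _, mod = key.partition("|")
        alts = []
        for v in _values(expected):
            e = _escape(v)
            alts.append(f'{field}="' + (f"*{e}*" if mod == "contains" else f"*{e}" if mod == "endswith" else e) + '"')
        parts.append("(" + " OR ".join(alts) + ")")
    return f'sourcetype="{rule["logsource"]["category"]}" ' + " ".join(parts)


KQL_TABLES = {"process_creation": "DeviceProcessEvents", "registry_set": "DeviceRegistryEvents"}


def to_kql(rule):
    """Sentinel KQL using its case-insensitive contains / endswith / =~ operators."""
    ops = {"contains": "contains", "endswith": "endswith", "": "=~"}
    parts = []
    for key, expected in rule["selection"].items():
        field, _, mod = key.partition("|")
        parts.append("(" + " or ".join(f'{field} {ops[mod]} "{_escape(v)}"' for v in _values(expected)) + ")")
    return f"{KQL_TABLES.get(rule['logsource']['category'], 'SecurityEvent')} | where " + " and ".join(parts)


def correlate(rules, events, window_s=3600):
    """Meta-rule: alert when every stage fires on the same host inside the window."""
    hits = defaultdict(dict)
    for e in sorted(events, key=lambda x: x["ts"]):
        for i, rule in enumerate(rules):
            if i not in hits[e["host"]] and matches(rule, e):
                hits[e["host"]][i] = e["ts"]
    alerts = []
    for host, stages in hits.items():
        if len(stages) == len(rules) and max(stages.values()) - min(stages.values()) <= window_s:
            order = sorted(stages)
            alerts.append({"host": host, "stages": [rules[i]["title"] for i in order],
                           "techniques": [rules[i]["attack"] for i in order]})
    return alerts


if __name__ == "__main__":
    for r in RULES:
        print(to_spl(r)); print(to_kql(r))
    print(correlate(RULES, SAMPLE_EVENTS))
```

Stage two on its own fires on WS02 as well, which is the false-positive scenario the documentation step should record (administrators do run encoded commands); the meta-rule, which needs all three stages on one host, is what keeps the alert specific.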
YARA Fix and Validate
Debug, fix, and validate broken YARA rules. Fleet reads the rule, identifies syntax errors, explains what the rule is trying to detect and why the syntax is broken, fixes the rule, validates compilation, scans files to test for matches, and suggests improvements to make the rule more effective.