Skip to main content

Compare Process Execution Arguments To LOLBAS Patterns

This Playbook is part of the LOLBAS Feed Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.9.0 and later.

This playbook takes a process name and determines its presence in the LOLBAS repository. It then proceeds to compare the incident command line against known patterns of malicious commands listed in TIM by using LOLBAS feed integration. The playbook outputs results when the similarity between the analyzed command line and the malicious patterns is greater than or equal to the preconfigured StringSimilarity threshold. The playbook offers the flexibility to adjust this threshold through the use of the dedicated playbook input, 'StringSimilarityThreshold'.


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.


This playbook does not use any integrations.


  • Set
  • SearchIndicator
  • StringSimilarity


This playbook does not use any commands.

Playbook Inputs#

NameDescriptionDefault ValueRequired
ProcessNameThe process names.Optional
CommandlineThe command lines.Optional
StringSimilarityThreasholdStringSimilarity automation threshold. The automation will output only the results with a similarity score equal to or greater than the given threshold.0.5Optional

Playbook Outputs#

SuspiciousLolbinArgumentsCommand-line arguments that are similar to the compared LOLBAS repository malicious command pattern.unknown

Playbook Image#

Compare Process Execution Arguments To LOLBAS Patterns