This playbook is part of the LOLBAS Feed Pack.
Supported Cortex XSOAR versions: 6.9.0 and later.
This playbook takes a process name and checks whether it is present in the LOLBAS repository. If it is, the playbook compares the incident command line against the known malicious command patterns that the LOLBAS feed integration stores in TIM. It outputs only the results whose similarity to the analyzed command line is greater than or equal to the preconfigured StringSimilarity threshold; the threshold can be adjusted through the dedicated playbook input, 'StringSimilarityThreshold'.
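As an added illustration of the matching logic described above (this is not the playbook's own code nor the StringSimilarity automation itself), the following Python models the two steps: the process-name lookup against LOLBAS entries, and the thresholded similarity comparison of the incident command line against each documented pattern. It assumes the similarity score behaves like difflib's SequenceMatcher ratio, and the LOLBAS entries are a constructed sample in the style of the public project, not the live feed.

```python
from difflib import SequenceMatcher

# Constructed sample in the style of LOLBAS entries (process name ->
# documented command patterns). In the playbook these come from the LOLBAS
# feed indicators stored in TIM; this dict stands in for that lookup.
LOLBAS_SAMPLE = {
    "certutil.exe": [
        "certutil.exe -urlcache -split -f http://example.invalid/file.exe file.exe",
        "certutil.exe -encode inputfile outputfile",
    ],
    "bitsadmin.exe": [
        "bitsadmin.exe /transfer job /download /priority high "
        "http://example.invalid/file.exe C:\\Temp\\file.exe",
    ],
}


def string_similarity(a: str, b: str) -> float:
    """Similarity score in [0, 1]. Assumption: modelled on difflib's ratio,
    compared case-insensitively because Windows command lines are."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def base_name(process_name: str) -> str:
    """Reduce 'C:\\Windows\\System32\\certutil.exe' to 'certutil.exe'."""
    return process_name.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_lolbas_process(process_name: str, lolbas=LOLBAS_SAMPLE) -> bool:
    """Step 1: is the process (by base name) a known LOLBin?"""
    return base_name(process_name) in lolbas


def check_command_line(process_name, command_line, threshold=0.5, lolbas=LOLBAS_SAMPLE):
    """Step 2: return the LOLBAS patterns whose similarity to the incident
    command line is >= threshold (the playbook's SuspiciousLolbinArguments
    output), best match first. A process not in the repository yields []."""
    if not is_lolbas_process(process_name, lolbas):
        return []
    hits = []
    for pattern in lolbas[base_name(process_name)]:
        score = string_similarity(command_line, pattern)
        if score >= threshold:
            hits.append({"pattern": pattern, "score": round(score, 3)})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


if __name__ == "__main__":
    # Constructed incident command line: same LOLBin and switches, different file.
    incident = ("C:\\Windows\\System32\\certutil.exe -urlcache -split -f "
                "http://example.invalid/update.bin update.bin")
    for hit in check_command_line("certutil.exe", incident, threshold=0.5):
        print(f"{hit['score']:.3f}  {hit['pattern']}")
```

Lowering the threshold surfaces looser matches (more noise), raising it towards 1.0 keeps only near-verbatim reuse of a documented pattern; the default of 0.5 mirrors the playbook input's default value.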
## Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

### Sub-playbooks

This playbook does not use any sub-playbooks.

### Integrations

This playbook does not use any integrations.

### Commands

This playbook does not use any commands.
## Playbook Inputs

| **Name** | **Description** | **Default Value** | **Required** |
| --- | --- | --- | --- |
| ProcessName | The process names. | | Optional |
| Commandline | The command lines. | | Optional |
| StringSimilarityThreashold | StringSimilarity automation threshold. The automation will output only the results with a similarity score equal to or greater than the given threshold. | 0.5 | Optional |

## Playbook Outputs

| **Path** | **Description** | **Type** |
| --- | --- | --- |
| SuspiciousLolbinArguments | Command-line arguments that are similar to the compared LOLBAS repository malicious command pattern. | unknown |