Remote PsExec with LOLBIN command execution alert
This Playbook is part of the Core - Investigation and Response Pack.#
Supported versions
Supported Cortex XSOAR versions: 6.10.0 and later.
The "Remote PsExec-like LOLBIN Command Execution" playbook is designed to address and respond to alerts indicating suspicious activities related to remote PsExec-like LOLBIN command execution from an unsigned non-standard source. The playbook aims to efficiently:
- Check if the execution is blocked. If not will terminate the process (Manually by default).
- Enrich any entities and indicators from the alert and find any related campaigns.
- Perform command analysis to provide insights and verdict for the executed command.
- Perform further endpoint investigation using XDR.
- Checks for any malicious verdict found to raise the severity of the alert.
- Perform Automatic/Manual remediation response by blocking any malicious indicators found.
The playbook is designed to run as a sub-playbook in ‘Cortex XDR Incident Handling - v3 & Cortex XDR Alerts Handling’. It depends on the data from the parent playbooks and can not be used as a standalone version.
Dependencies#
This playbook uses the following sub-playbooks, integrations, and scripts.
Sub-playbooks#
- Threat Hunting - Generic
- Block Indicators - Generic v3
- Command-Line Analysis
- Get entity alerts by MITRE tactics
- Enrichment for Verdict
Integrations#
- CortexCoreIR
Scripts#
This playbook does not use any scripts.
Commands#
- extractIndicators
- core-get-endpoints
- core-run-script-execute-commands
- setAlert
- setIncident
Playbook Inputs#
| Name | Description | Default Value | Required |
|---|---|---|---|
| alerts_ids | The ID's of the relevant alerts | ${alert.id} | Optional |
| AutoRemediation | Whether remediation will be run automatically or manually. If set to "True" - remediation will be automatic. | false | Optional |
| LOLBASFeedLimit | LOLBAS Feed results limit | 100 | Optional |
| EndpointIDs | The IDs of the victim endpoint | ${alert.hostip} | Optional |
Playbook Outputs#
There are no outputs for this playbook.
Playbook Image#
