Supported Cortex XSOAR versions: 6.6.0 and later.
This playbook handles masquerading alerts based on the MITRE ATT&CK T1036 technique. An attacker might use well-known Microsoft Windows image names to run malicious processes without being detected.
The attacker is attempting to masquerade as a standard Windows image by using a trusted name to execute malicious code.
Investigate the executed process image and verify whether it is malicious using:
- XDR trusted signers
- VT trusted signers
- VT detection rate
- NSRL DB
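To make the verification step concrete, here is an added example (not code from the playbook or from Cortex XSOAR) that combines the four sources above into a verdict for a process image. The detection-rate threshold, the expected-directory table and the enrichment field names are assumptions; it also adds a name-versus-expected-directory check for the well-known image names the introduction mentions, which the playbook does not spell out.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed table: well-known image names and the directories they normally run from.
EXPECTED_IMAGE_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}
VT_MALICIOUS_RATIO = 0.10  # assumed threshold: 10% of VT engines flagging the file


@dataclass
class ImageEnrichment:
    """Constructed view of the enrichment data the playbook collects (field names assumed)."""
    image_path: str
    xdr_trusted_signer: bool   # XDR reports the image is signed by a trusted signer
    vt_trusted_signer: bool    # VirusTotal reports a trusted signer
    vt_detections: int         # number of VT engines flagging the file
    vt_total_engines: int
    nsrl_known_good: bool      # hash is present in the NSRL known-file database


def is_path_masquerade(image_path: str) -> bool:
    """True when a well-known image name runs from a directory it is not expected in."""
    p = PureWindowsPath(image_path.lower())
    expected = EXPECTED_IMAGE_DIRS.get(p.name)
    return expected is not None and str(p.parent) not in expected


def vt_detection_rate(e: ImageEnrichment) -> float:
    return e.vt_detections / e.vt_total_engines if e.vt_total_engines else 0.0


def image_verdict(e: ImageEnrichment) -> str:
    """Return 'Malicious', 'Suspicious' or 'Benign' for the executed image."""
    if vt_detection_rate(e) >= VT_MALICIOUS_RATIO:
        return "Malicious"      # detections win even over a trusted signer (signed malware exists)
    if is_path_masquerade(e.image_path):
        return "Suspicious"     # trusted name in the wrong location needs analyst review
    if e.nsrl_known_good or e.xdr_trusted_signer or e.vt_trusted_signer:
        return "Benign"
    return "Suspicious"         # unsigned, unknown to NSRL and no VT hits: review manually


if __name__ == "__main__":
    # Constructed sample: svchost.exe launched from a user-writable directory.
    sample = ImageEnrichment(r"C:\Users\Public\svchost.exe", False, False, 0, 70, False)
    print(sample.image_path, "->", image_verdict(sample))
```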
The playbook's first response action is a containment plan based on the initial data provided within the alert. In that phase, the playbook executes:
- Auto block indicators
- Auto file quarantine
- Manual endpoint isolation
As the playbook proceeds, it checks for additional activity using the Endpoint Investigation Plan playbook, and then executes another phase that includes both containment and eradication.
This phase executes the following containment actions:
- Manual block indicators
- Manual file quarantine
- Auto endpoint isolation
And the following eradication actions:
- Manual process termination
- Manual file deletion
- Manual reset of the user’s password
- Click on the Incident Response icon in the left menu.
- Under Automation, click on Incident Configuration.
- Select Playbook Triggers in the left panel.
- Click on New Trigger.
- Choose a trigger name, e.g. Masquerading Response.
- Under Playbook To Run, select the T1036 - Masquerading playbook.
- Add a trigger description (optional).
- Create a filter for the playbook trigger:
  - Click on 'select field'.
  - Choose 'Mitre ATT&CK Technique'.
  - Fill in the value 'T1036' and select all.
- Click Create.
- Note that playbook triggers are executed according to their order. Consider changing the trigger position so that the execution order is as intended; otherwise, another trigger may override the new trigger.
Before executing the playbook, review the inputs and change the default values, if needed.
Important playbook inputs you should pay attention to:
- FileRemediation: In the second remediation phase of the playbook, there are two sub-playbooks:
  - Containment Plan
  - Eradication Plan
  One playbook can quarantine a file and the other can delete it. Since both can be executed together, this playbook input lets you decide which response action the playbook should execute.
- AutoContainment: Whether to execute the following response actions automatically or manually:
  - Block indicators
  - Quarantine file
  - Disable user
- HostAutoContainment: Whether to execute Endpoint Isolation automatically or manually.
In this playbook, the remediation plan happens in two different phases:
- At an early stage of the playbook execution, the Containment Plan sub-playbook is used for file quarantine and blocking indicators.
- At a later stage, the playbook executes the Endpoint Investigation Plan, which searches for additional activity on the alerted endpoint. In this phase, based on the results of the Endpoint Investigation Plan playbook, both the Containment Plan and Eradication Plan sub-playbooks are executed.
This playbook uses the following sub-playbooks, integrations, and scripts.
- Endpoint Investigation Plan
- Containment Plan
- Eradication Plan
- Enrichment for Verdict
- Handle False Positive Alerts
- Recovery Plan
This playbook does not use any integrations.
This playbook does not use any scripts.
| **Name** | **Description** | **Default Value** | **Required** |
| --- | --- | --- | --- |
| FileRemediation | Can be 'Quarantine' or 'Delete'. | Quarantine | Required |
| AutoCloseAlert | Whether to close the alert automatically or manually, after an analyst's review. | false | Optional |
| AutoRecovery | Whether to execute the Recovery playbook. | false | Optional |
| AutoContainment | Whether to execute the containment plan tasks automatically or manually:<br/>* Block indicators<br/>* Quarantine file<br/>* Disable user | | |
| HostAutoContainment | Whether to execute endpoint isolation automatically or manually, based on the Endpoint Investigation findings. | true | Optional |
There are no outputs for this playbook.