T1036 - Masquerading
This playbook is part of the Core - Investigation and Response Pack.

## Supported versions
Supported Cortex XSOAR versions: 6.6.0 and later.
This playbook handles masquerading alerts based on the MITRE ATT&CK T1036 technique. An attacker might leverage well-known Microsoft Windows image names to run malicious processes without being caught.
Attacker's Goals:
An attacker is attempting to masquerade as a standard Windows image by using a trusted name to execute malicious code.
Investigative Actions:
Investigate the executed process image and verify if it is malicious using:
- XDR trusted signers
- VT trusted signers
- VT detection rate
- NSRL DB
Response Actions:
The playbook's first response action is a containment plan which is based on the initial data provided within the alert. In that phase, the playbook will execute:
- Auto block indicators
- Auto file quarantine
- Manual endpoint isolation
As the playbook proceeds, it checks for additional activity using the Endpoint Investigation Plan playbook, and a second phase, which includes containment and eradication, is executed.
This phase will execute the following containment actions:
- Manual block indicators
- Manual file quarantine
- Auto endpoint isolation
And the following eradication actions:
- Manual process termination
- Manual file deletion
- Manual reset of the user’s password
External resources:
Possible Microsoft process masquerading

## How to use this playbook
### Create a new playbook trigger
- Click on the Incident Response icon on the left menu.
- Under Automation, click on Incident Configuration.
- Select Playbook Triggers on the left panel.
- Click on New Trigger.
- Choose a trigger name, e.g. Masquerading Response.
- Under Playbook To Run, select the T1036 - Masquerading playbook.
- Add a trigger description (optional).
- Create a filter for the playbook trigger:
  - Click on 'select field'.
  - Choose 'Mitre ATT&CK Technique'.
  - Fill the value with 'T1036' and select all.
  - Click Create.
- Note that playbook triggers are executed in order. Consider changing the trigger's position so that the execution order is as intended; otherwise, another trigger may override the new trigger.
- Click Save.

## Playbook inputs
Before executing the playbook, review the inputs and change the default values, if needed.
Important playbook inputs you should pay attention to:
- FileRemediation: Under the second phase of the playbook remediation, there are two sub-playbooks:
  - Containment Plan
  - Eradication Plan
One playbook can quarantine a file and the other can delete it. Since both can be executed together, this playbook input allows you to decide which response action the playbook should execute.
- AutoContainment: Whether to execute the following response actions automatically or manually:
  - Block indicators
  - Quarantine file
  - Disable user
- HostAutoContainment: Whether to execute Endpoint Isolation automatically or manually.
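As an added illustration (not the playbook's own code), the Python below models how the investigative checks listed earlier (XDR and VT trusted signers, VT detection rate, NSRL) can be combined into a verdict, and how the FileRemediation, AutoContainment and HostAutoContainment inputs select between automatic and manual response actions. The field names, the well-known image list, the VT threshold and the system-directory check are assumptions of this example; the last two go a little beyond the checks the page itself lists.

```python
from dataclasses import dataclass

# Constructed enrichment record. In the real playbook these facts come from the
# alert context and the Enrichment for Verdict sub-playbook; the field names here
# are assumptions for this illustration.
@dataclass
class ProcessEnrichment:
    image_name: str
    image_path: str
    xdr_signer_trusted: bool
    vt_signer_trusted: bool
    vt_detection_rate: float  # fraction of VT engines flagging the hash, 0.0 to 1.0
    nsrl_known: bool          # hash found in the NSRL known-software database

# Illustrative list of Windows image names commonly impersonated under T1036.
WELL_KNOWN_IMAGES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "rundll32.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def verdict(e: ProcessEnrichment, vt_threshold: float = 0.1) -> str:
    """Return 'benign', 'suspicious' or 'malicious' from the investigative checks."""
    path = e.image_path.lower()
    if e.vt_detection_rate >= vt_threshold:
        return "malicious"          # enough VT engines agree on the hash
    if e.nsrl_known or (e.xdr_signer_trusted and e.vt_signer_trusted):
        return "benign"             # known-good hash or trusted signer on both sources
    if e.image_name.lower() in WELL_KNOWN_IMAGES and not path.startswith(SYSTEM_DIRS):
        return "malicious"          # trusted name, untrusted signer, outside the system directories
    return "suspicious"             # unsigned and unknown: leave the call to the analyst

def response_plan(v: str, auto_containment: bool, host_auto_containment: bool,
                  file_remediation: str = "Quarantine") -> dict:
    """Map a verdict to the playbook's response actions, honouring its inputs."""
    if v == "benign":
        return {"close_as_false_positive": True}
    mode = "auto" if auto_containment else "manual"
    plan = {"block_indicators": mode, "disable_user": mode,
            "isolate_endpoint": "auto" if host_auto_containment else "manual"}
    # FileRemediation decides whether the file is quarantined or deleted, never both.
    plan["quarantine_file" if file_remediation == "Quarantine" else "delete_file"] = mode
    return plan
```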

## Playbook remediation plan
In this playbook the remediation plan happens in two different phases:
- At an early stage of the playbook execution, the Containment Plan sub-playbook is used for file quarantine and blocking indicators.
- At a later stage, the playbook executes the Endpoint Investigation Plan, which searches for additional activity on the alerted endpoint. In this phase, based on the results of the Endpoint Investigation Plan playbook, both the Containment Plan and Eradication Plan sub-playbooks are executed.

## Dependencies
This playbook uses the following sub-playbooks, integrations, and scripts.
### Sub-playbooks
- Endpoint Investigation Plan
- Containment Plan
- Eradication Plan
- Enrichment for Verdict
- Handle False Positive Alerts
- Recovery Plan
### Integrations
This playbook does not use any integrations.
### Scripts
This playbook does not use any scripts.
### Commands
- closeInvestigation

## Playbook Inputs
Name | Description | Default Value | Required |
---|---|---|---|
FileRemediation | Can be 'Quarantine' or 'Delete'. | Quarantine | Required |
AutoCloseAlert | Whether to close the alert automatically or manually, after an analyst's review. | false | Optional |
AutoRecovery | Whether to execute the Recovery playbook. | false | Optional |
AutoContainment | Whether to execute the containment plan tasks (block indicators, quarantine file, disable user) automatically or manually. | | Optional |
HostAutoContainment | Whether to execute endpoint isolation automatically or manually based on the Endpoint Investigation findings. | true | Optional |

## Playbook Outputs
There are no outputs for this playbook.