Compare Process Execution Arguments To LOLBAS Patterns
This playbook takes a process name and determines its presence in the LOLBAS repository. It then proceeds to compare the incident command line against known patterns of malicious commands listed in TIM by using LOLBAS feed integration. The playbook outputs results when the similarity between the analyzed command line and the malicious patterns is greater than or equal to the preconfigured StringSimilarity threshold. The playbook offers the flexibility to adjust this threshold through the use of the dedicated playbook input, 'StringSimilarityThreshold'.
LOLBAS Feed · 8 tasks · 3 inputs · 1 output
Inputs
ProcessName— The process names.Commandline— The command lines.StringSimilarityThreashold— StringSimilarity automation threshold. The automation will output only the results with a similarity score equal to or greater than the given threshold.
Outputs
SuspiciousLolbinArguments— Command-line arguments that are similar to the compared LOLBAS repository malicious command pattern.