Compare Process Execution Arguments To LOLBAS Patterns

This playbook takes a process name and determines its presence in the LOLBAS repository. It then proceeds to compare the incident command line against known patterns of malicious commands listed in TIM by using LOLBAS feed integration. The playbook outputs results when the similarity between the analyzed command line and the malicious patterns is greater than or equal to the preconfigured StringSimilarity threshold. The playbook offers the flexibility to adjust this threshold through the use of the dedicated playbook input, 'StringSimilarityThreshold'.

LOLBAS Feed · 8 tasks · 3 inputs · 1 output

Inputs

  • ProcessName — The process names.
  • Commandline — The command lines.
  • StringSimilarityThreashold — StringSimilarity automation threshold. The automation will output only the results with a similarity score equal to or greater than the given threshold.

Outputs

  • SuspiciousLolbinArguments — Command-line arguments that are similar to the compared LOLBAS repository malicious command pattern.

Flowchart

yes yes yes Start Start Does the process name exist in TIM? Does the process name exi... Are the process names and command-lines provided as inputs? Are the process names and... Done Done Is there a similarity between the incident command-lines and a malicious LOLBAS pattern? Is there a similarity bet... Set malicious argument - Set Set malicious argument Set Search if process image is part of LOLBAS feed - SearchIndicator Search if process image i... SearchIndicator Compare incident commandline arguments with LOLBAS malicious patterns? - StringSimilarity Compare incident commandl... StringSimilarity