Cortex XDR Remote PsExec with LOLBIN command execution alert
The "Remote PsExec-like LOLBIN Command Execution" playbook is designed to address and respond to alerts indicating suspicious activities related to remote PsExec-like LOLBIN command execution from an unsigned non-standard source. The playbook aims to efficiently: - Get the alert data and check if the execution is blocked. If not will terminate the process (manually by default). - Enrich any entities and indicators from the alert and find any related campaigns. - Perform command analysis to provide insights and a verdict for the executed command. - Perform further endpoint investigation using Cortex XDR. - Checks for any malicious verdicts found to raise the severity of the alert. - Perform automatic/manual remediation response by blocking any malicious indicators found. The playbook is designed to run as a sub-playbook in "Cortex XDR Incident Handling - v3 & Cortex XDR Alerts Handling". It depends on the data from the parent playbooks and cannot be used as a standalone version.
Cortex XDR by Palo Alto Networks · 19 tasks · 6 inputs · 0 outputs
Inputs
SrcIPAddress— The remote IP address that executed the process.alerts_ids— The IDs of the relevant alerts.AutoRemediation— Whether remediation will be run automatically or manually. If set to "True" - remediation will be automatic.EndpointIDs— The IDs of the victim endpoint.HighAlertsThreshold— The threshold number of additional high severity alerts.CriticalAlertsThreshold— The threshold number of additional critical severity alerts.
Commands used
setIncident
xdr-script-commands-execute