Remote PsExec with LOLBIN command execution alert
The "Remote PsExec-like LOLBIN Command Execution" playbook is designed to address and respond to alerts indicating suspicious activities related to remote PsExec-like LOLBIN command execution from an unsigned non-standard source. The playbook aims to efficiently: - Check if the execution is blocked. If not will terminate the process (Manually by default). - Enrich any entities and indicators from the alert and find any related campaigns. - Perform command analysis to provide insights and verdict for the executed command. - Perform further endpoint investigation using XDR. - Checks for any malicious verdict found to raise the severity of the alert. - Perform Automatic/Manual remediation response by blocking any malicious indicators found. The playbook is designed to run as a sub-playbook in ‘Cortex XDR Incident Handling - v3 & Cortex XDR Alerts Handling’. It depends on the data from the parent playbooks and can not be used as a standalone version.
Core · 20 tasks · 4 inputs · 0 outputs
Inputs
alerts_ids— The ID's of the relevant alertsAutoRemediation— Whether remediation will be run automatically or manually. If set to "True" - remediation will be automatic.LOLBASFeedLimit— LOLBAS Feed results limitEndpointIDs— The IDs of the victim endpoint
Commands used
core-get-endpoints
core-run-script-execute-commands
extractIndicators
setAlert
setIncident