Remote PsExec with LOLBIN command execution alert

The "Remote PsExec-like LOLBIN Command Execution" playbook is designed to address and respond to alerts indicating suspicious activities related to remote PsExec-like LOLBIN command execution from an unsigned non-standard source. The playbook aims to efficiently: - Check if the execution is blocked. If not will terminate the process (Manually by default). - Enrich any entities and indicators from the alert and find any related campaigns. - Perform command analysis to provide insights and verdict for the executed command. - Perform further endpoint investigation using XDR. - Checks for any malicious verdict found to raise the severity of the alert. - Perform Automatic/Manual remediation response by blocking any malicious indicators found. The playbook is designed to run as a sub-playbook in ‘Cortex XDR Incident Handling - v3 & Cortex XDR Alerts Handling’. It depends on the data from the parent playbooks and can not be used as a standalone version.

Core · 20 tasks · 4 inputs · 0 outputs

Inputs

  • alerts_ids — The ID's of the relevant alerts
  • AutoRemediation — Whether remediation will be run automatically or manually. If set to "True" - remediation will be automatic.
  • LOLBASFeedLimit — LOLBAS Feed results limit
  • EndpointIDs — The IDs of the victim endpoint

Commands used

core-get-endpoints core-run-script-execute-commands extractIndicators setAlert setIncident

Flowchart

Yes yes yes Malicious Start Start Enrichment Enrichment Is it blocked? Is it blocked? Should auto terminate process? Should auto terminate pro... Command-Line Analysis - Command-Line Analysis Command-Line Analysis Command-Line Analysis Raise incident severity - setAlert Raise incident severity setAlert Remediation Remediation Should auto block indicators? Should auto block indicat... Done Done Investigation & Analysis Investigation & Analysis Block Indicators - Generic v3 - Block Indicators - Generic v3 Block Indicators - Generi... Block Indicators - Generic v3 Found additional alerts or suspicious command line? Found additional alerts o... Threat Hunting - Generic - Threat Hunting - Generic Threat Hunting - Generic Threat Hunting - Generic Terminate suspicious process - core-run-script-execute-commands Terminate suspicious process core-run-script-execute-commands Waiting for manual remediation Waiting for manual remedi... Set Command-Line Verdict to Layout - setIncident Set Command-Line Verdict ... setIncident Enrichment for Verdict - Enrichment for Verdict Enrichment for Verdict Enrichment for Verdict Get entity alerts by MITRE tactics - Get entity alerts by MITRE tactics Get entity alerts by MITR... Get entity alerts by MITRE ta... Get endpoint ID - core-get-endpoints Get endpoint ID core-get-endpoints Extract source IP address indicator - extractIndicators Extract source IP address... extractIndicators