Xsiam-remote-psexec-lolbin-command-execution-playbook

Packs/Core/Playbooks/playbook-Remote_PsExec_with_Lolbin_Command_Execution_alert_README.md

@@ -0,0 +1,62 @@
+The "Remote PsExec-like LOLBIN Command Execution" playbook is designed to address and respond to alerts indicating suspicious activities related to remote PsExec-like LOLBIN command execution from an unsigned non-standard source. 
+The playbook aims to efficiently:
+
+- Check if the execution is blocked. If not will terminate the process (Manually by default).
+- Enrich any entities and indicators from the alert and find any related campaigns.
+- Perform command analysis to provide insights and verdict for the executed command.
+- Perform further endpoint investigation using XDR.
+- Checks for any malicious verdict found to raise the severity of the alert.
+- Perform Automatic/Manual remediation response by blocking any malicious indicators found.
+
+The playbook is designed to run as a sub-playbook in ‘Cortex XDR Incident Handling - v3 & Cortex XDR Alerts Handling’.
+It depends on the data from the parent playbooks and can not be used as a standalone version.
+
+## Dependencies
+
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+
+* Threat Hunting - Generic
+* Block Indicators - Generic v3
+* Command-Line Analysis
+* Get entity alerts by MITRE tactics
+* Enrichment for Verdict
+
+### Integrations
+
+* CortexCoreIR
+
+### Scripts
+
+This playbook does not use any scripts.
+
+### Commands
+
+* extractIndicators
+* core-get-endpoints
+* core-run-script-execute-commands
+* setAlert
+* setIncident
+
+## Playbook Inputs
+
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| alerts_ids | The ID's of the relevant alerts | ${alert.id} | Optional |
+| AutoRemediation | Whether remediation will be run automatically or manually. If set to "True" - remediation will be automatic. | false | Optional |
+| LOLBASFeedLimit | LOLBAS Feed results limit | 100 | Optional |
+| EndpointIDs | The IDs of the victim endpoint | ${alert.hostip} | Optional |
+
+## Playbook Outputs
+
+---
+There are no outputs for this playbook.
+
+## Playbook Image
+
+---
+
+![Remote PsExec with LOLBIN command execution alert](../doc_files/Remote_PsExec_with_LOLBIN_command_execution_alert.png)

Packs/Core/ReleaseNotes/3_0_9.md

@@ -0,0 +1,17 @@
+
+#### Playbooks
+
+##### New: Remote PsExec with LOLBIN command execution alert
+
+- New: The "Remote PsExec-like LOLBIN Command Execution" playbook is designed to address and respond to alerts indicating suspicious activities related to remote PsExec-like LOLBIN command execution from an unsigned non-standard source. 
+The playbook aims to efficiently:
+
+- Check if the execution is blocked. If not will terminate the process (Manually by default).
+- Enrich any entities and indicators from the alert and find any related campaigns.
+- Perform command analysis to provide insights and verdict for the executed command.
+- Perform further endpoint investigation using XDR.
+- Checks for any malicious verdict found to raise the severity of the alert.
+- Perform Automatic/Manual remediation response by blocking any malicious indicators found.
+
+The playbook is designed to run as a sub-playbook in ‘Cortex XDR Incident Handling - v3 & Cortex XDR Alerts Handling’.
+It depends on the data from the parent playbooks and can not be used as a standalone version. (Available from Cortex XSOAR 6.10.0).

Packs/Core/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Core - Investigation and Response",
     "description": "Automates incident response",
     "support": "xsoar",
-    "currentVersion": "3.0.8",
+    "currentVersion": "3.0.9",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Remote_PsExec_with_LOLBIN_command_execution_alert.yml

@@ -3,7 +3,17 @@ version: -1
 contentitemexportablefields:
   contentitemfields: {}
 name: Cortex XDR Remote PsExec with LOLBIN command execution alert
-description: "The \"Remote PsExec-like LOLBIN Command Execution\" playbook is designed to address and respond to alerts indicating suspicious activities related to remote PsExec-like LOLBIN command execution from an unsigned non-standard source. \nThe playbook aims to efficiently:\n\n- Get the alert data and check if the execution is blocked. If not will terminate the process (manually by default).\n- Enrich any entities and indicators from the alert and find any related campaigns.\n- Perform command analysis to provide insights and a verdict for the executed command.\n- Perform further endpoint investigation using Cortex XDR.\n- Checks for any malicious verdicts found to raise the severity of the alert.\n- Perform automatic/manual remediation response by blocking any malicious indicators found.\n\nThe playbook is designed to run as a sub-playbook in ‘Cortex XDR Incident Handling - v3 & Cortex XDR Alerts Handling’.\nIt depends on the data from the parent playbooks and cannot be used as a standalone version."
+description: |
+  The "Remote PsExec-like LOLBIN Command Execution" playbook is designed to address and respond to alerts indicating suspicious activities related to remote PsExec-like LOLBIN command execution from an unsigned non-standard source. 
+  The playbook aims to efficiently:
+    - Get the alert data and check if the execution is blocked. If not will terminate the process (manually by default).
+    - Enrich any entities and indicators from the alert and find any related campaigns.
+    - Perform command analysis to provide insights and a verdict for the executed command.
+    - Perform further endpoint investigation using Cortex XDR.
+    - Checks for any malicious verdicts found to raise the severity of the alert.
+    - Perform automatic/manual remediation response by blocking any malicious indicators found.
+  The playbook is designed to run as a sub-playbook in "Cortex XDR Incident Handling - v3 & Cortex XDR Alerts Handling".
+  It depends on the data from the parent playbooks and cannot be used as a standalone version.
 starttaskid: "0"
 tasks:
   "0":
@@ -1092,12 +1102,6 @@ inputs:
   required: false
   description: Whether remediation will be run automatically or manually. If set to "True" - remediation will be automatic.
   playbookInputQuery:
-- key: LOLBASFeedLimit
-  value:
-    simple: "100"
-  required: false
-  description: LOLBAS Feed results limit.
-  playbookInputQuery:
 - key: EndpointIDs
   value:
     complex:

Packs/CortexXDR/Playbooks/playbook-Cortex_XDR_-_Remote_PsExec_with_LOLBIN_command_execution_alert_README.md

@@ -1,4 +1,4 @@
-V The "Remote PsExec-like LOLBIN Command Execution" playbook is designed to address and respond to alerts indicating suspicious activities related to remote PsExec-like LOLBIN command execution from an unsigned non-standard source. 
+The "Remote PsExec-like LOLBIN Command Execution" playbook is designed to address and respond to alerts indicating suspicious activities related to remote PsExec-like LOLBIN command execution from an unsigned non-standard source. 
 The playbook aims to efficiently:
 
 - Get the alert data and check if the execution is blocked. If not will terminate the process (manually by default).
@@ -8,7 +8,7 @@ The playbook aims to efficiently:
 - Checks for any malicious verdicts found to raise the severity of the alert.
 - Perform automatic/manual remediation response by blocking any malicious indicators found.
 
-The playbook is designed to run as a sub-playbook in ‘Cortex XDR Incident Handling - v3 & Cortex XDR Alerts Handling’.
+The playbook is designed to run as a sub-playbook in "Cortex XDR Incident Handling - v3 & Cortex XDR Alerts Handling".
 It depends on the data from the parent playbooks and cannot be used as a standalone version.
 
 ## Dependencies
@@ -18,9 +18,9 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 ### Sub-playbooks
 
 * Command-Line Analysis
+* Threat Hunting - Generic
 * Entity Enrichment - Generic v4
 * Cortex XDR - Endpoint Investigation
-* Threat Hunting - Generic
 * Block Indicators - Generic v3
 
 ### Integrations
@@ -30,11 +30,12 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 ### Scripts
 
 * IncreaseIncidentSeverity
+* AddEvidence
 
 ### Commands
 
-* xdr-script-commands-execute
 * setIncident
+* xdr-script-commands-execute
 
 ## Playbook Inputs
 
@@ -45,7 +46,6 @@ This playbook uses the following sub-playbooks, integrations, and scripts.
 | SrcIPAddress | The remote IP address that executed the process. | incident.xdralerts.actionremoteip | Optional |
 | alerts_ids | The IDs of the relevant alerts. | incident.xdralerts.alert_id | Optional |
 | AutoRemediation | Whether remediation will be run automatically or manually. If set to "True" - remediation will be automatic. | false | Optional |
-| LOLBASFeedLimit | LOLBAS Feed results limit. | 100 | Optional |
 | EndpointIDs | The IDs of the victim endpoint. | incident.xdralerts.endpoint_id | Optional |
 | HighAlertsThreshold | The threshold number of additional high severity alerts. | 1 | Optional |
 | CriticalAlertsThreshold | The threshold number of additional critical severity alerts. | 1 | Optional |

Packs/CortexXDR/ReleaseNotes/6_1_4.md

@@ -0,0 +1,6 @@
+
+#### Playbooks
+
+##### Cortex XDR Remote PsExec with LOLBIN command execution alert
+
+- Updated the playbook description

Packs/CortexXDR/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Cortex XDR by Palo Alto Networks",
     "description": "Automates Cortex XDR incident response, and includes custom Cortex XDR incident views and layouts to aid analyst investigations.",
     "support": "xsoar",
-    "currentVersion": "6.1.3",
+    "currentVersion": "6.1.4",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",