Playbook of the Week: Automating Response to Living-Off-the-Land (LOTL) Attacks

May 09, 2024

Organizations face increasingly sophisticated cyberattacks in today's rapidly evolving threat landscape. Attackers leverage common tools and living-off-the-land binaries (LOLBins) to blend in with typical network traffic, and defenders struggle to differentiate between benign and malicious actions in logs.

To help improve detection and reduce false positives, Cortex XDR uses analytics rules to generate alerts for suspicious behavior involving an unsigned PsExec-like remote execution of a LOLBin command. Once an alert is generated, a short and critical window exists to review and analyze it, enrich relevant information, and produce indicators of compromise (IOCs) to mitigate the event.

The Cortex XDR - Remote PsExec with LOLBin command execution alert playbook enables organizations to automate and expedite alert handling.

The Playbook

This playbook is part of the Cortex XDR content pack. It offers a comprehensive solution to improve and simplify the difficult task of collecting vital information, examining, and analyzing alerts associated with remote command line execution. These alerts can be especially challenging to identify because they may look like legitimate commands.

When an alert triggers the playbook, it first checks whether XDR blocked the command execution. If it did not, the playbook runs a command to terminate the suspicious process, which provides an immediate, automated response action.

Fig 1: Auto-termination of suspicious processes

Next, using any available integrations, it gathers information and enriches entities such as file hashes and IP addresses related to the alert to provide more details about the detected action.

After enriching the alert entities, the playbook investigates and analyzes all the gathered information to decide whether the alert is a false positive or requires further action from the analyst.

Investigation & Analysis

During this stage of the investigation, the command line used in the suspicious execution is analyzed to determine if it contains any other malicious parameters, such as obfuscated network parameters, antimalware scan interface (AMSI) evasion techniques, or obfuscated base64.

Additionally, an endpoint investigation is conducted to identify any related alerts and logs that may be linked to the incident. This information can help the analyst gain a better understanding of the situation as a whole.

Based on the results uncovered during this stage, the severity of the incident may be updated. Furthermore, any evidence that is discovered is tagged and documented in the incident report for future reference.
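The command-line analysis described in this stage can be sketched as follows. This is an added example, not the playbook's or Cortex XDR's own logic; the patterns, finding tags and sample command lines are assumptions constructed for illustration.

```python
import base64
import re

# Heuristic patterns chosen for this illustration; not Cortex XDR's rule logic.
AMSI_RE = re.compile(r"amsi(utils|initfailed|scanbuffer)", re.I)
# URL whose host is a bare integer or hex literal instead of a dotted IP or name.
INT_HOST_RE = re.compile(r"https?://(?:0x[0-9a-f]{1,8}|\d{8,10})(?=[:/\s'\"]|$)", re.I)
# Any "-flag value" pair whose value looks like a base64 blob.
FLAG_RE = re.compile(r"(?:^|\s)-([a-z]+)\s+([A-Za-z0-9+/]{16,}={0,2})(?=\s|$)", re.I)


def decode_encoded_command(blob):
    """Decode base64 as UTF-16LE (PowerShell's -EncodedCommand format), else None."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def analyze_command_line(cmdline):
    """Return a list of finding tags for one process command line."""
    findings = []
    if AMSI_RE.search(cmdline):
        findings.append("amsi_reference")
    if INT_HOST_RE.search(cmdline):
        findings.append("obfuscated_network_parameter")
    for flag, blob in FLAG_RE.findall(cmdline):
        # PowerShell accepts any prefix of -EncodedCommand, plus the alias -ec.
        if flag.lower() != "ec" and not "encodedcommand".startswith(flag.lower()):
            continue
        decoded = decode_encoded_command(blob)
        if decoded is None:
            continue  # looked like base64 but is not a decodable command
        findings.append("base64_encoded_command")
        # Re-scan the decoded text so indicators hidden by encoding still surface.
        findings += ["decoded:" + tag for tag in analyze_command_line(decoded)]
    return findings


if __name__ == "__main__":
    # Constructed sample command lines (harmless strings, private address).
    marker = base64.b64encode("Write-Output 'AmsiUtils test marker'".encode("utf-16-le")).decode()
    samples = [
        "powershell.exe -NoProfile -enc " + marker,
        "cmd.exe /c curl http://3232235777/status",
        "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\report.ps1",
    ]
    for s in samples:
        print(analyze_command_line(s), "<-", s[:60])
```

Findings prefixed with `decoded:` were only visible after decoding, which is the kind of evidence that would justify raising the incident severity.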

Fig 2: Investigation and analysis portion of the playbook

Finally, during the remediation stage, if the alert is classified as malicious, the playbook either blocks all found indicators automatically or waits for an analyst to review the findings and perform the remediation manually, according to the playbook's configuration.

Fig 3: Auto-remediation based on alert classification

By adopting this playbook, organizations can equip their analysts with a streamlined and automated process, ensuring efficient handling of these alerts while minimizing complexity.

These updates are now available via our Cortex Marketplace for Cortex XSOAR and Cortex XSIAM, as part of the Core - Investigation and Response content pack.

Ready for a test-drive? Request a demo today!
