Before using the playbook, you must do the following in KUMA:
The [KL] P003 "Suspicious child process from wmiprvse.exe" predefined playbook allows you to detect and respond to parent/child process pairs that deviate from the norm and must be treated as suspicious.
The alert that triggers the playbook is created by the R297_Suspicious child process from wmiprvse.exe correlation rule. This rule detects the launch of suspicious child processes by wmiprvse.exe (the WMI Provider Host).
The Trigger section of the playbook contains the following expression:
[.OriginalEvents[] | .ExternalID == "R297"] | any
During execution, this playbook launches the following response actions, in this order (see the Algorithm section below):
1. blockLDAPAccount: blocks the LDAP accounts of the alert's user assets that are marked as attackers (Type "user" with IsAttacker set).
2. killProcess: for every non-empty DestinationProcessName found in the alert's original events, terminates the process with that path on every host asset of the alert (one killProcess action per process path, on all hosts of the alert, not only the host where the event was observed).
3. avScan: starts a full antivirus scan of the alert's host assets; the playbook does not wait for the scan to finish (wait is false).
By default, network drives are not scanned, to avoid overloading the system. If you want to scan network drives as well, duplicate this playbook and set the allowScanNetworkDrives parameter to true in the Algorithm section of the copy.
The Algorithm section of the playbook contains the following sequence of response actions:
{
  "dslSpecVersion": "1.1.0",
  "version": "1",
  "actionSpecVersion": "1",
  "executionFlow": [
    {
      "action": {
        "function": {
          "type": "blockLDAPAccount",
          "assets": "${[ alert.Assets[] | select(.Type == \"user\" and .IsAttacker) | .ID]}"
        },
        "onError": "stop"
      }
    },
    {
      "loop": {
        "input": "${ [alert.OriginalEvents[] | [select(.DestinationProcessName != null and .DestinationProcessName != \"\")][] | .DestinationProcessName] }",
        "onError": "stop",
        "steps": [
          {
            "action": {
              "function": {
                "type": "killProcess",
                "params": {
                  "path": "${ .[0] }"
                },
                "assets": "${[ alert.Assets[] | select(.Type == \"host\") | .ID]}"
              }
            }
          }
        ]
      }
    },
    {
      "action": {
        "function": {
          "type": "avScan",
          "params": {
            "scope": {
              "area": "full",
              "allowScanNetworkDrives": false
            },
            "wait": false
          },
          "assets": "${[ alert.Assets[] | select(.Type == \"host\") | .ID]}"
        },
        "onError": "stop"
      }
    }
  ]
}
If an error occurs during the execution of any response action, the playbook is terminated.
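The following is an added example, not KUMA's own code or part of the original page. It re-implements in plain Python the selection logic written in the Trigger expression and in the Algorithm section above (the jq-style `${ ... }` expressions), and runs it against a constructed alert so you can see exactly which assets and process paths each response action would receive, which events the loop filter drops, and what changes when allowScanNetworkDrives is set to true. The alert layout (Assets[].ID/Type/IsAttacker, OriginalEvents[].ExternalID/DestinationProcessName) is an assumption modelled on the field names used in those expressions; a real KUMA alert carries many more fields.

```python
# Added example (not KUMA code): plain-Python equivalent of the playbook's
# Trigger and Algorithm expressions, evaluated against a constructed alert.
# The alert structure is an assumption based on the field names in the expressions.
from typing import Any

RULE_ID = "R297"  # ExternalID the Trigger expression looks for in OriginalEvents

# Constructed sample alert; all IDs and paths are illustrative.
SAMPLE_ALERT: dict[str, Any] = {
    "Assets": [
        {"ID": "host-0001", "Type": "host", "IsAttacker": False},
        {"ID": "user-jdoe", "Type": "user", "IsAttacker": True},
        {"ID": "user-svc-backup", "Type": "user", "IsAttacker": False},
    ],
    "OriginalEvents": [
        {"ExternalID": "R297",
         "SourceProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
         "DestinationProcessName": r"C:\Windows\System32\cmd.exe"},
        {"ExternalID": "R297",
         "SourceProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
         "DestinationProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
        # Same child path again: the loop input does not de-duplicate,
        # so a second killProcess for cmd.exe is issued.
        {"ExternalID": "R297",
         "SourceProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
         "DestinationProcessName": r"C:\Windows\System32\cmd.exe"},
        # Dropped by the loop's select(): empty and null process names.
        {"ExternalID": "R297", "DestinationProcessName": ""},
        {"ExternalID": "R297", "DestinationProcessName": None},
    ],
}


def trigger_fires(alert: dict[str, Any]) -> bool:
    """Trigger: [.OriginalEvents[] | .ExternalID == "R297"] | any"""
    return any(e.get("ExternalID") == RULE_ID for e in alert.get("OriginalEvents", []))


def attacker_user_ids(alert: dict[str, Any]) -> list[str]:
    """Assets for blockLDAPAccount: select(.Type == "user" and .IsAttacker) | .ID"""
    return [a["ID"] for a in alert.get("Assets", [])
            if a.get("Type") == "user" and bool(a.get("IsAttacker"))]


def host_ids(alert: dict[str, Any]) -> list[str]:
    """Assets for killProcess and avScan: select(.Type == "host") | .ID"""
    return [a["ID"] for a in alert.get("Assets", []) if a.get("Type") == "host"]


def child_process_paths(alert: dict[str, Any]) -> list[str]:
    """Loop input: DestinationProcessName of every original event where it is
    neither null nor an empty string. Order and duplicates are preserved."""
    return [e["DestinationProcessName"] for e in alert.get("OriginalEvents", [])
            if e.get("DestinationProcessName") not in (None, "")]


def plan_actions(alert: dict[str, Any],
                 allow_scan_network_drives: bool = False) -> list[dict[str, Any]]:
    """Expand executionFlow into the ordered list of concrete actions.
    Returns [] when the Trigger does not match, mirroring a playbook that never starts."""
    if not trigger_fires(alert):
        return []
    hosts = host_ids(alert)
    actions: list[dict[str, Any]] = [
        {"type": "blockLDAPAccount", "assets": attacker_user_ids(alert)},
    ]
    # One killProcess per loop item (${ .[0] }), each targeting every host asset.
    for path in child_process_paths(alert):
        actions.append({"type": "killProcess", "path": path, "assets": hosts})
    actions.append({"type": "avScan", "area": "full",
                    "allowScanNetworkDrives": allow_scan_network_drives,
                    "wait": False, "assets": hosts})
    return actions


if __name__ == "__main__":
    for step in plan_actions(SAMPLE_ALERT):
        print(step)
```

Running it shows five actions for the sample alert: one blockLDAPAccount for user-jdoe only (user-svc-backup is not flagged as attacker), three killProcess actions (cmd.exe twice, powershell.exe once) each aimed at host-0001, and a final full avScan with allowScanNetworkDrives false. Passing allow_scan_network_drives=True corresponds to the edited copy of the playbook described above.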