[KL] P003 "Suspicious child process from wmiprvse.exe"

May 15, 2024

ID 271772

Before using the playbook, you must do the following in KUMA:

The [KL] P003 "Suspicious child process from wmiprvse.exe" predefined playbook allows you to detect parent/child process pairs that deviate from the norm and must be treated as suspicious.

The alert that triggers the playbook is created according to the R297_Suspicious child process from wmiprvse.exe correlation rule. This rule helps to detect the launch of suspicious processes on behalf of wmiprvse.exe.

The Trigger section of the playbook contains the following expression:

[.OriginalEvents[] | .ExternalID == "R297"] | any

During execution, this playbook launches the following response actions:

  1. Responding through Active Directory: the account of the attacker is blocked.
  2. Terminating the process on the device that is registered in the alert.
  3. Running a malware scan: a full scan is performed on the device where the alert was detected.

    By default, network drives are not scanned, to avoid overloading the system. If you want to scan the network drives, you have to duplicate this playbook, and then set the allowScanNetworkDrives parameter to true in the Algorithm section.

The Algorithm section of the playbook contains the following sequence of response actions:

{
  "dslSpecVersion": "1.0.0",
  "version": "1",
  "responseActionsSpecVersion": "1",
  "executionFlow": [
    {
      "responseAction": {
        "function": {
          "type": "blockLDAPAccount",
          "assets": "${[ alert.Assets[] | select(.Type == \"user\" and .IsAttacker) | .ID]}"
        },
        "onError": "stop"
      }
    },
    {
      "split": {
        "input": "${ [alert.OriginalEvents[] | [select(.DestinationProcessName != null and .DestinationProcessName != \"\")][] | .DestinationProcessName] }",
        "onError": "stop",
        "steps": [
          {
            "responseAction": {
              "function": {
                "type": "killProcess",
                "params": {
                  "path": "${ .[0] }"
                },
                "assets": "${[ alert.Assets[] | select(.Type == \"host\") | .ID]}"
              }
            }
          }
        ]
      }
    },
    {
      "responseAction": {
        "function": {
          "type": "avScan",
          "params": {
            "scope": {
              "area": "full",
              "allowScanNetworkDrives": false
            },
            "wait": false
          },
          "assets": "${[ alert.Assets[] | select(.Type == \"host\") | .ID]}"
        },
        "onError": "stop"
      }
    }
  ]
}

If an error occurs during the execution of any response action, the playbook is terminated.
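The following is an added example, not part of the KUMA documentation or the product: it emulates in Python how the playbook's jq-style selectors resolve against a constructed sample alert, so you can see which accounts get blocked, which processes the split iterates over, and in what order the actions run. It assumes that a split step receives one element of the input array at a time and that `.[0]` inside the step refers to that element.

```python
from typing import Any

# Constructed sample alert in the shape the playbook's expressions expect.
SAMPLE_ALERT: dict[str, Any] = {
    "Assets": [
        {"ID": "user-1", "Type": "user", "IsAttacker": True},
        {"ID": "user-2", "Type": "user", "IsAttacker": False},  # victim account, must not be blocked
        {"ID": "host-1", "Type": "host"},
    ],
    "OriginalEvents": [
        {"ExternalID": "R297", "DestinationProcessName": "C:\\Windows\\Temp\\a.exe"},
        {"ExternalID": "R297", "DestinationProcessName": ""},    # empty name, filtered out by the split input
        {"ExternalID": "R100", "DestinationProcessName": None},  # other rule, null name
    ],
}

def trigger_matches(alert: dict[str, Any]) -> bool:
    # Trigger: [.OriginalEvents[] | .ExternalID == "R297"] | any
    return any(e.get("ExternalID") == "R297" for e in alert["OriginalEvents"])

def attacker_user_ids(alert: dict[str, Any]) -> list[str]:
    # blockLDAPAccount assets: select(.Type == "user" and .IsAttacker) | .ID
    return [a["ID"] for a in alert["Assets"] if a.get("Type") == "user" and a.get("IsAttacker")]

def host_ids(alert: dict[str, Any]) -> list[str]:
    # killProcess / avScan assets: select(.Type == "host") | .ID
    return [a["ID"] for a in alert["Assets"] if a.get("Type") == "host"]

def split_process_names(alert: dict[str, Any]) -> list[str]:
    # split input: keep DestinationProcessName values that are neither null nor ""
    return [e["DestinationProcessName"] for e in alert["OriginalEvents"]
            if e.get("DestinationProcessName") not in (None, "")]

def plan_actions(alert: dict[str, Any]) -> list[tuple[str, Any]]:
    """Return the ordered response actions the playbook would issue for this alert."""
    if not trigger_matches(alert):
        return []  # playbook is not started at all
    actions: list[tuple[str, Any]] = [("blockLDAPAccount", attacker_user_ids(alert))]
    # Assumption: the split runs its step once per element, with ".[0]" bound to that element.
    for name in split_process_names(alert):
        actions.append(("killProcess", {"path": name, "assets": host_ids(alert)}))
    actions.append(("avScan", {"area": "full", "allowScanNetworkDrives": False,
                               "wait": False, "assets": host_ids(alert)}))
    return actions
```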
