[KL] P001 "Creation of executable files by office applications"

May 15, 2024

ID 271609

This playbook contains the Responding through KASAP response action, and can be used only as a template. If you want to launch the playbook, click the Duplicate and edit button. In the Edit playbook window that opens, in the Algorithm section, specify the KASAP group ID for the groupId parameter.

Before using the playbook, you must configure enrichment in KUMA to get Windows Event Log.

By default, the playbook launches the response actions for all users in the alert. If you want the playbook to launch the response actions only for the victim account, you can do the following:

  1. In KUMA, configure the enrichment rule settings. For the event enrichment that has the Event type selected as the Source kind setting, specify the VictimUserID value in the Target field.
  2. In the Algorithm section of the playbook, add the and .IsVictim condition to the select filter of the assets parameter, as shown below:

    "assets": "${[ alert.Assets[] | select(.Type == \"user\" and .IsVictim) | .ID]}"

The [KL] P001 "Creation of executable files by office applications" predefined playbook allows you to prevent an attacker from abusing office applications, for example, in a phishing attack where a user opens an infected document, and the document then creates an executable file and runs it.

The alert that triggers the playbook is created according to the Creation of executable files by office applications correlation rule. This rule helps to detect the creation of files with suspicious extensions such as scripts and executable files on behalf of office applications.

The Trigger section of the playbook contains the following expression:

[.OriginalEvents[] | .ExternalID == "R350"] | any
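The trigger expression and the two variants of the assets filter (with and without the .IsVictim condition) are jq-style filters evaluated by XDR over the alert. The following Python script is an added example that re-implements that selection logic over a constructed alert so you can see which users each variant returns; it is not the XDR engine's evaluator and not part of this page. The alert document, asset IDs and the IsVictim flag values are constructed for the example; the field names are the ones used in the playbook expressions.

```python
"""Evaluate the playbook's trigger and assets filters over a constructed alert.

Added example: a Python re-implementation of the jq-style filters, not the
XDR engine. SAMPLE_ALERT is constructed for this example.
"""
import json

# Constructed sample alert: one correlation event from rule R350, two user
# assets (the victim is flagged via the VictimUserID enrichment) and one host.
SAMPLE_ALERT = json.loads("""
{
  "OriginalEvents": [
    {"ExternalID": "R350",
     "Name": "Creation of executable files by office applications"}
  ],
  "Assets": [
    {"Type": "user", "ID": "user-victim-0001", "IsVictim": true},
    {"Type": "user", "ID": "user-attacker-0002", "IsVictim": false},
    {"Type": "host", "ID": "host-0003"}
  ]
}
""")


def trigger_matches(alert: dict, rule_id: str = "R350") -> bool:
    """Equivalent of: [.OriginalEvents[] | .ExternalID == "R350"] | any"""
    return any(ev.get("ExternalID") == rule_id
               for ev in alert.get("OriginalEvents", []))


def select_user_ids(alert: dict, victim_only: bool = False) -> list:
    """Equivalent of the assets parameter:
      ${[ alert.Assets[] | select(.Type == "user") | .ID]}               (victim_only=False)
      ${[ alert.Assets[] | select(.Type == "user" and .IsVictim) | .ID]} (victim_only=True)
    An asset without an IsVictim field is treated as a non-victim, matching
    jq, where `.IsVictim` on a missing key yields null (falsy).
    """
    ids = []
    for asset in alert.get("Assets", []):
        if asset.get("Type") != "user":
            continue
        if victim_only and not asset.get("IsVictim"):
            continue
        ids.append(asset["ID"])
    return ids


if __name__ == "__main__":
    print("trigger fires:", trigger_matches(SAMPLE_ALERT))
    print("all users:   ", select_user_ids(SAMPLE_ALERT))
    print("victim only: ", select_user_ids(SAMPLE_ALERT, victim_only=True))
```

Without the .IsVictim condition, both the victim and the attacker account are passed to the response actions (so both passwords are reset and both accounts get the course); with it, only the account flagged by the KUMA enrichment is selected, which is why the enrichment rule has to be configured first.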

During execution, this playbook launches the following response actions:

  1. Responding through Active Directory, and then resetting the passwords of both the attacker and the victim accounts.

    If an error occurs during the execution of the response action, the playbook is terminated.

  2. Responding through KASAP, and then assigning an information security course to the account.

    If an error occurs during the execution of the response action, the execution of the playbook will continue.

The Algorithm section of the playbook contains the following sequence of response actions:

{
  "dslSpecVersion": "1.0.0",
  "version": "1",
  "responseActionsSpecVersion": "1",
  "executionFlow": [
    {
      "responseAction": {
        "function": {
          "type": "resetLDAPPassword",
          "assets": "${[ alert.Assets[] | select(.Type == \"user\") | .ID]}"
        },
        "onError": "stop"
      }
    },
    {
      "responseAction": {
        "function": {
          "type": "assignKasapGroup",
          "assets": "${[ alert.Assets[] | select(.Type == \"user\") | .ID]}",
          "params": {
            "groupId": "SET KASAP GROUP ID"
          }
        },
        "onError": "continue"
      }
    }
  ]
}
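Because the template ships with the groupId placeholder and the two actions differ in their onError setting, it is worth checking a duplicated copy before launching it. The script below is an added example, not XDR code: it parses the Algorithm section shown above, reports any params value still set to the placeholder, and dry-runs the executionFlow with stand-in handlers to show that a failure in the resetLDAPPassword action terminates the run while a failure in assignKasapGroup lets it continue. The handler stand-ins and the simulated failures are constructed for the example; the real actions are performed by XDR.

```python
"""Pre-launch check and dry run of the playbook's Algorithm section.

Added example: a simplified simulation of the execution flow, not the XDR
engine. ALGORITHM is a copy of the Algorithm JSON from this page; the
handlers are stand-ins that only record what they would do.
"""
import json

PLACEHOLDER = "SET KASAP GROUP ID"

ALGORITHM = json.loads(r'''
{
  "dslSpecVersion": "1.0.0",
  "version": "1",
  "responseActionsSpecVersion": "1",
  "executionFlow": [
    {"responseAction": {
       "function": {"type": "resetLDAPPassword",
                    "assets": "${[ alert.Assets[] | select(.Type == \"user\") | .ID]}"},
       "onError": "stop"}},
    {"responseAction": {
       "function": {"type": "assignKasapGroup",
                    "assets": "${[ alert.Assets[] | select(.Type == \"user\") | .ID]}",
                    "params": {"groupId": "SET KASAP GROUP ID"}},
       "onError": "continue"}}
  ]
}
''')


def find_placeholders(algorithm: dict) -> list:
    """Return (step index, action type, param name) for every params value
    still equal to the template placeholder."""
    found = []
    for i, step in enumerate(algorithm["executionFlow"]):
        fn = step["responseAction"]["function"]
        for name, value in fn.get("params", {}).items():
            if value == PLACEHOLDER:
                found.append((i, fn["type"], name))
    return found


def run(algorithm: dict, handlers: dict) -> tuple:
    """Dry-run the flow. handlers maps action type -> callable(function dict)
    that raises on failure. Returns (list of (type, outcome), terminated_early).
    "onError": "stop" ends the run at the failing action; "continue" moves on."""
    executed = []
    for step in algorithm["executionFlow"]:
        ra = step["responseAction"]
        action_type = ra["function"]["type"]
        try:
            handlers[action_type](ra["function"])
            executed.append((action_type, "ok"))
        except Exception as exc:  # the stand-in raises to simulate an action error
            executed.append((action_type, f"error: {exc}"))
            if ra["onError"] == "stop":
                return executed, True
    return executed, False


def _ok(fn):
    """Stand-in handler that succeeds."""


def _fail(fn):
    """Stand-in handler that simulates a response action error."""
    raise RuntimeError("simulated failure")


if __name__ == "__main__":
    print("unset placeholders:", find_placeholders(ALGORITHM))
    print("AD action fails:  ", run(ALGORITHM, {"resetLDAPPassword": _fail,
                                                  "assignKasapGroup": _ok}))
    print("KASAP action fails:", run(ALGORITHM, {"resetLDAPPassword": _ok,
                                                  "assignKasapGroup": _fail}))
```

Running the script on the unmodified template reports the groupId placeholder in step 1 (assignKasapGroup), which is the value you must replace in the Edit playbook window before launching; the two dry runs reproduce the error handling described above.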
