Unauthorized exploitation tool containment
Playbook Description
This playbook responds to the use of unauthorized exploitation tools. It checks the file reputation, validates the user's privileges and behavior, evaluates the risk score, and terminates and quarantines malicious processes. It also analyzes process trees, runs a Microsoft Defender scan, blocks malicious IPs, logs off the user and removes persistence to remediate the attack.
MITRE ATT&CK mapping
| Tactics | Techniques | Sub-techniques |
|---|---|---|
| Discovery(TA0007) | Account Discovery(T1087) | Domain Account(T1087.002) |
MITRE D3FEND mapping
| Tactics | Techniques | Sub-techniques |
|---|---|---|
| Evict(D3-Evict) | Process Eviction(D3-PE) | Process Termination(D3-PT) |
| Evict(D3-Evict) | Credential Eviction(D3-CE) | Account Locking(D3-AL) |
Playbook input type
Alert
Prerequisites
- PowerShell 3.0+
- Script execution policy that allows the playbook scripts to run on the target device.
- Provide credentials with domain/local admin privileges.
- Microsoft Defender should be enabled.
- Connections:
- VirusTotal connection - Create a connection for VirusTotal using an API key (required for IP reputation checks).
- Windows Credentials - Go to Settings -> Devices -> Windows Devices. Provide/update the credentials of the respective Windows device with admin privileges.
Playbook creation input
- connectionName - Provide the VirusTotal connection name for executing the VirusTotal APIs.
Dependencies
Extensions - VirusTotal
- virustotal_ipReputation
- virustotal_calculateRiskScore
Utility functions:
- utility_convertTimeToUTC
- utility_getRequiredTime
- windows_detectMaliciousUser
- windows_detectMaliciousProcessChain
- utility_extractMaliciousEntitiesByRiskScore
- utility_convertToString
- utility_sendMail
Scripts
| Script Name | Description | Arguments |
|---|---|---|
| FetchUserDetails.ps1 | Fetches detailed user information (password expiry, group memberships, admin status) for both domain (AD) and local users | Name |
| StopAndQuarantineProcess.ps1 | Terminates processes by PID (decimal or hex) or by executable file path, then quarantines the executable to a forensic directory. Protects critical OS processes and the SOAR agent from termination. | ProcessIdentifiers |
| GetExternalConnections.ps1 | Lists all established non-loopback TCP connections with their local/remote addresses, ports and PIDs, plus a summary of unique remote IPs. | - |
| BlockIP.ps1 | Creates or updates Windows Firewall rules to block network traffic to/from one or more IP addresses. Uses consolidated rules (SOAR_AutoBlock_IP_Inbound / SOAR_AutoBlock_IP_Outbound): new IPs are merged into the existing rule rather than creating a rule per IP. Validates the IP format, checks the firewall profile status, and reports per-IP results. | IpString, Direction |
| StopProcess.ps1 | Stops processes by PID or file path. Supports hex PIDs and comma-separated inputs. Skips protected PowerShell executables. | ProcessIdentifiers |
| FetchPersistenceEntries.ps1 | Scans for persistence mechanisms including scheduled tasks, registry Run/RunOnce keys, startup folder entries, and services to identify potential malicious persistence. | - |
| TerminateSession.ps1 | Logs off one or more user sessions using logoff, with optional RDP-only filtering by remote IP. | UserNames |
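The StopAndQuarantineProcess.ps1 row above describes three things a practitioner needs to get right: accepting decimal and hex PIDs as well as paths, refusing to kill protected processes, and moving the image to an evidence directory only after the process is gone (the file is locked while it runs). The following is an added example of that routine; it is not the playbook's own script. The quarantine root, the protected-name list and the placeholder agent name SoarAgent are assumptions.

```powershell
# Added example: stop-and-quarantine routine. Not the playbook's StopAndQuarantineProcess.ps1.
# Assumed values: $QuarantineRoot, $ProtectedNames and the 'SoarAgent' placeholder name.
# Get-FileHash requires PowerShell 4.0 or later.

$QuarantineRoot = 'C:\SOAR_Quarantine'
$ProtectedNames = @('System', 'Idle', 'smss', 'csrss', 'wininit', 'winlogon',
                    'services', 'lsass', 'svchost', 'explorer', 'SoarAgent')

function Resolve-TargetProcess {
    # Accepts a decimal PID ("1234"), a hex PID ("0x4D2") or an executable path.
    param([Parameter(Mandatory)][string]$Identifier)
    $id = $Identifier.Trim()
    if ($id -match '^0x[0-9a-fA-F]+$') {
        return @(Get-Process -Id ([Convert]::ToInt32($id.Substring(2), 16)) -ErrorAction SilentlyContinue)
    }
    if ($id -match '^\d+$') {
        return @(Get-Process -Id ([int]$id) -ErrorAction SilentlyContinue)
    }
    # Anything else is treated as a path and matched against the image path of running processes.
    return @(Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path -and $_.Path -ieq $id })
}

function Stop-AndQuarantineProcess {
    param(
        [Parameter(Mandatory)][string]$ProcessIdentifiers,   # comma-separated PIDs and/or paths
        [string]$Root = $QuarantineRoot
    )
    $caseDir = Join-Path $Root (Get-Date -Format 'yyyyMMdd_HHmmss')
    New-Item -ItemType Directory -Path $caseDir -Force | Out-Null

    foreach ($ident in ($ProcessIdentifiers -split ',')) {
        foreach ($proc in (Resolve-TargetProcess -Identifier $ident)) {
            $result = [pscustomobject]@{
                Pid           = $proc.Id
                Name          = $proc.ProcessName
                Path          = $proc.Path
                Action        = ''
                QuarantinedTo = $null
                Sha256        = $null
            }
            # Guard: never kill core OS processes, the SOAR agent, or the PowerShell host running this code.
            if ($ProtectedNames -contains $proc.ProcessName -or $proc.Id -eq $PID) {
                $result.Action = 'Skipped (protected)'
                $result
                continue
            }
            try {
                # Terminate first: the image file cannot be moved while the process holds it open.
                Stop-Process -Id $proc.Id -Force -ErrorAction Stop
                Wait-Process -Id $proc.Id -Timeout 10 -ErrorAction SilentlyContinue
                $result.Action = 'Terminated'
                if ($proc.Path -and (Test-Path -LiteralPath $proc.Path)) {
                    # Hash before moving so the evidence record ties back to the original file.
                    $result.Sha256 = (Get-FileHash -LiteralPath $proc.Path -Algorithm SHA256).Hash
                    $dest = Join-Path $caseDir ('{0}.{1}.quarantined' -f (Split-Path $proc.Path -Leaf), $result.Sha256.Substring(0, 12))
                    Move-Item -LiteralPath $proc.Path -Destination $dest -Force
                    # Sidecar note with the original location for the forensic reviewer.
                    "OriginalPath=$($proc.Path)`nSHA256=$($result.Sha256)" | Set-Content -LiteralPath "$dest.txt"
                    $result.QuarantinedTo = $dest
                    $result.Action = 'Terminated and quarantined'
                }
            } catch {
                $result.Action = "Failed: $($_.Exception.Message)"
            }
            $result
        }
    }
}

# Usage (run elevated); the identifiers are constructed sample input:
# Stop-AndQuarantineProcess -ProcessIdentifiers '0x4D2,5678,C:\Users\Public\tool.exe' | Format-Table -AutoSize
```

Renaming the quarantined file with a `.quarantined` suffix keeps it from being re-executed by a double-click or a lingering persistence entry, and the sidecar text file preserves the original path and hash so the reviewer can correlate with Defender and VirusTotal results later.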
Connections
VirusTotal connection - Connect to the VirusTotal API with an API key; the playbook uses it to look up the reputation of IPs, URLs and files.
Sub playbooks
- Windows - File enrichment
- Windows Defender quick scan
Execution workflow
Investigation:
- Executes the "Windows - File enrichment" sub-playbook.
- Retrieves user privileges.
- Validates the user.
- Retrieves the user risk score.
Decision logic:
- Proceeds to remediation based on the following conditions:
- The user has administrator privileges.
- The file or process reputation indicates high risk.
- The file or process reputation indicates medium or higher risk.
- The user is flagged as malicious based on behavior analysis.
- If suspicious but not confirmed malicious, sends a notification for manual review and stops further actions.
- If no malicious indicators are confirmed, the playbook ends with no further actions.
Remediation:
- Terminates and quarantines the process.
- Retrieves the process tree.
- Checks the process chain for malicious activity.
- Checks for malicious processes.
- Terminates the process.
- Executes the "Windows Defender quick scan" sub-playbook.
- Retrieves the external connections.
- Checks the IP reputations in batch.
- Calculates the risk score in batch.
- Identifies malicious entities based on their risk scores.
- Checks the malicious IPs.
- Blocks the IPs.
- Logs off the user.
- Removes persistence.
- Validates if all remediation actions are completed successfully.
- Builds the notification email with remediation details and findings.
- Sends a notification email regarding the actions taken and required next steps.
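The remediation steps "Retrieves the external connections", "Checks the malicious IPs" and "Blocks the IPs" hinge on two details the scripts table only names: filtering loopback connections out before reputation lookups, and merging new IPs into one consolidated firewall rule instead of creating a rule per IP. The following added example (not the playbook's GetExternalConnections.ps1 or BlockIP.ps1) wires those steps together. The rule names are the ones this page documents; the allow-list of ranges that automation must never block, and the `-MaliciousIps` input standing in for the VirusTotal risk-score output, are assumptions.

```powershell
# Added example, not the playbook's GetExternalConnections.ps1 or BlockIP.ps1.
# Rule names follow the page (SOAR_AutoBlock_IP_Inbound / SOAR_AutoBlock_IP_Outbound).
# Assumed: the "never block private/loopback/link-local" policy and that the malicious
# IP list is supplied by the caller (in the playbook it comes from VirusTotal risk scoring).

function Get-ExternalConnection {
    # Established TCP connections whose remote end is not loopback/unspecified, with owning process.
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$|::$)' } |
        ForEach-Object {
            [pscustomobject]@{
                LocalAddress  = $_.LocalAddress
                LocalPort     = $_.LocalPort
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                OwningPid     = $_.OwningProcess
                ProcessName   = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            }
        }
}

function Test-BlockableIp {
    # Syntactic check plus ranges automation must never block (assumed policy).
    param([Parameter(Mandatory)][string]$Ip)
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$parsed)) { return $false }
    # TryParse accepts "1" as 0.0.0.1; require a dotted quad or an IPv6 literal.
    if ($Ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$' -and $Ip -notmatch ':') { return $false }
    if ([System.Net.IPAddress]::IsLoopback($parsed) -or $parsed.IsIPv6LinkLocal) { return $false }
    if ($parsed.ToString() -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|0\.)') { return $false }
    return $true
}

function Add-BlockedIp {
    param(
        [Parameter(Mandatory)][string[]]$IpAddresses,
        [ValidateSet('Inbound', 'Outbound', 'Both')][string]$Direction = 'Both'
    )
    # A disabled profile means the rule exists but enforces nothing there; surface that.
    $off = Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -ne 'True' }
    if ($off) { Write-Warning ("Firewall disabled for profile(s): {0}" -f ($off.Name -join ', ')) }

    $valid = @($IpAddresses | Where-Object { Test-BlockableIp $_ } | Sort-Object -Unique)
    if (-not $valid) { Write-Warning 'No blockable IPs supplied'; return }

    $dirs = if ($Direction -eq 'Both') { @('Inbound', 'Outbound') } else { @($Direction) }
    foreach ($d in $dirs) {
        $name = "SOAR_AutoBlock_IP_$d"
        $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        if ($rule) {
            # Merge into the single consolidated rule instead of creating one rule per IP.
            $existing = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress) | Where-Object { $_ -and $_ -ne 'Any' }
            $merged   = @(@($existing) + @($valid) | Sort-Object -Unique)
            Set-NetFirewallRule -DisplayName $name -RemoteAddress $merged -Enabled True
        } else {
            New-NetFirewallRule -DisplayName $name -Direction $d -Action Block `
                -RemoteAddress $valid -Profile Any -Enabled True | Out-Null
            $merged = $valid
        }
        # Per-IP result for the notification email.
        foreach ($ip in $IpAddresses) {
            [pscustomobject]@{
                Direction = $d
                Ip        = $ip
                Rule      = $name
                Status    = $(if ($merged -contains $ip) { 'Blocked' } else { 'Rejected (invalid or protected range)' })
            }
        }
    }
}

function Block-MaliciousExternalIp {
    # Blocks only remote IPs that are both currently connected and flagged malicious.
    param([Parameter(Mandatory)][string[]]$MaliciousIps)
    $connected = @(Get-ExternalConnection | Select-Object -ExpandProperty RemoteAddress -Unique)
    $targets   = @($connected | Where-Object { $MaliciousIps -contains $_ })
    if (-not $targets) { Write-Verbose 'No malicious IPs among live connections'; return }
    Add-BlockedIp -IpAddresses $targets -Direction Both
}

# Usage (run elevated); the IPs are constructed sample input from documentation ranges:
# Block-MaliciousExternalIp -MaliciousIps @('198.51.100.23', '203.0.113.9') | Format-Table -AutoSize
```

Reading the current address filter back and writing the union keeps the rule count constant no matter how many alerts fire, which matters because hundreds of per-IP rules slow the firewall service and make the "review blocked IP addresses" step in the post-execution procedure impractical.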
Post execution procedure
- Review the quarantined exploitation tool for further forensic analysis.
- Investigate whether the tool was used to access sensitive data or escalate privileges.
- Check for any additional indicators of compromise on the affected host.
- Review blocked IP addresses to ensure no legitimate traffic was affected.
- Confirm that the affected user is notified about the actions taken.
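The post-execution step "Check for any additional indicators of compromise on the affected host" is where a second look at persistence pays off, since the remediation only removes what the earlier scan found. The following added example (not the playbook's FetchPersistenceEntries.ps1) enumerates the same four locations the scripts table lists for that script and flags entries that deserve a closer look. The suspicious-pattern heuristics in `Find-SuspiciousPersistence` are assumptions and should be tuned to the environment.

```powershell
# Added example for the post-execution IOC sweep; not the playbook's FetchPersistenceEntries.ps1.
# The regex heuristics below are assumptions, not a vendor detection list.

function Get-PersistenceEntry {
    $entries = New-Object System.Collections.Generic.List[object]
    function Add-Entry($Type, $Name, $Command, $Location) {
        $entries.Add([pscustomobject]@{ Type = $Type; Name = $Name; Command = [string]$Command; Location = $Location })
    }

    # 1. Run / RunOnce keys (machine, user and 32-bit views)
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object { Add-Entry 'RegistryRun' $_.Name $_.Value $key }
    }

    # 2. Startup folders (per-user and all-users)
    foreach ($dir in "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                     "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp") {
        if (Test-Path $dir) {
            Get-ChildItem -Path $dir -File | ForEach-Object { Add-Entry 'StartupFolder' $_.Name $_.FullName $dir }
        }
    }

    # 3. Scheduled tasks outside the \Microsoft\ tree (Exec actions only)
    Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute) { Add-Entry 'ScheduledTask' $task.TaskName ("$($a.Execute) $($a.Arguments)".Trim()) $task.TaskPath }
        }
    }

    # 4. Auto-start services
    Get-CimInstance -ClassName Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } |
        ForEach-Object { Add-Entry 'Service' $_.Name $_.PathName "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)" }

    return $entries
}

function Find-SuspiciousPersistence {
    # Flags entries launching from user-writable paths, script hosts with encoded/hidden/remote
    # arguments, or services with an unquoted path containing spaces (assumed heuristics).
    param([Parameter(Mandatory)][object[]]$Entries)
    $Entries | Where-Object {
        $cmd = $_.Command
        if (-not $cmd) { return $false }
        ($cmd -match '(?i)\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|Temp|Public)\\') -or
        ($cmd -match '(?i)\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd)(\.exe)?\b.*(\s-e(nc\w*)?\s|-w(indowstyle)?\s+hidden|https?://|javascript:)') -or
        ($_.Type -eq 'Service' -and $cmd -notlike '"*' -and $cmd -match '\s' -and $cmd -notmatch '^[A-Za-z]:\\Windows\\')
    }
}

# Usage (run elevated to see HKLM and all-users entries):
# $all = Get-PersistenceEntry
# Find-SuspiciousPersistence -Entries $all | Format-Table Type, Name, Command, Location -AutoSize
```

Keep the full `$all` listing with the case notes as well: a tool that was quarantined earlier may still be referenced by a Run key or task that now fails silently, and that dangling reference is itself evidence of how the tool was meant to survive a reboot.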