Wsmprovhost LOLBAS execution mitigation
Playbook Description
Mitigates attacks using wsmprovhost.exe as LOLBAS by disabling WinRM, ending suspicious processes, removing persistence, handling compromised accounts, and isolating affected machines.
MITRE ATT&CK mapping
| Tactics | Techniques | Sub-techniques |
|---|---|---|
| Lateral Movement (TA0008) | Remote Services (T1021) | Windows Remote Management (T1021.006) |
MITRE D3FEND mapping
| Tactics | Techniques | Sub-techniques |
|---|---|---|
| Isolate (D3-Isolate) | Network Isolation (D3-NI) | - |
Playbook input type
Alert
Dependencies
Utility functions:
- utility_convertTimeToUTC
- utility_getRequiredTime
- windows_detectMaliciousProcessChain
- utility_sendMail
Scripts
| Script Name | Description | Arguments |
|---|---|---|
| StopAndQuarantineProcess.ps1 | Terminates processes by PID (decimal/hex) or by executable file path, then quarantines the executable to a forensic directory. Protects critical OS processes and the SOAR agent from termination. | ProcessIdentifiers |
| DisableWinRM.ps1 | Disables PowerShell Remoting and stops/disables the WinRM service. | - |
| TerminateSession.ps1 | Logs off one or more user sessions using the logoff command, with optional RDP-only filtering by remote IP. | userName |
| FetchPersistenceEntries.ps1 | Scans for persistence mechanisms including scheduled tasks, registry Run/RunOnce keys, startup folder entries, and services to identify potential malicious persistence. | - |
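The four persistence locations that FetchPersistenceEntries.ps1 covers can be enumerated with built-in cmdlets. The function below is an added example, not the playbook's own script: it returns one object per entry (type, name, command, state) so the output can be reviewed by an analyst or diffed against a known-good baseline. The filters that skip Microsoft-shipped task folders and services under the Windows directory are a noise-reduction assumption, not a claim that everything outside them is malicious.

```powershell
# Added example (not the playbook's FetchPersistenceEntries.ps1): enumerate scheduled
# tasks, Run/RunOnce keys, startup folders and services as a uniform list of objects.
function Get-PersistenceEntries {
    [CmdletBinding()]
    param()

    $entries = New-Object System.Collections.Generic.List[object]

    # 1. Scheduled tasks. Microsoft-shipped task folders are skipped to reduce noise (assumption).
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
        ForEach-Object {
            foreach ($a in $_.Actions) {
                $entries.Add([pscustomobject]@{
                    Type    = 'ScheduledTask'
                    Name    = "$($_.TaskPath)$($_.TaskName)"
                    Command = "$($a.Execute) $($a.Arguments)".Trim()
                    State   = [string]$_.State
                })
            }
        }

    # 2. Registry Run / RunOnce keys, machine-wide (including WOW6432Node) and current user.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($valueName in $item.GetValueNames()) {
            $entries.Add([pscustomobject]@{
                Type    = 'RegistryRun'
                Name    = "$key\$valueName"
                Command = [string]$item.GetValue($valueName)
                State   = 'n/a'
            })
        }
    }

    # 3. Per-user and all-users startup folders.
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($dir in $startupDirs) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
            $entries.Add([pscustomobject]@{
                Type    = 'StartupFolder'
                Name    = $_.FullName
                Command = $_.FullName
                State   = 'n/a'
            })
        }
    }

    # 4. Services whose binary lives outside the Windows directory (assumption: OS services live under it).
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and ($_.PathName.TrimStart('"') -notlike "$env:SystemRoot\*") } |
        ForEach-Object {
            $entries.Add([pscustomobject]@{
                Type    = 'Service'
                Name    = $_.Name
                Command = $_.PathName
                State   = "$($_.State)/$($_.StartMode)"
            })
        }

    return $entries
}

# Usage: review interactively, or pipe to Export-Csv for the incident record.
Get-PersistenceEntries | Sort-Object Type, Name | Format-Table -AutoSize
```

Run it once on a clean build of the same image to produce a baseline; on an affected host, `Compare-Object` between the baseline and the live output isolates what the attacker added far faster than reading the full list.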
Sub playbooks
- Windows Defender offline scan and monitor
Execution workflow
Investigation:
- Fetches the process tree.
- Checks the process reputation.
Decision logic:
- Proceeds to remediation only when a malicious execution flow was detected in the process tree.
- If the chain is suspicious but not confirmed malicious, sends a notification for manual review and stops further actions.
- If no malicious indicators are confirmed, the playbook ends with no further actions.
Remediation:
- Terminates and quarantines the malicious process.
- Disables and logs off the user.
- Disables WinRM.
- Removes the malicious scheduled task and any other persistence entries found.
- Executes the "Windows Defender quick scan" sub-playbook.
- Checks if any remediation failed.
- Builds the notification email with remediation details and findings.
- Sends a notification email regarding the actions taken and required next steps.
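The investigation and decision steps above can be reproduced from the host's own process-creation audit log. The function below is an added example, not the playbook's windows_detectMaliciousProcessChain utility: it reconstructs every process whose parent is wsmprovhost.exe from Security event 4688, classifies each child, and returns the three-way verdict the workflow branches on. It assumes "Audit Process Creation" with command-line logging is enabled, and the indicator list is a constructed placeholder that an analyst would replace with case-specific indicators.

```powershell
# Added example (not the playbook's own utility): build the wsmprovhost.exe child-process
# chain from Security 4688 events and apply the remediate / notify / close decision.
function Get-WsmprovhostChainVerdict {
    [CmdletBinding()]
    param(
        [datetime]$Since = (Get-Date).AddHours(-24),
        # Constructed placeholder: command-line substrings that confirm malice for this case.
        [string[]]$MaliciousIndicators = @('EXAMPLE_MALICIOUS_MARKER')
    )

    # Interpreters and script hosts whose launch from a WinRM provider host warrants a human look.
    $reviewWorthy = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } `
                           -ErrorAction SilentlyContinue

    # Flatten each event's EventData into named fields. 4688 stores PIDs as hex strings (0x...).
    $procs = foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            ProcessId   = [int]$d['NewProcessId']
            ParentId    = [int]$d['ProcessId']
            Image       = $d['NewProcessName']
            Parent      = $d['ParentProcessName']
            CommandLine = $d['CommandLine']
            User        = $d['SubjectUserName']
        }
    }

    $children = foreach ($p in ($procs | Where-Object { $_.Parent -like '*\wsmprovhost.exe' })) {
        $leaf = [IO.Path]::GetFileName($p.Image).ToLowerInvariant()
        $hit  = $MaliciousIndicators | Where-Object { $p.CommandLine -and $p.CommandLine -like "*$_*" }
        $class = if ($hit) { 'malicious' }
                 elseif ($reviewWorthy -contains $leaf) { 'suspicious' }
                 else { 'benign' }
        $p | Add-Member -NotePropertyName Classification -NotePropertyValue $class -PassThru
    }

    # Same branching as the playbook: any confirmed-malicious child triggers remediation,
    # suspicious-only leads to a manual-review notification, otherwise the case is closed.
    $verdict = if ($children | Where-Object Classification -eq 'malicious') { 'remediate' }
               elseif ($children | Where-Object Classification -eq 'suspicious') { 'notify' }
               else { 'close' }

    [pscustomobject]@{
        Verdict  = $verdict
        Children = @($children)
    }
}

# Usage: summarise the chain, then list the children that drove the verdict.
$result = Get-WsmprovhostChainVerdict
$result.Verdict
$result.Children | Select-Object Time, User, ProcessId, Image, Classification, CommandLine | Format-Table -Wrap
```

The `ParentProcessName` field on which the parent match relies is only populated on Windows 10 / Server 2016 and later; on older hosts the parent must be resolved by matching `ProcessId` against earlier events' `NewProcessId`, and a process-tree export from the EDR is usually the more reliable source.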
Post execution procedure
- Investigate whether the LOLBAS execution was part of a larger attack chain.
- Review WinRM configuration and re-enable only if necessary with proper restrictions.
- Audit the affected user account for unauthorized changes.
- Monitor the host for recurring alerts.
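For the WinRM review step, the following added example (not the playbook's DisableWinRM.ps1) reports the current state and offers two outcomes: disable remoting entirely, or keep it enabled but restricted to a management address range. The address range in the usage line is a constructed placeholder, and the service-side settings assume Kerberos/Negotiate authentication is in use so that Basic and unencrypted transport can be turned off.

```powershell
# Added example (not the playbook's DisableWinRM.ps1): report, disable, or restrict WinRM.

function Get-WinRmState {
    # Snapshot of service state and firewall exposure, useful before and after any change.
    $svc   = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        ServiceStatus        = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        StartType            = if ($svc) { [string]$svc.StartType } else { 'n/a' }
        FirewallRulesEnabled = @($rules | Where-Object { [string]$_.Enabled -eq 'True' }).Count
        FirewallRulesTotal   = $rules.Count
    }
}

function Disable-WinRmRemoting {
    # Order matters: remove the remoting configuration while the service can still answer,
    # then stop and disable the service, then close the inbound firewall rules.
    Disable-PSRemoting -Force
    Stop-Service -Name WinRM -Force
    Set-Service -Name WinRM -StartupType Disabled
    Disable-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue
}

function Limit-WinRmRemoting {
    param([Parameter(Mandatory)][string[]]$AllowedRemoteAddress)
    # Keep WinRM running but accept connections only from the given management addresses/subnets.
    Set-NetFirewallRule -DisplayGroup 'Windows Remote Management' -RemoteAddress $AllowedRemoteAddress
    # Assumption: Kerberos/Negotiate is available, so Basic auth and unencrypted transport are not needed.
    Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false
    Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $false
}

# Usage: record the state, choose one of the two actions, then record it again for the ticket.
Get-WinRmState
# Disable-WinRmRemoting
# Limit-WinRmRemoting -AllowedRemoteAddress @('10.0.0.0/24')   # constructed placeholder range
Get-WinRmState
```

Before calling `Disable-WinRmRemoting` on a host that is administered over WinRM, confirm that the SOAR agent and the management tooling use a different channel; otherwise the restricting function is the safer choice, since it preserves the management path while removing the open listener that the LOLBAS technique relies on.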