Windows Explorer masquerading mitigation
Playbook Description
Mitigates masquerading attacks in which a malicious process impersonates Windows Explorer or another trusted Windows binary (matching name, but a different path, signature, or parent). The playbook analyzes the process execution chain, terminates the malicious process, removes persistence mechanisms, handles the compromised account, terminates unauthorized remote connections, blocks the associated IPs, and notifies the security team immediately.
MITRE ATT&CK mapping
| Tactics | Techniques | Sub-techniques |
|---|---|---|
| Defense Evasion (TA0005) | Masquerading (T1036) | - |
| Execution (TA0002) | Command and Scripting Interpreter (T1059) | PowerShell (T1059.001) |
MITRE D3FEND mapping
| Tactics | Techniques | Sub-techniques |
|---|---|---|
| Isolate (D3-Isolate) | Network Isolation (D3-NI) | - |
| Evict (D3-Evict) | Process Eviction (D3-PE) | - |
Playbook input type
Alert
Playbook creation input
- connectionName - Provide the VirusTotal connection name for executing the VirusTotal APIs.
Dependencies
Extensions - VirusTotal
- virustotal_ipReputation
- virustotal_calculateRiskScore
Utility functions:
- utility_getRequiredTime
- windows_detectMaliciousProcessChain
- utility_convertTimeToUTC
- utility_extractMaliciousEntitiesByRiskScore
- utility_buildSearchCriteria
- utility_extractFieldFromList
- utility_sendMail
Scripts
| Script Name | Description | Arguments |
|---|---|---|
| StopAndQuarantineProcess.ps1 | Terminates processes by PID (decimal/hex) or by executable file path, then quarantines the executable to a forensic directory. Protects critical OS processes and the SOAR agent from termination. | ProcessIdentifiers |
| BlockIP.ps1 | Creates or updates Windows Firewall rules to block network traffic to/from one or more IP addresses. Uses consolidated rules (SOAR_AutoBlock_IP_Inbound / SOAR_AutoBlock_IP_Outbound) — new IPs are merged into an existing rule rather than creating a rule per IP. Validates IP format, checks firewall profile status, and reports per-IP results. | IpString, Direction |
| GetExternalConnections.ps1 | Lists all established non-loopback TCP connections with their local/remote addresses, ports, PIDs, and unique remote IP summary. | - |
| TerminateSession.ps1 | Logs off one or more user sessions using logoff, with optional RDP-only filtering by remote IP. | UserNames |
| FetchPersistenceEntries.ps1 | Scans for persistence mechanisms including scheduled tasks, registry Run/RunOnce keys, startup folder entries, and services to identify potential malicious persistence. | - |
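The following is an added illustration of the approach the GetExternalConnections.ps1 and BlockIP.ps1 rows describe; it is not the playbook's own script code. It enumerates established non-loopback TCP connections with their owning process, then merges a list of IPs into one consolidated block rule per direction instead of creating a rule per IP. The rule names are taken from the table above; the refusal to block loopback, unspecified, or the host's own addresses is an added safeguard, and the two sample IPs in the usage lines are constructed documentation-range addresses.

```powershell
$InboundRule  = 'SOAR_AutoBlock_IP_Inbound'
$OutboundRule = 'SOAR_AutoBlock_IP_Outbound'

function Get-ExternalConnections {
    # Established TCP sessions whose remote end is not loopback, with the owning PID and name.
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1', '0.0.0.0', '::') } |
        ForEach-Object {
            [pscustomobject]@{
                LocalAddress  = $_.LocalAddress
                LocalPort     = $_.LocalPort
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                PID           = $_.OwningProcess
                ProcessName   = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            }
        }
}

function Add-BlockedIP {
    param(
        [Parameter(Mandatory)][string[]]$IpString,
        [ValidateSet('Inbound', 'Outbound', 'Both')][string]$Direction = 'Both'
    )

    # Warn if a profile is disabled: a rule in a disabled profile blocks nothing.
    Get-NetFirewallProfile | Where-Object { -not $_.Enabled } |
        ForEach-Object { Write-Warning "Firewall profile '$($_.Name)' is disabled; the block rule will not apply there." }

    # Validate and normalise each address; never block loopback or an address this host owns
    # (blocking the SOAR agent's own address would cut off the responder).
    $local = @(Get-NetIPAddress | ForEach-Object { $_.IPAddress.Split('%')[0] })
    $valid = @(foreach ($ip in $IpString) {
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) { Write-Warning "Skipping invalid IP: $ip"; continue }
        $s = $parsed.ToString()
        if ([System.Net.IPAddress]::IsLoopback($parsed) -or $s -in @('0.0.0.0', '::') -or $s -in $local) {
            Write-Warning "Refusing to block local/loopback address: $s"; continue
        }
        $s
    })
    if ($valid.Count -eq 0) { return }

    $targets = switch ($Direction) {
        'Inbound'  { @($InboundRule) }
        'Outbound' { @($OutboundRule) }
        default    { @($InboundRule, $OutboundRule) }
    }
    foreach ($name in $targets) {
        $dir  = if ($name -eq $InboundRule) { 'Inbound' } else { 'Outbound' }
        $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $rule) {
            New-NetFirewallRule -DisplayName $name -Direction $dir -Action Block -Enabled True `
                -Profile Any -RemoteAddress $valid | Out-Null
            $merged = $valid
        } else {
            # Merge new IPs into the existing address filter; a rule with no filter reports 'Any'.
            $existing = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress | Where-Object { $_ -ne 'Any' })
            $merged   = @($existing + $valid | Sort-Object -Unique)
            $rule | Set-NetFirewallRule -RemoteAddress $merged
        }
        [pscustomobject]@{ Rule = $name; Direction = $dir; Added = $valid; TotalBlocked = $merged.Count }
    }
}

# Usage: list current external peers, then block the two constructed sample addresses.
Get-ExternalConnections | Sort-Object RemoteAddress -Unique | Format-Table RemoteAddress, RemotePort, PID, ProcessName
Add-BlockedIP -IpString @('198.51.100.7', '203.0.113.9', 'not-an-ip') -Direction Both
```

Run it in an elevated session; the NetSecurity cmdlets need administrator rights. The merge reads the existing filter and rewrites the whole remote-address list, so concurrent runs of the playbook against the same host should be serialised to avoid one run overwriting another's additions.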
Connections
VirusTotal connection - Requires a VirusTotal API key; the playbook uses it to look up the reputation of the IPs, URLs, and file hashes it collects.
Sub playbooks
- Windows - File enrichment
Execution workflow
Investigation:
- Fetches the process tree.
- Checks for malicious process reputation.
- Builds the search criteria.
- Retrieves all results based on the search criteria.
- Retrieves the process names based on the same search criteria.
- Builds the log details.
- Executes the "Windows - File enrichment" sub-playbook.
Decision logic:
- Proceeds to automated remediation when either of the following conditions holds:
- The file or process reputation indicates high risk.
- The file or process reputation indicates medium or higher risk.
- If the activity is suspicious but not confirmed malicious, sends a notification for manual review and takes no further automated action.
- If no malicious indicators are confirmed, the playbook ends with no further action.
Remediation:
- Terminates the malicious process.
- Terminates the user session.
- Checks and removes persistence.
- Retrieves external connections.
- Checks the IP reputation in batch.
- Calculates the risk score in batch.
- Identifies malicious entities based on their risk scores.
- Checks the malicious IPs.
- Blocks the IPs.
- Validates that all remediation actions are completed successfully.
- Builds the notification email with remediation details and findings.
- Sends a notification email regarding the actions taken and next step required.
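As an added example of the investigation and decision steps above (not the playbook's own code or its windows_detectMaliciousProcessChain function), the block below walks the live process tree and flags the three classic masquerading signals: an image that carries the name of a genuine System32 binary but runs from elsewhere, an image whose Authenticode signature is missing or not Microsoft's, and a core OS process with an unexpected parent. It also computes the SHA256 that file enrichment would consume. The expected-parent table and the High/Medium/Low thresholds are illustrative assumptions, chosen to mirror the routing described in the decision logic.

```powershell
$SystemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

# Parents that are stable for core OS processes (assumption for illustration);
# a different parent is a strong masquerading signal.
$ExpectedParents = @{
    'svchost.exe'  = @('services.exe')
    'lsass.exe'    = @('wininit.exe')
    'services.exe' = @('wininit.exe')
    'csrss.exe'    = @('smss.exe')
    'winlogon.exe' = @('smss.exe')
}

function Get-ProcessTreeInfo {
    # Win32_Process exposes ParentProcessId and the image path; Get-Process alone gives no parent.
    $all   = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }
    foreach ($p in $all) {
        $parent = $byPid[[int]$p.ParentProcessId]
        [pscustomobject]@{
            PID         = [int]$p.ProcessId
            Name        = $p.Name
            Path        = $p.ExecutablePath
            ParentPID   = [int]$p.ParentProcessId
            ParentName  = if ($parent) { $parent.Name } else { $null }
            CommandLine = $p.CommandLine
        }
    }
}

function Test-Masquerading {
    param([Parameter(Mandatory)]$Proc)

    # System, Idle and protected processes expose no path; that is normal, not a finding.
    if ([string]::IsNullOrEmpty($Proc.Path)) { return $null }

    $name     = $Proc.Name.ToLowerInvariant()
    $dir      = Split-Path -Path $Proc.Path -Parent
    $inSysDir = [bool]($SystemDirs | Where-Object { $dir -like "$_*" })
    # A genuine OS binary with this name exists, so the name is worth impersonating.
    $osName   = Test-Path -Path (Join-Path $SystemDirs[0] $name)

    $findings = [System.Collections.Generic.List[string]]::new()
    if ($osName -and -not $inSysDir) { $findings.Add("OS binary name running from $dir") }

    # Catalog-signed OS binaries report Status 'Valid' with SignatureType 'Catalog'.
    $sig = Get-AuthenticodeSignature -FilePath $Proc.Path
    if ($sig.Status -ne 'Valid') {
        $findings.Add("signature status $($sig.Status)")
    } elseif ($osName -and $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        $findings.Add("OS binary name signed by $($sig.SignerCertificate.Subject)")
    }

    if ($ExpectedParents.ContainsKey($name) -and $Proc.ParentName -and
        $Proc.ParentName.ToLowerInvariant() -notin $ExpectedParents[$name]) {
        $findings.Add("unexpected parent $($Proc.ParentName) (PID $($Proc.ParentPID))")
    }
    if ($findings.Count -eq 0) { return $null }

    # Illustrative thresholds (assumption): a system-named image that is out of place or badly
    # signed is High; a parent anomaly on a core process is Medium; anything else is Low.
    $risk = 'Low'
    if ($ExpectedParents.ContainsKey($name)) { $risk = 'Medium' }
    if ($osName -and ($sig.Status -ne 'Valid' -or -not $inSysDir)) { $risk = 'High' }

    [pscustomobject]@{
        PID      = $Proc.PID
        Name     = $Proc.Name
        Path     = $Proc.Path
        Parent   = $Proc.ParentName
        SHA256   = (Get-FileHash -Algorithm SHA256 -Path $Proc.Path).Hash   # input for file enrichment
        Risk     = $risk
        Findings = $findings -join '; '
    }
}

# Walk the tree and route each hit the way the decision logic does: medium or higher is
# remediated automatically, anything lower is sent for manual review.
$hits = Get-ProcessTreeInfo | ForEach-Object { Test-Masquerading -Proc $_ } | Where-Object { $_ }
foreach ($h in $hits) {
    $action = if ($h.Risk -in @('High', 'Medium')) { 'REMEDIATE' } else { 'REVIEW' }
    Write-Output ("{0,-9} PID {1,-6} {2,-16} {3}  [{4}]" -f $action, $h.PID, $h.Name, $h.Findings, $h.SHA256)
}
```

Run it elevated so that the image paths of processes owned by other users are readable; without that, those processes fall into the "no path" branch and are silently skipped, which is the safe default but also a blind spot worth noting in the alert.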
Post execution procedure
- Verify that the masquerading process has been completely terminated on the affected host and has not respawned.
- Scan the endpoint for additional indicators of compromise.
- Investigate the infection vector and check for dropped payloads.
- Review other endpoints for similar masquerading processes.
- Strengthen application control (allow-listing) policies so that binaries with trusted names cannot execute from non-standard paths.