Splunk Alert Details
Alert ID: SPLUNK-SYSTEM-SERVICES-1569-7842
Alert Time: 2024-02-14 16:30:15 EST
Severity: HIGH (85/100)
Source: Splunk Enterprise Security
Rule: “Service Installation with Suspicious Binary Path”
MITRE ATT&CK: T1569.002 – System Services: Service Execution
Alert Details:
Correlated Events:
1. Windows Event ID 7045 (Service Installed):
– Time: 16:25 EST
– Host: DEV-WS-045
– Service Name: “Windows Update Service”
– Service Type: WIN32_OWN_PROCESS
– Start Type: Auto Start
– Service Account: LocalSystem
– Binary Path: C:\Windows\System32\svchost.exe -k "C:\ProgramData\Microsoft\Windows\Caches\update.dll"
2. Event ID 4688 (Process Creation):
– Time: 16:25:30 EST
– Process: sc.exe
– Command: sc create "Windows Update Service" binPath= "C:\Windows\System32\svchost.exe -k C:\ProgramData\Microsoft\Windows\Caches\update.dll" start= auto
3. File Creation:
– File: C:\ProgramData\Microsoft\Windows\Caches\update.dll
– Time: 16:24 EST
– Created by: powershell.exe
Detection Logic:
– Service name mimics legitimate Windows Update
– Binary path unusual for svchost (loads DLL from non-standard location)
– DLL in user-writable path
– Service runs as SYSTEM
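As an added example (not the report's own Splunk rule), the four detection conditions above re-implemented in Python and run over constructed Event ID 7045 records; the sample events, the user-writable directory list, the mimicked-name list and the three-of-four alert threshold are assumptions.

```python
import re

# Added example, not the report's Splunk rule: the four conditions of
# "Service Installation with Suspicious Binary Path" applied to constructed
# Event ID 7045 records. The lists and the threshold below are assumptions.
SYSTEM_ACCOUNTS = {"localsystem", "nt authority\\system"}
# Directories a standard user can usually write to (assumed, not exhaustive).
USER_WRITABLE = (r"c:\programdata", r"c:\users", r"c:\windows\temp", r"\appdata")
# Name fragments that imitate built-in Windows components (assumed list).
MIMICKED_NAMES = ("windows update", "microsoft", "defender")

# Constructed records: the first mirrors the alert's 7045 event, the second a
# benign svchost-hosted service that runs as SYSTEM with a real service group.
SAMPLE_EVENTS = [
    {"host": "DEV-WS-045", "service_name": "Windows Update Service",
     "account": "LocalSystem",
     "binary_path": r'C:\Windows\System32\svchost.exe -k "C:\ProgramData\Microsoft\Windows\Caches\update.dll"'},
    {"host": "DEV-WS-045", "service_name": "Windows Update",
     "account": "LocalSystem",
     "binary_path": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]

def check_7045(event):
    """Return the detection conditions an Event ID 7045 record satisfies."""
    name = event["service_name"].lower()
    path = event["binary_path"].lower()
    hits = []
    # 1. Service name mimics a legitimate Windows component.
    if any(w in name for w in MIMICKED_NAMES):
        hits.append("name_mimics_windows")
    # 2. svchost.exe -k normally names a registry service group; a drive-letter
    #    path ending in .dll after -k is the unusual binary path the rule keys on.
    if "svchost.exe" in path and re.search(r'-k\s+"?[a-z]:\\.*\.dll', path):
        hits.append("svchost_loads_dll_path")
    # 3. The loaded module lives in a user-writable directory.
    if any(d in path for d in USER_WRITABLE):
        hits.append("dll_in_user_writable_path")
    # 4. The service runs as SYSTEM.
    if event["account"].lower() in SYSTEM_ACCOUNTS:
        hits.append("runs_as_system")
    return hits

def triage(events=SAMPLE_EVENTS, min_hits=3):
    """Return (host, service name, hits) for events meeting at least min_hits conditions."""
    flagged = []
    for e in events:
        hits = check_7045(e)
        if len(hits) >= min_hits:
            flagged.append((e["host"], e["service_name"], hits))
    return flagged
```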
Additional Context:
– Host: DEV-WS-045 (developer workstation)
– User: jdoe (John Doe) logged in at the time
– No Windows updates pending
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify Splunk correlation | Splunk ES | Confirmed malicious service installation
2. Service Analysis | Query service details | sc query, PowerShell | Service installed; binary path loads malicious DLL
3. DLL Analysis | Analyze update.dll | CrowdStrike Sandbox | DLL contains backdoor; connects to C2
4. Immediate Action | Stop and delete service | sc, PowerShell | Service stopped and deleted
5. Host Isolation | Isolate host | CrowdStrike | Host quarantined
6. User Interview | Contact user | Teams, Phone | User ran “system optimizer” tool from email
Jira Incident Report
Ticket: SOC-2024-075
Summary: T1569 – Malicious Service Installed for Persistence
Status: RESOLVED
Resolution: MALICIOUS – Service Removed
Priority: P2 – MEDIUM
Labels: T1569, system-services, service-installation, persistence, splunk
Components: Endpoint-Security, Malware-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Splunk Enterprise Security correlation.
Alert: “Service Installation with Suspicious Binary Path”.
Host: DEV-WS-045 (Development Department, user jdoe).
Time: 2024-02-14 16:30 EST.
Technique: MITRE ATT&CK T1569.002 – System Services: Service Execution.
2. Technical Analysis:
Attack Chain:
16:15 – User receives email with “System Optimizer” tool
16:16 – User downloads and runs optimizer.exe
16:18 – Optimizer.exe drops update.dll to C:\ProgramData\Microsoft\Windows\Caches\
16:20 – Optimizer.exe runs PowerShell to create service
16:25 – Service “Windows Update Service” installed
16:25:30 – Service starts automatically
16:26 – update.dll loads, connects to C2
16:30 – Splunk alert triggers
Service Details:
Name: Windows Update Service (masquerading)
Binary Path: C:\Windows\System32\svchost.exe -k "C:\ProgramData\Microsoft\Windows\Caches\update.dll"
Account: LocalSystem (highest privileges)
Start Type: Auto (persistence)
DLL Analysis:
File: update.dll (SHA256: b2c3d4e5f6…)
Function: When loaded by svchost, it:
Decrypts embedded payload
Establishes reverse shell to 194.165.16[.]89:443
Downloads additional tools
Injects into lsass.exe (attempted, blocked by PPL)
C2 Communication:
Established at 16:26
Beacon every 60 seconds
No data exfiltration before containment
3. Investigation Findings:
Timeline:
16:15 – User runs optimizer.exe
16:18 – DLL dropped
16:20 – Service creation begins
16:25 – Service installed and started
16:26 – C2 connection
16:30 – Alert triggers
16:32 – Service stopped and deleted
16:33 – Host isolated
Indicators of Compromise (IoCs):
Service:
– Name: Windows Update Service
– Binary: C:\Windows\System32\svchost.exe -k "C:\ProgramData\Microsoft\Windows\Caches\update.dll"
Files:
– optimizer.exe (SHA256: a1b2c3d4…)
– update.dll (SHA256: b2c3d4e5…)
Network:
– C2: 194.165.16[.]89:443
4. Containment Actions:
Immediate Actions:
Stopped and deleted malicious service.
Isolated host via CrowdStrike.
Blocked C2 IP at firewall.
Deleted update.dll and optimizer.exe.
Host Remediation:
Full scan (no other malware).
No reimage needed.
User Remediation:
Password reset.
Educated on untrusted software.
5. Root Cause Analysis:
Primary Cause: User downloaded and ran untrusted “optimizer” tool.
Contributing Factors:
No application control blocking unapproved software.
User had local admin rights (allowed service creation).
No alerting on service installation (until Splunk rule).
6. Business Impact:
Operational Impact: Developer offline for 2 hours.
Data Exposure: None.
7. Remediation & Prevention:
Completed Actions:
Service removed.
Host cleaned.
User educated.
C2 blocked.
Technical Controls Enhanced:
Removed local admin rights from standard users.
Enabled application control (CrowdStrike Falcon Prevent).
Enhanced service installation monitoring.
8. Conclusion:
A user downloaded a fake system optimizer that installed a malicious Windows service for persistence. Splunk detected the anomalous service installation, enabling rapid containment. No data loss occurred.
Closure Rationale: Service removed; host cleaned; user educated.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-14 17:30 EST