Sysmon Alert Details
Alert ID: SYSMON-AUTOSTART-1547-7842
Alert Time: 2024-02-15 16:30:45 EST
Severity: HIGH (85/100)
Source: Sysmon (Event ID 13 – Registry Value Set)
Rule: “Registry Run Key Modification by Suspicious Process”
MITRE ATT&CK: T1547.001 – Boot/Logon Autostart Execution: Registry Run Keys
Alert Details:
Event ID: 13 (Registry Value Set)
Time: 16:25 EST
Host: FIN-WS-034 (Finance Department)
User: jwilliams (Jennifer Williams, Accountant)
Registry Key Details:
– Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
– Value Name: "WindowsSecurityUpdate"
– Value Type: REG_SZ
– Value Data: "C:\Windows\System32\rundll32.exe C:\ProgramData\Microsoft\Drivers\security.dll,UpdateNow"
Process Creating Registry Value:
– Process: powershell.exe (PID: 7842)
– Command Line: powershell -WindowStyle Hidden -Command "New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -Name WindowsSecurityUpdate -Value 'C:\Windows\System32\rundll32.exe C:\ProgramData\Microsoft\Drivers\security.dll,UpdateNow' -PropertyType String -Force"
– Parent: explorer.exe
Additional Sysmon Events:
– Event ID 11 (FileCreate): C:\ProgramData\Microsoft\Drivers\security.dll (16:24)
– Event ID 1 (ProcessCreate): powershell.exe (16:24)
– Event ID 3 (NetworkConnect): No network connection yet
DLL Analysis:
– security.dll is malicious
– Loaded by rundll32 at next boot
– Contains backdoor that connects to C2 when loaded
Anomaly Detection:
– Key name mimics Windows Update
– DLL in non-standard path (Drivers folder)
– Created by PowerShell (unusual for legitimate software)
– User jwilliams normally doesn’t modify registry
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify Sysmon events | Splunk, Sysmon Logs | Confirmed registry Run key modification
2. File Analysis | Analyze security.dll | CrowdStrike Sandbox | DLL contains backdoor; connects to C2
3. Immediate Action | Remove registry key | PowerShell, Regedit | Run key deleted
4. File Deletion | Delete malicious DLL | PowerShell | security.dll removed
5. Host Isolation | Isolate host | CrowdStrike | Host quarantined
6. User Interview | Contact user | Teams, Phone | User ran "security scanner" from email
Jira Incident Report
Ticket: SOC-2024-079
Summary: T1547 – Registry Run Key Persistence via Malicious DLL
Status: RESOLVED
Resolution: MALICIOUS – Persistence Removed
Priority: P2 – MEDIUM
Labels: T1547, autostart-execution, registry-run-keys, sysmon, persistence
Components: Endpoint-Security, Malware-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Sysmon Event ID 13 (Registry Value Set).
Alert: “Registry Run Key Modification by Suspicious Process”.
Host: FIN-WS-034 (Finance Department, user jwilliams).
Time: 2024-02-15 16:30 EST.
Technique: MITRE ATT&CK T1547.001 – Boot/Logon Autostart Execution: Registry Run Keys.
2. Technical Analysis:
Attack Chain:
16:15 – User receives email with “Security Scanner” tool
16:16 – User downloads and runs scanner.exe
16:17 – scanner.exe drops security.dll to C:\ProgramData\Microsoft\Drivers\
16:18 – scanner.exe runs PowerShell to create registry Run key
16:24 – PowerShell executes
16:25 – Registry key created
16:30 – Sysmon alerts
Persistence Mechanism:
Registry Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: WindowsSecurityUpdate (masquerading)
Value Data: C:\Windows\System32\rundll32.exe C:\ProgramData\Microsoft\Drivers\security.dll,UpdateNow
Effect: At next user logon, rundll32 loads security.dll
DLL Export: UpdateNow function contains malicious code
DLL Analysis:
File: security.dll (SHA256: c3d4e5f6…)
Function: When loaded, it:
Decrypts embedded payload
Establishes reverse shell to 194.165.16[.]89:443
Downloads additional tools
Injects into explorer.exe
User Activity:
User received email about “critical security update”
Downloaded “scanner.exe” from link
Believed it was legitimate
3. Investigation Findings:
Timeline:
16:15 – Email received
16:16 – scanner.exe downloaded
16:17 – scanner.exe drops DLL
16:18 – scanner.exe runs PowerShell
16:24 – PowerShell executes
16:25 – Registry key created
16:30 – Alert triggers
16:32 – Key deleted; DLL removed
Indicators of Compromise (IoCs):
Registry:
– HKLM\…\Run\WindowsSecurityUpdate = "C:\Windows\System32\rundll32.exe C:\ProgramData\Microsoft\Drivers\security.dll,UpdateNow"
Files:
– scanner.exe (SHA256: a1b2c3d4…)
– security.dll (SHA256: c3d4e5f6…)
Network:
– C2: 194.165.16[.]89:443 (not yet connected)
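The IoC list above is what a fleet-wide sweep keys on to confirm the "not yet connected" conclusion and to check that no other host carries the same persistence. The Python below is an added example written for this report, not the SOC's own tooling: it refangs the defanged C2 address only at match time, sweeps Sysmon Event ID 3, 11 and 13 records from several hosts against the IoCs, and groups hits per host. Because the SHA256 values in the report are truncated, files are matched by path rather than hash. The event dicts, the HR-WS-012 host and the LAB-VM-01 host (included only so the network branch is exercised) are constructed.

```python
import re
from collections import defaultdict
from typing import Optional

# IoCs from the report. The C2 address stays defanged in this table so it can be pasted
# into tickets safely; files are matched by path because the report's hashes are truncated.
IOCS = {
    "run_value_name": "WindowsSecurityUpdate",
    "file_paths": {r"c:\programdata\microsoft\drivers\security.dll"},
    "c2": ("194.165.16[.]89", 443),
}


def refang(indicator: str) -> str:
    """Turn a defanged address such as 194.165.16[.]89 back into a matchable one."""
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", indicator)


def match_event(ev: dict) -> Optional[str]:
    """Return a tag naming the IoC a Sysmon event matches, or None if it matches nothing."""
    eid = ev["EventID"]
    if eid == 3:  # NetworkConnect
        ip, port = IOCS["c2"]
        if ev["DestinationIp"] == refang(ip) and int(ev["DestinationPort"]) == port:
            return f"c2_connection:{ev['DestinationIp']}:{ev['DestinationPort']}"
    elif eid == 11:  # FileCreate
        if ev["TargetFilename"].lower() in IOCS["file_paths"]:
            return f"file_created:{ev['TargetFilename']}"
    elif eid == 13:  # RegistryEvent (Value Set)
        if ev["TargetObject"].rsplit("\\", 1)[-1] == IOCS["run_value_name"]:
            return f"run_key_value:{ev['TargetObject']}"
    return None


def sweep(events: list[dict]) -> dict[str, list[str]]:
    """Group IoC hits by host so the scope of the incident is visible at a glance."""
    hits: dict[str, list[str]] = defaultdict(list)
    for ev in events:
        tag = match_event(ev)
        if tag:
            hits[ev["Computer"]].append(tag)
    return dict(hits)


def hosts_that_reached_c2(hits: dict[str, list[str]]) -> list[str]:
    """Hosts with at least one C2 connection; these need isolation before anything else."""
    return sorted(h for h, tags in hits.items() if any(t.startswith("c2_connection:") for t in tags))


# Constructed sample events from three hosts. FIN-WS-034 mirrors the report (DLL dropped,
# Run key set, no C2 contact); HR-WS-012 is clean; LAB-VM-01 is a made-up host whose
# connection exists only to exercise the network branch of the sweep.
SAMPLE_EVENTS = [
    {"Computer": "FIN-WS-034", "EventID": 11,
     "TargetFilename": r"C:\ProgramData\Microsoft\Drivers\security.dll"},
    {"Computer": "FIN-WS-034", "EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsSecurityUpdate"},
    {"Computer": "FIN-WS-034", "EventID": 3, "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
    {"Computer": "HR-WS-012", "EventID": 11, "TargetFilename": r"C:\Users\asmith\Documents\budget.xlsx"},
    {"Computer": "HR-WS-012", "EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent"},
    {"Computer": "LAB-VM-01", "EventID": 3, "DestinationIp": "194.165.16.89", "DestinationPort": "443"},
]

if __name__ == "__main__":
    hits = sweep(SAMPLE_EVENTS)
    for host, tags in hits.items():
        print(host, tags)
    print("contacted C2:", hosts_that_reached_c2(hits))
```

On the samples, FIN-WS-034 shows the file and registry hits but no C2 hit, which is the state the report describes; HR-WS-012 produces nothing; only the constructed LAB-VM-01 appears in the C2 list. Matching the destination port as well as the address keeps unrelated traffic to a shared hosting address from being counted as beaconing.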
4. Containment Actions:
Immediate Actions:
Deleted registry Run key.
Deleted security.dll.
Deleted scanner.exe.
Isolated host via CrowdStrike.
Blocked C2 IP at firewall.
Host Remediation:
Full scan (no other malware).
No reimage needed.
User Remediation:
Password reset.
Educated on untrusted software.
5. Root Cause Analysis:
Primary Cause: User downloaded and ran untrusted “security scanner”.
Contributing Factors:
No application control blocking unapproved software.
User had local admin rights (allowed registry modification).
No alerting on registry Run key changes (until Sysmon).
6. Business Impact:
Operational Impact: Finance workstation offline for 2 hours.
Data Exposure: None (C2 not connected).
7. Remediation & Prevention:
Completed Actions:
Persistence removed.
Host cleaned.
User educated.
C2 blocked.
Technical Controls Enhanced:
Removed local admin rights from standard users.
Enabled application control (CrowdStrike Falcon Prevent).
Enhanced registry monitoring for Run keys.
Created alert for any Run key modifications by non-system processes.
8. Conclusion:
A user downloaded a fake security scanner that installed registry Run key persistence. Sysmon detected the registry modification, enabling rapid removal before the DLL could execute at next boot. No compromise occurred.
Closure Rationale: Persistence removed; host cleaned; user educated.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-15 17:30 EST