Splunk Alert Details
Alert ID: SPLUNK-SYSTEM-PROCESS-1543-7842
Alert Time: 2024-02-16 15:45:22 EST
Severity: HIGH (88/100)
Source: Splunk Enterprise Security
Rule: “Windows Service Created with Unusual Binary Path”
MITRE ATT&CK: T1543.003 – Create or Modify System Process: Windows Service
Alert Details:
Correlated Events:
1. Windows Event ID 7045 (Service Installed):
– Time: 15:40 EST
– Host: FIN-SRV-089 (Finance Server)
– Service Name: “Windows Defender Advanced Threat Protection”
– Service Type: WIN32_OWN_PROCESS
– Start Type: Auto Start
– Service Account: LocalSystem
– Binary Path: C:\Windows\System32\svchost.exe -k "C:\ProgramData\Microsoft\Windows Defender\Platform\defender_update.dll"
2. Event ID 4688 (Process Creation):
– Time: 15:39 EST
– Process: sc.exe
– Command: sc create "Windows Defender Advanced Threat Protection" binPath= "C:\Windows\System32\svchost.exe -k C:\ProgramData\Microsoft\Windows Defender\Platform\defender_update.dll" start= auto
3. File Creation:
– File: C:\ProgramData\Microsoft\Windows Defender\Platform\defender_update.dll
– Time: 15:38 EST
– Created by: powershell.exe
Detection Logic:
– Service name mimics legitimate Windows Defender
– Binary path unusual for svchost (loads DLL from non-standard path)
– DLL in user-writable path (ProgramData)
– Service runs as SYSTEM
– Created shortly after suspicious PowerShell execution
Additional Context:
– Server: FIN-SRV-089 (critical financial server)
– No legitimate Windows updates scheduled
– PowerShell executed from user context (compromised admin account)
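The five conditions listed under Detection Logic, re-implemented as an added Python example that runs over constructed Event ID 4688 and 7045 records (this is not the Splunk rule or any code from the report; the event field names, the user-writable directory list and the 5-minute correlation window are assumptions):

```python
import re
from datetime import datetime, timedelta

# Constructed sample events modelled on the alert's 4688 and 7045 records (not real logs).
EVENTS = [
    {"id": 4688, "time": "2024-02-16 15:38:10", "host": "FIN-SRV-089",
     "process": "powershell.exe"},
    {"id": 7045, "time": "2024-02-16 15:40:02", "host": "FIN-SRV-089",
     "service_name": "Windows Defender Advanced Threat Protection",
     "image_path": r'C:\Windows\System32\svchost.exe -k "C:\ProgramData'
                   r'\Microsoft\Windows Defender\Platform\defender_update.dll"',
     "account": "LocalSystem"},
    # Benign control: a real svchost service group, no PowerShell nearby.
    {"id": 7045, "time": "2024-02-16 09:01:00", "host": "FIN-SRV-089",
     "service_name": "Diagnostic Policy Service",
     "image_path": r"C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork",
     "account": "LocalSystem"},
]
USER_WRITABLE = ("c:\\programdata", "c:\\users\\", "c:\\windows\\temp", "c:\\temp")
MASQUERADE_WORDS = ("defender", "windows update", "microsoft")
WINDOW = timedelta(minutes=5)  # "created shortly after suspicious PowerShell"

def ts(s): return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def service_reasons(ev, events):
    """Apply the rule's five checks to one 7045 event; return those that fire."""
    reasons = []
    name, path = ev["service_name"].lower(), ev["image_path"].lower()
    if any(w in name for w in MASQUERADE_WORDS):
        reasons.append("name mimics a Microsoft/Defender component")
    # svchost -k must name a service group (e.g. netsvcs), never a DLL path
    m = re.search(r'svchost\.exe\s+-k\s+"?([^"]+)"?', path)
    if m and m.group(1).strip().endswith(".dll"):
        reasons.append("svchost -k given a DLL path instead of a service group")
    dll = re.search(r'([a-z]:\\[^"]+\.dll)', path)
    if dll and dll.group(1).startswith(USER_WRITABLE):
        reasons.append("DLL loaded from a user-writable directory")
    if ev["account"].lower() == "localsystem":
        reasons.append("service runs as SYSTEM")
    t = ts(ev["time"])
    if any(o["id"] == 4688 and o["host"] == ev["host"] and o["process"].lower()
           == "powershell.exe" and timedelta(0) <= t - ts(o["time"]) <= WINDOW
           for o in events):
        reasons.append("created within 5 minutes of PowerShell on the same host")
    return reasons

def evaluate(events, threshold=4):
    """Return {service_name: reasons} for 7045 events that meet the threshold."""
    return {ev["service_name"]: r for ev in events if ev["id"] == 7045
            and len(r := service_reasons(ev, events)) >= threshold}
```

The benign control fires only the SYSTEM-account check, which on its own stays below the threshold; the masquerading service fires all five.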
SOC Investigation Process
Step                     | Action                       | Tools Used            | Findings
1. Alert Validation      | Verify Splunk correlation    | Splunk ES             | Confirmed malicious service creation
2. Service Analysis      | Query service details        | sc query, PowerShell  | Service installed; binary path loads malicious DLL
3. DLL Analysis          | Analyze defender_update.dll  | CrowdStrike Sandbox   | DLL contains backdoor; connects to C2
4. Immediate Action      | Stop and delete service      | sc, PowerShell        | Service stopped and deleted
5. Host Isolation        | Isolate server               | CrowdStrike           | Server quarantined
6. Account Investigation | Identify compromised account | Azure AD, CrowdStrike | Admin account credentials compromised via phishing
Jira Incident Report
Ticket: SOC-2024-084
Summary: T1543 – Malicious Windows Service Created on Finance Server
Status: RESOLVED
Resolution: MALICIOUS – Service Removed
Priority: P1 – CRITICAL
Labels: T1543, system-process, windows-service, persistence, splunk
Components: Endpoint-Security, Server-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Splunk Enterprise Security correlation.
Alert: “Windows Service Created with Unusual Binary Path”.
Host: FIN-SRV-089 (Critical Finance Server).
Service: “Windows Defender Advanced Threat Protection” (malicious).
Time: 2024-02-16 15:45 EST.
Technique: MITRE ATT&CK T1543.003 – Create or Modify System Process: Windows Service.
2. Technical Analysis:
Attack Chain:
15:30 – Admin account (jsmith) compromised via phishing
15:32 – Attacker RDPs to FIN-SRV-089 from 45.134.225[.]78
15:35 – PowerShell downloads defender_update.dll from 185.143.221[.]89
15:38 – DLL saved to C:\ProgramData\Microsoft\Windows Defender\Platform\
15:39 – sc.exe creates service with DLL load
15:40 – Service starts automatically
15:40 – DLL loads, connects to C2
15:45 – Splunk alert triggers
Service Details:
Name: Windows Defender Advanced Threat Protection (masquerading)
Binary Path: C:\Windows\System32\svchost.exe -k "C:\ProgramData\Microsoft\Windows Defender\Platform\defender_update.dll"
Account: LocalSystem (highest privileges)
Start Type: Auto (persistence across reboots)
DLL Analysis:
File: defender_update.dll (SHA256: b2c3d4e5f6…)
Function: When loaded by svchost, it:
Decrypts embedded payload
Establishes reverse shell to 194.165.16[.]89:443
Downloads additional tools (Mimikatz, etc.)
Scans for financial data
C2 Communication:
Established at 15:40
Beacon every 60 seconds
No data exfiltration before containment
3. Investigation Findings:
Timeline:
15:30 – Admin account compromised
15:32 – Attacker RDPs to server
15:35-15:38 – DLL downloaded
15:39 – Service created
15:40 – Service starts; C2 connects
15:45 – Alert triggers
15:46 – SOC investigates
15:48 – Service stopped and deleted
15:49 – Host isolated
Indicators of Compromise (IoCs):
Service:
– Name: Windows Defender Advanced Threat Protection
– Binary: C:\Windows\System32\svchost.exe -k "C:\ProgramData\Microsoft\Windows Defender\Platform\defender_update.dll"
Files:
– defender_update.dll (SHA256: b2c3d4e5…)
Network:
– C2: 194.165.16[.]89:443
– Download URL: http://185.143.221[.]89/update.dll
Account:
– jsmith (compromised admin)
4. Containment Actions:
Immediate Actions:
Stopped and deleted malicious service.
Isolated server via CrowdStrike.
Deleted defender_update.dll.
Blocked C2 IP at firewall.
Terminated attacker RDP session.
Account Remediation:
Reset jsmith’s password.
Enforced MFA for admin account.
Audited all admin activity.
Server Remediation:
Full scan (no other malware).
Verified no data exfiltration.
No reimage needed (malware removed).
5. Root Cause Analysis:
Primary Cause: Admin account credentials compromised via phishing.
Contributing Factors:
No MFA on admin account.
RDP allowed from internet (should be VPN only).
No application control blocking unknown DLLs.
6. Business Impact:
Operational Impact: Finance server offline for 2 hours.
Data Exposure: None (C2 blocked after 8 minutes).
7. Remediation & Prevention:
Completed Actions:
Service removed.
Host cleaned.
Admin account secured.
C2 blocked.
Technical Controls Enhanced:
Enforced MFA for all admin accounts.
Moved RDP behind VPN only.
Implemented application control (CrowdStrike Falcon Prevent).
Enhanced service creation monitoring.
8. Conclusion:
An attacker compromised an admin account and created a malicious Windows service on a critical finance server. Splunk detected the anomalous service creation within 5 minutes, enabling rapid containment. No data exfiltration occurred.
Closure Rationale: Service removed; admin account secured; controls enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-16 16:30 EST