Splunk Alert Details
Alert ID: SPLUNK-SCHTASK-1053-7842
Alert Time: 2024-02-18 11:30:45 EST
Severity: HIGH (82/100)
Source: Splunk Enterprise Security
Rule: “Scheduled Task Created with SYSTEM Privileges”
MITRE ATT&CK: T1053.005 – Scheduled Task
Alert Details:
Correlated Events:
Windows Event ID 4698 (Scheduled Task Created):
Time: 11:25 EST
Host: HR-WS-045 (HR Department)
User: SYSTEM
Task Name: “WindowsUpdateTask”
Task XML:
Event ID 4688 (Process Creation):
Time: 11:26 EST
Process: schtasks.exe
Command: schtasks /create /tn "WindowsUpdateTask" /tr "powershell -WindowStyle Hidden -Enc JABjAGwAaQ…" /ru SYSTEM /sc HOURLY
Network Connection:
Time: 11:30 EST
Process: powershell.exe
Destination: 192.168.34.56:443
Detection Logic:
Task created with SYSTEM privileges
Name mimics Windows Update
Encoded PowerShell command (reverse shell)
Created by suspicious process (not legitimate Windows Update)
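The four detection conditions above, plus the command decoding from investigation step 2, as an added Python example (not the Splunk rule or any code from the original report). The sample 4688-style records, the benign encoded payload and the allowlist of legitimate parent processes are all constructed for the example; the real alert's truncated encoded string is not reproduced.

```python
import base64
import re

def encode_ps(script):
    """Encode a script the way PowerShell's -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample process-creation records (not the page's real events). The first
# mirrors the alert's schtasks command with a harmless constructed payload; the second
# is a legitimately created SYSTEM task, included for contrast.
SAMPLE_EVENTS = [
    {"host": "HR-WS-045", "parent": "powershell.exe", "process": "schtasks.exe",
     "cmd": 'schtasks /create /tn "WindowsUpdateTask" /tr "powershell -WindowStyle Hidden -Enc '
            + encode_ps("Write-Host 'constructed sample payload'") + '" /ru SYSTEM /sc HOURLY'},
    {"host": "IT-WS-001", "parent": "services.exe", "process": "schtasks.exe",
     "cmd": 'schtasks /create /tn "Backup Nightly" /tr "C:\\Tools\\backup.exe" /ru SYSTEM /sc DAILY'},
]

# Assumed allowlist of parents that legitimately spawn schtasks.exe in this environment.
LEGITIMATE_PARENTS = {"services.exe", "svchost.exe", "mmc.exe"}

def decode_encoded_command(cmd):
    """Return the decoded -e/-enc/-EncodedCommand payload, or None if the command has none."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmd, re.IGNORECASE)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")

def evaluate(event):
    """Apply the alert's four conditions to one record; return the conditions that matched."""
    cmd = event["cmd"]
    hits = []
    if re.search(r"/ru\s+(NT AUTHORITY\\)?SYSTEM\b", cmd, re.IGNORECASE):
        hits.append("runs_as_system")
    name = re.search(r'/tn\s+"?([^"/]+)', cmd)
    if name and re.search(r"windows\s*update", name.group(1), re.IGNORECASE):
        hits.append("name_mimics_windows_update")
    if decode_encoded_command(cmd) is not None:
        hits.append("encoded_powershell")
    if event["parent"].lower() not in LEGITIMATE_PARENTS:
        hits.append("suspicious_parent")
    return hits

def should_alert(hits):
    """Fire on a SYSTEM task only when two further indicators also match (assumed threshold)."""
    return "runs_as_system" in hits and len(hits) >= 3

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        h = evaluate(ev)
        print(ev["host"], "ALERT" if should_alert(h) else "ok", h)
        print("  decoded:", decode_encoded_command(ev["cmd"]))
```

The decoded payload is returned as text so an analyst can read it before acting, which is the same check step 2 performs with CyberChef.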
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify Splunk correlation | Splunk ES | Confirmed malicious scheduled task creation
2. Command Decoding | Decode PowerShell command | PowerShell, CyberChef | Reverse shell to 192.168.34.56:443
3. Immediate Action | Disable and delete task | schtasks /delete | Task removed
4. Process Investigation | Find source of task creation | CrowdStrike | PowerShell from compromised user account
5. User Remediation | Reset affected user password | Azure AD, AD | Password reset; MFA enforced
6. Threat Hunting | Check for similar tasks | Splunk, CrowdStrike | No other tasks found
Jira Incident Report
Ticket: SOC-2024-093
Summary: T1053.005 – Scheduled Task Persistence with Reverse Shell
Status: RESOLVED
Resolution: MALICIOUS – Task Removed
Priority: P2 – MEDIUM
Labels: T1053, scheduled-task, persistence, splunk, reverse-shell
Components: Endpoint-Security, Persistence
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Splunk Enterprise Security.
Alert: “Scheduled Task Created with SYSTEM Privileges”.
Host: HR-WS-045 (HR Department).
Task: “WindowsUpdateTask” (malicious).
Time: 2024-02-18 11:30 EST.
Technique: MITRE ATT&CK T1053.005 – Scheduled Task.
2. Technical Analysis:
Attack Chain:
11:15 – User opens phishing email with malicious link
11:16 – PowerShell downloads and executes payload
11:18 – Payload enumerates system, finds user has admin rights
11:20 – PowerShell creates scheduled task with SYSTEM privileges
11:25 – Task creation logged
11:26 – schtasks command executed
11:30 – First task trigger (hourly)
11:30 – Reverse shell connects to 192.168.34.56:443
11:30 – Splunk alert triggers
Scheduled Task Details:
Name: WindowsUpdateTask (masquerading)
Trigger: Hourly (persistence)
Run As: SYSTEM (highest privileges)
Action: PowerShell encoded reverse shell
Reverse Shell Analysis:
Decoded command: reverse shell to 192.168.34.56:443
Interactive PowerShell session
C2 IP: 192.168.34.56 (internal – compromised engineering host)
User Account:
User had local admin rights (should be standard user)
Account used to create SYSTEM task
3. Investigation Findings:
Timeline:
11:15 – Phishing email opened
11:20-11:26 – Task created
11:30 – First execution, C2 connection
11:30 – Alert triggers
11:32 – SOC investigates
11:35 – Task deleted
Indicators of Compromise (IoCs):
Task:
– Name: WindowsUpdateTask
– Action: powershell -WindowStyle Hidden -Enc JABjAGwAaQ…
Network:
– C2: 192.168.34.56:443
User:
– HR user with admin rights (excessive)
4. Containment Actions:
Immediate Actions:
Deleted scheduled task via schtasks /delete.
Terminated reverse shell process.
Isolated host temporarily.
Blocked C2 IP at firewall.
User Remediation:
Removed user’s admin rights.
Reset password.
Phishing training assigned.
Host Remediation:
Full scan (no other malware).
No reimage needed.
5. Root Cause Analysis:
Primary Cause: User with admin rights clicked phishing link.
Contributing Factors:
User had excessive privileges (local admin).
No application control blocking PowerShell.
No alerting on scheduled task creation.
6. Business Impact:
Operational Impact: HR workstation offline for 1 hour.
Data Exposure: None (C2 internal, no data sent).
7. Remediation & Prevention:
Completed Actions:
Task deleted.
User admin rights removed.
C2 blocked.
Technical Controls Enhanced:
Removed admin rights from all standard users.
Created alert for any scheduled task creation.
Enhanced PowerShell logging.
8. Conclusion:
A user with admin rights clicked a phishing link, leading to the creation of a scheduled task with SYSTEM privileges running a reverse shell hourly. Splunk detected the task creation, enabling rapid removal before significant C2 activity.
Closure Rationale: Task removed; user privileges reduced; controls enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-18 12:30 EST