T1529 – System Shutdown/Reboot (Splunk Detection)

Splunk Alert Details
Alert ID: SPLUNK-SHUTDOWN-1529-7842
Alert Time: 2024-03-05 14:15:33 EST
Severity: HIGH (85/100)
Source: Splunk Enterprise Security
Rule: “Multiple System Shutdowns Detected – Potential DoS”
MITRE ATT&CK: T1529 – System Shutdown/Reboot

Alert Details:

Correlated Events:

Windows Event ID 1074 (System Shutdown):

Time: 14:00-14:15 EST
Hosts: 12 servers (list below)
User: NT AUTHORITY\SYSTEM (psexec -s runs the remote command as SYSTEM, so the 1074 event on each server does not name the admin account; attribution comes from the 4688 event on the source workstation)
Reason: “Other (Unplanned)”
Shutdown Type: Restart (shutdown /r)

Affected Servers:

DC-01 (Domain Controller)
SQL-SRV-01 (Primary SQL Server)
FILESRV-01 (File Server)
EXCH-01 (Exchange Server)
WEB-SRV-01 (Web Server)
APP-SRV-01, 02, 03 (Application Servers)
BACKUP-SRV-01 (Backup Server)
MONITOR-SRV-01 (Monitoring)
LOG-SRV-01 (Log Server)
VPN-SRV-01 (VPN Gateway)

Process Creation (Event ID 4688):

Time: 13:55 EST
Process: psexec.exe (from admin workstation)
User: compromised admin account
Command: psexec \\server -s shutdown /r /t 0 /f

Detection Logic:

12 critical servers shut down/restarted within 15 minutes
Unplanned shutdowns (reason “Other (Unplanned)”, outside the maintenance window)
Initiated via psexec from a compromised admin workstation (Event 4688 on the source host)
Pattern matches attacker-driven denial of service (T1529)
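To make the detection logic above concrete, here is an added example (not code from the original alert or write-up) that runs the same correlation offline over constructed Windows event records: it collects Event ID 1074 records, alerts when enough distinct hosts shut down unplanned inside a sliding window outside the maintenance window, and then attributes the burst to a preceding Event ID 4688 whose psexec command line targeted those hosts. The field names (EventCode, host, user, reason, CommandLine, _time), the workstation name ADMIN-WS-01, the 5-host/15-minute thresholds, the 02:00-04:00 maintenance window and the sample events themselves are assumptions made for the example.

```python
"""T1529 mass-shutdown detection over constructed Windows event records.

Added example, not the page's or Splunk's own code. Equivalent Splunk search
(assumed index/sourcetype names):
    index=wineventlog sourcetype=WinEventLog:System EventCode=1074
    | bucket _time span=15m
    | stats dc(host) AS hosts values(host) AS host_list BY _time
    | where hosts >= 5
"""
import re
from datetime import datetime, time, timedelta

WINDOW = timedelta(minutes=15)          # assumed: burst window used by the rule
MIN_HOSTS = 5                           # assumed: distinct-host threshold
MAINTENANCE = (time(2, 0), time(4, 0))  # assumed: approved reboot window (local)
LOOKBACK = timedelta(minutes=30)        # assumed: how far back to look for the 4688

SERVERS = ["DC-01", "SQL-SRV-01", "FILESRV-01", "EXCH-01", "WEB-SRV-01",
           "APP-SRV-01", "APP-SRV-02", "APP-SRV-03", "BACKUP-SRV-01",
           "MONITOR-SRV-01", "LOG-SRV-01", "VPN-SRV-01"]

# Constructed sample events (not real logs). ADMIN-WS-01 is an assumed name.
SAMPLE_EVENTS = [
    {"EventCode": 4688, "host": "ADMIN-WS-01", "user": "CORP\\bjones",
     "_time": "2024-03-05 13:55:03",
     "CommandLine": "psexec.exe \\\\" + ",".join(SERVERS) + " -s shutdown /r /t 0 /f"},
    # A planned reboot inside the burst: must be ignored by the rule.
    {"EventCode": 1074, "host": "DEV-01", "user": "CORP\\jdoe",
     "_time": "2024-03-05 14:03:00",
     "reason": "Operating System: Upgrade (Planned)", "shutdown_type": "restart"},
] + [
    {"EventCode": 1074, "host": h, "user": "NT AUTHORITY\\SYSTEM",
     "_time": f"2024-03-05 14:{i:02d}:30",
     "reason": "Other (Unplanned)", "shutdown_type": "restart"}
    for i, h in enumerate(SERVERS)
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def in_maintenance(when, window=MAINTENANCE):
    start, end = window
    return start <= when.time() < end

def detect_mass_shutdown(events, window=WINDOW, min_hosts=MIN_HOSTS):
    """Return the first burst of unplanned 1074s on >= min_hosts hosts, else None."""
    shutdowns = sorted(((_ts(e["_time"]), e) for e in events if e["EventCode"] == 1074),
                       key=lambda p: p[0])
    for i, (t0, _) in enumerate(shutdowns):
        if in_maintenance(t0):          # reboots in the approved window are expected
            continue
        burst = {}                      # host -> time of its first shutdown in window
        for t, e in shutdowns[i:]:
            if t - t0 > window:
                break
            if "Unplanned" in e["reason"]:   # planned reboots do not count
                burst.setdefault(e["host"], t)
        if len(burst) >= min_hosts:
            return {"start": t0, "end": max(burst.values()), "hosts": sorted(burst)}
    return None

# psexec[.exe] \\host1[,host2,...] ... shutdown ... /r
PSEXEC_RE = re.compile(r"psexec(?:\.exe)?\s+\\\\([\w.,-]+)\s+.*\bshutdown\b.*\s/r\b", re.I)

def attribute_to_psexec(events, alert, lookback=LOOKBACK):
    """Find 4688 events whose psexec command targeted hosts in the alert."""
    hits = []
    for e in events:
        if e["EventCode"] != 4688:
            continue
        m = PSEXEC_RE.search(e.get("CommandLine", ""))
        if not m:
            continue
        t = _ts(e["_time"])
        if not (alert["start"] - lookback <= t <= alert["end"]):
            continue
        targets = {h.upper() for h in m.group(1).split(",")}
        overlap = sorted(targets & {h.upper() for h in alert["hosts"]})
        if overlap:
            hits.append({"source_host": e["host"], "user": e["user"],
                         "time": t, "targets": overlap})
    return hits

def run(events=SAMPLE_EVENTS):
    alert = detect_mass_shutdown(events)
    if alert is None:
        return None
    alert["initiators"] = attribute_to_psexec(events, alert)
    return alert

if __name__ == "__main__":
    a = run()
    print(f"{len(a['hosts'])} unplanned shutdowns {a['start']:%H:%M}-{a['end']:%H:%M}: "
          + ", ".join(a["hosts"]))
    for hit in a["initiators"]:
        print(f"  initiated from {hit['source_host']} by {hit['user']} at "
              f"{hit['time']:%H:%M} -> {len(hit['targets'])} targets")
```

The sliding window matters more than it looks: fixed 15-minute buckets (what the SPL above does) split a burst that straddles a bucket boundary into two sub-threshold halves, which is exactly the gap a patient attacker would exploit by spacing the reboots out. Keying the burst on distinct hosts rather than event count also keeps one flapping server from tripping the rule.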

SOC Investigation Process

Step 1 – Alert Validation
Action: Verify Splunk events
Tools Used: Splunk ES
Findings: Confirmed mass server shutdowns

Step 2 – Process Investigation
Action: Identify source of commands
Tools Used: CrowdStrike Falcon
Findings: psexec from compromised admin workstation

Step 3 – Admin Account Remediation
Action: Disable compromised admin account before restoring services (otherwise the attacker can simply repeat the shutdowns)
Tools Used: Azure AD, AD
Findings: Admin account disabled; password reset

Step 4 – Service Restoration
Action: Power on affected servers
Tools Used: Remote Console
Findings: All 12 servers restarted/restored

Step 5 – Network Block
Action: Block attacker IP
Tools Used: Palo Alto
Findings: 185.143.221[.]89 blocked

Step 6 – Service Verification
Action: Verify all services restored
Tools Used: Monitoring Tools
Findings: All services operational

Jira Incident Report
Ticket: SOC-2024-172
Summary: T1529 – Mass Server Shutdown (12 Critical Servers)
Status: RESOLVED
Resolution: MALICIOUS – Servers Restored
Priority: P1 – CRITICAL
Labels: T1529, system-shutdown, dos, splunk, compromised-admin
Components: Infrastructure-Security, Incident-Response

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Splunk Enterprise Security.
Alert: “Multiple System Shutdowns Detected – Potential DoS”.
Hosts: 12 critical servers (including DC, SQL, Exchange).
Action: System shutdown/restart via psexec.
Time: 2024-03-05 14:15 EST.
Technique: MITRE ATT&CK T1529 – System Shutdown/Reboot.

2. Technical Analysis:

Attack Chain:

13:30 – Admin account (bjones) compromised via phishing
13:45 – Attacker logs into admin workstation via RDP
13:50-13:55 – Attacker prepares and pushes psexec shutdown commands (Event 4688 on the admin workstation at 13:55)
14:00-14:15 – 12 servers shutdown
14:15 – Splunk detects

Affected Servers:

Domain Controller (authentication down)
SQL Server (databases offline)
File Server (file access down)
Exchange Server (email down)
Web Server (website down)
Application Servers (3) – business apps down
Backup Server (backups interrupted)
Monitoring Server (alerts delayed)
Log Server (logging interrupted)
VPN Server (remote access down)

Impact:

Complete business disruption
No authentication possible (DC down)
No email, files, applications
Estimated downtime: 20-40 minutes per server (first shutdowns at 14:00, last server restored by 14:40)

Attacker Intent:

Maximum business disruption
Chaos before potential ransomware
Prevent access to logs/monitoring

3. Investigation Findings:

Timeline:

13:30 – Admin account compromised
13:45 – Attacker logs in
13:50 – psexec commands prepared
14:00-14:15 – Servers shutdown
14:15 – Splunk alert
14:17 – SOC investigates
14:18 – Admin account disabled
14:20-14:40 – Servers powered on (some took longer)

Indicators of Compromise (IoCs):

Commands:

– psexec \\server -s shutdown /r /t 0 /f

Account:

– bjones (compromised admin)

Network:

– Attacker IP: 185.143.221[.]89

4. Containment Actions:

Immediate Actions:

Disabled compromised admin account.
Powered on all affected servers (remote console).
Verified services restored.
Blocked attacker IP at firewall.

Service Restoration:

All servers back online by 14:40.
Verified DC, SQL, Exchange, etc. operational.
Monitored for secondary issues (none).

Account Remediation:

Reset bjones password.
Enforced MFA.

5. Root Cause Analysis:

Primary Cause: Admin account compromised via phishing.
Contributing Factors:
No MFA on admin account.
Admin account had local administrator rights on all servers, which is what psexec needs to push commands over SMB (ADMIN$).
No alerting for mass shutdowns.

6. Business Impact:

Operational Impact: Complete business outage for 20-40 minutes (first shutdown 14:00, last server restored 14:40).
Data Exposure: None.
Financial Impact: Significant (productivity loss, potential revenue loss).

7. Remediation & Prevention:

Completed Actions:

Servers restored.
Admin account secured.
Attacker blocked.

Technical Controls Enhanced:

Enforced MFA for all admins.
Moved admin access behind VPN only.
Restricted psexec usage (blocked).
Created alert for multiple system shutdowns.

8. Conclusion:

An attacker compromised an admin account and used psexec to shut down 12 critical servers, causing a complete business outage. Splunk detected the mass shutdowns, enabling rapid containment and restoration. All servers were back online within 40 minutes of the first shutdown.

Closure Rationale: Servers restored; admin account secured; outage resolved.

Analyst: [Your Name], SOC Analyst Date: 2024-03-05 15:30 EST
