T1036.003 – Rename System Utilities (Sysmon Detection)

Sysmon Alert Details
Alert ID: SYSMON-RENAME-UTIL-1036-7842
Alert Time: 2024-03-09 14:15:33 EST
Severity: HIGH (85/100)
Source: Sysmon (Event ID 1 – Process Creation)
Rule: “Suspicious Process Name – System Utility Renamed”
MITRE ATT&CK: T1036.003 – Masquerading: Rename System Utilities

Alert Details:

Event ID: 1 (Process Creation)
Time: 14:10 EST
Host: FIN-WS-078 (Finance Workstation)
User: bturner@company.com (Brian Turner, Accountant)

Process Tree:

explorer.exe (PID: 2341)
  svchost.exe (PID: 4789)
    Path: C:\Users\bturner\AppData\Local\Temp\svchost.exe
    Command Line: “C:\Users\bturner\AppData\Local\Temp\svchost.exe” -k netsvcs
    Original Name: cmd.exe (renamed to svchost.exe)

File Details:

File: C:\Users\bturner\AppData\Local\Temp\svchost.exe
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
File is actually cmd.exe (renamed)
Verified by comparing hash with known cmd.exe hash (after extraction)

Detection Logic:

Process named “svchost.exe” running from Temp folder (anomalous)
File hash matches cmd.exe (system utility)
Process name does not match actual executable (renamed)
Parent process is explorer.exe (unusual for svchost.exe)
Pattern matches masquerading (rename system utility to evade detection)
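
As an added example (not part of the original report), the detection conditions above applied to constructed Sysmon Event ID 1 records: the utility watch list, the user-writable path markers and the expected-parent map are assumptions, and the check relies on Sysmon's OriginalFileName field, which comes from the PE version resource and is not changed by renaming the file on disk.

```python
"""Renamed-system-utility check over Sysmon Event ID 1 fields (added example,
not the report's own detection content). Events below are constructed samples."""
import ntpath

# Utilities whose PE OriginalFileName should equal the on-disk name (assumed watch list).
SYSTEM_UTILITIES = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Names that should only be spawned by a known parent (assumed expectation).
EXPECTED_PARENT = {"svchost.exe": "services.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")


def check_event(event: dict) -> list[str]:
    """Return the rule hits for one Sysmon process-creation event (empty = benign)."""
    image = event["Image"]
    name = ntpath.basename(image).lower()
    original = event.get("OriginalFileName", "").lower()  # Sysmon reports e.g. "Cmd.Exe"
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    hits = []
    if original and original != name:                       # on-disk name != PE name
        hits.append(f"name mismatch: {name} is really {original}")
    if original in SYSTEM_UTILITIES and any(m in image.lower() for m in USER_WRITABLE):
        hits.append(f"{original} running from user-writable path")
    expected = EXPECTED_PARENT.get(name)
    if expected and parent != expected:                      # wrong parent for this name
        hits.append(f"{name} spawned by {parent}, expected {expected}")
    return hits


def flag_events(events: list[dict]) -> dict[str, list[str]]:
    """Map each flagged Image path to its hits, skipping events with no hits."""
    return {e["Image"]: h for e in events if (h := check_event(e))}


# Constructed samples: the report's renamed cmd.exe, plus two benign controls.
RENAMED = {"Image": r"C:\Users\bturner\AppData\Local\Temp\svchost.exe",
           "OriginalFileName": "Cmd.Exe", "ParentImage": r"C:\Windows\explorer.exe",
           "CommandLine": r'"C:\Users\bturner\AppData\Local\Temp\svchost.exe" -k netsvcs'}
REAL_SVCHOST = {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
                "ParentImage": r"C:\Windows\System32\services.exe"}
REAL_CMD = {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
            "ParentImage": r"C:\Windows\explorer.exe"}
SAMPLE_EVENTS = [REAL_SVCHOST, REAL_CMD, RENAMED]

if __name__ == "__main__":
    for path, hits in flag_events(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(hits))
```

Only the Temp-folder svchost.exe is flagged, on all three conditions; a genuine cmd.exe launched from explorer.exe produces no hit, which is the false-positive case a rule on parent process alone would catch.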

SOC Investigation Process

Step                     | Action                          | Tools Used           | Findings
1. Alert Validation      | Verify Sysmon event             | Splunk, Sysmon Logs  | Confirmed renamed cmd.exe as svchost.exe
2. Process Investigation | Identify source of renamed file | CrowdStrike Falcon   | File dropped by malicious script from phishing email
3. User Interview        | Contact bturner                 | Teams, Phone         | User opened “invoice.doc” with macro
4. Immediate Action      | Terminate process, delete file  | CrowdStrike          | Process killed; file removed
5. Email Investigation   | Find source email               | Proofpoint, Exchange | Email quarantined; attachment malicious
6. Account Remediation   | Reset bturner password          | Azure AD, AD         | Password reset; MFA enforced

Jira Incident Report
Ticket: SOC-2024-192
Summary: T1036.003 – Renamed cmd.exe to svchost.exe for Masquerading
Status: RESOLVED
Resolution: MALICIOUS – Process Terminated
Priority: P2 – MEDIUM
Labels: T1036, rename-utilities, masquerading, sysmon, phishing
Components: Endpoint-Security, Phishing-Response

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Sysmon Event ID 1.
Alert: “Suspicious Process Name – System Utility Renamed”.
Host: FIN-WS-078 (Finance, user bturner).
Process: C:\Users\bturner\AppData\Local\Temp\svchost.exe (actually cmd.exe).
Time: 2024-03-09 14:15 EST.
Technique: MITRE ATT&CK T1036.003 – Masquerading: Rename System Utilities.

2. Technical Analysis:

Attack Chain:

13:45 – User opens phishing email with “invoice.doc”
13:46 – Macro executes, downloads script
13:50 – Script copies cmd.exe to Temp as svchost.exe
14:00 – Script executes renamed cmd.exe with parameters
14:10 – Process runs; Sysmon detects

Masquerading Technique:

Original: C:\Windows\System32\cmd.exe
Renamed: C:\Users\bturner\AppData\Local\Temp\svchost.exe
Purpose: To appear as a legitimate svchost.exe process
Command: Used to launch PowerShell (encoded) for C2

Malicious Activity:

The renamed cmd.exe launched PowerShell with encoded command
PowerShell attempted to connect to 185.143.221[.]89:443 (blocked)
No further compromise

User Status:

User unaware; clicked attachment

3. Investigation Findings:

Timeline:

13:45 – Phishing email opened
13:46-13:50 – Malware drops renamed cmd.exe
14:00 – Execution
14:10 – Sysmon alert
14:12 – SOC investigates
14:13 – Process terminated
14:14 – File deleted

Indicators of Compromise (IoCs):

Files:

– C:\Users\bturner\AppData\Local\Temp\svchost.exe (renamed cmd.exe)

Network:

– C2: 185.143.221[.]89:443

4. Containment Actions:

Immediate Actions:

Terminated process.
Deleted renamed executable.
Isolated host temporarily.
Reset user password.
Enforced MFA.

Host Remediation:

Full scan (clean).
No reimage needed.

5. Root Cause Analysis:

Primary Cause: Phishing email with malicious macro.
Contributing Factors:
Macros enabled.
User had local admin rights.

6. Business Impact:

Operational Impact: Finance workstation offline for 1 hour.
Data Exposure: None.

7. Remediation & Prevention:

Completed Actions:

Malicious process terminated.
User educated.

Technical Controls Enhanced:

Enabled ASR rule “Block process creations originating from PSExec and WMI”.
Enhanced monitoring for renamed system utilities.

8. Conclusion:

An attacker used a renamed cmd.exe (masquerading as svchost.exe) to evade detection. Sysmon identified the process name mismatch and enabled rapid termination.

Closure Rationale: Process terminated; file removed; user educated.

Analyst: [Your Name], SOC Analyst
Date: 2024-03-09 15:30 EST