Splunk Alert Details
Alert ID: SPLUNK-CREATE-ACCT-1136-7842
Alert Time: 2024-02-16 11:30:45 EST
Severity: HIGH (85/100)
Source: Splunk Enterprise Security
Rule: “Local User Account Created on Multiple Systems”
MITRE ATT&CK: T1136.001 – Create Account: Local Account
Alert Details:
Correlated Events:
1. Windows Event ID 4720 (A user account was created):
– Time: 11:15-11:25 EST
– Host: Multiple (12 workstations)
– Account Created: “support_user”
– Created By (Subject): SYSTEM (S-1-5-18), i.e. a script or task running as the local system account
– Event Count: 12 occurrences (one per host)
2. Windows Event ID 4724 (An attempt was made to reset an account's password):
– Time: 11:16-11:26 EST
– Same 12 hosts
– Account: support_user
– Password set by the creating script (attacker-chosen)
3. Windows Event ID 4732 (A member was added to a security-enabled local group):
– Time: 11:17-11:27 EST
– Account: support_user added to the local “Administrators” group (SID S-1-5-32-544)
– On all 12 hosts
Detection Logic:
– Same account name created on multiple workstations within 10 minutes
– Account added to local Administrators group
– Created by SYSTEM (scripted)
– No change management ticket for user creation
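The four detection conditions above, re-implemented as an added example (this is not Splunk's correlation search and not the page's own code) so the logic can be run offline over constructed Windows Security events. The event field names, the hostnames, the 3-host firing threshold and the severity weighting (50 base, +20 when every host got local admin, +15 when SYSTEM did the creating) are this example's own assumptions; a real Splunk search would use the WinEventLog field names and the organisation's own thresholds.

```python
"""Correlation rule 'Local User Account Created on Multiple Systems'.

Added example, not Splunk's rule or the page's own code: the same
conditions as the Detection Logic above, run in Python over constructed
Windows Security events (4720 / 4724 / 4732) so it works offline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADMINS_SID = "S-1-5-32-544"   # BUILTIN\Administrators; identical RID on every host
WINDOW = timedelta(minutes=10)
MIN_HOSTS = 3                 # assumed firing threshold; the incident reached 12


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def sample_events():
    """Constructed events reproducing the incident, plus benign noise.
    Field names (host, id, subject, target, member, group_sid) are this
    example's own; a Splunk search would use the WinEventLog field names."""
    hosts = ([f"WS-SALES-{i}" for i in range(1, 6)]
             + [f"WS-MKTG-{i}" for i in range(1, 4)]
             + [f"WS-ENG-{i}" for i in range(1, 5)])
    evs = []
    for n, host in enumerate(hosts):
        t0 = ts("2024-02-16 11:15:00") + timedelta(seconds=50 * n)  # ~9 min spread
        evs += [
            {"time": t0, "host": host, "id": 4720,
             "subject": "SYSTEM", "target": "support_user"},
            {"time": t0 + timedelta(minutes=1), "host": host, "id": 4724,
             "subject": "SYSTEM", "target": "support_user"},
            {"time": t0 + timedelta(minutes=2), "host": host, "id": 4732,
             "subject": "SYSTEM", "member": "support_user", "group_sid": ADMINS_SID},
        ]
    # Benign: an admin creates one service account on one host, and a domain
    # group is added to Administrators without any new local account.
    evs.append({"time": ts("2024-02-16 11:20:10"), "host": "WS-ENG-2", "id": 4720,
                "subject": "jdoe_adm", "target": "svc_backup"})
    evs.append({"time": ts("2024-02-16 11:21:00"), "host": "WS-SALES-3", "id": 4732,
                "subject": "jdoe_adm", "member": "CORP\\Helpdesk", "group_sid": ADMINS_SID})
    return evs


def correlate(events, window=WINDOW, min_hosts=MIN_HOSTS):
    """Return one alert per account created on >= min_hosts distinct hosts
    inside `window`, enriched with Administrators membership and subject."""
    created = defaultdict(list)    # account -> [(time, host, subject)]
    admin_adds = defaultdict(set)  # account -> hosts where it joined Administrators
    for e in events:
        if e["id"] == 4720:
            created[e["target"].lower()].append((e["time"], e["host"], e["subject"]))
        elif e["id"] == 4732 and e.get("group_sid") == ADMINS_SID:
            admin_adds[e["member"].lower()].add(e["host"])

    alerts = []
    for account, rows in created.items():
        rows.sort()
        best = []  # largest set of creations that fit in one window
        for i, (t_start, _, _) in enumerate(rows):
            span = [r for r in rows[i:] if r[0] - t_start <= window]
            if len({r[1] for r in span}) > len({r[1] for r in best}):
                best = span
        hosts = sorted({r[1] for r in best})
        if len(hosts) < min_hosts:
            continue
        scripted = all(r[2] == "SYSTEM" for r in best)
        admin_hosts = sorted(admin_adds[account] & set(hosts))
        # Assumed weighting: 50 base, +20 if every host got local admin, +15 if SYSTEM did it
        severity = 50 + (20 if admin_hosts == hosts else 0) + (15 if scripted else 0)
        alerts.append({"account": account, "hosts": hosts, "admin_hosts": admin_hosts,
                       "scripted": scripted, "first_seen": best[0][0],
                       "last_seen": best[-1][0], "severity": severity,
                       "technique": "T1136.001"})
    return alerts


if __name__ == "__main__":
    for a in correlate(sample_events()):
        print(f"[{a['severity']}] {a['account']} created on {len(a['hosts'])} hosts "
              f"{a['first_seen']:%H:%M}-{a['last_seen']:%H:%M}, "
              f"local admin on {len(a['admin_hosts'])}, scripted={a['scripted']}")
```

The single-host service account and the domain group added to Administrators do not fire, which is the point of requiring both a multi-host 4720 burst and the matching 4732 on the same hosts; the change-management check is left out because it needs a lookup against the ticketing system.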
Affected Hosts:
– Sales: 5 workstations
– Marketing: 3 workstations
– Engineering: 4 workstations
Additional Context:
– Account named “support_user”: a generic, IT-sounding name chosen to blend in with legitimate support accounts
– No legitimate IT project for local account creation
– Script source identified as a scheduled task
SOC Investigation Process
Step 1 – Alert Validation
– Action: Verify Splunk correlation
– Tools Used: Splunk ES
– Findings: Confirmed local account creation on 12 hosts
Step 2 – Account Remediation
– Action: Delete local accounts
– Tools Used: PowerShell, Remote Management
– Findings: support_user deleted from all hosts
Step 3 – Script Investigation
– Action: Find source of account creation
– Tools Used: CrowdStrike, SCCM
– Findings: Scheduled task “SystemMaintenance” created the accounts
Step 4 – Malware Analysis
– Action: Analyze task script
– Tools Used: CrowdStrike Sandbox
– Findings: Script created local admin accounts for persistence
Step 5 – Host Remediation
– Action: Scan and clean affected hosts
– Tools Used: CrowdStrike, Defender
– Findings: All 12 hosts cleaned; no other malware found
Step 6 – Threat Hunting
– Action: Check for other accounts
– Tools Used: Splunk, AD
– Findings: No other unauthorized accounts found
Jira Incident Report
Ticket: SOC-2024-083
Summary: T1136 – Local Admin Accounts Created on 12 Workstations
Status: RESOLVED
Resolution: MALICIOUS – Accounts Deleted
Priority: P2 – MEDIUM
Labels: T1136, create-account, local-account, persistence, splunk
Components: Endpoint-Security, Identity-Management
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Splunk Enterprise Security correlation.
Alert: “Local User Account Created on Multiple Systems”.
Account Created: support_user (local admin on 12 workstations).
Time: 2024-02-16 11:30 EST.
Technique: MITRE ATT&CK T1136.001 – Create Account: Local Account.
2. Technical Analysis:
Attack Chain:
11:00 – Attacker compromises one workstation via phishing
11:05 – Attacker modifies a Group Policy Object from the compromised host to deploy a scheduled task
11:10 – Scheduled task “SystemMaintenance” created on the workstations in the GPO's scope (12 hosts)
11:15 – Task executes on the 12 workstations
11:15-11:25 – Creates support_user and sets its password (Event IDs 4720, 4724)
11:17-11:27 – Adds support_user to the local Administrators group (Event ID 4732)
11:30 – Splunk correlation triggers
Account Details:
Username: support_user
Password: attacker-chosen, set by the task script
Privileges: Local Administrator on each host
Purpose: Persistence and lateral movement
Scheduled Task Analysis:
Name: SystemMaintenance
Action: PowerShell script embedded in task
Script: Created local user, added to Administrators group
Trigger: One-time execution (now disabled)
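Step 4 of the investigation (analysing the task script) is the kind of triage that is worth scripting, because the interesting part of a Task Scheduler task is usually hidden in a PowerShell `-EncodedCommand` argument. The following is an added example, not the page's own code and not the actual “SystemMaintenance” task: it parses a task definition in Task Scheduler's XML schema (the format `schtasks /Query /XML` exports), decodes the encoded command, and flags local-account creation and elevation primitives. The task XML, the author `CORP\jsmith`, the embedded script and its placeholder password are all constructed samples.

```python
"""Triage of a Task Scheduler XML export (as produced by schtasks /Query /XML).

Added example, not the page's own code: parses the task definition, decodes a
PowerShell -EncodedCommand action and flags local-account primitives. The task
XML and the embedded script are constructed samples, not captured artefacts.
"""
import base64
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
WELL_KNOWN = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
ENC_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\b\s+([A-Za-z0-9+/=]+)", re.I)
PRIMITIVES = {
    "New-LocalUser": re.compile(r"\bNew-LocalUser\b", re.I),
    "net user /add": re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+(?:\s+\S+)?\s+/add\b", re.I),
    "Add-LocalGroupMember": re.compile(r"\bAdd-LocalGroupMember\b", re.I),
    "net localgroup /add": re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+\S+\s+\S+\s+/add\b", re.I),
}
CREATE = ("New-LocalUser", "net user /add")
ELEVATE = ("Add-LocalGroupMember", "net localgroup /add")


def make_task_xml(uri, command, arguments, user_sid="S-1-5-18"):
    """Constructed task definition in Task Scheduler's schema (sample data)."""
    return f"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>CORP\\jsmith</Author><URI>{uri}</URI></RegistrationInfo>
  <Triggers><TimeTrigger><StartBoundary>2024-02-16T11:15:00</StartBoundary>
    <Enabled>true</Enabled></TimeTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>{user_sid}</UserId>
    <RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>{command}</Command>
    <Arguments>{arguments}</Arguments></Exec></Actions>
</Task>"""


# Constructed persistence script mirroring the incident (placeholder password).
SCRIPT = ('$p = ConvertTo-SecureString "Example-Pw-2024!" -AsPlainText -Force; '
          'New-LocalUser -Name support_user -Password $p -PasswordNeverExpires; '
          'Add-LocalGroupMember -Group Administrators -Member support_user')
ENCODED = base64.b64encode(SCRIPT.encode("utf-16-le")).decode("ascii")
MALICIOUS_TASK = make_task_xml("\\SystemMaintenance", "powershell.exe",
                               f"-NoProfile -WindowStyle Hidden -EncodedCommand {ENCODED}")
BENIGN_TASK = make_task_xml("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
                            "%windir%\\system32\\defrag.exe", "-c -h -o -$")


def decode_encoded_command(arguments):
    """Return the script hidden behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(arguments or "")
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_task(xml_text):
    """Summarise who runs the task, when, what it executes, and whether it builds a local admin."""
    # schtasks exports are UTF-16 with an XML declaration; drop the declaration so an
    # already-decoded str parses regardless of the declared encoding.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text))
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    sid = root.findtext("t:Principals/t:Principal/t:UserId", default="", namespaces=NS)
    actions = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        actions.append({"command": ex.findtext("t:Command", default="", namespaces=NS),
                        "arguments": args, "decoded": decode_encoded_command(args)})
    # Scan raw arguments and any decoded script for account-creation primitives.
    text = " ".join(a["arguments"] + " " + (a["decoded"] or "") for a in actions)
    hits = [name for name, rx in PRIMITIVES.items() if rx.search(text)]
    admin_group = re.search(r"Administrators|S-1-5-32-544", text, re.I) is not None
    return {
        "name": uri.lstrip("\\"),
        "author": root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS),
        "runs_as": WELL_KNOWN.get(sid, sid),
        "run_level": root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS),
        "triggers": [t.tag.split("}")[-1] for t in root.findall("t:Triggers/*", NS)],
        "actions": actions,
        "primitives": hits,
        "creates_local_admin": (any(h in CREATE for h in hits)
                                and any(h in ELEVATE for h in hits) and admin_group),
    }


if __name__ == "__main__":
    for task in (MALICIOUS_TASK, BENIGN_TASK):
        r = analyze_task(task)
        print(f"{r['name']}: runs as {r['runs_as']} ({r['run_level']}), triggers={r['triggers']}, "
              f"primitives={r['primitives']}, creates_local_admin={r['creates_local_admin']}")
        if r["actions"][0]["decoded"]:
            print("  decoded:", r["actions"][0]["decoded"])
```

The principal SID is the first thing to read: S-1-5-18 with `HighestAvailable` means the action runs as SYSTEM on every host, which matches the SYSTEM subject in the 4720 events. Decoding the `-EncodedCommand` argument is what turns an opaque PowerShell invocation into the `New-LocalUser` / `Add-LocalGroupMember` pair that explains the 4720 and 4732 sequence.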
Scope:
12 workstations affected
No servers affected
No domain accounts created
3. Investigation Findings:
Timeline:
11:00 – Initial compromise (phishing)
11:05 – Attacker deploys scheduled task via GPO
11:10 – Task propagates to workstations
11:15-11:27 – Accounts created and added to local Administrators
11:30 – Alert triggers
11:32 – SOC investigates
11:35 – Accounts deleted from all hosts
Indicators of Compromise (IoCs):
Account:
– support_user (local on 12 hosts)
Scheduled Task:
– Name: SystemMaintenance
– Action: PowerShell script
Network:
– Initial compromise IP: 185.143.221[.]89
4. Containment Actions:
Immediate Actions:
Deleted support_user from all 12 hosts via PowerShell.
Removed scheduled task “SystemMaintenance” from all hosts.
Isolated initially compromised host.
Blocked attacker IP.
Host Remediation:
Scanned all 12 hosts (no other malware).
No reimage needed.
User Remediation:
Users of affected workstations notified.
Passwords reset as precaution.
5. Root Cause Analysis:
Primary Cause: Initial workstation compromise via phishing.
Contributing Factors:
Permissions on the Group Policy Object allowed it to be modified from an ordinary workstation, so a single compromised host could push a scheduled task to others.
No monitoring for local account creation (Event ID 4720) before this rule.
Users already held standing local administrator rights on their workstations.
6. Business Impact:
Operational Impact: 12 workstations offline for 2 hours.
Data Exposure: None.
7. Remediation & Prevention:
Completed Actions:
Accounts deleted.
Scheduled task removed.
Initial host cleaned.
Technical Controls Enhanced:
Restricted GPO modification to authorized administrative workstations.
Created SIEM alert for any local account creation (Event ID 4720), not only the multi-host pattern.
Implemented LAPS (Local Administrator Password Solution) so each host's built-in Administrator password is unique and rotated; this limits reuse of a captured local credential across hosts but does not by itself stop a script from creating additional local admins, which is what the new SIEM alert covers.
8. Conclusion:
An attacker compromised a single workstation and used Group Policy to create local admin accounts on 12 workstations for persistence. Splunk detected the anomalous account creation, enabling rapid removal before the accounts could be used.
Closure Rationale: Accounts deleted; scheduled task removed; controls enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-16 12:30 EST