Splunk Alert Details
Alert ID: SPLUNK-SERVICE-STOP-1489-7842
Alert Time: 2024-03-03 16:30:45 EST
Severity: HIGH (85/100)
Source: Splunk Enterprise Security
Rule: “Critical Service Stopped – Potential Disruption”
MITRE ATT&CK: T1489 – Service Stop
Alert Details:
Correlated Events:
Windows Event ID 7036 (Service Status Change):
Time: 16:15-16:30 EST
Host: SQL-SRV-01 (Primary SQL Server)
Service: MSSQLSERVER (SQL Server)
Action: STOPPED
Reason: “The service terminated unexpectedly”
Event ID 7036 (Additional Services):
16:16: SQL Agent – STOPPED
16:17: Windows Defender – STOPPED
16:18: Windows Firewall – STOPPED
16:19: Volume Shadow Copy – STOPPED
16:20: Backup Service – STOPPED
Process Creation (Event ID 4688):
Time: 16:14 EST
Process: sc.exe
Command: sc stop MSSQLSERVER
Command: sc stop MSSQLSERVERAGENT
Command: sc stop WinDefend
Command: sc stop MpsSvc
Command: sc stop VSS
Command: sc stop backup_service
Network Connection:
Time: 16:22 EST
Process: powershell.exe
Connection to 185.143.221[.]89:443
Detection Logic:
Multiple critical services stopped in sequence
SQL Server (database) targeted
Security services disabled (Defender, Firewall)
Backup services disabled (VSS, backup_service)
Pattern matches attacker preparing for ransomware or data destruction
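The following is an added example, not the Splunk correlation search behind this alert and not code from the report. It reproduces the detection logic listed above in Python over constructed Windows event records (Event ID 7036 service stops and Event ID 4688 sc.exe process creations): a burst of service stops on one host inside a correlation window raises an alert, the severity is weighted by whether database, security or backup services are among the stopped ones, and matching sc.exe stop commands are attached as evidence. The record format, the service lists, the window length and the scoring weights are assumptions for illustration.

```python
"""
Added example: service-stop burst correlation modelled on the alert above.
Not Splunk's rule and not the report's own code; event samples, service
lists and weights are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed service groupings; each raises the severity of a stop burst.
DATABASE_SERVICES = {"MSSQLSERVER", "MSSQLSERVERAGENT"}
SECURITY_SERVICES = {"WinDefend", "MpsSvc"}
BACKUP_SERVICES = {"VSS", "backup_service"}

WINDOW = timedelta(minutes=15)  # correlation window (assumed)
MIN_STOPS = 3                   # stops in the window needed to alert (assumed)

# Constructed records in a simple key=value|key=value format, modelled on the alert.
SAMPLE_EVENTS = [
    "time=2024-03-03 16:14|host=SQL-SRV-01|event_id=4688|process=sc.exe|command=sc stop MSSQLSERVER",
    "time=2024-03-03 16:14|host=SQL-SRV-01|event_id=4688|process=sc.exe|command=sc stop MSSQLSERVERAGENT",
    "time=2024-03-03 16:14|host=SQL-SRV-01|event_id=4688|process=sc.exe|command=sc stop WinDefend",
    "time=2024-03-03 16:14|host=SQL-SRV-01|event_id=4688|process=sc.exe|command=sc stop MpsSvc",
    "time=2024-03-03 16:14|host=SQL-SRV-01|event_id=4688|process=sc.exe|command=sc stop VSS",
    "time=2024-03-03 16:14|host=SQL-SRV-01|event_id=4688|process=sc.exe|command=sc stop backup_service",
    "time=2024-03-03 16:15|host=SQL-SRV-01|event_id=7036|service=MSSQLSERVER|state=STOPPED",
    "time=2024-03-03 16:16|host=SQL-SRV-01|event_id=7036|service=MSSQLSERVERAGENT|state=STOPPED",
    "time=2024-03-03 16:17|host=SQL-SRV-01|event_id=7036|service=WinDefend|state=STOPPED",
    "time=2024-03-03 16:18|host=SQL-SRV-01|event_id=7036|service=MpsSvc|state=STOPPED",
    "time=2024-03-03 16:19|host=SQL-SRV-01|event_id=7036|service=VSS|state=STOPPED",
    "time=2024-03-03 16:20|host=SQL-SRV-01|event_id=7036|service=backup_service|state=STOPPED",
    # A single benign restart on another host; must not alert.
    "time=2024-03-03 16:05|host=FILE-SRV-02|event_id=7036|service=Spooler|state=STOPPED",
    "time=2024-03-03 16:06|host=FILE-SRV-02|event_id=7036|service=Spooler|state=RUNNING",
]


def parse_event(line):
    """Turn one key=value|... record into a dict with a datetime and an int event id."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    fields["time"] = datetime.strptime(fields["time"], "%Y-%m-%d %H:%M")
    fields["event_id"] = int(fields["event_id"])
    return fields


def score_stops(stopped):
    """Severity 0-100: base per stopped service plus weights per service group."""
    score = 5 * len(stopped)
    if stopped & DATABASE_SERVICES:
        score += 20
    if stopped & SECURITY_SERVICES:
        score += 15
    if stopped & BACKUP_SERVICES:
        score += 20
    return min(score, 100)


def is_sc_stop(ev):
    """True for a 4688 event where sc.exe was invoked with a 'stop' argument."""
    return (ev["event_id"] == 4688
            and ev.get("process", "").lower() == "sc.exe"
            and "stop" in ev.get("command", "").lower().split())


def correlate(events):
    """Raise one alert per host whose 7036 STOPPED events form a burst inside WINDOW."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["time"])
        stops = [e for e in evs if e["event_id"] == 7036 and e.get("state") == "STOPPED"]
        sc_cmds = [e for e in evs if is_sc_stop(e)]
        for i, first in enumerate(stops):
            burst = [s for s in stops[i:] if s["time"] - first["time"] <= WINDOW]
            if len(burst) < MIN_STOPS:
                continue
            stopped = {s["service"] for s in burst}
            # Attach sc.exe stop commands seen shortly before or during the burst.
            related = [c["command"] for c in sc_cmds
                       if first["time"] - WINDOW <= c["time"] <= burst[-1]["time"]]
            alerts.append({
                "host": host,
                "first_stop": first["time"],
                "last_stop": burst[-1]["time"],
                "stopped_services": sorted(stopped),
                "security_disabled": bool(stopped & SECURITY_SERVICES),
                "backup_disabled": bool(stopped & BACKUP_SERVICES),
                "sc_commands": related,
                "severity": score_stops(stopped),
            })
            break  # one alert per host per burst
    return alerts


def detect(lines):
    """Convenience entry point: parse raw records and correlate them."""
    return correlate([parse_event(line) for line in lines])


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run as-is it reports one alert for SQL-SRV-01 with all six services, both the security and backup flags set, the six sc.exe commands attached and a severity of 85; the single Spooler restart on FILE-SRV-02 stays below the burst threshold. In a real pipeline the record parser would be replaced by the SIEM's field extraction, and the 7036 message text would be matched rather than a ready-made state field, but the grouping-by-host, window and weighting logic is the part that carries the detection.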
SOC Investigation Process
Step | Action | Tools Used | Findings
--- | --- | --- | ---
1. Alert Validation | Verify Splunk correlation | Splunk ES | Confirmed critical services stopped
2. Process Investigation | Identify sc.exe commands | CrowdStrike Falcon | PowerShell script stopping services
3. User Interview | Contact DBA | Teams, Phone | No legitimate maintenance scheduled
4. Immediate Action | Isolate SQL server | CrowdStrike | SQL-SRV-01 quarantined
5. Service Restoration | Restart all services | PowerShell | Services restarted
6. Account Remediation | Disable compromised account | Azure AD, AD | Account disabled; password reset
Jira Incident Report
Ticket: SOC-2024-164
Summary: T1489 – Critical Services Stopped on SQL Server
Status: RESOLVED
Resolution: MALICIOUS – Services Restored
Priority: P1 – CRITICAL
Labels: T1489, service-stop, sql-server, splunk, compromised-account
Components: Endpoint-Security, Service-Monitoring
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Splunk Enterprise Security.
Alert: “Critical Service Stopped – Potential Disruption”.
Host: SQL-SRV-01 (Primary SQL Server).
Services Stopped: MSSQLSERVER, SQL Agent, Defender, Firewall, VSS, Backup.
Time: 2024-03-03 16:30 EST.
Technique: MITRE ATT&CK T1489 – Service Stop.
2. Technical Analysis:
Attack Chain:
15:30 – DBA account (jsmith) compromised via phishing
15:45 – Attacker logs into SQL-SRV-01 via RDP
16:00 – Attacker downloads PowerShell script
16:14-16:20 – Services stopped via sc.exe commands
16:22 – C2 connection established
16:30 – Splunk alert fires
Services Stopped:
MSSQLSERVER: Primary database service (critical)
MSSQLSERVERAGENT: SQL job scheduler
WinDefend: Windows Defender (security)
MpsSvc: Windows Firewall (security)
VSS: Volume Shadow Copy (backups)
backup_service: Custom backup service
Attacker Intent:
Disable database access (business disruption)
Disable security tools (avoid detection)
Disable backups (prevent recovery)
Prepare for ransomware deployment
C2 Communication:
Connected to 185.143.221[.]89:443
Downloaded additional tools (blocked)
No ransomware executed before detection
3. Investigation Findings:
Timeline:
15:30 – Account compromised
15:45 – Attacker logs in
16:00 – Script downloaded
16:14-16:20 – Services stopped
16:22 – C2 connection
16:30 – Splunk alert
16:32 – SOC investigates
16:33 – Host isolated
16:34 – Services restarted
Indicators of Compromise (IoCs):
Commands:
– sc stop MSSQLSERVER
– sc stop MSSQLSERVERAGENT
– sc stop WinDefend
– sc stop MpsSvc
– sc stop VSS
– sc stop backup_service
Network:
– C2: 185.143.221[.]89:443
Account:
– jsmith (compromised DBA)
4. Containment Actions:
Immediate Actions:
Isolated SQL-SRV-01 via CrowdStrike.
Restarted all stopped services.
Blocked C2 IP at firewall.
Disabled jsmith account.
Reset password.
Data Protection:
Verified no data encrypted or deleted.
Checked backups (intact).
Host Remediation:
Full scan (no malware found).
Verified no persistence.
5. Root Cause Analysis:
Primary Cause: DBA account compromised via phishing.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
Service stop commands were not monitored before the Splunk rule fired.
6. Business Impact:
Operational Impact: SQL Server offline for 20 minutes (service restart).
Data Exposure: None (services stopped, no data access).
Business Disruption: Applications dependent on SQL affected for 20 minutes.
7. Remediation & Prevention:
Completed Actions:
Services restored.
Account secured.
C2 blocked.
Technical Controls Enhanced:
Enforced MFA for all admins.
Moved RDP behind VPN only.
Created alert for critical service stops.
Enhanced monitoring for sc.exe usage.
8. Conclusion:
An attacker compromised a DBA account and stopped critical services on the primary SQL server, including the database engine, security tools, and backup services. Splunk detected the service stop events and enabled rapid restoration before any data could be encrypted or destroyed.
Closure Rationale: Services restored; account secured; no data loss.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-03 17:30 EST