# [MED] Security Horror Story: Accidentally exposing PII data **Source:** Snyk **Published:** 2021-10-25 **Article:** https://snyk.io/blog/security-horror-story-accidentally-exposing-pii-data/ ## Threat Profile Snyk Blog In this article Written by Brian Vermeer October 25, 2021 0 mins read Nothing beats a good horror story... especially not when you talk about software development and security. I mean, what could possibly go wrong when you develop software??? More importantly, what could possibly go wrong when you and your team are working on a small R&D type application and funding for this project is still pending... You can imagine that working with immense pressure to deliver features at lightning… ## Indicators of Compromise (high-fidelity only) - _No high-fidelity IOCs in the RSS summary._ If the source publishes a technical write-up with defanged IOCs in the body, those would be picked up automatically on the next pipeline run. ## MITRE ATT&CK Techniques - **T1543.003** — Windows Service ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### Service install for persistence — sc.exe / new service registry write `UC_SERVICE_PERSIST` · phase: **install** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="sc.exe" AND Processes.process="*create*" AND (Processes.process="*\Users\*" OR Processes.process="*\AppData\*" OR Processes.process="*\ProgramData\*" OR Processes.process="*\Temp\*") by Processes.dest, Processes.user, Processes.process, Processes.parent_process_name | `drop_dm_object_name(Processes)` | append [| tstats `summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_path="*\\SYSTEM\\CurrentControlSet\\Services\\*" AND Registry.registry_value_name="ImagePath" AND (Registry.registry_value_data="*\Users\*" OR Registry.registry_value_data="*\AppData\*" OR Registry.registry_value_data="*\Temp\*") by Registry.dest, Registry.registry_path, Registry.registry_value_data, Registry.user | `drop_dm_object_name(Registry)`] ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where FileName =~ "sc.exe" and ProcessCommandLine has "create" | where ProcessCommandLine matches regex @"(?i)(\Users\|\AppData\|\ProgramData\|\Temp\)" | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName ``` ## Why this matters Severity classified as **MED** based on: 1 use case(s) fired, 1 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.