CrowdStrike Alert Details
Alert ID: CS-NATIVE-API-1106-7842
Alert Time: 2024-02-14 09:30:22 EST
Severity: HIGH (85/100)
Source: CrowdStrike Falcon EDR
Rule: “Direct Syscall Detection – Evasion Technique”
MITRE ATT&CK: T1106 – Native API
Alert Details:
Detection: Process using direct system calls (syscall) to bypass user-mode hooks
Host: DEV-WS-089 (Development Department)
User: alexchen (Alex Chen, Developer)
Time: 09:25 EST
Process Details:
– Process: update_helper.exe (PID: 4578)
– Path: C:\Users\alexchen\Downloads\update_helper.exe
– Parent: explorer.exe
API Behavior:
– Process invoked NtCreateThreadEx directly via syscall (skipping ntdll.dll hooks)
– Process invoked NtAllocateVirtualMemory directly via syscall (direct invocation, rather than through ntdll.dll, is unusual for legitimate software)
– Process attempted to open LSASS process handle (NtOpenProcess)
Syscall Events:
1. 09:25:12 – NtAllocateVirtualMemory (allocated 0x1000 bytes in remote process)
2. 09:25:15 – NtProtectVirtualMemory (changed memory to PAGE_EXECUTE_READWRITE)
3. 09:25:18 – NtCreateThreadEx (created thread in svchost.exe)
4. 09:25:20 – NtOpenProcess (target: lsass.exe – ACCESS_DENIED)
Detection Logic:
– Direct syscalls indicate attempt to bypass EDR user-mode hooks
– Pattern matches “Hell’s Gate” or “Halo’s Gate” syscall techniques
– Targeting LSASS suggests credential dumping attempt
Additional Context:
– File downloaded 5 minutes prior from suspicious URL
– No digital signature
– User reports downloading “tool for performance testing”
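The Detection Logic above rests on correlating four signals from one process: syscalls issued from outside ntdll.dll (so the EDR's user-mode hooks are never reached), a remote allocation, a change to PAGE_EXECUTE_READWRITE, a thread created in another process, and finally a handle request against lsass.exe. The following Python is an added example of that correlation, written for this write-up; it is not CrowdStrike's detection logic and not part of the original alert. The event schema (ts, pid, image, syscall, caller_module, target_image, protect) and the sample telemetry are assumptions, constructed to mirror the four syscall events listed in the alert plus one benign process that should not fire.

```python
"""Toy correlation of the direct-syscall / injection / LSASS-access pattern.

Added example, not CrowdStrike's logic. The event schema is an assumption:
each event is a dict with keys ts, pid, image, syscall, caller_module,
target_image, protect. Sample events are constructed to mirror the alert.
"""
from collections import defaultdict

RWX = "PAGE_EXECUTE_READWRITE"
CREDENTIAL_STORES = {"lsass.exe"}
INJECTION_CHAIN = ["NtAllocateVirtualMemory", "NtProtectVirtualMemory", "NtCreateThreadEx"]

# Constructed telemetry modelled on the alert's syscall event list (PID 4578),
# plus one benign process (PID 1200) that goes through ntdll.dll into itself.
SAMPLE_EVENTS = [
    {"ts": "09:25:12", "pid": 4578, "image": "update_helper.exe", "syscall": "NtAllocateVirtualMemory",
     "caller_module": "update_helper.exe", "target_image": "svchost.exe", "protect": None},
    {"ts": "09:25:15", "pid": 4578, "image": "update_helper.exe", "syscall": "NtProtectVirtualMemory",
     "caller_module": "update_helper.exe", "target_image": "svchost.exe", "protect": RWX},
    {"ts": "09:25:18", "pid": 4578, "image": "update_helper.exe", "syscall": "NtCreateThreadEx",
     "caller_module": "update_helper.exe", "target_image": "svchost.exe", "protect": None},
    {"ts": "09:25:20", "pid": 4578, "image": "update_helper.exe", "syscall": "NtOpenProcess",
     "caller_module": "update_helper.exe", "target_image": "lsass.exe", "protect": None},
    {"ts": "09:25:21", "pid": 1200, "image": "code.exe", "syscall": "NtAllocateVirtualMemory",
     "caller_module": "ntdll.dll", "target_image": "code.exe", "protect": None},
]


def _in_order(seq, pattern):
    """True if every element of pattern occurs in seq in that relative order."""
    it = iter(seq)
    return all(any(s == p for s in it) for p in pattern)


def _severity(findings):
    n = len(findings)
    return "HIGH" if n >= 3 else "MEDIUM" if n == 2 else "LOW"


def analyze(events):
    """Group events per PID; return {pid: {"image", "findings", "severity"}} for PIDs that fire."""
    per_pid = defaultdict(list)
    for e in events:
        per_pid[e["pid"]].append(e)

    results = {}
    for pid, evs in per_pid.items():
        evs.sort(key=lambda e: e["ts"])
        image = evs[0]["image"]
        findings = []

        # 1. Direct syscall: the syscall instruction ran outside ntdll.dll, so any
        #    user-mode hook placed in ntdll.dll was bypassed.
        direct = sorted({e["syscall"] for e in evs if e["caller_module"].lower() != "ntdll.dll"})
        if direct:
            findings.append(f"direct syscalls bypassing ntdll.dll hooks: {direct}")

        # 2. Remote injection chain: allocate in another process, mark it RWX,
        #    then start a thread there, in that order.
        remote = [e for e in evs if e["target_image"].lower() != image.lower()]
        if _in_order([e["syscall"] for e in remote], INJECTION_CHAIN) and any(e["protect"] == RWX for e in remote):
            targets = sorted({e["target_image"] for e in remote if e["syscall"] in INJECTION_CHAIN})
            findings.append(f"remote RWX injection chain into {targets}")

        # 3. Handle request against a credential store process.
        cred = sorted({e["target_image"] for e in evs
                       if e["syscall"] == "NtOpenProcess" and e["target_image"].lower() in CREDENTIAL_STORES})
        if cred:
            findings.append("NtOpenProcess against " + ", ".join(cred))

        if findings:
            results[pid] = {"image": image, "findings": findings, "severity": _severity(findings)}
    return results


if __name__ == "__main__":
    for pid, r in analyze(SAMPLE_EVENTS).items():
        print(pid, r["image"], r["severity"])
        for f in r["findings"]:
            print("  -", f)
```

Run as a script it reports only PID 4578 at HIGH with all three findings; the benign process never appears because its one allocation went through ntdll.dll into its own address space. The ordering check matters: the same three syscalls seen out of order (a thread created before anything was allocated) do not describe an injection, so they should not raise the chain finding.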
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify CrowdStrike detection | CrowdStrike Falcon Console | Confirmed direct syscall usage and LSASS access attempt
2. Process Analysis | Analyze update_helper.exe | CrowdStrike Falcon Sandbox | Malware using direct syscalls to dump credentials; packed with custom crypter
3. Memory Dump | Capture and analyze process memory | Velociraptor | Found injected shellcode and credential dumping routines
4. Network Check | Check for outbound connections | CrowdStrike, Firewall Logs | No successful C2 connections (blocked)
5. User Interview | Contact user | Teams, Phone | User downloaded “system optimizer” from forum; unaware it was malicious
6. Remediation | Remove malware, reimage host | CrowdStrike, SCCM | Malware removed; host reimaged
Jira Incident Report
Ticket: SOC-2024-071
Summary: T1106 – Direct Syscall Malware Attempting Credential Dumping
Status: RESOLVED
Resolution: MALICIOUS – Credential Dumping Attempt Blocked
Priority: P2 – MEDIUM
Labels: T1106, native-api, direct-syscall, credential-dumping, crowdstrike
Components: Endpoint-Security, Malware-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR (direct syscall detection).
Alert: “Direct Syscall Detection – Evasion Technique”.
Host: DEV-WS-089 (Development Department, user alexchen).
Time: 2024-02-14 09:30 EST.
Technique: MITRE ATT&CK T1106 – Native API.
2. Technical Analysis:
Malware Details:
File: update_helper.exe (downloaded from forum)
SHA256: a1b2c3d4e5f67890…
Type: Custom-packed credential dumper using direct syscalls
Evasion: Direct syscalls (NtCreateThreadEx, NtAllocateVirtualMemory) bypass EDR user-mode hooks
Behavior:
Injected shellcode into svchost.exe
Attempted to open LSASS process handle (ACCESS_DENIED due to PPL)
Attempted to dump credentials from memory (failed)
No C2 communication (firewall blocked)
Syscall Technique:
Used “Hell’s Gate” technique to locate syscall numbers dynamically
Executed syscalls directly from process memory (not ntdll.dll)
Evades EDR hooks placed in ntdll.dll
User Activity:
User downloaded “performance optimizer” from a developer forum
Believed it was legitimate; no malicious intent
3. Investigation Findings:
Timeline:
09:20 – File downloaded from forum
09:22 – User executes update_helper.exe
09:23 – Malware injects into svchost.exe
09:24 – Attempts to open LSASS (blocked)
09:25 – CrowdStrike detects direct syscalls
09:30 – Alert triggers
09:32 – Host isolated
Indicators of Compromise (IoCs):
File:
– update_helper.exe (SHA256: a1b2c3d4e5f6…)
Network:
– No C2 (attempts blocked)
Process:
– Direct syscalls (NtCreateThreadEx, NtAllocateVirtualMemory, NtProtectVirtualMemory, NtOpenProcess)
4. Containment Actions:
Immediate Actions:
Isolated host via CrowdStrike.
Terminated malicious processes.
Blocked any outbound connections (none existed).
Host Remediation:
Removed update_helper.exe and injected code.
Reimaged host as precaution.
User Education:
User counseled on downloading untrusted software.
Reminded of software policy.
5. Root Cause Analysis:
Primary Cause: User downloaded and executed untrusted software from forum.
Contributing Factors:
No application control blocking unapproved software.
User lacked awareness of malware risks.
LSASS Protected Process Light (PPL) prevented credential dump.
6. Business Impact:
Operational Impact: Developer workstation offline for 3 hours.
Data Exposure: None (LSASS access blocked).
7. Remediation & Prevention:
Completed Actions:
Malware removed.
Host reimaged.
User educated.
Technical Controls Enhanced:
Implemented application control (CrowdStrike Falcon Prevent) to block unapproved executables.
Enhanced PowerShell logging.
LSASS PPL already enabled (protected).
8. Conclusion:
A developer downloaded and executed malware that used direct syscalls to evade EDR hooks and attempt credential dumping. CrowdStrike detected the anomalous API usage, and LSASS PPL prevented credential access. No compromise occurred.
Closure Rationale: Malware removed; user educated; application control enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-14 11:00 EST