CrowdStrike Alert Details
Alert ID: CS-LSASS-DUMP-1003-7842
Alert Time: 2024-02-20 10:30:45 EST
Severity: CRITICAL (98/100)
Source: CrowdStrike Falcon EDR
Rule: “LSASS Process Access – Potential Credential Dumping”
MITRE ATT&CK: T1003.001 – OS Credential Dumping: LSASS Memory
Alert Details:
Detection: Suspicious process attempting to access LSASS memory
Host: IT-WS-034 (IT Department)
User: msmith (Mike Smith – IT Admin)
Time: 10:25 EST
Process Details:
Process: C:\Temp\mimikatz.exe (PID: 4789)
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Parent Process: cmd.exe (PID: 2341)
User: msmith (admin privileges)
API Calls:
OpenProcess (target: lsass.exe, PID: 568) – SUCCESS
MiniDumpWriteDump (attempt to write memory dump) – DETECTED
CreateFile (C:\Temp\lsass.dmp) – SUCCESS
WriteFile (writing dump file) – DETECTED and BLOCKED
Detection Logic:
Mimikatz.exe detected by hash (known credential dumping tool)
LSASS process access is highly anomalous for non-system processes
Memory dump creation is definitive credential dumping behavior
Process blocked before dump completion
Additional Context:
User msmith is IT admin with legitimate privileges
User reported suspicious email earlier
Account may be compromised
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed mimikatz execution and LSASS access
2. Process Termination | Kill mimikatz process | CrowdStrike | Process terminated
3. File Deletion | Delete mimikatz.exe and lsass.dmp | CrowdStrike Live Response | Files deleted
4. User Verification | Contact msmith | Teams, Phone | User did not run mimikatz; account compromised
5. Account Remediation | Disable account, reset password | Azure AD, AD | Account disabled; password reset
6. Investigation | Determine compromise source | CrowdStrike, Phishing Logs | User clicked phishing link earlier
Jira Incident Report
Ticket: SOC-2024-105
Summary: T1003 – Credential Dumping Attempt via Mimikatz on Admin Workstation
Status: RESOLVED
Resolution: MALICIOUS – Dumping Blocked
Priority: P1 – CRITICAL
Labels: T1003, credential-dumping, lsass, mimikatz, crowdstrike, compromised-admin
Components: Endpoint-Security, Identity-Management
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “LSASS Process Access – Potential Credential Dumping”.
Host: IT-WS-034 (IT Department, user msmith).
Process: C:\Temp\mimikatz.exe.
Time: 2024-02-20 10:30 EST.
Technique: MITRE ATT&CK T1003.001 – OS Credential Dumping: LSASS Memory.
2. Technical Analysis:
Attack Chain:
09:30 – User receives phishing email “IT Security Alert”
09:31 – User clicks link, enters credentials on fake login page
09:32 – Attacker logs in from IP 45.134.225[.]78
09:35 – Attacker RDPs to IT-WS-034 using msmith credentials
09:40 – Attacker downloads mimikatz to C:\Temp\
09:45 – Attacker executes mimikatz
09:46 – Mimikatz attempts to open LSASS process (success)
09:46 – Mimikatz attempts to dump LSASS memory to file
09:46 – CrowdStrike detects and blocks
09:47 – Process terminated
Mimikatz Commands Executed:
privilege::debug (enable SeDebugPrivilege)
sekurlsa::logonpasswords (dump credentials)
Dump file partially written before block
Data Exfiltrated:
Partial LSASS dump (approximately 10% written)
No credentials fully extracted before block
No network exfiltration of dump file
Account Status:
msmith had Domain Admin privileges
No MFA on account (now enforced)
3. Investigation Findings:
Timeline:
09:30 – Phishing email opened
09:31 – Credentials compromised
09:35-09:40 – Attacker RDP access
09:45 – Mimikatz executed
09:46 – LSASS access detected
09:47 – Process terminated
09:50 – Account disabled
Indicators of Compromise (IoCs):
Files:
– C:\Temp\mimikatz.exe (SHA256: a1b2c3d4…)
– C:\Temp\lsass.dmp (partial)
Network:
– Attacker IP: 45.134.225[.]78
Account:
– msmith (compromised)
4. Containment Actions:
Immediate Actions:
Terminated mimikatz process.
Deleted mimikatz.exe and lsass.dmp.
Disabled msmith account.
Blocked attacker IP at firewall.
Terminated all active sessions.
Account Remediation:
Reset msmith password.
Enforced MFA.
Removed from Domain Admins (privilege level was excessive for the role).
Host Remediation:
Full scan (no other malware).
Verified no persistence installed.
No reimage needed.
5. Root Cause Analysis:
Primary Cause: Admin account compromised via phishing.
Contributing Factors:
No MFA on admin account.
User had excessive privileges (Domain Admin).
RDP allowed from internet.
6. Business Impact:
Operational Impact: IT admin offline for 2 hours.
Security Impact: Partial LSASS dump, but no credentials fully extracted.
Data Exposure: None confirmed.
7. Remediation & Prevention:
Completed Actions:
Credential dumping blocked.
Malicious tools removed.
Account secured.
Attacker blocked.
Technical Controls Enhanced:
Enforced MFA for all admin accounts.
Moved RDP behind VPN only.
Implemented Credential Guard and LSA Protection.
Created alert for any LSASS access attempts.
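The detection logic described in the alert (known-tool hash, LSASS access from a non-system process, dump file creation) and the LSASS-access alert listed under Technical Controls, rendered as a small scoring detector in Python. This is an added example, not CrowdStrike Falcon's detection logic and not part of the report; the event field names are modelled on Sysmon Event ID 10 (ProcessAccess) and Event ID 11 (FileCreate), and the allowlist, score weights, correlation window and blocklist hash are assumptions or constructed placeholders.

```python
"""Toy LSASS-access detector: scores Sysmon-style ProcessAccess (ID 10) events and
correlates them with FileCreate (ID 11) events. Added example, not CrowdStrike's logic."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Win32 process access rights relevant to reading another process's memory.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
MEMORY_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE

# Assumption: full paths of processes expected to open LSASS on a managed host.
# Matching on the full lowercase path means a copy in C:\Temp named svchost.exe does not pass.
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}
# Constructed placeholder hash standing in for a known dumping-tool binary (not a real IoC).
TOOL_HASH_BLOCKLIST = {"deadbeef" * 8: "credential-dumping-tool"}
# A dump file created by the same PID this soon after opening LSASS is treated as its output.
DUMP_WINDOW = timedelta(seconds=60)


@dataclass
class Finding:
    pid: int
    image: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)
    accessed_at: Optional[datetime] = None

    def add(self, points: int, reason: str) -> None:
        """Add a weighted reason once, even if the PID produced several access events."""
        if reason not in self.reasons:
            self.score += points
            self.reasons.append(reason)

    @property
    def verdict(self) -> str:
        if self.score >= 70:
            return "BLOCK"
        return "ALERT" if self.score >= 30 else "INFO"


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def detect(events: List[dict]) -> List[Finding]:
    """Return findings for processes that opened LSASS, highest score first."""
    findings = {}
    for ev in events:
        if ev["event_id"] != 10 or not ev["target_image"].lower().endswith("\\lsass.exe"):
            continue
        f = findings.setdefault(ev["source_pid"], Finding(ev["source_pid"], ev["source_image"]))
        if f.accessed_at is None:
            f.accessed_at = _ts(ev["utc_time"])
        if ev.get("hash", "").lower() in TOOL_HASH_BLOCKLIST:
            f.add(50, "source image hash matches a known credential-dumping tool")
        if ev["source_image"].lower() not in LSASS_ACCESS_ALLOWLIST:
            f.add(30, "non-allowlisted process opened LSASS")
        if int(ev["granted_access"], 16) & MEMORY_RIGHTS:
            f.add(20, "granted access includes memory read/write rights")
    # Second pass: a .dmp written by the same PID shortly after the access is strong corroboration.
    for ev in events:
        if ev["event_id"] != 11 or not ev["target_filename"].lower().endswith(".dmp"):
            continue
        f = findings.get(ev["pid"])
        if f and f.accessed_at and timedelta(0) <= _ts(ev["utc_time"]) - f.accessed_at <= DUMP_WINDOW:
            f.add(30, "wrote a .dmp file within %ds of opening LSASS" % DUMP_WINDOW.seconds)
    return sorted((f for f in findings.values() if f.score > 0), key=lambda f: -f.score)


# Constructed sample telemetry modelled on the incident (times in UTC; not real log data).
SAMPLE_EVENTS = [
    {"event_id": 10, "utc_time": "2024-02-20 14:46:01", "source_pid": 4789,
     "source_image": r"C:\Temp\mimikatz.exe", "hash": "deadbeef" * 8,
     "target_image": r"C:\Windows\system32\lsass.exe", "granted_access": "0x1010"},
    {"event_id": 11, "utc_time": "2024-02-20 14:46:02", "pid": 4789,
     "image": r"C:\Temp\mimikatz.exe", "target_filename": r"C:\Temp\lsass.dmp"},
    # Renamed tool: unknown hash, but the path is not allowlisted and it asks for VM_READ.
    {"event_id": 10, "utc_time": "2024-02-20 14:47:10", "source_pid": 5120,
     "source_image": r"C:\Temp\svchost.exe", "hash": "11" * 32,
     "target_image": r"C:\Windows\system32\lsass.exe", "granted_access": "0x1010"},
    # Legitimate system process with query-only rights (0x1000): produces no finding.
    {"event_id": 10, "utc_time": "2024-02-20 14:47:30", "source_pid": 812,
     "source_image": r"C:\Windows\system32\svchost.exe", "hash": "00" * 32,
     "target_image": r"C:\Windows\system32\lsass.exe", "granted_access": "0x1000"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.verdict:5} pid={f.pid} score={f.score} {f.image}: {'; '.join(f.reasons)}")
```

The hash match alone is enough to block the known binary, which is the path the alert took; the allowlist-plus-access-mask signals are what catch a renamed or recompiled copy whose hash is unknown, and the dump-file correlation turns a noisy "something opened LSASS" signal into a high-confidence one. Allowlist entries and weights are the parts that need tuning against a host's baseline of legitimate LSASS accessors (AV engines, backup agents) before the rule is promoted to a blocking action.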
8. Conclusion:
An attacker compromised an IT admin via phishing and attempted to dump credentials using Mimikatz. CrowdStrike detected the LSASS access and blocked the dump before completion. The account was secured, and no credentials were exfiltrated.
Closure Rationale: Credential dumping blocked; account secured; attacker blocked.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-20 11:30 EST