CrowdStrike Alert Details
Alert ID: CS-SYSINFO-1082-7842
Alert Time: 2024-02-25 09:30:15 EST
Severity: MEDIUM (72/100)
Source: CrowdStrike Falcon EDR
Rule: “System Information Discovery – Reconnaissance Commands”
MITRE ATT&CK: T1082 – System Information Discovery
Alert Details:
Detection: Multiple system information gathering commands executed from a single process
Host: SALES-WS-045 (Sales Department)
User: mwilson@company.com (Mike Wilson, Sales Rep)
Time: 09:25 EST
Process Tree:
explorer.exe (PID: 2341)
  cmd.exe (PID: 4789)
    systeminfo.exe (PID: 4792) – Command: systeminfo
    hostname.exe (PID: 4795) – Command: hostname
    whoami.exe (PID: 4798) – Command: whoami /all
    ipconfig.exe (PID: 4801) – Command: ipconfig /all
    netstat.exe (PID: 4804) – Command: netstat -ano
    tasklist.exe (PID: 4807) – Command: tasklist /v
    wmic.exe (PID: 4810) – Command: wmic os get Caption,Version,CSName
    wmic.exe (PID: 4813) – Command: wmic cpu get Name,NumberOfCores
    wmic.exe (PID: 4816) – Command: wmic memorychip get Capacity
    wmic.exe (PID: 4819) – Command: wmic logicaldisk get DeviceID,Size,FreeSpace
    reg.exe (PID: 4822) – Command: reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    powershell.exe (PID: 4825) – Command: Get-WmiObject Win32_Product | Select Name,Version
Output Files Created:
C:\Users\mwilson\AppData\Local\Temp\sysinfo.txt (27 KB)
C:\Users\mwilson\AppData\Local\Temp\processes.txt (12 KB)
C:\Users\mwilson\AppData\Local\Temp\network.txt (8 KB)
Detection Logic:
14 system discovery commands executed in 2 minutes (highly unusual)
Command output saved to files (data aggregation)
User mwilson has no history of running these commands
Pattern matches adversary initial reconnaissance
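The detection logic above (many discovery commands spawned by one parent process inside a two-minute window) as an added example, not CrowdStrike's rule or code from this report: the event lines are constructed from the alert's process tree, and the line format, field names and the threshold of 5 are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Images the alert's process tree lists as discovery tooling (T1082).
DISCOVERY_IMAGES = {"systeminfo.exe", "hostname.exe", "whoami.exe", "ipconfig.exe",
                    "netstat.exe", "tasklist.exe", "wmic.exe", "reg.exe", "powershell.exe"}
THRESHOLD = 5                  # discovery children per parent; assumed tuning value
WINDOW = timedelta(minutes=2)  # matches the "in 2 minutes" detection logic
# Constructed process-creation events modelled on the alert's process tree
# (PIDs from the alert; timestamps and the line format are assumptions).
SAMPLE_EVENTS = [
    "2024-02-25T09:22:05 ppid=4789 pid=4792 image=systeminfo.exe cmd=systeminfo",
    "2024-02-25T09:22:09 ppid=4789 pid=4795 image=hostname.exe cmd=hostname",
    "2024-02-25T09:22:10 ppid=4789 pid=4798 image=whoami.exe cmd=whoami /all",
    "2024-02-25T09:22:12 ppid=4789 pid=4801 image=ipconfig.exe cmd=ipconfig /all",
    "2024-02-25T09:22:15 ppid=4789 pid=4804 image=netstat.exe cmd=netstat -ano",
    "2024-02-25T09:23:30 ppid=4789 pid=4810 image=wmic.exe cmd=wmic os get Caption,Version,CSName",
    "2024-02-25T09:40:00 ppid=5100 pid=5101 image=ipconfig.exe cmd=ipconfig /all",
    "2024-02-25T09:41:00 ppid=5100 pid=5102 image=hostname.exe cmd=hostname",
]

def parse_event(line):
    # Format: "<ISO time> ppid=<n> pid=<n> image=<exe> cmd=<command line>"
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split(" ", 3))
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def detect(lines, threshold=THRESHOLD, window=WINDOW):
    # Report the largest burst per parent that reaches `threshold` inside a sliding `window`.
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    by_parent = defaultdict(list)
    for e in events:
        if e["image"].lower() in DISCOVERY_IMAGES:
            by_parent[e["ppid"]].append(e)
    alerts = []
    for ppid, evs in by_parent.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # drop events that fell out of the window
            n = end - start + 1
            if n >= threshold and (best is None or n > best["count"]):
                best = {"ppid": ppid, "count": n,
                        "first": evs[start]["ts"], "last": evs[end]["ts"],
                        "commands": [x["cmd"] for x in evs[start:end + 1]]}
        if best:
            alerts.append(best)
    return alerts
```

The second parent (5100) runs only two discovery commands and stays below the threshold, which is the kind of help-desk activity a rule like this must not fire on.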
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed system discovery commands
2. Process Investigation | Identify source of commands | CrowdStrike | Commands run from suspicious script in Downloads
3. Script Analysis | Analyze discovery.bat | Manual review | Script collects system info for “inventory” – unauthorized
4. User Interview | Contact mwilson | Teams, Phone | User downloaded “system info tool” from internet
5. Immediate Action | Delete script and output files | CrowdStrike Live Response | Files removed
6. User Remediation | User counseling | Manager, HR | Policy violation documented
Jira Incident Report
Ticket: SOC-2024-126
Summary: T1082 – System Information Discovery Script Executed
Status: RESOLVED
Resolution: POLICY VIOLATION – Unauthorized Reconnaissance
Priority: P3 – LOW
Labels: T1082, system-discovery, reconnaissance, crowdstrike, policy-violation
Components: Endpoint-Security, User-Behavior
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “System Information Discovery – Reconnaissance Commands”.
Host: SALES-WS-045 (Sales Department, user mwilson).
Time: 2024-02-25 09:30 EST.
Technique: MITRE ATT&CK T1082 – System Information Discovery.
2. Technical Analysis:
Reconnaissance Details:
Script: C:\Users\mwilson\Downloads\discovery.bat
Contents:
@echo off
echo === System Information === > %temp%\sysinfo.txt
systeminfo >> %temp%\sysinfo.txt
hostname >> %temp%\sysinfo.txt
whoami /all >> %temp%\sysinfo.txt
ipconfig /all >> %temp%\sysinfo.txt
netstat -ano >> %temp%\network.txt
tasklist /v >> %temp%\processes.txt
wmic os get Caption,Version,CSName >> %temp%\sysinfo.txt
wmic cpu get Name,NumberOfCores >> %temp%\sysinfo.txt
wmic memorychip get Capacity >> %temp%\sysinfo.txt
wmic logicaldisk get DeviceID,Size,FreeSpace >> %temp%\sysinfo.txt
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall >> %temp%\software.txt
powershell -Command "Get-WmiObject Win32_Product | Select Name,Version" >> %temp%\software.txt
Purpose: Collect comprehensive system information (OS, hardware, software, network, processes)
Information Collected:
OS version, install date, last boot
Hostname, domain membership
User details (whoami /all)
IP configuration, DNS servers, MAC addresses
Active network connections (netstat)
Running processes (tasklist)
CPU, RAM, disk details
Installed software list (including versions)
User Intent:
User claimed “needed system specs for software purchase”
No malicious intent identified
Unauthorized use of reconnaissance script
Data not exfiltrated
Policy Violation:
Running unauthorized scripts
Collecting system information without approval
Potential misuse of discovery tools
3. Investigation Findings:
Timeline:
09:20 – Script downloaded
09:22-09:24 – Script executed
09:25 – CrowdStrike alerts
09:27 – SOC investigates
09:30 – Script and output files deleted
Indicators of Compromise (IoCs):
Files:
– C:\Users\mwilson\Downloads\discovery.bat
– C:\Users\mwilson\AppData\Local\Temp\sysinfo.txt
– C:\Users\mwilson\AppData\Local\Temp\network.txt
– C:\Users\mwilson\AppData\Local\Temp\processes.txt
– C:\Users\mwilson\AppData\Local\Temp\software.txt
Commands:
– systeminfo, hostname, whoami, ipconfig, netstat, tasklist, wmic, reg, powershell
4. Containment Actions:
Immediate Actions:
Deleted discovery.bat and all output files.
No isolation needed (non-malicious).
User counseled on policy.
Data Protection:
Information collected remained local; not exfiltrated.
No sensitive data accessed beyond what user already had.
5. Root Cause Analysis:
Primary Cause: User downloaded and executed unauthorized reconnaissance script.
Contributing Factors:
No application control blocking scripts.
User unaware of policy against system discovery.
6. Business Impact:
Operational Impact: None.
Security Impact: System information collected but not shared.
7. Remediation & Prevention:
Completed Actions:
Script removed.
User educated.
Policy reinforced.
Technical Controls Enhanced:
Created alert for multiple system discovery commands.
Enhanced application control policies.
8. Conclusion:
A sales user executed a script that collected extensive system information. CrowdStrike detected the reconnaissance pattern and enabled removal of the script. No data was exfiltrated, and the activity was a policy violation, not malicious.
Closure Rationale: Script removed; user educated; policy violation documented.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-25 10:30 EST