T1055.001 – Dynamic-link Library Injection (CrowdStrike Detection)

CrowdStrike Alert Details
Alert ID: CS-DLL-INJECT-1055-7842
Alert Time: 2024-03-06 14:15:33 EST
Severity: CRITICAL (96/100)
Source: CrowdStrike Falcon EDR
Rule: “DLL Injection Detected – LoadLibrary Remote Thread”
MITRE ATT&CK: T1055.001 – Process Injection: Dynamic-link Library Injection

Alert Details:

Detection: Process forcing target process to load malicious DLL

Source Host: ENG-WS-045 (Engineering Workstation)
User: alexchen@company.com (Alex Chen, Engineer)
Target Process: svchost.exe (PID: 568)
Time: 14:10 EST

API Call Sequence:

14:10:10 – OpenProcess (target: svchost.exe, access: PROCESS_ALL_ACCESS) – SUCCESS

14:10:12 – VirtualAllocEx (allocated memory in svchost.exe for DLL path) – SUCCESS

14:10:15 – WriteProcessMemory (wrote “C:\Windows\Temp\crypt.dll” to allocated memory) – SUCCESS

14:10:18 – GetProcAddress (got address of LoadLibraryA in kernel32.dll) – SUCCESS

14:10:20 – CreateRemoteThread (target: svchost.exe, start: LoadLibraryA, param: DLL path) – SUCCESS

14:10:22 – LoadLibraryA called in svchost.exe, loading C:\Windows\Temp\crypt.dll

14:10:25 – Malicious DLL loaded in svchost.exe

Source Process:

Process: C:\Users\alexchen\Downloads\installer.exe (PID: 4789)
SHA256: b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1
Parent: explorer.exe
User: alexchen

Malicious DLL:

Path: C:\Windows\Temp\crypt.dll
SHA256: c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2
Function: Exports legitimate crypt functions + backdoor

Detection Logic:

CreateRemoteThread with LoadLibraryA address (classic DLL injection)
Target svchost.exe (critical system process)
DLL from Temp folder (suspicious)
Pattern matches malware persistence via DLL injection
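The detection logic above, as an added worked example (not CrowdStrike's rule code): it correlates per-(source, target) process-access telemetry into the OpenProcess → VirtualAllocEx → WriteProcessMemory → CreateRemoteThread chain, then raises the score when the thread start is LoadLibrary, the target is a system process, and the written DLL path sits in a Temp folder. The event records, the system-process list, the Temp-path pattern and the score weights are constructed assumptions modelled on the alert.

```python
import re
from collections import defaultdict

# Ordered API chain from the alert; each stage must follow the previous one for the same pair.
INJECT_CHAIN = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]
SYSTEM_PROCESSES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}  # assumption
TEMP_PATH_RE = re.compile(r"\\(temp|tmp|appdata\\local\\temp)\\", re.IGNORECASE)  # assumption

# Constructed telemetry modelled on the API call sequence in the alert (not real EDR output).
EVENTS = [
    {"ts": "14:10:10", "api": "OpenProcess", "src": 4789, "dst": 568, "image": "svchost.exe", "arg": "PROCESS_ALL_ACCESS"},
    {"ts": "14:10:12", "api": "VirtualAllocEx", "src": 4789, "dst": 568, "image": "svchost.exe", "arg": "PAGE_READWRITE"},
    {"ts": "14:10:15", "api": "WriteProcessMemory", "src": 4789, "dst": 568, "image": "svchost.exe", "arg": r"C:\Windows\Temp\crypt.dll"},
    {"ts": "14:10:20", "api": "CreateRemoteThread", "src": 4789, "dst": 568, "image": "svchost.exe", "arg": "LoadLibraryA"},
    # Benign noise: a tool reading memory of a user process, no remote thread created.
    {"ts": "14:11:00", "api": "OpenProcess", "src": 9001, "dst": 9002, "image": "notepad.exe", "arg": "PROCESS_VM_READ"},
    {"ts": "14:11:01", "api": "ReadProcessMemory", "src": 9001, "dst": 9002, "image": "notepad.exe", "arg": ""},
]


def detect_loadlibrary_injection(events):
    """Return one finding per (src, dst) pair that completes the chain with a LoadLibrary start address."""
    by_pair = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):  # enforce time order before matching stages
        by_pair[(ev["src"], ev["dst"])].append(ev)
    findings = []
    for (src, dst), seq in by_pair.items():
        stage, written_path, start = 0, None, None
        for ev in seq:
            if stage < len(INJECT_CHAIN) and ev["api"] == INJECT_CHAIN[stage]:
                if ev["api"] == "WriteProcessMemory":
                    written_path = ev["arg"]  # payload written into the target: here a DLL path
                if ev["api"] == "CreateRemoteThread":
                    start = ev["arg"]  # thread start routine
                stage += 1
        if stage < len(INJECT_CHAIN) or not start.startswith("LoadLibrary"):
            continue  # chain incomplete, out of order, or not the LoadLibrary variant
        image = seq[-1]["image"].lower()
        reasons, score = ["remote_thread_loadlibrary"], 60
        if image in SYSTEM_PROCESSES:
            reasons.append("system_process_target"); score += 20
        if written_path and TEMP_PATH_RE.search(written_path):
            reasons.append("dll_from_temp"); score += 16
        findings.append({"src": src, "dst": dst, "image": image, "dll": written_path, "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_loadlibrary_injection(EVENTS):
        print(f"PID {f['src']} -> {f['image']} (PID {f['dst']}): score {f['score']} {f['reasons']}")
```

Only a completed, correctly ordered chain fires; the same four calls with the write after the thread creation, or a read-only access with no remote thread, produce no finding.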

SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed DLL injection into svchost.exe |
| 2. DLL Analysis | Analyze crypt.dll | CrowdStrike Sandbox | Backdoor with C2 capabilities |
| 3. Process Investigation | Terminate malicious thread | CrowdStrike | Remote thread killed; DLL unloaded |
| 4. File Removal | Delete malicious DLL | CrowdStrike Live Response | crypt.dll deleted |
| 5. Host Isolation | Isolate ENG-WS-045 | CrowdStrike | Host quarantined |
| 6. Account Remediation | Disable alexchen account | Azure AD, AD | Account disabled; password reset |

Jira Incident Report
Ticket: SOC-2024-177
Summary: T1055.001 – DLL Injection into svchost.exe
Status: RESOLVED
Resolution: MALICIOUS – DLL Removed
Priority: P1 – CRITICAL
Labels: T1055, dll-injection, loadlibrary, svchost, crowdstrike
Components: Endpoint-Security, Malware-Response

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: CrowdStrike Falcon EDR.
Alert: “DLL Injection Detected – LoadLibrary Remote Thread”.
Source Process: C:\Users\alexchen\Downloads\installer.exe.
Target Process: svchost.exe (PID: 568).
DLL: C:\Windows\Temp\crypt.dll.
Time: 2024-03-06 14:15 EST.
Technique: MITRE ATT&CK T1055.001 – Process Injection: Dynamic-link Library Injection.

2. Technical Analysis:

Attack Chain:

13:30 – User downloads “software installer” from torrent site
13:45 – Executes installer.exe
13:50 – Installer drops crypt.dll to Temp folder
14:00 – Installer enumerates processes, targets svchost.exe
14:10 – DLL injection via CreateRemoteThread + LoadLibraryA
14:10 – Malicious DLL loads in svchost.exe
14:15 – CrowdStrike detects

Injection Details:

Method: Classic DLL injection using LoadLibraryA
Target: svchost.exe (runs as SYSTEM)
DLL Path: C:\Windows\Temp\crypt.dll
Result: Malicious code running in SYSTEM context

Malicious DLL Analysis:

File: crypt.dll (SHA256: c3d4e5f6…)
Exports: Legitimate crypt functions (to avoid errors)
Backdoor: Hidden thread connects to 185.143.221[.]89:443
Capabilities: Reverse shell, keylogging, file access

Impact:

Attacker gained SYSTEM access via svchost.exe
C2 connection established (blocked)

3. Investigation Findings:

Timeline:

13:30 – Installer downloaded
13:45 – Executed
13:50 – DLL dropped
14:00 – Process enumeration
14:10 – Injection
14:15 – Alert
14:17 – SOC investigates
14:18 – Thread terminated
14:19 – DLL deleted

Indicators of Compromise (IoCs):

Files:

– C:\Users\alexchen\Downloads\installer.exe (SHA256: b2c3d4e5…)

– C:\Windows\Temp\crypt.dll (SHA256: c3d4e5f6…)

API Calls:

– OpenProcess (svchost.exe)

– VirtualAllocEx

– WriteProcessMemory

– GetProcAddress (LoadLibraryA)

– CreateRemoteThread

Network:

– C2: 185.143.221[.]89:443

4. Containment Actions:

Immediate Actions:

Terminated remote thread in svchost.exe.
Unloaded malicious DLL from svchost.exe.
Deleted crypt.dll and installer.exe.
Isolated host.
Disabled alexchen account.
Reset password.

Host Remediation:

Full scan (clean).
Reimaged as precaution.

5. Root Cause Analysis:

Primary Cause: User downloaded and executed untrusted software.
Contributing Factors:
No application control.
User had local admin rights.

6. Business Impact:

Operational Impact: Engineering workstation offline for 2 hours.
Data Exposure: None (C2 blocked).

7. Remediation & Prevention:

Completed Actions:

DLL removed.
Injection stopped.
Account secured.

Technical Controls Enhanced:

Enabled application control.
Enhanced monitoring for LoadLibrary remote threads.
Blocked unsigned DLLs from loading in system processes.

8. Conclusion:

An attacker used DLL injection to load a malicious backdoor into svchost.exe, gaining SYSTEM access. CrowdStrike detected the injection and enabled rapid removal before significant damage.

Closure Rationale: DLL removed; injection stopped; account secured.

Analyst: [Your Name], SOC Analyst
Date: 2024-03-06 15:30 EST