T1055.004 – Asynchronous Procedure Call Injection (CrowdStrike Detection)

CrowdStrike Alert Details
Alert ID: CS-APC-INJECT-1055-7842
Alert Time: 2024-03-06 10:30:22 EST
Severity: CRITICAL (95/100)
Source: CrowdStrike Falcon EDR
Rule: “APC Injection Detected – QueueUserAPC to Alertable Thread”
MITRE ATT&CK: T1055.004 – Process Injection: Asynchronous Procedure Call

Alert Details:

Detection: APC (Asynchronous Procedure Call) queued to thread in another process

Source Host: DEV-WS-089 (Development Workstation)
User: rpatel@company.com (Raj Patel, Engineer)
Target Process: svchost.exe (PID: 1245)
Target Thread: TID 2345 (alertable state)
Time: 10:25 EST

API Call Sequence:

10:25:10 – OpenThread (target: svchost.exe thread 2345) – SUCCESS

10:25:12 – QueueUserAPC (target thread, APC routine at shellcode address) – SUCCESS

10:25:15 – Thread enters alertable state (WaitForSingleObjectEx), APC executes

Source Process:

Process: C:\Windows\Temp\msupdate.exe (PID: 4789)
SHA256: f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5
Parent: explorer.exe
User: rpatel

APC Routine:

Address: 0x7f1a2b3c (in memory allocated by source process)
Code: Shellcode (512 bytes) downloaded from C2

Detection Logic:

APC queued to thread in another process (unusual)
Target thread in alertable state (required for APC execution)
APC routine address in memory allocated by suspicious process
Pattern matches APC injection technique
SOC Investigation Process
Step | Action | Tools Used | Findings
---- | ------ | ---------- | --------
1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed APC injection
2. Memory Analysis | Extract APC shellcode | CrowdStrike Falcon Memory | Reverse shell payload
3. Process Investigation | Terminate malicious process | CrowdStrike | msupdate.exe killed
4. APC Removal | Clear APC queue | CrowdStrike | APC removed from target thread
5. Host Isolation | Isolate DEV-WS-089 | CrowdStrike | Host quarantined
6. Account Remediation | Disable rpatel account | Azure AD, AD | Account disabled; password reset

Jira Incident Report
Ticket: SOC-2024-180
Summary: T1055.004 – APC Injection into svchost.exe Thread
Status: RESOLVED
Resolution: MALICIOUS – APC Removed
Priority: P1 – CRITICAL
Labels: T1055, apc-injection, queueuserapc, crowdstrike
Components: Endpoint-Security, Malware-Response

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: CrowdStrike Falcon EDR.
Alert: “APC Injection Detected – QueueUserAPC to Alertable Thread”.
Source Process: C:\Windows\Temp\msupdate.exe.
Target Process: svchost.exe (PID: 1245), Thread 2345.
Time: 2024-03-06 10:30 EST.
Technique: MITRE ATT&CK T1055.004 – Process Injection: Asynchronous Procedure Call.

2. Technical Analysis:

Attack Chain:

10:00 – User downloads fake update from pop-up
10:05 – msupdate.exe executed
10:10 – Malware enumerates threads in alertable state
10:15 – Finds svchost.exe thread waiting (alertable)
10:20 – Allocates memory in svchost.exe, writes shellcode
10:25 – Queues APC to target thread
10:25 – APC executes when thread enters alertable state
10:25 – CrowdStrike detects

APC Injection Technique:

Requirement: Target thread must be in alertable state (waiting on WaitForSingleObjectEx, SleepEx, etc.)
Method: QueueUserAPC adds APC to thread’s queue
Execution: When thread enters alertable state, it executes queued APCs
Advantage (to the attacker): No new thread is created, so the injection is harder to detect than CreateRemoteThread-style techniques
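As an added example covering the Detection Logic section and the technique description above (this is not CrowdStrike's rule or code from the report), the routine below correlates constructed API telemetry: each cross-process QueueUserAPC is linked to any region the same source process earlier allocated in the target with VirtualAllocEx, and the result is scored by whether the routine lies in that region and whether the thread was alertable. The event schema and field names are assumptions, as are the allocation base and size (the alert gives only the routine address).

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ApiEvent:
    ts: str                            # HH:MM:SS, used only for ordering
    pid: int                           # calling (source) process
    api: str                           # Win32 API name from telemetry
    target_pid: Optional[int] = None
    target_tid: Optional[int] = None
    base: Optional[int] = None         # VirtualAllocEx base / WriteProcessMemory address
    size: Optional[int] = None         # region or write size in bytes
    apc_routine: Optional[int] = None  # QueueUserAPC: routine address
    alertable: Optional[bool] = None   # target thread in an alertable wait

def detect_apc_injection(events):
    """One alert per QueueUserAPC into a different process. Confidence: 'high'
    if the routine lies in memory the same source allocated in the target AND
    the thread is alertable; 'medium' if only one holds; 'low' for a bare APC."""
    remote_allocs = {}  # (source pid, target pid) -> [(base, size), ...]
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.target_pid is None or ev.target_pid == ev.pid:
            continue  # same-process APCs are routine (I/O completion etc.)
        key = (ev.pid, ev.target_pid)
        if ev.api == "VirtualAllocEx":
            remote_allocs.setdefault(key, []).append((ev.base, ev.size))
        elif ev.api == "QueueUserAPC":
            in_remote = any(b <= ev.apc_routine < b + s
                            for b, s in remote_allocs.get(key, []))
            score = int(in_remote) + int(bool(ev.alertable))
            alerts.append({
                "time": ev.ts, "source_pid": ev.pid, "target_pid": ev.target_pid,
                "target_tid": ev.target_tid, "routine": hex(ev.apc_routine),
                "routine_in_remote_alloc": in_remote,
                "confidence": ("low", "medium", "high")[score],
            })
    return alerts

# Constructed telemetry mirroring the alert's PIDs, TID and routine address;
# the allocation base and size are assumed values, not from the report.
SAMPLE_EVENTS = [
    ApiEvent("10:20:00", 4789, "VirtualAllocEx", target_pid=1245, base=0x7f1a2000, size=0x1000),
    ApiEvent("10:20:05", 4789, "WriteProcessMemory", target_pid=1245, base=0x7f1a2b3c, size=512),
    ApiEvent("10:25:10", 4789, "OpenThread", target_pid=1245, target_tid=2345),
    ApiEvent("10:25:12", 4789, "QueueUserAPC", target_pid=1245, target_tid=2345,
             apc_routine=0x7f1a2b3c, alertable=True),
    ApiEvent("10:26:00", 3001, "QueueUserAPC", target_pid=3001, target_tid=3002,
             apc_routine=0x140001000),  # benign: thread in its own process
]
```

Run against SAMPLE_EVENTS it yields a single high-confidence alert for PID 4789 → PID 1245 / TID 2345 and ignores the same-process APC.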

Shellcode Analysis:

Size: 512 bytes
Function: Reverse shell to 185.143.221[.]89:443
Persistence: Creates WMI event subscription

Impact:

Shellcode executed in svchost.exe (SYSTEM context)
C2 connection attempted (blocked)
Persistence established (WMI)

3. Investigation Findings:

Timeline:

10:00 – Fake update downloaded
10:05 – Malware executed
10:10-10:15 – Thread enumeration
10:20 – Memory allocation
10:25 – APC queued
10:25 – Alert
10:27 – SOC investigates
10:28 – Malicious process terminated
10:29 – APC removed from queue
10:30 – WMI subscription deleted

Indicators of Compromise (IoCs):

Files:

– C:\Windows\Temp\msupdate.exe (SHA256: f6a7b8c9…)

API Calls:

– OpenThread

– QueueUserAPC

– VirtualAllocEx

– WriteProcessMemory

WMI:

– Root\Subscription:__EventFilter (deleted)

Network:

– C2: 185.143.221[.]89:443

4. Containment Actions:

Immediate Actions:

Terminated msupdate.exe.
Removed APC from target thread queue.
Deleted WMI event subscription.
Deleted shellcode from svchost.exe memory.
Isolated host.
Disabled rpatel account.
Reset password.

Host Remediation:

Full scan (clean).
Reimaged as precaution.

5. Root Cause Analysis:

Primary Cause: User downloaded and executed fake update.
Contributing Factors:
No application control.
User had local admin rights.
WMI allowed (no restrictions).

6. Business Impact:

Operational Impact: Development workstation offline for 2 hours.
Data Exposure: None (C2 blocked).

7. Remediation & Prevention:

Completed Actions:

APC removed.
Malware terminated.
WMI subscription deleted.
Account secured.

Technical Controls Enhanced:

Blocked unsigned executables.
Enhanced monitoring for QueueUserAPC.
Restricted WMI event subscriptions.

8. Conclusion:

An attacker used APC injection to execute shellcode in a svchost.exe thread, a sophisticated evasion technique that doesn’t create new threads. CrowdStrike detected the APC queuing and enabled rapid removal before C2 communication could complete.

Closure Rationale: APC removed; malware terminated; account secured.

Analyst: [Your Name], SOC Analyst
Date: 2024-03-06 11:30 EST

End of Batch 28
