CrowdStrike Alert Details
Alert ID: CS-PROCESS-HOLLOW-1055-7842
Alert Time: 2024-03-07 09:30:15 EST
Severity: CRITICAL (98/100)
Source: CrowdStrike Falcon EDR
Rule: “Process Hollowing Detected – Code Injection into Suspended Process”
MITRE ATT&CK: T1055.012 – Process Injection: Process Hollowing
Alert Details:
Detection: Legitimate process created in suspended state, memory unmapped, and replaced with malicious code
Source Host: FIN-WS-078 (Finance Workstation)
User: bturner@company.com (Brian Turner, Accountant)
Time: 09:25 EST
Process Creation Events:
09:25:10 – CreateProcess (target: C:\Windows\System32\svchost.exe, flags: CREATE_SUSPENDED) – SUCCESS
09:25:12 – NtUnmapViewOfSection (unmapped original svchost.exe code from memory) – SUCCESS
09:25:15 – VirtualAllocEx (allocated new memory at base address) – SUCCESS
09:25:18 – WriteProcessMemory (wrote malicious PE headers) – SUCCESS
09:25:21 – WriteProcessMemory (wrote malicious PE sections) – SUCCESS
09:25:24 – SetThreadContext (modified entry point to point to malicious code) – SUCCESS
09:25:27 – ResumeThread (resumed process, now running malicious code) – SUCCESS
Source Process:
Process: C:\Users\bturner\Downloads\invoice_pdf.exe (PID: 4789)
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Parent: explorer.exe
User: bturner
Hollowed Process:
Original: C:\Windows\System32\svchost.exe (legitimate)
New: Malicious Cobalt Strike beacon
PID: 4792
Command Line: “C:\Windows\System32\svchost.exe -k netsvcs” (appears legitimate)
Detection Logic:
Process created with CREATE_SUSPENDED flag (unusual for svchost.exe)
NtUnmapViewOfSection called (removes original code)
Memory reallocated and written to
Thread context modified (entry point changed)
Pattern matches classic process hollowing
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed process hollowing
2. Memory Analysis | Extract hollowed process memory | CrowdStrike Falcon Memory | Cobalt Strike beacon
3. Process Investigation | Terminate hollowed process | CrowdStrike | svchost.exe (malicious) terminated
4. Source Process Kill | Kill invoice_pdf.exe | CrowdStrike | Process terminated
5. Host Isolation | Isolate FIN-WS-078 | CrowdStrike | Host quarantined
6. Account Remediation | Disable bturner account | Azure AD, AD | Account disabled; password reset
Jira Incident Report
Ticket: SOC-2024-181
Summary: T1055.012 – Process Hollowing: svchost.exe Replaced with Cobalt Strike
Status: RESOLVED
Resolution: MALICIOUS – Hollowed Process Terminated
Priority: P1 – CRITICAL
Labels: T1055, process-hollowing, svchost, cobalt-strike, crowdstrike
Components: Endpoint-Security, Malware-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Process Hollowing Detected – Code Injection into Suspended Process”.
Source Process: C:\Users\bturner\Downloads\invoice_pdf.exe.
Hollowed Process: svchost.exe (PID: 4792).
Time: 2024-03-07 09:30 EST.
Technique: MITRE ATT&CK T1055.012 – Process Injection: Process Hollowing.
2. Technical Analysis:
Attack Chain:
09:00 – User opens phishing email with “invoice.pdf.exe”
09:05 – invoice_pdf.exe executed
09:10 – Malware enumerates system processes
09:15 – Decides to hollow svchost.exe
09:25 – Process hollowing execution
09:25 – CrowdStrike detects
Process Hollowing Technique:
Step 1: Create legitimate svchost.exe in suspended state
Step 2: Unmap original code from memory (NtUnmapViewOfSection)
Step 3: Allocate new memory at same base address
Step 4: Write malicious PE (Cobalt Strike) to allocated memory
Step 5: Modify thread context to point to malicious entry point
Step 6: Resume thread – malicious code runs
Result: Process appears as svchost.exe but runs malware
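The alert's Detection Logic and the six-step technique above, expressed as a correlation rule. This is an added example, not CrowdStrike's detection and not code from the report: it opens a tracked target for every CREATE_SUSPENDED launch, fires only when WriteProcessMemory, SetThreadContext and ResumeThread arrive in that order against the same target PID, and uses NtUnmapViewOfSection only to raise confidence (treating the unmap as optional is this example's assumption). The event format and the sample timeline are constructed to mirror the alert's Process Creation Events.

```python
# Ordered stages of classic process hollowing (T1055.012), as the alert lists them.
# NtUnmapViewOfSection only raises confidence (assumption: some variants skip it).
REQUIRED_ORDER = ("CreateProcess", "WriteProcessMemory", "SetThreadContext", "ResumeThread")

def detect_hollowing(events):
    """Correlate API events per target PID; return one finding per target that completes
    the ordered sequence before its thread resumes. Only a CREATE_SUSPENDED launch opens
    a tracked target, so normal creation and a merely-resumed suspended launch never fire."""
    targets, findings = {}, []
    for e in events:
        pid, api = e["target_pid"], e["api"]
        if api == "CreateProcess":
            if "CREATE_SUSPENDED" in e["detail"]:
                image = e["detail"].split(",")[0].replace("target: ", "")
                targets[pid] = {"source_pid": e["source_pid"], "image": image,
                                "stages": ["CreateProcess"], "unmapped": False}
            continue
        t = targets.get(pid)
        if t is None:
            continue                      # not a suspended process we are tracking
        if api == "NtUnmapViewOfSection":
            t["unmapped"] = True
        elif len(t["stages"]) < len(REQUIRED_ORDER) and api == REQUIRED_ORDER[len(t["stages"])]:
            t["stages"].append(api)       # stages count only in order; repeats ignored
        if api == "ResumeThread":         # thread now runs: decide, then stop tracking
            if tuple(t["stages"]) == REQUIRED_ORDER:
                findings.append({"technique": "T1055.012", "target_pid": pid,
                                 "image": t["image"], "source_pid": t["source_pid"],
                                 "confidence": "high" if t["unmapped"] else "medium",
                                 "resumed_at": e["time"]})
            del targets[pid]
    return findings

def ev(time, source_pid, target_pid, api, detail=""):
    return {"time": time, "source_pid": source_pid, "target_pid": target_pid, "api": api, "detail": detail}

# Constructed sample: the alert's 09:25 sequence (PID 4789 -> 4792), then a benign
# debugger-style launch that is suspended and simply resumed (must not fire).
SAMPLE_EVENTS = [
    ev("09:25:10", 4789, 4792, "CreateProcess",
       "target: C:\\Windows\\System32\\svchost.exe, flags: CREATE_SUSPENDED"),
    ev("09:25:12", 4789, 4792, "NtUnmapViewOfSection"),
    ev("09:25:18", 4789, 4792, "WriteProcessMemory", "PE headers"),
    ev("09:25:21", 4789, 4792, "WriteProcessMemory", "PE sections"),
    ev("09:25:24", 4789, 4792, "SetThreadContext"),
    ev("09:25:27", 4789, 4792, "ResumeThread"),
    ev("09:31:00", 2000, 5100, "CreateProcess", "target: C:\\Tools\\app.exe, flags: CREATE_SUSPENDED"),
    ev("09:31:01", 2000, 5100, "ResumeThread"),
]
```

Running detect_hollowing(SAMPLE_EVENTS) yields a single high-confidence finding for PID 4792 and nothing for the benign launch; dropping the NtUnmapViewOfSection event still fires, at medium confidence.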
Malicious PE:
Type: Cobalt Strike beacon
Size: 312 KB
C2: 185.143.221[.]89:443
Capabilities: Remote access, keylogging, file exfiltration
Stealth Advantages:
Process name is legitimate (svchost.exe)
Command line is legitimate (-k netsvcs)
No suspicious DLLs loaded
Harder to detect with basic process monitoring
3. Investigation Findings:
Timeline:
09:00 – Phishing email opened
09:05 – invoice_pdf.exe executed
09:10-09:15 – Reconnaissance
09:25 – Process hollowing
09:25 – Alert
09:27 – SOC investigates
09:28 – Hollowed process terminated
09:29 – Source process terminated
Indicators of Compromise (IoCs):
Files:
– C:\Users\bturner\Downloads\invoice_pdf.exe (SHA256: a1b2c3d4…)
API Calls:
– CreateProcess (CREATE_SUSPENDED)
– NtUnmapViewOfSection
– VirtualAllocEx
– WriteProcessMemory (multiple)
– SetThreadContext
– ResumeThread
Network:
– C2: 185.143.221[.]89:443
4. Containment Actions:
Immediate Actions:
Terminated hollowed svchost.exe process.
Terminated invoice_pdf.exe.
Isolated host.
Disabled bturner account.
Reset password.
Host Remediation:
Full scan (clean).
Reimaged as precaution.
5. Root Cause Analysis:
Primary Cause: User executed malware from phishing email.
Contributing Factors:
No application control.
User had local admin rights.
6. Business Impact:
Operational Impact: Finance workstation offline for 2 hours.
Data Exposure: None (C2 blocked).
7. Remediation & Prevention:
Completed Actions:
Hollowed process terminated.
Malware removed.
Account secured.
Technical Controls Enhanced:
Enabled ASR rule “Block process hollowing”.
Enhanced monitoring for CREATE_SUSPENDED flag.
Implemented application control.
8. Conclusion:
An attacker used process hollowing to replace a legitimate svchost.exe process with a Cobalt Strike beacon, making detection difficult. CrowdStrike detected the hollowing technique and enabled rapid termination before C2 communication.
Closure Rationale: Hollowed process terminated; malware removed; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-07 10:30 EST