T1070.004 – File Deletion (CrowdStrike Detection)

CrowdStrike Alert Details
Alert ID: CS-FILE-DELETE-1070-7842
Alert Time: 2024-03-07 16:30:45 EST
Severity: HIGH (85/100)
Source: CrowdStrike Falcon EDR
Rule: “Mass File Deletion – Potential Indicator Removal”
MITRE ATT&CK: T1070.004 – Indicator Removal: File Deletion

Alert Details:

Detection: Large number of files deleted from Temp and Downloads folders

Host: DEV-WS-078 (Development Workstation)
User: rpatel@company.com (Raj Patel, Engineer)
Time: 16:15-16:30 EST

File Deletion Events (CrowdStrike File Events):

16:15:22 – Deleted: C:\Users\rpatel\Downloads\malware_tool.exe

16:15:45 – Deleted: C:\Users\rpatel\Downloads\mimikatz.exe

16:16:12 – Deleted: C:\Users\rpatel\Downloads\procdump.exe

16:16:38 – Deleted: C:\Users\rpatel\AppData\Local\Temp\script.ps1

16:17:05 – Deleted: C:\Users\rpatel\AppData\Local\Temp\output.txt

16:17:33 – Deleted: C:\Users\rpatel\Desktop\scan_results.txt

16:18:01 – Deleted: C:\Windows\Temp\beacon.exe

16:18:28 – Deleted: C:\Windows\Temp\config.ini

… (total 47 files deleted)

Process Details:

Process: cmd.exe (PID: 4789)
Command: del /f /q C:\Users\rpatel\Downloads\*.exe C:\Users\rpatel\AppData\Local\Temp\*.* C:\Windows\Temp\*.* C:\Users\rpatel\Desktop\*.txt
Parent: explorer.exe
User: rpatel

Additional Context:

Files deleted include known hacking tools (mimikatz, procdump)
Also deleted script outputs and configuration files
User rpatel had previously been flagged for suspicious activity

Detection Logic:

Mass file deletion (47 files in 15 minutes)
Files deleted are forensic evidence (malware, outputs)
Deletion from multiple locations (Downloads, Temp, Desktop)
Pattern matches attacker cleaning up after activity
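
The four detection conditions above, applied to a handful of constructed deletion events written in the alert's own "HH:MM:SS – Deleted: path" line format. This is an added Python illustration, not CrowdStrike's rule logic; the threshold of 5 deletions per 15-minute window, the location list and the known-tool list are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a few of the alert's 47 rows, in the same line shape.
SAMPLE_EVENTS = r"""
16:15:22 – Deleted: C:\Users\rpatel\Downloads\malware_tool.exe
16:15:45 – Deleted: C:\Users\rpatel\Downloads\mimikatz.exe
16:16:12 – Deleted: C:\Users\rpatel\Downloads\procdump.exe
16:16:38 – Deleted: C:\Users\rpatel\AppData\Local\Temp\script.ps1
16:17:05 – Deleted: C:\Users\rpatel\AppData\Local\Temp\output.txt
16:17:33 – Deleted: C:\Users\rpatel\Desktop\scan_results.txt
16:18:01 – Deleted: C:\Windows\Temp\beacon.exe
16:18:28 – Deleted: C:\Windows\Temp\config.ini
"""

EVENT_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) [–-] Deleted: (.+)$")
KNOWN_TOOLS = {"mimikatz.exe", "procdump.exe"}          # assumed watch-list
LOCATIONS = ("\\Downloads\\", "\\Temp\\", "\\Desktop\\")  # assumed staging dirs

def parse_events(text):
    """Return sorted (time, path) tuples from alert-style event lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%H:%M:%S"), m.group(2)))
    return sorted(events)

def evaluate(events, threshold=5, window=timedelta(minutes=15)):
    """Apply the alert's conditions: burst size, evidence files, multiple locations."""
    burst = 0
    for i, (t, _) in enumerate(events):
        # largest run of deletions that fits in one window starting at event i
        burst = max(burst, sum(1 for t2, _ in events[i:] if t2 - t <= window))
    locations = {loc.strip("\\") for _, p in events for loc in LOCATIONS if loc in p}
    tools = sorted({p.rsplit("\\", 1)[-1].lower() for _, p in events} & KNOWN_TOOLS)
    triggered = burst >= threshold and len(locations) >= 2 and bool(tools)
    return {"count": len(events), "burst": burst, "locations": sorted(locations),
            "tools": tools, "triggered": triggered}

if __name__ == "__main__":
    print(evaluate(parse_events(SAMPLE_EVENTS)))
```

A single deletion of an ordinary document from Downloads stays below every condition, which is what keeps routine cleanup from paging the SOC.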

SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed mass file deletion |
| 2. Process Investigation | Identify cmd.exe activity | CrowdStrike | User manually deleted files |
| 3. User Interview | Contact rpatel | Teams, Phone | User admitted to using “hacking tools for learning” |
| 4. Tool Analysis | Recover deleted files (if possible) | Forensics | Files overwritten, not recoverable |
| 5. User Remediation | User counseling | Manager, HR | Policy violation documented |
| 6. Account Monitoring | Enhanced monitoring for user | CrowdStrike | User flagged for future activity |

Jira Incident Report
Ticket: SOC-2024-184
Summary: T1070.004 – Mass File Deletion of Hacking Tools
Status: RESOLVED
Resolution: POLICY VIOLATION – User Remediated
Priority: P3 – LOW
Labels: T1070, file-deletion, indicator-removal, policy-violation
Components: Endpoint-Security, User-Behavior

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: CrowdStrike Falcon EDR.
Alert: “Mass File Deletion – Potential Indicator Removal”.
Host: DEV-WS-078 (Development, user rpatel).
Files Deleted: 47 files (hacking tools, outputs, configs).
Time: 2024-03-07 16:30 EST.
Technique: MITRE ATT&CK T1070.004 – Indicator Removal: File Deletion.

2. Technical Analysis:

User Activity:

User had downloaded multiple hacking tools over the past week:
mimikatz.exe (credential dumper)
procdump.exe (process dumper)
various PowerShell scripts
network scanning tools
User ran tools against his own system (testing)
Generated output files (scan_results.txt, output.txt)
After finishing, user deleted all evidence

Files Deleted (47):

Downloaded executables (12) – mimikatz, procdump, etc.
PowerShell scripts (8) – enumeration scripts
Output files (15) – scan results, logs
Configuration files (5) – tool configs
Temp files (7) – various

User Intent:

User claimed “learning security for certification”
No malicious intent against company
Unauthorized use of hacking tools (policy violation)
Attempted to cover tracks by deleting evidence

Policy Violation:

Use of unauthorized hacking tools
Failure to report security testing
Attempt to conceal activities

3. Investigation Findings:

Timeline:

16:15-16:30 – File deletion
16:30 – Alert
16:32 – SOC investigates
16:35 – User interviewed
16:40 – Policy violation documented

Indicators of Compromise (IoCs):

Deleted Files:

– C:\Users\rpatel\Downloads\mimikatz.exe

– C:\Users\rpatel\Downloads\procdump.exe

– C:\Users\rpatel\AppData\Local\Temp\script.ps1

– C:\Users\rpatel\Desktop\scan_results.txt

– C:\Windows\Temp\beacon.exe

– (and 42 others)

4. Containment Actions:

Immediate Actions:

Documented policy violation.
No further action needed (user stopped).

User Remediation:

User counseled on security policy.
Required to complete security training.
Escalated to manager.

Monitoring:

Enhanced monitoring for this user.
Application control to block hacking tools.

5. Root Cause Analysis:

Primary Cause: User curiosity about security tools.
Contributing Factors:
No application control.
User unaware of policy.

6. Business Impact:

Operational Impact: None.
Data Exposure: None (user tested on own system).

7. Remediation & Prevention:

Completed Actions:

Policy violation documented.
User educated.

Technical Controls Enhanced:

Implemented application control to block hacking tools.
Enhanced monitoring for tool downloads.

8. Conclusion:

A user downloaded and used unauthorized hacking tools, then attempted to cover tracks by deleting evidence. CrowdStrike detected the mass file deletion. The user was counseled, and application control was implemented.

Closure Rationale: Policy violation addressed; user educated; controls enhanced.

Analyst: [Your Name], SOC Analyst
Date: 2024-03-07 17:30 EST
