CrowdStrike Alert Details
Alert ID: CS-CODE-SIGN-EVASION-1553-7842
Alert Time: 2024-03-10 16:30:45 EST
Severity: HIGH (85/100)
Source: CrowdStrike Falcon EDR
Rule: “Unsigned or Maliciously Signed Driver Loaded”
MITRE ATT&CK: T1553.002 – Subvert Trust Controls: Code Signing
Alert Details:
Detection: Driver loaded with invalid/forged digital signature
Host: DC-01 (Domain Controller)
User: SYSTEM
File: C:\Windows\System32\drivers\legit.sys
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Time: 16:25 EST
Signature Analysis:
Certificate Issuer: “Microsoft Corporation” (forged)
Certificate Subject: “Microsoft Windows”
Signature status: Invalid (certificate not trusted, chain broken)
Signature timestamp: 2025-01-01 (future date, anomalous)
Driver was not signed by a legitimate Microsoft certificate
Detection Logic:
Driver loaded with invalid digital signature
Attempts to use forged Microsoft certificate
Kernel-mode driver (critical)
Pattern matches an attacker using stolen or forged certificates to load malicious drivers
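As an added illustration of the detection logic above (not CrowdStrike's own rule or code), the following Python triage function applies the same four checks to driver-load records. The record schema and the two sample events are constructed for this example, not Falcon's native fields.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

@dataclass
class DriverLoad:
    # Constructed schema modelled on the fields the alert reports above.
    host: str
    path: str
    loaded_at: datetime
    sig_status: str               # "Valid", "Invalid" or "NotSigned"
    chain_trusted: bool           # chain terminates in a trusted root
    issuer: str
    subject: str
    signed_at: Optional[datetime] # signing timestamp, None if unsigned

def analyze(ev: DriverLoad) -> List[str]:
    """Return the reasons the load matches the alert logic; empty means no match."""
    reasons: List[str] = []
    if ev.sig_status != "Valid" or not ev.chain_trusted:
        reasons.append("invalid or untrusted signature")
    claims_microsoft = "microsoft" in (ev.issuer + ev.subject).lower()
    if claims_microsoft and not ev.chain_trusted:
        reasons.append("claims a Microsoft certificate but chain does not validate (forged)")
    if ev.signed_at is not None and ev.signed_at > ev.loaded_at:
        reasons.append("signature timestamp is later than the load time (anomalous)")
    # A kernel-mode driver only raises criticality of an already suspicious load.
    if reasons and ev.path.lower().endswith(".sys"):
        reasons.append("kernel-mode driver (critical)")
    return reasons

def severity(reasons: List[str]) -> str:
    if not reasons:
        return "NONE"
    return "HIGH" if "kernel-mode driver (critical)" in reasons else "MEDIUM"

# Constructed sample events: FORGED mirrors the alert above, BENIGN is a normal load.
FORGED = DriverLoad(
    host="DC-01", path=r"C:\Windows\System32\drivers\legit.sys",
    loaded_at=datetime(2024, 3, 10, 16, 5), sig_status="Invalid", chain_trusted=False,
    issuer="Microsoft Corporation", subject="Microsoft Windows",
    signed_at=datetime(2025, 1, 1))
BENIGN = DriverLoad(
    host="DC-01", path=r"C:\Windows\System32\drivers\ndis.sys",
    loaded_at=datetime(2024, 3, 10, 9, 0), sig_status="Valid", chain_trusted=True,
    issuer="Microsoft Windows Production PCA 2011", subject="Microsoft Windows",
    signed_at=datetime(2023, 11, 14))
```

Running `analyze(FORGED)` returns all four reasons and `severity` rates it HIGH, while the benign load returns an empty list.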
SOC Investigation Process
Step | Action | Tools Used | Findings
--- | --- | --- | ---
1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed unsigned driver with forged signature
2. File Analysis | Analyze legit.sys | CrowdStrike Sandbox | Rootkit driver with kernel-level capabilities
3. Process Investigation | Identify source | CrowdStrike | Driver dropped by attacker with admin privileges
4. Immediate Action | Block driver load, quarantine driver | CrowdStrike | Driver blocked; system reboot required
5. Account Remediation | Disable compromised admin account | Azure AD, AD | Admin account disabled; password reset
6. System Restore | Restore from clean backup | Veeam | DC restored to pre-infection state
Jira Incident Report
Ticket: SOC-2024-199
Summary: T1553.002 – Malicious Driver with Forged Microsoft Signature
Status: RESOLVED
Resolution: MALICIOUS – Driver Removed, DC Restored
Priority: P1 – CRITICAL
Labels: T1553, code-signing, driver, rootkit, crowdstrike
Components: Endpoint-Security, Kernel-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Unsigned or Maliciously Signed Driver Loaded”.
Host: DC-01 (Domain Controller).
File: C:\Windows\System32\drivers\legit.sys (forged signature).
Time: 2024-03-10 16:30 EST.
Technique: MITRE ATT&CK T1553.002 – Subvert Trust Controls: Code Signing.
2. Technical Analysis:
Attack Chain:
15:30 – Domain admin account (jwilson) compromised
15:45 – Attacker logs into DC
16:00 – Attacker drops legit.sys driver
16:05 – Driver loaded (kernel-mode)
16:10 – Rootkit active, hides processes, files
16:25 – CrowdStrike detects (signature validation failure)
Driver Analysis:
Name: legit.sys (masquerading as legitimate)
Signature: Forged Microsoft certificate (not issued by MS)
Capabilities: Rootkit – hides files, processes, registry keys; provides backdoor
Persistence: Loaded at boot (kernel driver)
Impact:
Kernel-level compromise of domain controller
Rootkit active for ~20 minutes before detection
Could hide other malicious activity
3. Investigation Findings:
Timeline:
15:30 – Admin account compromised
15:45 – Attacker logs in
16:00 – Driver dropped
16:05 – Driver loaded
16:25 – Alert
16:27 – SOC investigates
16:28 – Driver load blocked (future loads prevented)
16:30 – DC isolated
17:00 – DC restored from backup
Indicators of Compromise (IoCs):
Files:
– C:\Windows\System32\drivers\legit.sys (SHA256: a1b2c3d4…)
Signature:
– Forged Microsoft certificate
4. Containment Actions:
Immediate Actions:
Isolated DC-01.
Blocked driver loading (via driver signature enforcement policy).
Disabled compromised admin account.
Reset passwords.
System Remediation:
Restored DC from clean pre-infection backup.
Verified no persistence remained.
5. Root Cause Analysis:
Primary Cause: Admin account compromised, allowing attacker to load kernel driver.
Contributing Factors:
Driver signature enforcement not enabled (test signing allowed).
Admin had ability to load drivers.
6. Business Impact:
Operational Impact: DC offline for 1.5 hours.
Data Exposure: Potential; rootkit could have hidden data theft.
7. Remediation & Prevention:
Completed Actions:
Driver removed.
DC restored.
Admin account secured.
Technical Controls Enhanced:
Enabled driver signature enforcement (test signing disallowed).
Enabled Hypervisor-protected Code Integrity (HVCI).
Enabled monitoring of driver-load events.
8. Conclusion:
An attacker loaded a malicious kernel driver with a forged Microsoft signature, compromising the domain controller at the kernel level. CrowdStrike detected the invalid signature and enabled rapid restoration.
Closure Rationale: Driver removed; DC restored; admin account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-10 18:00 EST