CrowdStrike Alert Details
Alert ID: CS-LSASS-DUMP-1003-7842
Alert Time: 2024-03-10 10:30:22 EST
Severity: CRITICAL (98/100)
Source: CrowdStrike Falcon EDR
Rule: “LSASS Memory Access – Potential Credential Dumping”
MITRE ATT&CK: T1003.001 – OS Credential Dumping: LSASS Memory
Alert Details:
Detection: Process attempting to read LSASS process memory
Host: IT-WS-034 (IT Workstation)
User: bjones@company.com (Brian Jones, IT Admin)
Time: 10:25 EST
API Call Sequence:
OpenProcess (target: lsass.exe, PID: 568, access: PROCESS_VM_READ | PROCESS_QUERY_INFORMATION) – SUCCESS
OpenProcessToken (for SeDebugPrivilege) – SUCCESS
MiniDumpWriteDump (attempt to write LSASS memory dump) – DETECTED
CreateFile (C:\Windows\Temp\lsass.dmp) – SUCCESS (partial)
Process Details:
Process: C:\Windows\Temp\mimi.exe (PID: 4789)
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Parent: cmd.exe
User: bjones
Detection Logic:
Process accessing LSASS memory (highly anomalous)
MiniDumpWriteDump called on lsass.exe (definitive credential dumping)
Output file created (lsass.dmp) in Temp folder
Tool known as Mimikatz or similar
Pattern matches credential dumping
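As an added example (not CrowdStrike's rule and not code from this report), the following Python applies the detection logic above to constructed process-access events, grouping them by source PID and scoring the OpenProcess access mask, the MiniDumpWriteDump call and the Temp-folder dump file; the event schema, the allowlist of expected LSASS readers and the sample values are assumptions:

```python
"""LSASS credential-dumping detector over process-access telemetry. Added example, not
CrowdStrike's code; the event schema and sample events are constructed to mirror the alert."""
from collections import defaultdict

PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory
# Assumed allowlist of images expected to open LSASS on a managed host; tune per site.
ALLOWED_LSASS_READERS = {"c:\\program files\\windows defender\\msmpeng.exe"}
TEMP_DIRS = ("c:\\windows\\temp\\", "\\appdata\\local\\temp\\")
LSASS, MIMI = r"C:\Windows\System32\lsass.exe", r"C:\Windows\Temp\mimi.exe"
SAMPLE_EVENTS = [  # constructed telemetry; PID 4789 mirrors the alert's API call sequence
    {"pid": 4789, "source_image": MIMI, "api": "OpenProcess",
     "target_image": LSASS, "granted_access": 0x0410},
    {"pid": 4789, "source_image": MIMI, "api": "MiniDumpWriteDump", "target_image": LSASS},
    {"pid": 4789, "source_image": MIMI, "api": "CreateFile",
     "file_path": r"C:\Windows\Temp\lsass.dmp"},
    {"pid": 1200, "source_image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "api": "OpenProcess", "target_image": LSASS, "granted_access": 0x1410},  # allowlisted
    {"pid": 3300, "source_image": r"C:\Windows\System32\Taskmgr.exe", "api": "OpenProcess",
     "target_image": LSASS, "granted_access": 0x1000},  # query only, no memory-read right
]

def _is_lsass(ev):
    return ev.get("target_image", "").lower().endswith("\\lsass.exe")

CHECKS = [  # (points, reason, predicate), following the alert's detection logic
    (60, "OpenProcess on lsass.exe with PROCESS_VM_READ", lambda ev: ev["api"] == "OpenProcess"
     and _is_lsass(ev) and ev["granted_access"] & PROCESS_VM_READ),
    (30, "MiniDumpWriteDump called on lsass.exe",
     lambda ev: ev["api"] == "MiniDumpWriteDump" and _is_lsass(ev)),
    (10, "dump file written under a Temp directory", lambda ev: ev["api"] == "CreateFile"
     and ev["file_path"].lower().endswith(".dmp")
     and any(d in ev["file_path"].lower() for d in TEMP_DIRS)),
]

def evaluate(events):
    """Group events by source PID, score each against CHECKS, return findings scoring >= 60."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)
    findings = []
    for pid, evs in by_pid.items():
        image = evs[0]["source_image"].lower()
        hits = [(p, why) for p, why, pred in CHECKS if any(pred(ev) for ev in evs)]
        score = sum(p for p, _ in hits)
        if score >= 60 and image not in ALLOWED_LSASS_READERS:
            findings.append({"pid": pid, "image": image, "score": score,
                             "severity": "CRITICAL" if score >= 90 else "HIGH",
                             "reasons": [why for _, why in hits]})
    return findings
```

Only the mimi.exe PID reaches CRITICAL; the Defender engine is suppressed by the allowlist and Task Manager never obtains PROCESS_VM_READ, so the access mask alone keeps it below the threshold. Note that a path-based allowlist is only as strong as the host's binary integrity, which is why the report's ASR rule and LSA Protection matter more than the allowlist.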
SOC Investigation Process

Step | Action | Tools Used | Findings
--- | --- | --- | ---
1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed LSASS memory access and dump attempt
2. Process Analysis | Analyze mimi.exe | CrowdStrike Sandbox | Mimikatz credential dumper
3. User Interview | Contact bjones | Teams, Phone | User did NOT run this (account compromised)
4. Immediate Action | Terminate process, delete dump file | CrowdStrike | Process killed; lsass.dmp deleted
5. Account Remediation | Disable bjones account | Azure AD, AD | Account disabled; password reset
6. Enterprise Credential Reset | Force password reset for all users | Azure AD, AD | All user passwords reset (precaution)
Jira Incident Report
Ticket: SOC-2024-200
Summary: T1003.001 – LSASS Memory Credential Dumping via Mimikatz
Status: RESOLVED
Resolution: MALICIOUS – Credential Dump Attempted, All Passwords Reset
Priority: P1 – CRITICAL
Labels: T1003, lsass-dump, credential-dumping, mimikatz, crowdstrike
Components: Endpoint-Security, Identity-Management
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “LSASS Memory Access – Potential Credential Dumping”.
Host: IT-WS-034 (IT, user bjones).
Process: C:\Windows\Temp\mimi.exe (Mimikatz).
Time: 2024-03-10 10:30 EST.
Technique: MITRE ATT&CK T1003.001 – OS Credential Dumping: LSASS Memory.
2. Technical Analysis:
Attack Chain:
09:30 – bjones account compromised via phishing
09:45 – Attacker logs into IT-WS-034 via RDP
10:00 – Attacker downloads Mimikatz to Temp
10:10 – Attacker runs Mimikatz with privilege::debug
10:15 – Attacker dumps LSASS memory (sekurlsa::logonpasswords)
10:20 – Dump file created (lsass.dmp)
10:25 – CrowdStrike detects
Mimikatz Commands (recovered from PowerShell history):
privilege::debug – enabled SeDebugPrivilege
sekurlsa::logonpasswords – dumped credentials from LSASS
sekurlsa::tickets /export – exported Kerberos tickets
Data Obtained:
NTLM hashes for 12 users (including 3 domain admins)
Kerberos tickets (pass-the-ticket)
Plaintext passwords for 5 users (if weak)
Impact:
Attacker obtained credentials for lateral movement
Full domain compromise potential
3. Investigation Findings:
Timeline:
09:30 – Account compromised
09:45 – Attacker logs in
10:00-10:20 – Credential dumping
10:25 – Alert
10:27 – SOC investigates
10:28 – Process terminated, dump deleted
10:30 – Account disabled
11:00 – Enterprise-wide password reset initiated
Indicators of Compromise (IoCs):
Files:
– C:\Windows\Temp\mimi.exe (SHA256: a1b2c3d4…)
– C:\Windows\Temp\lsass.dmp (partial, deleted)
Processes:
– mimikatz execution
Account:
– bjones (compromised)
4. Containment Actions:
Immediate Actions:
Terminated Mimikatz process.
Deleted lsass.dmp and mimi.exe.
Isolated host.
Disabled bjones account.
Reset password.
Enterprise Remediation:
Forced password reset for ALL users (3,200+).
Reset krbtgt password (twice) to invalidate Kerberos tickets.
Enforced MFA for all users.
Host Remediation:
Reimaged IT-WS-034.
5. Root Cause Analysis:
Primary Cause: IT admin account compromised via phishing.
Contributing Factors:
No MFA on admin account.
LSASS accessible (no Credential Guard).
RDP allowed from internet.
6. Business Impact:
Operational Impact: All users required password reset (4+ hours).
Data Exposure: Hashes and tickets stolen; potential for lateral movement.
Reputational Impact: Internal; no data breach.
7. Remediation & Prevention:
Completed Actions:
Credential dumping stopped.
All passwords reset.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Enabled Credential Guard and LSA Protection.
Deployed ASR rule blocking LSASS access.
8. Conclusion:
An attacker compromised an IT admin account and used Mimikatz to dump credentials from LSASS, obtaining hashes and tickets. CrowdStrike detected the LSASS access, enabling rapid containment and enterprise-wide password reset.
Closure Rationale: Credential dump attempted; all passwords reset; account secured.
Analyst: [Your Name], SOC Analyst Date: 2024-03-10 11:30 EST