T1010 – Application Window Discovery (CrowdStrike Detection)

CrowdStrike Alert Details
Alert ID: CS-APP-DISCOVERY-1010-7842
Alert Time: 2024-02-23 11:30:22 EST
Severity: MEDIUM (65/100)
Source: CrowdStrike Falcon EDR
Rule: “Suspicious Window Enumeration – Potential Credential Theft Prep”
MITRE ATT&CK: T1010 – Application Window Discovery

Alert Details:

Detection: Process enumerating open windows/titles, potentially for credential theft

Host: FIN-WS-078 (Finance Workstation)
User: bturner (Brian Turner, Accountant)
Time: 11:25 EST

Process Details:

Process: C:\Temp\windows_enum.exe (PID: 4789)
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Parent: explorer.exe
User: bturner (standard user)

API Calls:

EnumWindows (enumerate all top-level windows) – 47 windows found
GetWindowText (get titles of each window) – 47 calls
GetWindowThreadProcessId (get process ID for each window)
FindWindow (search for specific window titles)

Windows/Titles Enumerated:

“QuickBooks Enterprise” – accounting software
“Microsoft Excel – Q1_Financials.xlsx” – spreadsheet
“Internet Explorer – Online Banking” – banking portal
“Outlook – Invoice” – email
“Remote Desktop Connection” – RDP session
42 additional window titles

Detection Logic:

Process enumerating all open windows (unusual for legitimate software)
Looking for financial/banking applications (targeted)
Executable launched from the Temp folder (suspicious)
Pattern matches credential theft preparation (form grabbing)
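The four Detection Logic conditions above, expressed as a scoring rule run over per-process API telemetry. This is an added example, not CrowdStrike's rule or the page's own code: the event format, the financial-title keyword list, the suspicious-path patterns, the weights and the 50-point threshold are all assumptions, and the sample events are constructed from the figures in the alert (47 titles, the five named windows, one FindWindow call) alongside a benign enumerator for contrast.

```python
import re
from collections import Counter, defaultdict
# Title keywords treated as financial/banking targets, and executable locations treated as
# suspicious (Temp, per-user Downloads/AppData). Both lists are assumed, not Falcon's own.
FINANCIAL_TITLES = re.compile(r"quickbooks|banking|financial|invoice|remote desktop", re.I)
SUSPICIOUS_DIRS = re.compile(r"^C:\\(Temp|Users\\[^\\]+\\(Downloads|AppData))\\", re.I)

def score_process(events):
    """Score one process's window-API events (dicts: pid, image, api, title for GetWindowText).
    The four conditions mirror the alert's Detection Logic; the weights are assumed."""
    apis = Counter(e["api"] for e in events)
    titles = [e.get("title", "") for e in events if e["api"] == "GetWindowText"]
    image = events[0]["image"] if events else ""
    score, reasons = 0, []
    # 1. Full top-level enumeration: EnumWindows plus one GetWindowText per window.
    if apis["EnumWindows"] and apis["GetWindowText"] >= 20:
        score += 25; reasons.append(f"read {apis['GetWindowText']} window titles")
    # 2. Titles of financial/banking applications among the enumerated windows.
    hits = [t for t in titles if FINANCIAL_TITLES.search(t)]
    if hits:
        score += 25; reasons.append(f"{len(hits)} financial app titles, e.g. {hits[:2]}")
    # 3. Executable launched from a temp or download location.
    if SUSPICIOUS_DIRS.search(image):
        score += 15; reasons.append(f"image in user-writable location: {image}")
    # 4. FindWindow after financial titles were seen: singling out apps (form-grabbing prep).
    if apis["FindWindow"] and hits:
        score += 10; reasons.append("FindWindow called after financial titles observed")
    return score, reasons

def triage(events, threshold=50):
    """Group events by pid; return {pid: (score, reasons)} for processes at or above threshold."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)
    return {pid: s for pid, ev in by_pid.items() if (s := score_process(ev))[0] >= threshold}

# Constructed sample telemetry (not real Falcon event format): the alert's process, plus a benign
# task-switcher tool that also enumerates windows but runs from Program Files with generic titles.
MAL, BENIGN = r"C:\Temp\windows_enum.exe", r"C:\Program Files\TaskSwitcher\switch.exe"
SAMPLE_EVENTS = (
    [{"pid": 4789, "image": MAL, "api": "EnumWindows"}]
    + [{"pid": 4789, "image": MAL, "api": "GetWindowText", "title": t} for t in
       ["QuickBooks Enterprise", "Microsoft Excel - Q1_Financials.xlsx", "Outlook - Invoice",
        "Internet Explorer - Online Banking", "Remote Desktop Connection"]
       + [f"Window {i}" for i in range(42)]]
    + [{"pid": 4789, "image": MAL, "api": "FindWindow"}]
    + [{"pid": 1200, "image": BENIGN, "api": "EnumWindows"}]
    + [{"pid": 1200, "image": BENIGN, "api": "GetWindowText", "title": f"Window {i}"} for i in range(30)]
)
```

Running `triage(SAMPLE_EVENTS)` flags only PID 4789 (score 75, all four reasons); the benign enumerator scores 25 on enumeration alone and stays below the threshold.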

Additional Context:

User bturner handles financial data
Process downloaded 5 minutes prior
Similar tools used for “form grabbing” attacks

SOC Investigation Process

Step | Action | Tools Used | Findings
1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed window enumeration tool
2. Process Analysis | Analyze windows_enum.exe | CrowdStrike Sandbox | Tool captures screenshots of financial applications
3. Immediate Action | Terminate process | CrowdStrike | Process killed
4. File Deletion | Delete windows_enum.exe | CrowdStrike Live Response | File removed
5. User Interview | Contact bturner | Teams, Phone | User downloaded “productivity tool” from email
6. Email Investigation | Find source email | Proofpoint, Exchange | Email quarantined; sender blocked

Jira Incident Report
Ticket: SOC-2024-118
Summary: T1010 – Application Window Discovery Tool Targeting Financial Data
Status: RESOLVED
Resolution: MALICIOUS – Tool Removed
Priority: P2 – MEDIUM
Labels: T1010, app-discovery, window-enumeration, credential-theft, crowdstrike
Components: Endpoint-Security, Data-Protection

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: CrowdStrike Falcon EDR.
Alert: “Suspicious Window Enumeration – Potential Credential Theft Prep”.
Host: FIN-WS-078 (Finance Department, user bturner).
Process: C:\Temp\windows_enum.exe.
Time: 2024-02-23 11:30 EST.
Technique: MITRE ATT&CK T1010 – Application Window Discovery.

2. Technical Analysis:

Attack Chain:

11:15 – User receives email from “productivity@tools[.]net”
11:16 – Email contains link to “Window Manager Pro”
11:17 – User downloads windows_enum.exe
11:18 – User executes file
11:19-11:24 – Tool enumerates windows, captures screenshots
11:25 – CrowdStrike detects
11:26 – SOC investigates

Tool Analysis:

Name: windows_enum.exe (masquerading as productivity tool)
SHA256: a1b2c3d4…
Capabilities:
Enumerates all open windows
Captures screenshots of financial applications
Logs window titles and process IDs to file
Attempts to send data to C2 (blocked)

Windows/Titles of Interest:

QuickBooks Enterprise (accounting data)
Excel with Q1_Financials.xlsx (financial data)
Internet Explorer – Online Banking (banking credentials)
Remote Desktop Connection (potential lateral movement)

Data Captured:

47 window titles logged
3 screenshots captured (QuickBooks, Excel, Banking)
No exfiltration before detection (C2 blocked)

3. Investigation Findings:

Timeline:

11:15 – Email received
11:17 – Tool downloaded
11:18 – Tool executed
11:19-11:24 – Enumeration
11:25 – Alert triggers
11:26 – Process terminated
11:27 – File deleted

Indicators of Compromise (IoCs):

Files:

– C:\Temp\windows_enum.exe (SHA256: a1b2c3d4…)

– C:\Temp\~windows.log (enumeration log)

– C:\Temp\~screenshot*.png (3 screenshots)

Network:

– C2 attempt (blocked)

Email:

– Sender: productivity@tools[.]net

– Subject: “Increase Your Productivity with Window Manager Pro”

4. Containment Actions:

Immediate Actions:

Terminated windows_enum.exe.
Deleted executable and generated files.
Isolated host temporarily.
Blocked sender domain at email gateway.

Data Review:

Reviewed captured data (no sensitive customer info).
Verified no exfiltration occurred.

User Remediation:

User counseled on downloading untrusted software.
Password reset as precaution.

5. Root Cause Analysis:

Primary Cause: User downloaded and executed untrusted “productivity tool”.
Contributing Factors:
No application control blocking unknown executables.
User unaware of credential theft risks.
Email filtering allowed malicious link.

6. Business Impact:

Operational Impact: Finance user offline for 1 hour.
Data Exposure: 3 screenshots of financial data captured but not exfiltrated.

7. Remediation & Prevention:

Completed Actions:

Malicious tool removed.
User educated.
Email blocked.

Technical Controls Enhanced:

Implemented application control (CrowdStrike Falcon Prevent).
Created alert for window enumeration API calls.
Enhanced email filtering for productivity tool lures.

8. Conclusion:

A user downloaded a malicious tool masquerading as a productivity application. The tool enumerated open windows and captured screenshots of financial data. CrowdStrike detected the suspicious behavior and terminated the process before exfiltration.

Closure Rationale: Malicious tool removed; data contained; user educated.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-23 12:30 EST
