CrowdStrike Alert Details
Alert ID: CS-INDICATOR-REMOVAL-1027-7842
Alert Time: 2024-03-09 09:30:15 EST
Severity: HIGH (85/100)
Source: CrowdStrike Falcon EDR
Rule: “Known Malicious Tool with Altered Indicators Detected”
MITRE ATT&CK: T1027.005 – Obfuscated Files or Information: Indicator Removal from Tools
Alert Details:
Detection: Mimikatz executable with modified PE characteristics (stripped of original indicators)
Host: ENG-WS-045 (Engineering Workstation)
User: rpatel@company.com (Raj Patel, Engineer)
File: C:\Users\rpatel\Downloads\legit_tool.exe
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
File Size: 845 KB (original Mimikatz is 1.2 MB)
Analysis:
File is a variant of Mimikatz (credential dumping tool)
Original PE metadata removed:
No version information
No digital signature
No original filename
PE timestamp: 1970-01-01 (nulled)
Import Address Table (IAT) obfuscated
Strings: many Mimikatz-specific strings removed or encrypted
Behavioral detection: attempts to access LSASS process
Detection Logic:
Behavioral pattern matches Mimikatz (OpenProcess on lsass.exe)
File hash not in known threat intel (new variant)
PE characteristics stripped (indicator removal)
Machine learning (ML) score: 92/100 for malware
SOC Investigation Process

| Step | Action | Tools Used | Findings |
| --- | --- | --- | --- |
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed Mimikatz-like behavior with stripped indicators |
| 2. File Analysis | Submit to sandbox | CrowdStrike Falcon Sandbox | Unpacked and identified as Mimikatz 2.2.0 variant |
| 3. Process Investigation | Identify source of file | CrowdStrike | Downloaded from hacking forum via Chrome |
| 4. User Interview | Contact rpatel | Teams, Phone | User downloaded “security testing tool” – unauthorized |
| 5. Immediate Action | Delete file and kill process | CrowdStrike Live Response | File removed; no LSASS access occurred |
| 6. User Remediation | User counseling | Manager, HR | Policy violation documented |
Jira Incident Report
Ticket: SOC-2024-191
Summary: T1027.005 – Stripped Mimikatz Variant (Indicator Removal)
Status: RESOLVED
Resolution: POLICY VIOLATION – Tool Removed
Priority: P3 – LOW
Labels: T1027, indicator-removal, mimikatz, crowdstrike, policy-violation
Components: Endpoint-Security, User-Behavior
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Known Malicious Tool with Altered Indicators Detected”.
Host: ENG-WS-045 (Engineering, user rpatel).
File: C:\Users\rpatel\Downloads\legit_tool.exe (stripped Mimikatz).
Time: 2024-03-09 09:30 EST.
Technique: MITRE ATT&CK T1027.005 – Obfuscated Files or Information: Indicator Removal from Tools.
2. Technical Analysis:
File Analysis:
Original Mimikatz: 1.2 MB, with version info, signed by “Gentil Kiwi” (often self-signed)
This Variant: 845 KB, stripped of all metadata
No version information
No original filename
PE timestamp set to 0 (1970-01-01)
Import Address Table obfuscated (dynamic resolution)
Many strings encrypted (only decrypted at runtime)
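As an added triage helper (not CrowdStrike's detection logic and not code from this report) for the stripped-PE characteristics listed under the alert's Analysis/Detection Logic and in the File Analysis above: it parses the PE headers directly and reports which indicator-removal signs (nulled timestamp, no Authenticode signature, no resource directory for version info, empty import table) are present. The header-only PE32+ builder is a constructed test fixture, and the checks are heuristics (a legitimately packed binary also shows an empty import table), so they rank samples for analyst review rather than convict them.

```python
import struct

# PE data-directory indices (IMAGE_DIRECTORY_ENTRY_IMPORT / _RESOURCE / _SECURITY)
DIR_IMPORT, DIR_RESOURCE, DIR_SECURITY = 1, 2, 4

def pe_stripped_indicators(data: bytes) -> list:
    """Return the indicator-removal signs visible in a PE file's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    timestamp = struct.unpack_from("<I", data, coff + 4)[0]   # COFF TimeDateStamp
    opt = coff + 20                                           # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                        # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                                      # PE32+
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]      # NumberOfRvaAndSizes
    def dir_size(index):
        if index >= ndirs:
            return 0
        return struct.unpack_from("<II", data, dirs_off + 8 * index)[1]  # (RVA, Size)
    findings = []
    if timestamp == 0:
        findings.append("nulled PE timestamp (1970-01-01)")
    if dir_size(DIR_SECURITY) == 0:
        findings.append("no Authenticode signature")
    if dir_size(DIR_RESOURCE) == 0:
        findings.append("no resource directory (no version info possible)")
    if dir_size(DIR_IMPORT) == 0:
        findings.append("empty import table (APIs resolved dynamically)")
    return findings

def build_pe32plus(timestamp, import_sz, resource_sz, security_sz) -> bytes:
    """Constructed header-only PE32+ image for testing (not a real binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, timestamp, 0, 0, 240, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    dirs = [(0, 0)] * 16
    dirs[DIR_IMPORT], dirs[DIR_RESOURCE] = (0x3000, import_sz), (0x4000, resource_sz)
    dirs[DIR_SECURITY] = (0x5000, security_sz)
    return dos + b"PE\0\0" + coff + opt + b"".join(struct.pack("<II", *d) for d in dirs)
```

Run `pe_stripped_indicators(open(path, "rb").read())` on a real sample; the fully stripped fixture `build_pe32plus(0, 0, 0, 0)` reproduces all four signs described for legit_tool.exe.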
Behavioral Analysis:
Attempted to open process lsass.exe (PID: 568) with PROCESS_ALL_ACCESS
Attempted to read memory of lsass.exe (blocked by PPL – Protected Process Light)
No credentials dumped
User Intent:
User downloaded “legit_tool.exe” from a hacking forum for “learning purposes”
Unaware that it was a stripped version of Mimikatz
No malicious intent against company
Policy Violation:
Unauthorized use of credential dumping tool
Violation of acceptable use policy
3. Investigation Findings:
Timeline:
09:15 – File downloaded
09:20 – User executed file
09:22 – LSASS access attempt
09:30 – CrowdStrike alert
09:32 – SOC investigates
09:35 – File deleted, user interviewed
Indicators of Compromise (IoCs):
File:
– C:\Users\rpatel\Downloads\legit_tool.exe (SHA256: a1b2c3d4…)
Behavior:
– OpenProcess on lsass.exe
– Stripped PE metadata
4. Containment Actions:
Immediate Actions:
Deleted the file.
Terminated any associated processes.
No LSASS compromise.
User Remediation:
User counseled on policy.
Required to complete security training.
5. Root Cause Analysis:
Primary Cause: User curiosity about security tools led to downloading unauthorized software.
Contributing Factors:
No application control.
User unaware of policy.
6. Business Impact:
Operational Impact: None.
Data Exposure: None.
7. Remediation & Prevention:
Completed Actions:
Tool removed.
User educated.
Technical Controls Enhanced:
Implemented application control to block known hacking tools.
Enhanced monitoring for LSASS access attempts.
8. Conclusion:
A user downloaded a stripped version of Mimikatz that evaded signature-based detection by removing indicators. CrowdStrike’s behavioral detection identified the LSASS access attempt and enabled removal. No credentials were compromised.
Closure Rationale: Tool removed; user educated; policy violation documented.
Analyst: [Your Name], SOC Analyst Date: 2024-03-09 10:30 EST