CrowdStrike Alert Details
Alert ID: CS-MATCH-NAME-LOC-1036-7842
Alert Time: 2024-03-09 11:30:22 EST
Severity: HIGH (88/100)
Source: CrowdStrike Falcon EDR
Rule: “Process with System Name Running from User-Writable Path”
MITRE ATT&CK: T1036.005 – Masquerading: Match Legitimate Name or Location
Alert Details:
Detection: Process named “svchost.exe” running from C:\Users\Public\
Host: HR-WS-023 (HR Workstation)
User: kwilson@company.com (Karen Wilson, HR)
Process: C:\Users\Public\svchost.exe (PID: 4789)
Command Line: C:\Users\Public\svchost.exe -k rpcss
Time: 11:25 EST
File Details:
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Digital Signature: None (legitimate svchost.exe is signed by Microsoft)
File Size: 312 KB (legitimate svchost.exe is ~45 KB)
Creation Time: 11:20 EST
Detection Logic:
Process name matches legitimate system binary (svchost.exe)
Running from user-writable path (C:\Users\Public) – anomalous
No digital signature (expected signed)
Parent process: explorer.exe (unusual for svchost.exe)
Pattern matches masquerading (malware posing as svchost.exe)
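The detection logic above, expressed as a small rule that can be run over process-creation events. This is an added example, not CrowdStrike's rule or any code from the original report; the event fields, the list of impersonated system binaries and the expected-parent mapping are assumptions, and the sample events are constructed from the values in the alert.

```python
from dataclasses import dataclass
from typing import List, Optional

# Windows binaries whose names are commonly impersonated (assumed subset).
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe"}
# Where genuine copies live on a default install (assumption).
SYSTEM_PATHS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Paths a standard user can write to (assumed subset).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")
# Parent a genuine copy is launched by (assumption: svchost is a child of services.exe).
EXPECTED_PARENT = {"svchost.exe": {"services.exe"}}

@dataclass
class ProcessEvent:          # minimal process-creation record (assumed schema)
    image_path: str
    parent_image: str
    signed_by: Optional[str]  # signer name, or None when unsigned
    cmdline: str = ""

def evaluate(ev: ProcessEvent) -> List[str]:
    """Return the list of masquerading indicators matched by one event."""
    path = ev.image_path.lower()
    name = path.rsplit("\\", 1)[-1]
    findings: List[str] = []
    if name not in SYSTEM_BINARY_NAMES:
        return findings                      # rule only scopes system-binary names
    if not path.startswith(SYSTEM_PATHS):
        findings.append("system-binary name outside system path")
    if path.startswith(USER_WRITABLE_PREFIXES):
        findings.append("running from user-writable path")
    if ev.signed_by != "Microsoft":
        findings.append("missing or non-Microsoft signature")
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
    expected = EXPECTED_PARENT.get(name)
    if expected and parent not in expected:
        findings.append(f"unexpected parent {parent}")
    return findings

def severity(findings: List[str]) -> str:
    """Map the number of matched indicators to an alert level (assumed thresholds)."""
    return "HIGH" if len(findings) >= 3 else "MEDIUM" if findings else "INFO"

SAMPLE_EVENTS = [  # constructed events, not real telemetry
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
                 "Microsoft", "svchost.exe -k netsvcs"),                       # genuine
    ProcessEvent(r"C:\Users\Public\svchost.exe", r"C:\Windows\explorer.exe",
                 None, r"C:\Users\Public\svchost.exe -k rpcss"),               # the alert
    ProcessEvent(r"C:\Users\kwilson\AppData\Local\Vendor\updater.exe",
                 r"C:\Windows\explorer.exe", "Vendor Inc"),                    # out of scope
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        f = evaluate(ev)
        print(f"{severity(f):6} {ev.image_path}: {f}")
```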
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed svchost.exe from Public folder
2. File Analysis | Analyze svchost.exe | CrowdStrike Sandbox | Malicious executable (Cobalt Strike loader)
3. Process Investigation | Identify source | CrowdStrike | Downloaded via drive-by download from compromised site
4. User Interview | Contact kwilson | Teams, Phone | User visited news site, got pop-up; ran file
5. Immediate Action | Terminate process, delete file | CrowdStrike | Process killed; file removed
6. Account Remediation | Reset kwilson password | Azure AD, AD | Password reset; MFA enforced
Jira Incident Report
Ticket: SOC-2024-193
Summary: T1036.005 – Malware Masquerading as svchost.exe in Public Folder
Status: RESOLVED
Resolution: MALICIOUS – Process Terminated
Priority: P2 – MEDIUM
Labels: T1036, match-name-location, masquerading, svchost, crowdstrike
Components: Endpoint-Security, Malware-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Process with System Name Running from User-Writable Path”.
Host: HR-WS-023 (HR, user kwilson).
Process: C:\Users\Public\svchost.exe.
Time: 2024-03-09 11:30 EST.
Technique: MITRE ATT&CK T1036.005 – Masquerading: Match Legitimate Name or Location.
2. Technical Analysis:
Attack Chain:
11:00 – User visits news-site.com (compromised)
11:05 – Fake “Chrome update” pop-up appears
11:06 – User clicks, downloads “ChromeUpdate.exe” (actually svchost.exe)
11:10 – User runs downloaded file
11:15 – Malware copies itself to C:\Users\Public\svchost.exe
11:20 – Malware executes from new location
11:25 – CrowdStrike detects
Masquerading Details:
Name: svchost.exe (legitimate Windows service host)
Location: C:\Users\Public\ (user-writable, not system path)
Expected Location: C:\Windows\System32\
File Size: 312 KB (vs legitimate ~45 KB)
Unsigned
Malware Analysis:
Type: Cobalt Strike loader
C2: 185.143.221[.]89:443
Persistence: Scheduled task “WindowsUpdate”
User Status:
User thought it was Chrome update
Unaware of malware
3. Investigation Findings:
Timeline:
11:00 – Compromised site visited
11:06 – Fake download
11:10 – Execution
11:15 – Moved to Public folder
11:20 – Execution from Public
11:25 – Alert
11:27 – SOC investigates
11:28 – Process terminated, file deleted
Indicators of Compromise (IoCs):
Files:
– C:\Users\Public\svchost.exe (SHA256: a1b2c3d4…)
– C:\Users\kwilson\Downloads\ChromeUpdate.exe
Scheduled Task:
– “WindowsUpdate”
Network:
– C2: 185.143.221[.]89:443
4. Containment Actions:
Immediate Actions:
Terminated process.
Deleted malicious file.
Removed scheduled task.
Isolated host temporarily.
Reset user password.
Host Remediation:
Full scan (clean).
Reimaged as precaution.
5. Root Cause Analysis:
Primary Cause: User tricked by fake Chrome update.
Contributing Factors:
No application control.
User unaware of drive-by download risks.
6. Business Impact:
Operational Impact: HR workstation offline for 2 hours.
Data Exposure: None (C2 blocked).
7. Remediation & Prevention:
Completed Actions:
Malware removed.
User educated.
Technical Controls Enhanced:
Enhanced browser isolation for high-risk sites.
Created alert for system processes from user-writable paths.
8. Conclusion:
An attacker used malware masquerading as svchost.exe in a user-writable location to evade detection. CrowdStrike detected the anomalous path and enabled rapid removal.
Closure Rationale: Malware removed; user educated; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-09 12:30 EST