T1036 – Masquerading (CrowdStrike Detection)

CrowdStrike Alert Details
Alert ID: CS-MASQUERADE-1036-7842
Alert Time: 2024-02-20 09:30:22 EST
Severity: HIGH (85/100)
Source: CrowdStrike Falcon EDR
Rule: “Process Masquerading – Suspicious Path for System Binary”
MITRE ATT&CK: T1036.005 – Masquerading: Match Legitimate Name or Location

Alert Details:

Detection: Process with system binary name running from non-standard path

Host: FIN-WS-045 (Finance Department)
User: bturner (Brian Turner, Accountant)
Time: 09:25 EST

Process Details:

Process Name: svchost.exe
Process Path: C:\Users\bturner\AppData\Local\Temp\svchost.exe
Expected Path: C:\Windows\System32\svchost.exe
PID: 4789
Parent Process: explorer.exe
Command Line: “C:\Users\bturner\AppData\Local\Temp\svchost.exe” -k netsvcs

File Details:

SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
File Size: 156 KB
Digital Signature: None (legitimate svchost.exe is signed by Microsoft)
Creation Time: 09:20 EST

Behavior Analysis:

Process attempted to connect to 185.143.221[.]89:443
Process attempted to access lsass.exe (PID: 568) – ACCESS DENIED
Process created child process: powershell.exe (encoded command)

Detection Logic:

Process name matches legitimate system binary (svchost.exe)
Process running from user-writable path (Temp)
No digital signature (expected signed by Microsoft)
Anomalous behavior (network, lsass access)
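The four detection conditions above can be expressed as a small scoring check over process-creation events. The block below is an added illustration, not CrowdStrike's rule logic or any code from this report; the expected-directory table, the user-writable prefixes, the services.exe parent heuristic and the sample events are constructed assumptions built from the values in the alert.

```python
import ntpath

# Constructed lookup (an assumption, not CrowdStrike's rule logic): tracked
# system binaries and the lower-cased directories they legitimately run from.
EXPECTED_DIRS = {
    "svchost.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
    "lsass.exe": {"c:\\windows\\system32"},
    "explorer.exe": {"c:\\windows"},
}
# Path prefixes an unprivileged user can normally write to.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Expected parent process, a well-known hunting heuristic for svchost.exe.
EXPECTED_PARENT = {"svchost.exe": "services.exe"}


def evaluate_event(event):
    """Check one process-creation event against the masquerading indicators in
    the alert: name match, non-standard path, user-writable path, missing
    signature, unexpected parent. Returns a dict with the verdict and reasons."""
    image = event["image"].lower()
    name = ntpath.basename(image)
    directory = ntpath.dirname(image)
    expected = EXPECTED_DIRS.get(name)
    if expected is None:  # not a system binary name we track; nothing to compare
        return {"image": event["image"], "alert": False, "severity": "NONE", "reasons": []}
    reasons = []
    if directory not in expected:
        reasons.append("non-standard path")
    if (directory + "\\").startswith(USER_WRITABLE_PREFIXES):
        reasons.append("user-writable path")
    if not event.get("signed"):
        reasons.append("unsigned")
    parent = event.get("parent", "").lower()
    if name in EXPECTED_PARENT and parent != EXPECTED_PARENT[name]:
        reasons.append(f"unexpected parent {parent or 'unknown'}")
    # The path mismatch is the primary indicator; the others raise severity.
    alert = "non-standard path" in reasons
    severity = "HIGH" if alert and len(reasons) >= 3 else ("MEDIUM" if alert else "NONE")
    return {"image": event["image"], "alert": alert, "severity": severity, "reasons": reasons}


# Constructed sample events: the first mirrors the alert on FIN-WS-045, the
# second is the legitimate service host, the third is an unsigned lsass.exe
# copy dropped under ProgramData.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\bturner\AppData\Local\Temp\svchost.exe", "signed": False, "parent": "explorer.exe"},
    {"image": r"C:\Windows\System32\svchost.exe", "signed": True, "parent": "services.exe"},
    {"image": r"C:\ProgramData\lsass.exe", "signed": False, "parent": "cmd.exe"},
]

if __name__ == "__main__":
    for result in map(evaluate_event, SAMPLE_EVENTS):
        print(result["severity"], result["image"], result["reasons"])
```

The path mismatch alone is enough to alert; the signature, writable-path and parent checks only raise severity, so a signed copy in an odd location still surfaces at MEDIUM rather than being dropped.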

Additional Context:

User bturner reported receiving suspicious email with attachment
Attachment opened at 09:15 EST
No legitimate reason for svchost.exe in Temp folder
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed masquerading svchost.exe from Temp folder |
| 2. File Analysis | Analyze svchost.exe | CrowdStrike Sandbox | Malicious executable (Cobalt Strike loader) |
| 3. Process Investigation | Terminate malicious process | CrowdStrike | Process killed |
| 4. File Removal | Delete svchost.exe | CrowdStrike Live Response | File deleted |
| 5. User Interview | Contact user | Teams, Phone | User opened “invoice.doc” from email |
| 6. Email Investigation | Find source email | Proofpoint, Exchange | Email quarantined; attachment malicious |

Jira Incident Report
Ticket: SOC-2024-101
Summary: T1036 – Masquerading svchost.exe Running from Temp Folder
Status: RESOLVED
Resolution: MALICIOUS – Process Terminated
Priority: P2 – MEDIUM
Labels: T1036, masquerading, svchost, lolbin, crowdstrike
Components: Endpoint-Security, Malware-Response

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: CrowdStrike Falcon EDR.
Alert: “Process Masquerading – Suspicious Path for System Binary”.
Host: FIN-WS-045 (Finance Department, user bturner).
Process: C:\Users\bturner\AppData\Local\Temp\svchost.exe (masquerading as svchost.exe).
Time: 2024-02-20 09:30 EST.
Technique: MITRE ATT&CK T1036.005 – Masquerading: Match Legitimate Name or Location.

2. Technical Analysis:

Attack Chain:

09:15 – User receives email from “vendor@payment-update[.]net”
09:16 – Email contains attachment “invoice.doc”
09:17 – User opens attachment (enables macros)
09:18 – Macro downloads svchost.exe from 185.143.221[.]89
09:20 – svchost.exe saved to Temp folder
09:21 – User executes file (thinks it’s legitimate)
09:22 – Malicious svchost.exe runs
09:23 – Attempts C2 connection to 185.143.221[.]89:443
09:23 – Attempts LSASS access (blocked by PPL)
09:25 – CrowdStrike alerts

Masquerading Technique:

Binary Name: svchost.exe (legitimate Windows service host)
Expected Path: C:\Windows\System32\svchost.exe
Actual Path: C:\Users\bturner\AppData\Local\Temp\svchost.exe
Signature: None (legitimate svchost.exe is signed by Microsoft)
Purpose: Evade detection by blending in with legitimate processes

Malware Analysis:

Type: Cobalt Strike loader
Capabilities:
Injects into legitimate svchost.exe (after checking path)
Attempts credential dumping (LSASS)
Establishes C2 beaconing
Downloads additional payloads

User Activity:

User expected to open invoice document
Unknowingly executed malware

3. Investigation Findings:

Timeline:

09:15 – Phishing email received
09:17 – Attachment opened
09:18-09:21 – Malware downloaded and executed
09:23 – C2 attempt (blocked)
09:25 – CrowdStrike alert
09:27 – SOC investigates
09:30 – Process terminated, file deleted

Indicators of Compromise (IoCs):

Files:
– C:\Users\bturner\AppData\Local\Temp\svchost.exe (SHA256: a1b2c3d4…)
– invoice.doc (original macro doc) – SHA256: b2c3d4e5…

Network:
– C2: 185.143.221[.]89:443
– Download URL: http://185.143.221[.]89/svchost.exe

Email:
– Sender: vendor@payment-update[.]net
– Subject: “Invoice #7842”

4. Containment Actions:

Immediate Actions:

Terminated malicious svchost.exe process.
Deleted file from Temp folder.
Isolated host temporarily.
Blocked C2 IP at firewall.

Host Remediation:

Full scan (no other malware).
Verified no persistence installed.
No reimage needed.

User Remediation:

Password reset.
Phishing training assigned.
Reported email to security team.

5. Root Cause Analysis:

Primary Cause: User opened malicious macro-enabled document.
Contributing Factors:
Macros enabled in Office.
No ASR rule blocking Office child processes.
User lacked recent phishing training.

6. Business Impact:

Operational Impact: Finance workstation offline for 1 hour.
Data Exposure: None (C2 blocked, LSASS access denied).

7. Remediation & Prevention:

Completed Actions:

Malicious process terminated.
File deleted.
User educated.
C2 blocked.

Technical Controls Enhanced:

Enabled ASR rule “Block Office applications from creating child processes”.
Blocked macros from internet via GPO.
Created alert for any system binary running from non-standard path.

8. Conclusion:

A user opened a phishing email with a macro-enabled document that downloaded and executed a malicious executable masquerading as svchost.exe. CrowdStrike detected the process running from an anomalous path, enabling rapid termination before significant C2 activity.

Closure Rationale: Malicious process terminated; file deleted; user educated.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-20 10:30 EST
