CrowdStrike Alert Details
Alert ID: CS-PE-INJECT-1055-7842
Alert Time: 2024-03-06 11:30:22 EST
Severity: CRITICAL (97/100)
Source: CrowdStrike Falcon EDR
Rule: “PE Injection Detected – Executable Code in Remote Process”
MITRE ATT&CK: T1055.002 – Process Injection: Portable Executable Injection
Alert Details:
Detection: Malicious PE file injected into memory of legitimate process
Source Host: SALES-WS-023 (Sales Workstation)
User: mwilson@company.com (Mike Wilson, Sales Rep)
Target Process: notepad.exe (PID: 1245)
Time: 11:25 EST
API Call Sequence:
11:25:10 – CreateProcess (created notepad.exe suspended) – SUCCESS
11:25:12 – GetThreadContext (suspended thread) – SUCCESS
11:25:15 – VirtualAllocEx (allocated memory in notepad.exe) – SUCCESS
11:25:18 – WriteProcessMemory (wrote PE headers) – SUCCESS
11:25:21 – VirtualAllocEx (allocated memory for PE sections) – SUCCESS
11:25:24 – WriteProcessMemory (wrote PE sections) – SUCCESS
11:25:27 – SetThreadContext (modified thread to point to PE entry point) – SUCCESS
11:25:30 – ResumeThread (resumed notepad.exe, now running injected PE) – SUCCESS
Source Process:
Process: C:\Users\mwilson\AppData\Local\Temp\svchost.exe (PID: 4789)
SHA256: d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3 (as recorded; this is 40 hex digits, not the 64 of a full SHA-256, so re-read the hash from the Falcon console before using it as an IoC)
Parent: explorer.exe
User: mwilson
Injected PE:
Type: Cobalt Strike beacon
Size: 256 KB
Entry Point: 0x1000 (within allocated memory)
Detection Logic:
Target process created with CREATE_SUSPENDED by a non-debugger parent (weak on its own; debuggers and some installers do the same, so this only opens the chain)
PE headers and sections written into the remote process by the same source process
Suspended thread's context modified so its instruction pointer no longer points at the image's original entry point
Thread resumed; the complete chain from one source against one target PID matches the PE injection / process hollowing pattern (note: no NtUnmapViewOfSection was observed, so the original notepad.exe image was never actually hollowed out)
SOC Investigation Process

Step | Action | Tools Used | Findings
1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed PE injection
2. Memory Analysis | Extract injected PE from notepad.exe | CrowdStrike Falcon (memory capture) | Cobalt Strike beacon
3. Process Investigation | Terminate injected process | CrowdStrike Falcon | notepad.exe (PID 1245) terminated
4. Source Process Kill | Kill malicious svchost.exe | CrowdStrike Falcon | Process (PID 4789) terminated
5. Host Isolation | Isolate SALES-WS-023 | CrowdStrike Falcon | Host quarantined
6. Account Remediation | Disable mwilson account | Azure AD, AD | Account disabled; password reset
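The Memory Analysis step above (extract the injected PE) and the Injected PE fields in the alert (entry point 0x1000, 256 KB) can be reproduced on a raw capture with a small carver. The following is an added example, not Falcon's own extraction and not code from this report; the capture bytes, the address it was taken from (DUMP_VA) and the host module list (HOST_MODULES) are constructed for the example.

```python
"""Carve and triage PE images from a process memory capture.

Added example for the Memory Analysis step; it is not Falcon's memory
extraction and does not parse Falcon's dump format.  The capture, the
base address it was taken from (DUMP_VA) and the host's module list are
constructed/assumed here so the script runs offline.
"""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
PE32PLUS_MAGIC = 0x20B

# Assumptions for the sample: the capture starts at the host image base and
# the process's only legitimate module is notepad.exe mapped there.
DUMP_VA = 0x7FF6A0000000
HOST_MODULES = {"notepad.exe": DUMP_VA}


def _pe32plus_header(entry_rva, image_base, size_of_image, nsections=2):
    """Build a minimal PE32+ header (DOS header, PE signature, COFF header, optional header)."""
    dos = bytearray(0x80)
    dos[0:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x80)                  # e_lfanew -> PE signature
    # Machine AMD64, section count, no symbols, 0xF0-byte optional header, EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, nsections, 0, 0, 0, 0xF0, 0x22)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)               # AddressOfEntryPoint
    struct.pack_into("<I", opt, 20, 0x1000)                  # BaseOfCode
    struct.pack_into("<Q", opt, 24, image_base)              # ImageBase (8 bytes in PE32+)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)          # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 56, size_of_image)           # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x400)                   # SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                       # Subsystem: WINDOWS_GUI
    return bytes(dos) + IMAGE_NT_SIGNATURE + coff + bytes(opt)


def carve_pe_images(dump, dump_va):
    """Return a record for every MZ/PE header in dump, validating e_lfanew, signatures and bounds."""
    found = []
    off = dump.find(IMAGE_DOS_SIGNATURE)
    while off != -1:
        if off + 0x40 <= len(dump):
            e_lfanew = struct.unpack_from("<I", dump, off + 0x3C)[0]
            pe = off + e_lfanew
            if (0x40 <= e_lfanew <= 0x400 and dump[pe:pe + 4] == IMAGE_NT_SIGNATURE
                    and pe + 24 + 0x70 <= len(dump)):
                machine, nsections = struct.unpack_from("<HH", dump, pe + 4)
                opt = pe + 24                                 # COFF header is 20 bytes
                magic = struct.unpack_from("<H", dump, opt)[0]
                entry_rva = struct.unpack_from("<I", dump, opt + 16)[0]
                if magic == PE32PLUS_MAGIC:
                    image_base = struct.unpack_from("<Q", dump, opt + 24)[0]
                else:                                         # PE32 layout
                    image_base = struct.unpack_from("<I", dump, opt + 28)[0]
                size_of_image = struct.unpack_from("<I", dump, opt + 56)[0]
                va = dump_va + off
                found.append({
                    "offset": off, "va": va, "machine": machine, "nsections": nsections,
                    "entry_rva": entry_rva, "entry_va": va + entry_rva,
                    "image_base": image_base, "size_of_image": size_of_image,
                    "at_preferred_base": image_base == va,    # False => the loader relocated it
                })
        off = dump.find(IMAGE_DOS_SIGNATURE, off + 1)
    return found


def find_injected(images, host_modules):
    """Images not backed by a module the process legitimately loaded are injected-PE candidates."""
    legit = set(host_modules.values())
    return [img for img in images if img["va"] not in legit]


def build_sample_dump():
    """Constructed capture: host image at offset 0, a text decoy containing 'MZ', a 256 KB
    injected image with entry RVA 0x1000 at offset 0x20000, and a truncated 'MZ' at the end."""
    buf = bytearray(0x30000)
    host = _pe32plus_header(0x1A2B0, DUMP_VA, 0x38000, nsections=6)
    buf[0:len(host)] = host
    decoy = b"recent file: MZ.txt"
    buf[0x8000:0x8000 + len(decoy)] = decoy
    injected = _pe32plus_header(0x1000, 0x400000, 0x40000, nsections=4)
    buf[0x20000:0x20000 + len(injected)] = injected
    buf[-2:] = IMAGE_DOS_SIGNATURE
    return bytes(buf)


if __name__ == "__main__":
    images = carve_pe_images(build_sample_dump(), DUMP_VA)
    for img in find_injected(images, HOST_MODULES):
        print(f"injected PE at 0x{img['va']:X}: entry RVA 0x{img['entry_rva']:X}, "
              f"{img['size_of_image'] // 1024} KB, relocated={not img['at_preferred_base']}")
```

The carver flags an image as injected when its location is not a module the process loaded, and at_preferred_base shows whether the loader had to relocate it (a PE written at whatever address VirtualAllocEx returned rarely lands on its preferred ImageBase). On a real dump you also need the section table to rebuild the on-disk layout before submitting the sample to a sandbox.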
Jira Incident Report
Ticket: SOC-2024-178
Summary: T1055.002 – PE Injection (Process Hollowing) into notepad.exe
Status: RESOLVED
Resolution: MALICIOUS – Injected PE Removed
Priority: P1 – CRITICAL
Labels: T1055, pe-injection, process-hollowing, cobalt-strike, crowdstrike
Components: Endpoint-Security, Malware-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “PE Injection Detected – Executable Code in Remote Process”.
Source Process: C:\Users\mwilson\AppData\Local\Temp\svchost.exe.
Target Process: notepad.exe (created suspended).
Injected PE: Cobalt Strike beacon.
Time: 2024-03-06 11:30 EST.
Technique: MITRE ATT&CK T1055.002 – Process Injection: Portable Executable Injection.
2. Technical Analysis:
Attack Chain:
11:00 – User clicks phishing link
11:05 – Malicious loader (named svchost.exe) downloaded to %TEMP%
11:10 – Loader executed from %TEMP% under mwilson's session
11:15 – Loader enumerates the system
11:20 – Loader stages PE injection into a decoy process (notepad.exe)
11:25 – Creates notepad.exe suspended, writes the beacon PE, hijacks the thread
11:25 – Falcon detects the injection (alert record timestamped 11:30:22)
Process Hollowing Technique (as captured):
Step 1: Create a legitimate process in a suspended state (notepad.exe with CREATE_SUSPENDED); its primary thread never reaches the original entry point
Step 2: Allocate memory in the target process (VirtualAllocEx)
Step 3: Write the malicious PE, headers first and then sections, into the allocated memory (WriteProcessMemory)
Step 4: Modify the suspended thread's context so its instruction pointer is the injected PE's entry point (GetThreadContext, then SetThreadContext)
Step 5: Resume the thread (ResumeThread); the beacon now runs under notepad.exe's name and PID
Note: textbook process hollowing (T1055.012) also unmaps the host image with NtUnmapViewOfSection before Step 2. No unmap appears in the captured sequence, so notepad's original image stays mapped and the beacon runs alongside it; strictly, this is PE injection into a suspended process with thread execution hijacking.
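The API sequence in the alert and the five steps above are the same chain seen from two angles, and the chain, not any single call, is what a detection should key on. The following is an added example, not CrowdStrike's rule logic; the record layout and the sample events are constructed to mirror the alert. It tracks each source/target pair and raises only when a CREATE_SUSPENDED creation is followed by remote writes, a context change and a resume, and it separates hollowing proper (an unmap of the host image) from PE injection into a suspended process, which is what the captured sequence shows.

```python
"""Detect the suspended-process PE-injection / hollowing API chain in telemetry.

Added example for this report; it is not CrowdStrike's detection logic.
The record layout (ts, src_pid, api, target_pid, detail) and the sample
events are constructed here to mirror the API sequence in the alert.
"""
from dataclasses import dataclass, field

CREATE_SUSPENDED = 0x00000004  # Win32 dwCreationFlags bit passed to CreateProcess

# Stages in the order the loader must perform them against one target process.
# Repeats of an earlier stage (several VirtualAllocEx/WriteProcessMemory calls
# for headers and sections) are allowed; GetThreadContext is informational.
STAGES = ("CreateProcess", "VirtualAllocEx", "WriteProcessMemory",
          "SetThreadContext", "ResumeThread")
UNMAP_APIS = ("NtUnmapViewOfSection", "ZwUnmapViewOfSection")


@dataclass
class Event:
    ts: str            # HH:MM:SS, sortable as text
    src_pid: int       # process making the call
    api: str
    target_pid: int    # process the call operates on
    detail: dict = field(default_factory=dict)


@dataclass
class _Chain:
    stage: int
    first_ts: str
    hits: list
    unmapped: bool = False


def detect_hollowing(events):
    """Return one alert dict per (src_pid, target_pid) chain that completes every stage in STAGES."""
    chains = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.src_pid, ev.target_pid)
        if ev.api == "CreateProcess":
            # Only a suspended creation opens a chain; a normal CreateProcess is noise.
            if ev.detail.get("flags", 0) & CREATE_SUSPENDED:
                chains[key] = _Chain(stage=1, first_ts=ev.ts, hits=[ev.api])
            continue
        chain = chains.get(key)
        if chain is None:
            continue  # remote API against a process this source did not create suspended
        if ev.api in UNMAP_APIS:
            chain.unmapped = True  # host image removed: classic hollowing
            chain.hits.append(ev.api)
            continue
        if ev.api not in STAGES:
            continue
        idx = STAGES.index(ev.api)
        if idx == chain.stage:
            chain.stage += 1
            chain.hits.append(ev.api)
        elif 0 < idx < chain.stage:
            chain.hits.append(ev.api)  # repeated alloc/write for another PE region
        if chain.stage == len(STAGES):
            alerts.append({
                "src_pid": key[0],
                "target_pid": key[1],
                "first_ts": chain.first_ts,
                "last_ts": ev.ts,
                "calls": list(chain.hits),
                # Without an unmap the host image is still present: PE injection plus
                # thread hijack (T1055.002/T1055.003), not hollowing (T1055.012).
                "technique": ("T1055.012 process hollowing" if chain.unmapped
                              else "T1055.002 PE injection into suspended process (thread hijack)"),
            })
            del chains[key]
    return alerts


# Constructed telemetry: the alert's sequence (src 4789 -> notepad 1245) plus
# two benign sequences that share individual APIs but not the whole chain.
SAMPLE_EVENTS = [
    Event("11:25:10", 4789, "CreateProcess", 1245, {"flags": CREATE_SUSPENDED, "image": "notepad.exe"}),
    Event("11:25:12", 4789, "GetThreadContext", 1245),
    Event("11:25:15", 4789, "VirtualAllocEx", 1245, {"size": 0x1000}),
    Event("11:25:18", 4789, "WriteProcessMemory", 1245, {"what": "PE headers"}),
    Event("11:25:21", 4789, "VirtualAllocEx", 1245, {"size": 0x3F000}),
    Event("11:25:24", 4789, "WriteProcessMemory", 1245, {"what": "PE sections"}),
    Event("11:25:27", 4789, "SetThreadContext", 1245, {"rip": 0x1000}),
    Event("11:25:30", 4789, "ResumeThread", 1245),
    # Debugger-style launch: suspended create, read context, resume; no remote writes.
    Event("11:26:00", 5100, "CreateProcess", 5120, {"flags": CREATE_SUSPENDED, "image": "app.exe"}),
    Event("11:26:01", 5100, "GetThreadContext", 5120),
    Event("11:26:02", 5100, "ResumeThread", 5120),
    # Lone remote write by a process that never created the target suspended.
    Event("11:26:10", 6000, "WriteProcessMemory", 6050),
]

if __name__ == "__main__":
    for a in detect_hollowing(SAMPLE_EVENTS):
        print(a["technique"], a["src_pid"], "->", a["target_pid"], a["calls"])
```

Two benign chains are included to show why single-call rules are noisy: a debugger-style launch (suspended create, GetThreadContext, ResumeThread, no writes) and a lone WriteProcessMemory from a process that never created the target. Neither produces an alert; only the full sequence from PID 4789 against PID 1245 does.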
Malicious PE:
Type: Cobalt Strike beacon
Size: 256 KB
C2: 185.143.221[.]89:443
Capabilities: Remote access, keylogging, file exfiltration
Impact:
Malicious code running inside notepad.exe (legitimate image name and path, attacker-controlled thread)
C2 connection to 185.143.221[.]89:443 attempted and blocked; no successful check-in observed
Stealthier than a standalone executable: the beacon inherits notepad's name, PID and signed image, so allow-lists and casual process review do not flag it
3. Investigation Findings:
Timeline:
11:00 – Phishing link clicked
11:05-11:10 – Malware downloaded and executed
11:15-11:20 – Reconnaissance
11:25 – Injection
11:25 – Falcon detection (alert record timestamped 11:30:22)
11:27 – SOC investigates
11:28 – notepad.exe terminated
11:29 – svchost.exe terminated
11:30 – Host isolated
Indicators of Compromise (IoCs):
Files:
– C:\Users\mwilson\AppData\Local\Temp\svchost.exe (SHA256: d4e5f6a7…)
Behavioral indicators (API sequence from one source process against one target PID):
– CreateProcess (suspended)
– GetThreadContext
– VirtualAllocEx (multiple)
– WriteProcessMemory (multiple)
– SetThreadContext
– ResumeThread
Network:
– C2: 185.143.221[.]89:443
4. Containment Actions:
Immediate Actions:
Terminated injected notepad.exe process.
Terminated malicious svchost.exe.
Isolated host.
Disabled mwilson account.
Reset password.
Host Remediation:
Full scan returned clean, but a confirmed in-memory implant is not something a file scan can rule out.
Reimaged as a precaution.
5. Root Cause Analysis:
Primary Cause: User clicked phishing link.
Contributing Factors:
No prevention policy blocking process injection: Falcon detected the hollowing but did not block it, and nothing stopped an unknown executable launched from %TEMP%.
User had local admin rights (not required for the injection itself, since the loader targets a process it created under the same user, but it widens what a successful beacon could do next).
6. Business Impact:
Operational Impact: Sales workstation offline for 2 hours.
Data Exposure: None identified (C2 blocked before check-in; no exfiltration observed).
7. Remediation & Prevention:
Completed Actions:
Injected PE removed.
Malware terminated.
Account secured.
Technical Controls Enhanced:
Enabled prevention (block, not just detect) for process injection/hollowing in the endpoint protection policy. (Microsoft Defender has no ASR rule named “Block process hollowing”; the ASR rule that addresses this chain is “Block executable files from running unless they meet a prevalence, age, or trusted list criterion”, which targets the unsigned loader dropped to %TEMP%.)
Enhanced monitoring for CreateProcess with CREATE_SUSPENDED (0x4) from a non-debugger parent, followed by WriteProcessMemory or SetThreadContext against the new PID from the same source.
8. Conclusion:
An attacker used process hollowing (PE injection) to run a Cobalt Strike beacon inside a legitimate notepad.exe process. CrowdStrike detected the injection technique and enabled rapid termination before C2 communication could complete.
Closure Rationale: Injected PE removed; malware terminated; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-06 12:30 EST