CrowdStrike Alert Details
Alert ID: CS-THREAD-HIJACK-1055-7842
Alert Time: 2024-03-06 16:30:45 EST
Severity: CRITICAL (96/100)
Source: CrowdStrike Falcon EDR
Rule: “Thread Hijacking Detected – APC Injection Variation”
MITRE ATT&CK: T1055.003 – Process Injection: Thread Execution Hijacking
Alert Details:
Detection: a process suspended a thread belonging to another process, rewrote that thread's saved context so its instruction pointer targeted attacker-written memory, and resumed it.
Source Host: HR-WS-023 (HR Workstation)
User: kwilson@company.com (Karen Wilson, HR)
Target Process: explorer.exe (PID: 2341)
Target Thread: TID 1245 (explorer.exe UI thread)
Time: 16:25 EST
API Call Sequence:
16:25:10 – OpenThread (target: explorer.exe thread 1245) – SUCCESS
16:25:12 – SuspendThread (suspended target thread) – SUCCESS
16:25:15 – VirtualAllocEx (allocated memory in explorer.exe) – SUCCESS
16:25:18 – WriteProcessMemory (wrote shellcode to allocated memory) – SUCCESS
16:25:21 – SetThreadContext (rewrote the suspended thread's context; instruction pointer now points at the shellcode in the allocated buffer) – SUCCESS
16:25:24 – ResumeThread (resumed thread, now executing shellcode) – SUCCESS
Source Process:
Process: C:\Users\kwilson\AppData\Local\Temp\office_update.exe (PID: 4789)
SHA256: e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4 (as recorded in the alert; this is 40 hex characters, a SHA-1 length, not a 64-character SHA-256, so pull the full hash from the Falcon console before distributing it as an IoC)
Parent: explorer.exe
User: kwilson
Shellcode Analysis:
2048 bytes
Connects to 185.143.221[.]89:4443
Downloads additional payload
Creates persistence via registry
Detection Logic:
Cross-process SuspendThread and ResumeThread on the same target thread only 12 seconds apart (same-process suspend/resume is routine for debuggers and runtimes; a short cross-process gap is not)
SetThreadContext issued by the calling process changed the target thread's instruction pointer
Memory allocated (VirtualAllocEx) and written (WriteProcessMemory) in the target process by the same caller immediately before the context change, with the new instruction pointer inside that region
Sequence matches thread execution hijacking (T1055.003)
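The detection logic above, expressed as one correlated rule keyed on (calling PID, target PID, target TID). This is an added example written for this write-up, not CrowdStrike's detection code or Falcon query syntax. The event field names, the 30-second "quick" window, the benign debugger-style activity in PID 3100 and all sample events are constructed; the malicious rows mirror the API call sequence logged in the alert (office_update.exe PID 4789 into explorer.exe PID 2341, TID 1245). The rule stays silent on same-process suspend/set-context/resume, raises HIGH when a cross-process context change redirects a thread within the window, and raises CRITICAL when the new instruction pointer lands in memory the same caller allocated and wrote in the target.

```python
"""Sequence-based detector for cross-process thread execution hijacking (T1055.003).

Added example, not CrowdStrike code. Runs over a constructed API-call stream shaped
like the alert's telemetry and re-implements its four detection criteria as one
correlated rule keyed on (caller PID, target PID, target TID).
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Tuning assumption: a suspend->resume gap at or under this counts as "quick".
WINDOW = timedelta(seconds=30)


@dataclass
class Event:
    ts: datetime
    api: str
    src_pid: int        # process making the call
    dst_pid: int        # process that owns the thread or memory acted on
    tid: Optional[int]  # target thread, None for memory operations
    detail: dict = field(default_factory=dict)


@dataclass
class ThreadState:
    suspended_at: datetime
    context_changed: bool = False
    new_rip: Optional[int] = None
    suspend_seen: bool = True


# Constructed sample telemetry (not Falcon output): time, API, caller PID, target PID,
# target TID, detail. PID 3100 is benign debugger/runtime activity inside its own
# process; the last six rows are the alert's sequence.
SAMPLE_EVENTS = [
    ("16:20:01", "SuspendThread",      3100, 3100, 777,  {}),
    ("16:20:02", "ResumeThread",       3100, 3100, 777,  {}),
    ("16:21:00", "SuspendThread",      3100, 3100, 778,  {}),
    ("16:21:00", "SetThreadContext",   3100, 3100, 778,  {"rip_changed": True}),
    ("16:21:01", "ResumeThread",       3100, 3100, 778,  {}),
    ("16:25:10", "OpenThread",         4789, 2341, 1245, {}),
    ("16:25:12", "SuspendThread",      4789, 2341, 1245, {}),
    ("16:25:15", "VirtualAllocEx",     4789, 2341, None, {"base": 0x1A2B0000, "size": 0x1000,
                                                          "protect": "PAGE_EXECUTE_READWRITE"}),
    ("16:25:18", "WriteProcessMemory", 4789, 2341, None, {"address": 0x1A2B0000, "size": 2048}),
    ("16:25:21", "SetThreadContext",   4789, 2341, 1245, {"rip_changed": True, "new_rip": 0x1A2B0000}),
    ("16:25:24", "ResumeThread",       4789, 2341, 1245, {}),
]


def parse(raw, day: str = "2024-03-06") -> List[Event]:
    return [Event(datetime.strptime(f"{day} {t}", "%Y-%m-%d %H:%M:%S"), api, s, d, tid, det)
            for t, api, s, d, tid, det in raw]


def detect(events: List[Event]) -> List[dict]:
    alerts: List[dict] = []
    regions: Dict[Tuple[int, int], List[dict]] = defaultdict(list)   # (caller, target) -> allocations
    threads: Dict[Tuple[int, int, int], ThreadState] = {}
    for e in sorted(events, key=lambda ev: ev.ts):                     # stable sort keeps call order
        pkey = (e.src_pid, e.dst_pid)
        if e.api == "VirtualAllocEx":
            regions[pkey].append({"base": e.detail["base"], "size": e.detail["size"],
                                  "protect": e.detail.get("protect", ""), "written": False})
        elif e.api == "WriteProcessMemory":
            for r in regions[pkey]:
                if r["base"] <= e.detail["address"] < r["base"] + r["size"]:
                    r["written"] = True
        elif e.tid is not None:
            tkey = (e.src_pid, e.dst_pid, e.tid)
            if e.api == "SuspendThread":
                threads[tkey] = ThreadState(suspended_at=e.ts)
            elif e.api == "SetThreadContext":
                # If telemetry missed the SuspendThread, still track the thread (suspend_seen=False).
                st = threads.setdefault(tkey, ThreadState(suspended_at=e.ts, suspend_seen=False))
                st.context_changed = bool(e.detail.get("rip_changed"))
                st.new_rip = e.detail.get("new_rip")
            elif e.api == "ResumeThread" and tkey in threads:
                alert = _evaluate(e, threads.pop(tkey), regions[pkey])
                if alert:
                    alerts.append(alert)
    return alerts


def _evaluate(resume: Event, st: ThreadState, regions: List[dict]) -> Optional[dict]:
    cross_process = resume.src_pid != resume.dst_pid
    quick = resume.ts - st.suspended_at <= WINDOW
    # Same-process suspend/set-context/resume is what debuggers and runtimes do: not alerted.
    if not (cross_process and quick and st.context_changed):
        return None
    landing = None
    if st.new_rip is not None:
        landing = next((r for r in regions
                        if r["written"] and r["base"] <= st.new_rip < r["base"] + r["size"]), None)
    return {
        "technique": "T1055.003",
        # Highest confidence when the new RIP lands in memory the same caller allocated and wrote.
        "severity": "CRITICAL" if landing else "HIGH",
        "src_pid": resume.src_pid, "dst_pid": resume.dst_pid, "tid": resume.tid,
        "suspend_to_resume_s": (resume.ts - st.suspended_at).total_seconds(),
        "suspend_seen": st.suspend_seen,
        "new_rip": st.new_rip,
        "landing_protect": landing["protect"] if landing else None,
    }


def run_sample() -> List[dict]:
    return detect(parse(SAMPLE_EVENTS))


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

Running it on the sample stream yields exactly one alert, for 4789 → 2341 / TID 1245 at CRITICAL with a 12-second suspend-to-resume gap; the two benign PID 3100 sequences produce nothing. Dropping the VirtualAllocEx/WriteProcessMemory rows (a variant that writes shellcode into existing memory) still alerts, at HIGH, because the cross-process context change within the window is itself the core signal.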
SOC Investigation Process

Step | Action | Tools Used | Findings
1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed cross-process thread hijacking (API sequence above)
2. Memory Analysis | Extract shellcode from the allocated region in explorer.exe | CrowdStrike Falcon Memory | 2048-byte reverse shell payload to 185.143.221[.]89:4443
3. Process Investigation | Terminate malicious process | CrowdStrike | office_update.exe (PID 4789) killed
4. Thread Restoration | Restore original thread context | CrowdStrike | explorer.exe TID 1245 restored; because the shellcode had already executed inside the process, the host was later reimaged (see Host Remediation)
5. Host Isolation | Isolate HR-WS-023 | CrowdStrike | Host quarantined
6. Account Remediation | Disable kwilson account | Microsoft Entra ID (Azure AD), on-prem AD | Account disabled; password reset
Jira Incident Report
Ticket: SOC-2024-179
Summary: T1055.003 – Thread Execution Hijacking in explorer.exe
Status: RESOLVED
Resolution: MALICIOUS – Thread Restored
Priority: P1 – CRITICAL
Labels: T1055, thread-hijacking, execution-hijacking, crowdstrike
Components: Endpoint-Security, Malware-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Thread Hijacking Detected – APC Injection Variation”.
Source Process: C:\Users\kwilson\AppData\Local\Temp\office_update.exe.
Target Process: explorer.exe (PID: 2341), Thread 1245.
Time: 2024-03-06 16:25 EST (hijack observed); alert raised 16:30:45 EST.
Technique: MITRE ATT&CK T1055.003 – Process Injection: Thread Execution Hijacking.
2. Technical Analysis:
Attack Chain:
16:00 – User opens “HR document” from email
16:05 – office_update.exe downloaded and executed
16:10 – Malware enumerates threads
16:15 – Selects explorer.exe UI thread as target
16:25 – Thread hijacking
16:25 – CrowdStrike detects
Thread Hijacking Technique:
Step 1: Open a handle to the target thread (OpenThread with THREAD_SUSPEND_RESUME, THREAD_GET_CONTEXT and THREAD_SET_CONTEXT access). A process handle with PROCESS_VM_OPERATION and PROCESS_VM_WRITE is also needed for steps 3 and 4; that OpenProcess call is not in the logged sequence.
Step 2: Suspend the thread (SuspendThread) so its register state is stable while it is modified.
Step 3: Allocate executable memory in the target process (VirtualAllocEx).
Step 4: Write the shellcode into that allocation (WriteProcessMemory).
Step 5: Read the suspended thread's registers (GetThreadContext), point the instruction pointer (RIP on x64) at the allocation, and write the context back (SetThreadContext). The read is not shown in the logged sequence above but is required in practice: the control registers (RIP, RSP, EFLAGS, segment selectors) are set as one group, so the caller needs valid original values for the rest, and capturing them is also what makes later restoration of the thread possible.
Step 6: Resume the thread (ResumeThread); it executes the shellcode instead of continuing from its original instruction.
Naming note: despite the rule title “APC Injection Variation”, no QueueUserAPC or NtQueueApcThread call appears in the sequence. APC injection is T1055.004; the observed SuspendThread → SetThreadContext → ResumeThread chain is T1055.003, which is the mapping the alert and this ticket use.
Shellcode Analysis:
Size: 2048 bytes
Function: Reverse shell to 185.143.221[.]89:4443
Persistence: Adds registry Run key “WindowsUpdate”
Impact:
explorer.exe UI thread (TID 1245) hijacked; the thread was later restored.
Shellcode executed inside explorer.exe under kwilson's security context, so any follow-on activity would have appeared to originate from a trusted, long-lived process.
C2 connection to 185.143.221[.]89:4443 attempted and blocked, so no second-stage payload was retrieved.
3. Investigation Findings:
Timeline:
16:00 – Email opened
16:05 – Malware executed
16:10-16:15 – Thread enumeration
16:25 – Hijacking
16:25 – Alert
16:27 – SOC investigates
16:28 – Malicious process terminated
16:29 – Thread restored
Indicators of Compromise (IoCs):
Files:
– C:\Users\kwilson\AppData\Local\Temp\office_update.exe (SHA256: e5f6a7b8…)
Behavioural indicators (API sequence; these are not atomic IoCs, since debuggers and legitimate runtimes make the same calls, and it is the cross-process sequence from one caller within seconds that is indicative):
– OpenThread
– SuspendThread
– VirtualAllocEx
– WriteProcessMemory
– SetThreadContext
– ResumeThread
Network:
– C2: 185.143.221[.]89:4443
4. Containment Actions:
Immediate Actions:
Terminated office_update.exe.
Restored original thread context (set instruction pointer back) so the UI thread continued normally; this undoes the redirection but not anything the shellcode already did inside explorer.exe.
Removed registry persistence.
Isolated host.
Disabled kwilson account.
Reset password.
Host Remediation:
Full scan (clean).
Reimaged as a precaution: attacker code had executed inside explorer.exe, so a clean scan and a restored thread are not sufficient assurance on their own.
5. Root Cause Analysis:
Primary Cause: User opened a malicious document from a phishing email, which led to office_update.exe being downloaded to C:\Users\kwilson\AppData\Local\Temp and executed.
Contributing Factors:
No application control: an executable dropped in the user's Temp directory was allowed to run.
User had local admin rights. Note that the injection itself did not need them: office_update.exe and explorer.exe both ran as kwilson, and a process can open another process of the same user for memory writes and thread context changes at medium integrity. Admin rights widen what a second stage could have done (for example machine-wide persistence), not this step.
6. Business Impact:
Operational Impact: HR workstation offline for 2 hours.
Data Exposure: None identified. The only outbound connection was the blocked C2 attempt and no second-stage payload ran, so there was no channel for exfiltration.
7. Remediation & Prevention:
Completed Actions:
Thread restored.
Malware removed.
Account secured.
Technical Controls Enhanced:
Enhanced monitoring for cross-process SuspendThread / SetThreadContext / ResumeThread sequences from a single caller (same-process suspend/resume is routine for debuggers and runtimes and is excluded to limit noise).
Enabled ASR rule “Block thread hijacking attempts” (as recorded in the ticket). Verification note: Microsoft Defender has no Attack Surface Reduction rule by that name. The rules that apply to this chain are “Block executable content from email client and webmail” and “Block executable files from running unless they meet a prevalence, age, or trusted list criterion”; “Block Office applications from injecting code into other processes” covers injection only when the caller is an Office process, which office_update.exe was not. Confirm which rule GUIDs were actually enabled, and whether in audit or block mode.
8. Conclusion:
An attacker ran shellcode inside explorer.exe by hijacking its existing UI thread rather than creating a new one, so the execution never produced the CreateRemoteThread event that simpler injection detections key on. CrowdStrike detected the cross-process thread suspension, the context modification and the resume occurring within seconds of each other, which allowed the source process to be killed and the thread restored within four minutes of the hijack.
Closure Rationale: Thread restored; malware removed; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-06 17:30 EST