CrowdStrike Alert Details
Alert ID: CS-PROC-INJECT-1055-7842
Alert Time: 2024-03-06 09:30:15 EST
Severity: CRITICAL (95/100)
Source: CrowdStrike Falcon EDR
Rule: “Process Injection Detected – Remote Thread Creation”
MITRE ATT&CK: T1055 – Process Injection
Alert Details:
Detection: Process created remote thread in another process (code injection)
Source Host: FIN-WS-078 (Finance Workstation)
User: bturner@company.com (Brian Turner, Accountant)
Target Process: explorer.exe (PID: 2341)
Time: 09:25 EST
API Call Sequence:
09:25:10 – OpenProcess (target: explorer.exe, access: PROCESS_ALL_ACCESS) – SUCCESS
09:25:12 – VirtualAllocEx (allocated 4096 bytes in explorer.exe) – SUCCESS
09:25:15 – WriteProcessMemory (wrote shellcode to allocated memory) – SUCCESS
09:25:18 – CreateRemoteThread (created thread in explorer.exe at shellcode address) – SUCCESS
09:25:20 – Thread executing in explorer.exe (PID: 2341, TID: 4789)
Source Process:
Process: C:\Users\bturner\AppData\Local\Temp\update.exe (PID: 4789)
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Parent: explorer.exe (legitimate)
User: bturner
Shellcode Analysis (extracted):
4096 bytes of position-independent code
Connects to 185.143.221[.]89:443
Downloads additional payload
Injects into additional processes
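Step 2 of the investigation below recovers the C2 endpoint from the dumped region. The following is an added example of how that extraction is done, not the report's or CrowdStrike's tooling: a reverse-shell stub must carry a sockaddr_in somewhere, and in the common x86 msfvenom layout it is pushed onto the stack as two immediates (push sin_addr; push AF_INET|sin_port), while x64 stubs load the whole struct with a single mov r12, imm64. SAMPLE_X86 and SAMPLE_X64 are constructed byte strings modeled on those layouts, not the shellcode from this incident; the second, generic scan goes beyond the x86 case the page describes and is lower confidence by design.

```python
"""Recover the C2 endpoint from a dumped shellcode region (added triage example).

SAMPLE_X86 / SAMPLE_X64 are constructed stubs, not the incident's shellcode.
"""
import re
import socket
import struct

# x86 reverse_tcp stubs push the sockaddr_in as two immediates:
#   68 <sin_addr, 4 bytes>        push imm32  (IP bytes in network order)
#   68 02 00 <sin_port, 2 bytes>  push imm32  (AF_INET = 2, port big-endian)
PUSH_SOCKADDR = re.compile(rb"\x68(.{4})\x68\x02\x00(.{2})", re.DOTALL)

# Any contiguous sockaddr_in (family, port, addr) as laid out in memory; x64 stubs
# load it with "mov r12, imm64" (49 BC 02 00 pp pp ii ii ii ii). The lookahead
# makes overlapping candidates all visible to finditer().
RAW_SOCKADDR = re.compile(rb"(?=\x02\x00(.{2})(.{4}))", re.DOTALL)


def _plausible(ip, port):
    """Drop obvious junk: port 0 and addresses whose first octet is 0 or 255."""
    first = int(ip.split(".")[0])
    return port != 0 and 0 < first < 255


def extract_c2(blob):
    """Return candidate {offset, ip, port, confidence} hits, high confidence first."""
    hits, covered = [], []
    for m in PUSH_SOCKADDR.finditer(blob):
        ip = socket.inet_ntoa(m.group(1))
        port = struct.unpack(">H", m.group(2))[0]
        if _plausible(ip, port):
            hits.append({"offset": m.start(), "ip": ip, "port": port, "confidence": "high"})
            covered.append((m.start(), m.end()))
    for m in RAW_SOCKADDR.finditer(blob):
        off = m.start()
        if any(s <= off < e for s, e in covered):
            continue  # same sockaddr already reported via the push pattern
        ip = socket.inet_ntoa(m.group(2))
        port = struct.unpack(">H", m.group(1))[0]
        if _plausible(ip, port):
            hits.append({"offset": off, "ip": ip, "port": port, "confidence": "low"})
    return sorted(hits, key=lambda h: (h["confidence"] != "high", h["offset"]))


def defang(ip, port):
    """Render the indicator the way the report does, e.g. 185.143.221[.]89:443."""
    head, last = ip.rsplit(".", 1)
    return f"{head}[.]{last}:{port}"


C2_IP, C2_PORT = "185.143.221.89", 443

# Constructed x86 stub: generic prologue, then the two sockaddr pushes, then filler.
SAMPLE_X86 = (
    b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0"   # cld; call; pushad; mov ebp,esp; xor eax,eax
    + b"\x68" + socket.inet_aton(C2_IP)                # push sin_addr
    + b"\x68\x02\x00" + struct.pack(">H", C2_PORT)     # push AF_INET | sin_port (network order)
    + b"\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50"      # mov esi,esp; push eax ...; inc eax; push eax
    + b"\x68\xea\x0f\xdf\xe0\xff\xd5"                  # push <api hash>; call ebp
)

# Constructed x64 stub: the whole sockaddr_in arrives in one 64-bit immediate.
SAMPLE_X64 = (
    b"\x49\xbc\x02\x00" + struct.pack(">H", C2_PORT) + socket.inet_aton(C2_IP)  # mov r12, <sockaddr_in>
    + b"\x41\x54\x49\x89\xe4"                                                     # push r12; mov r12, rsp
)

if __name__ == "__main__":
    for name, blob in (("x86 stub", SAMPLE_X86), ("x64 stub", SAMPLE_X64)):
        for h in extract_c2(blob):
            print(f"{name}: offset {h['offset']:#x} {defang(h['ip'], h['port'])} ({h['confidence']})")
```

Run it over the raw bytes of the dumped region rather than a disassembly; the push pattern is exact enough to trust on its own, while a low-confidence raw hit should be confirmed against the network telemetry (here, the outbound attempt to 443) before it goes into the IoC list.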
Detection Logic:
Process injecting code into another process (unusual for a user-launched executable)
CreateRemoteThread targeting explorer.exe (a long-lived, always-present process and therefore a common injection host)
Source process running from the user's Temp folder (suspicious; installed software does not execute from there)
Complete OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread sequence within eight seconds, matching the classic remote-thread injection pattern
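The detection points above can be expressed as a correlation rule over per-process API telemetry. The following is an added example, not CrowdStrike's rule logic and not code from the original report: it groups calls by (source PID, target PID), requires the full chain in order within a time window, and weights the same signals the alert lists. The event field names, the score weights, the 60-second window and the two benign control sequences are assumptions for the example; the incident events are constructed to mirror the API call sequence above.

```python
"""Sequence detection for remote-thread injection over EDR API-call telemetry.

Added example. EVENTS is constructed telemetry: four events mirroring the
alert's sequence plus two benign controls. Field names, window and weights
are assumptions, not CrowdStrike's schema or scoring.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# The four calls, in order, that make up classic remote-thread injection (T1055).
CHAIN = ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")
WINDOW = timedelta(seconds=60)  # assumed: the whole chain must complete within this window

# Long-lived, always-present processes that malware prefers as injection hosts.
COMMON_TARGETS = {"explorer.exe", "svchost.exe", "rundll32.exe", "dllhost.exe"}

# User-writable staging directories; installed software does not run from them.
SUSPICIOUS_DIRS = re.compile(r"\\AppData\\Local\\Temp\\|\\Downloads\\|\\Users\\Public\\", re.IGNORECASE)

UPDATE = (4789, r"C:\Users\bturner\AppData\Local\Temp\update.exe")
EXPLORER = (2341, r"C:\Windows\explorer.exe")
SETUP = (5120, r"C:\Program Files\Vendor\setup.exe")      # constructed benign installer
HELPER = (5130, r"C:\Program Files\Vendor\helper.exe")    # constructed benign helper
DOTNET = (6100, r"C:\Program Files\dotnet\dotnet.exe")    # constructed benign runtime


def _ev(ts, api, src, dst, detail=""):
    return {"ts": ts, "api": api, "src_pid": src[0], "src_image": src[1],
            "target_pid": dst[0], "target_image": dst[1], "detail": detail}


EVENTS = [
    # The incident: update.exe into explorer.exe, as in the alert's API call sequence.
    _ev("2024-03-06 09:25:10", "OpenProcess", UPDATE, EXPLORER, "PROCESS_ALL_ACCESS"),
    _ev("2024-03-06 09:25:12", "VirtualAllocEx", UPDATE, EXPLORER, "4096 bytes"),
    _ev("2024-03-06 09:25:15", "WriteProcessMemory", UPDATE, EXPLORER, "4096 bytes"),
    _ev("2024-03-06 09:25:18", "CreateRemoteThread", UPDATE, EXPLORER),
    # Benign control: an installer writes into its helper but never starts a thread there.
    _ev("2024-03-06 09:26:00", "OpenProcess", SETUP, HELPER, "PROCESS_VM_WRITE|PROCESS_VM_OPERATION"),
    _ev("2024-03-06 09:26:01", "VirtualAllocEx", SETUP, HELPER, "512 bytes"),
    _ev("2024-03-06 09:26:01", "WriteProcessMemory", SETUP, HELPER, "512 bytes"),
    # Benign control: a runtime allocating executable memory in its own process.
    _ev("2024-03-06 09:26:05", "VirtualAllocEx", DOTNET, DOTNET, "65536 bytes"),
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _score(chain):
    """Turn a completed chain into a finding; the weights are assumptions for the example."""
    first, last = chain[0], chain[-1]
    reasons = ["complete OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread chain into another process"]
    score = 50
    if _basename(last["target_image"]) in COMMON_TARGETS:
        score += 20
        reasons.append(f"target {_basename(last['target_image'])} is a common injection host")
    if SUSPICIOUS_DIRS.search(first["src_image"]):
        score += 15
        reasons.append("source image runs from a user-writable staging directory")
    if "PROCESS_ALL_ACCESS" in first.get("detail", ""):
        score += 10
        reasons.append("handle opened with PROCESS_ALL_ACCESS")
    return {"technique": "T1055", "src_pid": first["src_pid"], "src_image": first["src_image"],
            "target_pid": last["target_pid"], "target_image": last["target_image"],
            "first_seen": first["ts"], "last_seen": last["ts"], "score": score, "reasons": reasons}


def detect_injection(events):
    """One finding per (source PID, target PID) pair that completes CHAIN in order within WINDOW."""
    by_pair = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["src_pid"] == ev["target_pid"]:
            continue  # in-process allocation/writes are normal (JITs, unpackers) and are not T1055
        by_pair[(ev["src_pid"], ev["target_pid"])].append(ev)

    findings = []
    for evs in by_pair.values():
        stage, matched, start = 0, [], None
        for ev in evs:
            if ev["api"] != CHAIN[stage]:
                continue  # unrelated or out-of-order call; keep waiting for the next stage
            ts = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            if start is None:
                start = ts
            elif ts - start > WINDOW:
                break  # too slow to be one injection sequence
            matched.append(ev)
            stage += 1
            if stage == len(CHAIN):
                findings.append(_score(matched))
                break
    return findings


if __name__ == "__main__":
    for f in detect_injection(EVENTS):
        print(f"{f['technique']} score={f['score']} {f['src_image']} (PID {f['src_pid']}) -> "
              f"{f['target_image']} (PID {f['target_pid']})")
        for r in f["reasons"]:
            print("  -", r)
```

The installer control shows why the rule keys on the complete chain rather than on any single call: OpenProcess plus WriteProcessMemory into another process is common in legitimate software, and CreateRemoteThread into a process the caller did not spawn is the step that separates injection from that noise.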
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed process injection
2. Memory Analysis | Extract injected shellcode | CrowdStrike Falcon Memory | Reverse shell to C2
3. Process Investigation | Identify source of injection | CrowdStrike | update.exe from phishing email
4. Immediate Action | Terminate malicious processes | CrowdStrike | update.exe and injected thread killed
5. Host Isolation | Isolate FIN-WS-078 | CrowdStrike | Host quarantined
6. Account Remediation | Disable bturner account | Azure AD, AD | Account disabled; password reset
Jira Incident Report
Ticket: SOC-2024-176
Summary: T1055 – Process Injection into explorer.exe from Malicious Executable
Status: RESOLVED
Resolution: MALICIOUS – Injection Blocked
Priority: P1 – CRITICAL
Labels: T1055, process-injection, create-remote-thread, crowdstrike
Components: Endpoint-Security, Malware-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Process Injection Detected – Remote Thread Creation”.
Source Process: C:\Users\bturner\AppData\Local\Temp\update.exe.
Target Process: explorer.exe (PID: 2341).
Time: 2024-03-06 09:30 EST.
Technique: MITRE ATT&CK T1055 – Process Injection.
2. Technical Analysis:
Attack Chain:
09:00 – User opens phishing email attachment
09:05 – update.exe downloaded and executed
09:10 – Malware enumerates running processes
09:15 – Selects explorer.exe as injection target
09:25 – Process injection using CreateRemoteThread
09:25 – CrowdStrike detects
Injection Details:
Method: Remote-thread shellcode injection (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread). Not DLL injection: the payload written into explorer.exe is raw position-independent code used directly as the thread start address, not a DLL path handed to LoadLibrary.
Memory Allocated: 4096 bytes in explorer.exe
Shellcode: Position-independent code (reverse shell)
C2: 185.143.221[.]89:443
Malware Analysis:
File: update.exe (SHA256: a1b2c3d4…)
Type: Cobalt Strike loader
Behavior: Injects shellcode, downloads additional payloads
Impact:
Malicious code running inside explorer.exe
Stealthier than running as separate process
C2 connection attempted to 185.143.221[.]89:443 (blocked; no data left the host)
3. Investigation Findings:
Timeline:
09:00 – Phishing email opened
09:05 – Malware executed
09:10-09:15 – Reconnaissance
09:25 – Injection detected
09:27 – SOC investigates
09:28 – Processes terminated
09:29 – Host isolated
Indicators of Compromise (IoCs):
Files:
– C:\Users\bturner\AppData\Local\Temp\update.exe (SHA256: a1b2c3d4…)
API Calls:
– OpenProcess (explorer.exe)
– VirtualAllocEx
– WriteProcessMemory
– CreateRemoteThread
Network:
– C2: 185.143.221[.]89:443
4. Containment Actions:
Immediate Actions:
Terminated update.exe process.
Terminated injected thread in explorer.exe.
Scanned explorer.exe memory (clean after thread termination; terminating the thread does not free the region VirtualAllocEx created, so the reimage below is the real assurance).
Isolated host.
Disabled bturner account.
Reset password.
Host Remediation:
Full scan (clean).
Reimaged as precaution.
5. Root Cause Analysis:
Primary Cause: User executed malware from phishing email.
Contributing Factors:
No application control blocking unknown executables.
User had local admin rights (not required for this injection, since explorer.exe runs as bturner and OpenProcess on a same-user process succeeds without SeDebugPrivilege, but they would have let the injector target processes of other users and of the system).
6. Business Impact:
Operational Impact: Finance workstation offline for 2 hours.
Data Exposure: None (C2 blocked).
7. Remediation & Prevention:
Completed Actions:
Malware removed.
Account secured.
Host cleaned.
Technical Controls Enhanced:
Enabled the Defender ASR rule “Block Office applications from injecting code into other processes” (the only ASR rule aimed at injection; it constrains Office processes, not an already-running update.exe, which is why application control is also required).
Enhanced monitoring for CreateRemoteThread (cross-process thread creation; Sysmon Event ID 8 where Sysmon runs alongside Falcon).
Implemented application control to block unsigned executables launched from user-writable paths such as the user's Temp folder.
8. Conclusion:
An attacker used process injection to run malicious code inside explorer.exe in an attempt to evade detection. CrowdStrike detected the remote thread creation and enabled termination of update.exe and the injected thread before the C2 channel could be used.
Closure Rationale: Injection blocked; malware removed; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-06 10:30 EST