T1091 – Replication via Removable Media (CrowdStrike Detection)

CrowdStrike Alert Details
Alert ID: CS-WORM-USB-1091-7842
Alert Time: 2024-02-12 14:15:33 EST
Severity: HIGH (88/100)
Source: CrowdStrike Falcon EDR
Rule: “Replication Through Removable Media – Worm Behavior”
MITRE ATT&CK: T1091 – Replication Through Removable Media

Alert Details:

Detection: Worm-like file replication to USB devices

Host: ENG-WS-078 (Engineering)

User: npatel (Neha Patel, Engineer)

Time: 14:10-14:15 EST

Process Tree:

– explorer.exe (PID: 3421)
  – cmd.exe (PID: 4567)
    – copy.exe (PID: 4589)
      – Writing to E:\ (USB Drive)

File Activity:

– Source: C:\Windows\Temp\svchost.exe (SHA256: a1b2c3d4e5f6…)

– Destination: E:\System Volume Information\svchost.exe

– Source: C:\Users\npatel\Documents\*.doc

– Destination: E:\Backup\Documents\ (hidden folder)

USB Device Details:

– Device: Kingston DataTraveler (VID: 0951, PID: 1666)

– Serial: 001CC0EC3466B881A43903C3

– First Seen: 2024-02-12 14:05

– Capacity: 32GB

Malware Analysis:

– svchost.exe: Worm with network propagation capabilities
– Behavior:
  – Copies itself to all removable drives
  – Creates hidden folders with document copies
  – Modifies autorun.inf on USB drives
  – Attempts network propagation via SMB

Additional Context:

– User normally does not use USB devices

– Device plugged in immediately after user returned from conference

– No USB devices are approved under engineering policy

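
The heuristics behind the "Worm Behavior" rule above, written out as an added example (not CrowdStrike's detection logic) over constructed file-write events: a protected system binary name running outside the system directories, a self-copy to the removable drive, writes to System Volume Information and autorun.inf, and a burst of document copies. The event shape, field names and the removable drive letters are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
# Constructed file-create events shaped like EDR telemetry (field names are an assumption,
# not the Falcon schema). They mirror the alert: PID 4589, a svchost.exe running from
# C:\Windows\Temp, writes itself, autorun.inf and a run of .doc files to E:\ (removable).
def _ev(ts, pid, image, target):
    return {"ts": datetime.fromisoformat(ts), "pid": pid, "image": image, "target": target}

WORM = r"C:\Windows\Temp\svchost.exe"
EVENTS = [
    _ev("2024-02-12T14:08:10", 4589, WORM, r"E:\System Volume Information\svchost.exe"),
    _ev("2024-02-12T14:09:05", 4589, WORM, r"E:\autorun.inf"),
    _ev("2024-02-12T14:09:30", 3421, r"C:\Windows\explorer.exe", r"E:\report.docx"),  # benign save
] + [_ev(f"2024-02-12T14:09:{10 + i:02d}", 4589, WORM, rf"E:\Backup\Documents\spec{i:02d}.doc")
     for i in range(6)]

SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}
REMOVABLE = ("e:\\", "f:\\")  # drive letters the host reports as removable (assumption)

def is_masquerading(image):
    """True when a protected system process name runs from outside the system directories."""
    return PureWindowsPath(image).name.lower() in SYSTEM_NAMES and not image.lower().startswith(SYSTEM_DIRS)

def detect(events, doc_threshold=5, window=timedelta(seconds=60), min_indicators=2):
    """Return {pid: [indicators]} for processes whose removable-media writes trip >= min_indicators heuristics."""
    by_pid = defaultdict(list)
    for e in events:
        if e["target"].lower().startswith(REMOVABLE):
            by_pid[e["pid"]].append(e)
    findings = {}
    for pid, evs in by_pid.items():
        image = evs[0]["image"]
        hits = {"masquerading_image"} if is_masquerading(image) else set()
        for e in evs:
            t = PureWindowsPath(e["target"])
            checks = [(t.name.lower() == PureWindowsPath(image).name.lower(), "self_copy_to_removable"),
                      (t.name.lower() == "autorun.inf", "autorun_written"),
                      ("system volume information" in str(t).lower(), "write_to_system_volume_information")]
            hits.update(label for cond, label in checks if cond)
        doc_times = sorted(e["ts"] for e in evs if PureWindowsPath(e["target"]).suffix.lower() in DOC_EXTS)
        # Sliding window: doc_threshold document writes within `window` is a copy burst, not a user save.
        if any(doc_times[i + doc_threshold - 1] - doc_times[i] <= window
               for i in range(len(doc_times) - doc_threshold + 1)):
            hits.add("document_burst")
        if len(hits) >= min_indicators:
            findings[pid] = sorted(hits)
    return findings
```

Requiring two or more indicators keeps a single document saved to a USB stick from Explorer (PID 3421 above) below the alert threshold while the worm process trips all five.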
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|------|--------|------------|----------|
| 1. Alert Validation | Verify CrowdStrike detection | CrowdStrike Falcon Console | Confirmed worm replication to USB |
| 2. Immediate Containment | Isolate host and block USB | CrowdStrike, Network Isolation | Host quarantined; USB port disabled |
| 3. Physical Security | Dispatch to user location | Security Team | USB device confiscated |
| 4. Malware Analysis | Analyze worm sample | CrowdStrike Sandbox, Any.Run | Worm can spread via USB and network SMB |
| 5. User Interview | Interview user about USB | HR, Security | User received USB at conference; plugged in out of curiosity |
| 6. Threat Hunting | Check for spread to other hosts | CrowdStrike Search, Splunk | No other hosts infected; USB blocked |

Jira Incident Report
Ticket: SOC-2024-062
Summary: T1091 – USB Worm Replication via Removable Media
Status: RESOLVED
Resolution: MALICIOUS – Worm Contained
Priority: P1 – HIGH
Labels: T1091, removable-media, worm, usb, crowdstrike, engineering
Components: Endpoint-Security, Malware-Response

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: CrowdStrike Falcon EDR.
Alert: “Replication Through Removable Media – Worm Behavior”.
Host: ENG-WS-078 (Engineering Department, user npatel).
Time: 2024-02-12 14:15 EST.
Technique: MITRE ATT&CK T1091 – Replication Through Removable Media.

2. Technical Analysis:

Infection Chain:

14:05 – User plugs in USB device from conference

14:06 – USB contains autorun.inf (disabled by policy)

14:07 – Worm executes from C:\Windows\Temp\svchost.exe

14:08 – Worm copies itself to USB hidden folder

14:09 – Worm begins copying documents to USB

14:10 – Worm attempts SMB propagation (blocked)

14:15 – CrowdStrike detects and alerts

Worm Analysis:

File: svchost.exe (masquerading as Windows process)
SHA256: a1b2c3d4e5f6…
Capabilities:
Copies itself to all removable drives
Creates hidden folders (System Volume Information, Backup)
Copies documents (.doc, .xls, .pdf) from user profile
Modifies autorun.inf for future infections
Attempts network propagation via SMB (port 445)
Downloads additional payload from C2 (blocked)

USB Device Analysis:

Source: USB drive given at “Industry Tech Conference 2024”
Contents: Conference materials + hidden worm
Likely Intent: Target companies attending conference
Device serial tracked for future blocking

Network Propagation Attempts:

Scanned local subnet for port 445
Attempted connections to 3 file servers (blocked by firewall)
No successful lateral movement

3. Investigation Findings:

Timeline:

14:05 – User plugs in conference USB

14:06-14:10 – Worm executes, copies files

14:15 – CrowdStrike alert triggers

14:16 – Host isolated

14:18 – Security dispatched

14:22 – USB confiscated

Data Exposure:

47 documents copied to USB before detection
Document types: engineering specs, CAD files, project plans
No sensitive PII or financial data
USB recovered before leaving premises

Indicators of Compromise (IoCs):

Files:

– svchost.exe (SHA256: a1b2c3d4e5f6…)

– C:\Windows\Temp\svchost.exe

– E:\System Volume Information\svchost.exe

USB:

– VID: 0951, PID: 1666

– Serial: 001CC0EC3466B881A43903C3

Network:

– SMB scanning to port 445

4. Containment Actions:

Immediate Actions (14:15-14:22 EST):

Host isolated via CrowdStrike network containment.
USB port disabled via Group Policy emergency push.
Device confiscated by security.
User interviewed; HR notified.

Endpoint Remediation:

Worm processes terminated.
Malicious files removed.
Host re-imaged from clean backup.

USB Analysis:

Forensic image created.
Device destroyed after analysis.

5. Root Cause Analysis:

Primary Cause: User plugged in untrusted USB device from conference.
Contributing Factors:
Conference USB given to all attendees (supply chain risk).
User curiosity overcame security training.
No technical control blocking unapproved USB devices (autorun was already disabled by policy).

6. Business Impact:

Operational Impact: Engineering workstation offline for 4 hours.
Data Exposure: 47 documents copied but recovered.
Financial Impact: Minimal.

7. Remediation & Prevention:

Completed Actions:

Host remediated.
USB confiscated and destroyed.
User re-trained.
Conference organizers notified.

Technical Controls Enhanced:

Enhanced CrowdStrike detection for worm behavior.
Blocked all USB devices from untrusted sources via Device Control.
Deployed USB scanning kiosks for conference materials.

8. Conclusion:

This incident involved a USB worm distributed at an industry conference. The worm executed when an employee plugged in the device, copying documents and attempting network propagation. Rapid detection and containment prevented spread, and the USB was recovered.

Closure Rationale: Worm contained; USB recovered; user educated.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-12 16:00 EST
