CrowdStrike Alert Details
Alert ID: CS-WORM-USB-1091-7842
Alert Time: 2024-02-12 14:15:33 EST
Severity: HIGH (88/100)
Source: CrowdStrike Falcon EDR
Rule: “Replication Through Removable Media – Worm Behavior”
MITRE ATT&CK: T1091 – Replication Through Removable Media
Alert Details:
Detection: Worm-like file replication to USB devices
Host: ENG-WS-078 (Engineering)
User: npatel (Neha Patel, Engineer)
Time: 14:10-14:15 EST
Process Tree:
– explorer.exe (PID: 3421)
– cmd.exe (PID: 4567)
– copy (cmd.exe built-in; runs inside PID 4567, there is no separate copy.exe process)
– Writing to E:\ (USB Drive)
File Activity:
– Source: C:\Windows\Temp\svchost.exe (SHA256: a1b2c3d4e5f6…)
– Destination: E:\System Volume Information\svchost.exe
– Source: C:\Users\npatel\Documents\*.doc
– Destination: E:\Backup\Documents\ (hidden folder)
USB Device Details:
– Device: Kingston DataTraveler (VID: 0951, PID: 1666)
– Serial: 001CC0EC3466B881A43903C3
– First Seen: 2024-02-12 14:05
– Capacity: 32GB
Malware Analysis:
– svchost.exe: Worm with network propagation capabilities
– Behavior:
– Copies itself to all removable drives
– Creates hidden folders with document copies
– Modifies autorun.inf on USB drives
– Attempts network propagation via SMB
Additional Context:
– User normally does not use USB devices
– Device plugged in immediately after user returned from conference
– Engineering policy approves no USB storage devices; this device was not on any allow-list
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike detection | CrowdStrike Falcon Console | Confirmed worm replication to USB |
| 2. Immediate Containment | Isolate host and block removable storage | CrowdStrike, Network Isolation | Host quarantined; removable storage access disabled by policy |
| 3. Physical Security | Dispatch to user location | Security Team | USB device confiscated |
| 4. Malware Analysis | Analyze worm sample | CrowdStrike Falcon Sandbox, Any.Run | Worm can spread via USB and network SMB |
| 5. User Interview | Interview user about USB | HR, Security | User received USB at conference; plugged in out of curiosity |
| 6. Threat Hunting | Check for spread to other hosts | CrowdStrike Search, Splunk | No other hosts infected; USB blocked |
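The four behaviours the alert reports (a system-binary name running outside the system directories, executables or autorun.inf written to removable media, a burst of documents copied to the device, and a fan-out to many hosts on TCP/445) can be expressed as host-level triage logic. The block below is an added example, not CrowdStrike's rule logic and not a query from this investigation: it runs that logic over constructed EDR-style events. Run against one host it is the step 1 validation; run over a fleet-wide export it is the step 6 hunt. ENG-WS-078 and its paths come from the alert above; the event schema, the thresholds, the clean comparison host ENG-WS-012 and the 10.20.1.x addresses are assumptions made for the example.

```python
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Names a worm commonly borrows; legitimate copies live only under these directories.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".lnk"}
DOC_EXT = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}
DOC_THRESHOLD = 10              # assumed tuning: documents written to removable media ...
SMB_THRESHOLD = 3               # assumed tuning: distinct hosts contacted on TCP/445
WINDOW = timedelta(minutes=5)   # ... within this sliding window

# Constructed telemetry modelled on the alert (assumed field names; not real Falcon output).
EVENTS = [
    {"ts": "2024-02-12T14:07:10", "host": "ENG-WS-078", "type": "process",
     "image": "C:\\Windows\\Temp\\svchost.exe"},
    {"ts": "2024-02-12T14:08:02", "host": "ENG-WS-078", "type": "file_write",
     "path": "E:\\System Volume Information\\svchost.exe", "drive_type": "removable"},
    {"ts": "2024-02-12T14:08:05", "host": "ENG-WS-078", "type": "file_write",
     "path": "E:\\autorun.inf", "drive_type": "removable"},
    # A clean engineering host for comparison (constructed): real svchost.exe, one document to a stick.
    {"ts": "2024-02-12T14:07:30", "host": "ENG-WS-012", "type": "process",
     "image": "C:\\Windows\\System32\\svchost.exe"},
    {"ts": "2024-02-12T14:09:00", "host": "ENG-WS-012", "type": "file_write",
     "path": "E:\\report.docx", "drive_type": "removable"},
]
# Bulk document copy and a TCP/445 sweep from the infected host (constructed).
EVENTS += [{"ts": f"2024-02-12T14:09:{i:02d}", "host": "ENG-WS-078", "type": "file_write",
            "path": f"E:\\Backup\\Documents\\spec_{i:02d}.doc", "drive_type": "removable"}
           for i in range(12)]
EVENTS += [{"ts": f"2024-02-12T14:10:{i:02d}", "host": "ENG-WS-078", "type": "net_conn",
            "dst_ip": f"10.20.1.{10 + i}", "dst_port": 445} for i in range(3)]


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def burst(times, threshold, window):
    """True if at least `threshold` timestamps fall inside some span of length `window`."""
    times = sorted(times)
    lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False


def basename(path):
    # Normalise Windows paths so this also runs on a non-Windows analysis box.
    return os.path.basename(path.replace("\\", "/")).lower()


def triage(events):
    """Group events by host; return {host: [finding, ...]} for hosts showing T1091-style activity."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    results = {}
    for host, evs in by_host.items():
        findings = []
        # 1. System-binary name running outside the system directories (masquerading).
        for e in evs:
            if e["type"] == "process" and basename(e["image"]) in SYSTEM_BINARIES \
                    and not e["image"].lower().startswith(SYSTEM_DIRS):
                findings.append(f"masquerade: {basename(e['image'])} running from {e['image']}")
        # 2. Executable or autorun.inf written to removable media (self-replication).
        removable = [e for e in evs if e["type"] == "file_write" and e["drive_type"] == "removable"]
        for e in removable:
            name = basename(e["path"])
            if os.path.splitext(name)[1] in EXEC_EXT or name == "autorun.inf":
                findings.append(f"executable/autorun dropped on removable media: {e['path']}")
        # 3. Burst of documents copied to removable media (staging for exfiltration).
        doc_times = [parse_ts(e["ts"]) for e in removable
                     if os.path.splitext(basename(e["path"]))[1] in DOC_EXT]
        if burst(doc_times, DOC_THRESHOLD, WINDOW):
            findings.append(f"bulk document copy to removable media: {len(doc_times)} files")
        # 4. Fan-out to many hosts on TCP/445 (SMB propagation attempt).
        smb_targets = {e["dst_ip"] for e in evs if e["type"] == "net_conn" and e["dst_port"] == 445}
        if len(smb_targets) >= SMB_THRESHOLD:
            findings.append(f"SMB sweep: {len(smb_targets)} distinct hosts on TCP/445")
        if findings:
            results[host] = findings
    return results


if __name__ == "__main__":
    for host, findings in triage(EVENTS).items():
        print(host)
        for f in findings:
            print("  -", f)
```

Only ENG-WS-078 is returned: the comparison host writes a single document to its stick and runs svchost.exe from System32, so none of the four checks fire. Each check on its own is noisy (engineers do copy documents to USB); the value is in the combination on one host inside a short window, which is why the findings are grouped per host rather than emitted as independent alerts.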
Jira Incident Report
Ticket: SOC-2024-062
Summary: T1091 – USB Worm Replication via Removable Media
Status: RESOLVED
Resolution: MALICIOUS – Worm Contained
Priority: P1 – HIGH
Labels: T1091, removable-media, worm, usb, crowdstrike, engineering
Components: Endpoint-Security, Malware-Response
INCIDENT ANALYSIS REPORT
1. Initial Context:
- Detection Source: CrowdStrike Falcon EDR.
- Alert: “Replication Through Removable Media – Worm Behavior”.
- Host: ENG-WS-078 (Engineering Department, user npatel).
- Time: 2024-02-12 14:15 EST.
- Technique: MITRE ATT&CK T1091 – Replication Through Removable Media.
2. Technical Analysis:
- Infection Chain:
14:05 – User plugs in USB device from conference
14:06 – autorun.inf present on the device; not honoured (AutoRun disabled by policy)
14:07 – Worm executes from C:\Windows\Temp\svchost.exe
14:08 – Worm copies itself to USB hidden folder
14:09 – Worm begins copying documents to USB
14:10 – Worm attempts SMB propagation (blocked)
14:15 – CrowdStrike detects and alerts
- Worm Analysis:
- File: svchost.exe (masquerading as Windows process)
- SHA256: a1b2c3d4e5f6…
- Capabilities:
- Copies itself to all removable drives
- Creates hidden folders (System Volume Information, Backup)
- Copies documents (.doc, .xls, .pdf) from user profile
- Modifies autorun.inf for future infections
- Attempts network propagation via SMB (port 445)
- Downloads additional payload from C2 (blocked)
- USB Device Analysis:
- Source: USB drive given at “Industry Tech Conference 2024”
- Contents: Conference materials + hidden worm
- Likely Intent: Target companies attending conference
- Device serial tracked for future blocking
- Network Propagation Attempts:
- Scanned local subnet for port 445
- Attempted connections to 3 file servers (blocked by firewall)
- No successful lateral movement
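The "modifies autorun.inf for future infections" capability is worth seeing in concrete terms, both because it is what the AutoRun policy neutralised here and because the file is the first thing to read from the USB forensic image. The block below is an added example and not part of the original report or of any analysis tool named on the page: a small triage parser for autorun.inf that lists which entries would cause execution and flags the patterns a worm uses. The sample autorun.inf is constructed to match the paths in this alert; the benign sample and the label text are likewise assumptions.

```python
# Constructed sample (assumption): a worm-modified autorun.inf of the kind the analysis
# describes, pointing every launch verb at the dropped copy under System Volume Information.
SAMPLE_AUTORUN = """\
; Industry Tech Conference 2024 materials
[autorun]
label=Conference Materials
icon=%SystemRoot%\\system32\\SHELL32.dll,4
open=System Volume Information\\svchost.exe
shellexecute=System Volume Information\\svchost.exe
shell\\open\\command=System Volume Information\\svchost.exe
shell\\explore\\command=System Volume Information\\svchost.exe
useautoplay=1
"""

# A vendor-style autorun.inf that only sets a label and an icon (constructed).
BENIGN_AUTORUN = "[autorun]\nlabel=KINGSTON\nicon=kingston.ico\n"

HIDDEN_DIRS = ("system volume information", "recycler", "$recycle.bin")
EXEC_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".pif")


def parse_autorun(text):
    """Return the key=value pairs of the [autorun] section with keys lower-cased.
    autorun.inf is INI-style: ';' starts a comment and other sections are ignored."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Keys that cause code execution: open=, shellexecute=, and shell\\<verb>\\command=."""
    return {k: v for k, v in entries.items()
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))}


def assess(text):
    """Triage verdict for one autorun.inf: which entries would run what, and why it is suspect."""
    entries = parse_autorun(text)
    targets = launch_targets(entries)
    flags = []
    for key, target in targets.items():
        low = target.strip('"').lower()
        if low.endswith(EXEC_EXT):
            flags.append(f"{key} launches an executable: {target}")
        if any(d in low for d in HIDDEN_DIRS):
            flags.append(f"{key} points into a hidden/system folder: {target}")
    if "shell\\open\\command" in targets or "shell\\explore\\command" in targets:
        flags.append("Explorer Open/Explore verbs overridden: on systems that still honour "
                     "autorun.inf for USB drives, double-clicking the drive runs the payload")
    if entries.get("useautoplay") == "1":
        flags.append("useautoplay=1 asks Windows to run the AutoPlay action without prompting")
    return {"entries": entries, "targets": targets, "flags": flags,
            "verdict": "suspicious" if flags else "benign"}


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        result = assess(text)
        print(name, result["verdict"])
        for flag in result["flags"]:
            print("  -", flag)
```

Two caveats for the analyst using this on an image: the file is only one of several launch paths (the worm here also ran from C:\Windows\Temp once on the host), and current Windows versions ignore autorun.inf on removable drives altogether, so a suspicious file is evidence of intent and of which hosts the device could still infect, not proof that it executed on this workstation.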
3. Investigation Findings:
- Timeline:
14:05 – User plugs in conference USB
14:06-14:10 – Worm executes, copies files
14:15 – CrowdStrike alert triggers
14:16 – Host isolated
14:18 – Security dispatched
14:22 – USB confiscated
- Data Exposure:
- 47 documents copied to USB before detection
- Document types: engineering specs, CAD files, project plans
- No sensitive PII or financial data
- USB recovered before leaving premises
- Indicators of Compromise (IoCs):
Files:
– svchost.exe (SHA256: a1b2c3d4e5f6…)
– C:\Windows\Temp\svchost.exe
– E:\System Volume Information\svchost.exe
USB:
– VID: 0951, PID: 1666
– Serial: 001CC0EC3466B881A43903C3
Network:
– TCP/445 (SMB) scanning of the local subnet from ENG-WS-078
4. Containment Actions:
- Immediate Actions (14:15-14:22 EST):
- Host isolated via CrowdStrike network containment.
- Removable storage access on the host disabled via emergency Group Policy push.
- Device confiscated by security.
- User interviewed; HR notified.
- Endpoint Remediation:
- Worm processes terminated.
- Malicious files removed.
- Host re-imaged from a known-good corporate image.
- USB Analysis:
- Forensic image created.
- Device destroyed after analysis.
5. Root Cause Analysis:
- Primary Cause: User plugged in untrusted USB device from conference.
- Contributing Factors:
- Conference USB given to all attendees (supply chain risk).
- User curiosity overcame security training.
- AutoRun was already disabled by policy, so autorun.inf was not the execution path; no technical control blocked the use of, or execution of files from, an unapproved removable device.
6. Business Impact:
- Operational Impact: Engineering workstation offline for 4 hours.
- Data Exposure: 47 documents copied but recovered.
- Financial Impact: Minimal.
7. Remediation & Prevention:
Completed Actions:
Host remediated.
USB confiscated and destroyed.
User re-trained.
Conference organizers notified.
Technical Controls Enhanced:
Falcon detection tuned for the worm behaviours seen here (executable and autorun.inf writes to removable media, bulk document copies, TCP/445 sweeps).
Falcon Device Control policy set to block all USB mass-storage devices not on the approved allow-list; the confiscated device's VID/PID/serial added to the block list.
Deployed USB scanning kiosks for conference materials.
8. Conclusion:
This incident involved a USB worm distributed at an industry conference. The worm executed after an employee plugged in the device, copied documents to a hidden folder on it and attempted network propagation over SMB. Rapid detection and containment prevented spread, and the USB device was recovered before it left the premises.
Closure Rationale: Worm contained; USB recovered; user educated.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-12 16:00 EST