CrowdStrike Alert Details
Alert ID: CS-SCREEN-CAPTURE-1113-7842
Alert Time: 2024-02-27 11:30:22 EST
Severity: HIGH (85/100)
Source: CrowdStrike Falcon EDR
Rule: “Screen Capture Activity Detected – Potential Surveillance”
MITRE ATT&CK: T1113 – Screen Capture
Alert Details:
Detection: Process capturing screenshots repeatedly
Host: EXEC-WS-001 (CEO’s Laptop)
User: cjohnson@company.com (CEO)
Time: 11:15-11:30 EST
Process Details:
Process: C:\Windows\Temp\capture.exe (PID: 4789)
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Parent: explorer.exe
User: cjohnson
API Calls:
CreateDC (create device context for screen)
BitBlt (copy screen to memory) – 47 calls
CreateFile (save to disk) – 47 files created
GdipSaveImageToFile (save as PNG)
Files Created:
C:\Users\cjohnson\AppData\Local\Temp\screens\screen_001.png (11:15)
C:\Users\cjohnson\AppData\Local\Temp\screens\screen_002.png (11:16)
… (continuing every 60 seconds)
C:\Users\cjohnson\AppData\Local\Temp\screens\screen_047.png (11:29)
Detection Logic:
Process capturing screenshots every 60 seconds
47 screenshots in 15 minutes
Process from Temp folder (suspicious)
No legitimate business need for automated screen capture on the CEO’s workstation
Pattern matches surveillance/monitoring
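The detection logic above, as an added example (not CrowdStrike’s own rule logic): a small Python scorer that replays the listed heuristics (repeated BitBlt/GdipSaveImageToFile calls, PNG files written at a fixed cadence, an executable running out of a Temp directory) over constructed EDR-style telemetry. The line format, field names, weights and thresholds are assumptions; the sample is built with the alert’s 60-second cadence and 47 captures, plus two hand-made screenshots from an OS tool as benign noise.

```python
"""Behavioural scoring for periodic screen capture (MITRE ATT&CK T1113).

Added example, not CrowdStrike's rule logic. Event line format is an assumption:
    ts|host|pid|image|event|detail      with event in {api, file_create}
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median

# An executable staged under a Temp directory is a weak but useful signal on its own.
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class ProcessActivity:
    host: str
    pid: int
    image: str
    api_counts: dict = field(default_factory=lambda: defaultdict(int))
    png_writes: list = field(default_factory=list)  # timestamps of PNG file_create events


def build_sample_events() -> list:
    """Constructed telemetry: the alert's capture.exe pattern plus benign noise."""
    lines = []
    t0 = datetime(2024, 2, 27, 11, 15, 0)
    img = r"C:\Windows\Temp\capture.exe"
    for i in range(1, 48):  # 47 captures, one every 60 seconds, as the alert reports
        ts = (t0 + timedelta(seconds=60 * (i - 1))).isoformat()
        for api in ("CreateDC", "BitBlt", "GdipSaveImageToFile"):
            lines.append(f"{ts}|EXEC-WS-001|4789|{img}|api|{api}")
        png = rf"C:\Users\cjohnson\AppData\Local\Temp\screens\screen_{i:03d}.png"
        lines.append(f"{ts}|EXEC-WS-001|4789|{img}|file_create|{png}")
    # Benign noise: a user saving two screenshots by hand, minutes apart.
    snip = r"C:\Windows\System32\SnippingTool.exe"
    for n, ts in enumerate((datetime(2024, 2, 27, 11, 3, 12),
                            datetime(2024, 2, 27, 11, 21, 40)), start=1):
        lines.append(f"{ts.isoformat()}|EXEC-WS-001|5120|{snip}|api|BitBlt")
        lines.append(f"{ts.isoformat()}|EXEC-WS-001|5120|{snip}|file_create|"
                     rf"C:\Users\cjohnson\Pictures\Screenshot {n}.png")
    return lines


def parse_events(lines: list) -> dict:
    """Group api and file_create events per (host, pid)."""
    procs: dict = {}
    for line in lines:
        ts, host, pid, image, event, detail = line.split("|", 5)
        act = procs.setdefault((host, int(pid)), ProcessActivity(host, int(pid), image))
        if event == "api":
            act.api_counts[detail] += 1
        elif event == "file_create" and detail.lower().endswith(".png"):
            act.png_writes.append(datetime.fromisoformat(ts))
    return procs


def evaluate(act: ProcessActivity, window: timedelta = timedelta(minutes=15),
             min_files: int = 10) -> tuple:
    """Score one process against the alert's heuristics; returns (score, reasons)."""
    score, reasons = 0, []
    writes = sorted(act.png_writes)
    # Volume: at least min_files PNGs written inside any sliding window.
    best, j = 0, 0
    for i, t in enumerate(writes):
        while writes[j] < t - window:
            j += 1
        best = max(best, i - j + 1)
    if best >= min_files:
        score += 40
        reasons.append(f"{best} PNG files written within {window}")
    # Cadence: timer-driven captures land at a fixed interval; hand-made saves do not.
    if len(writes) >= 5:
        gaps = [(b - a).total_seconds() for a, b in zip(writes, writes[1:])]
        med = median(gaps)
        steady = sum(abs(g - med) <= 5 for g in gaps) / len(gaps)
        if 10 <= med <= 300 and steady >= 0.9:
            score += 25
            reasons.append(f"fixed cadence: median {med:.0f}s between files")
    # API pairing: screen-to-memory copies and image saves at the same scale as the writes.
    if (act.api_counts.get("BitBlt", 0) >= min_files
            and act.api_counts.get("GdipSaveImageToFile", 0) >= min_files):
        score += 15
        reasons.append("BitBlt and GdipSaveImageToFile calls at file-write scale")
    # Provenance: image executing from a Temp directory.
    if TEMP_DIR_RE.search(act.image):
        score += 20
        reasons.append(f"image runs from a Temp directory: {act.image}")
    return score, reasons


def detect(lines: list, threshold: int = 80) -> list:
    """Return the processes whose score reaches the alerting threshold."""
    hits = []
    for (host, pid), act in parse_events(lines).items():
        score, reasons = evaluate(act)
        if score >= threshold:
            hits.append({"host": host, "pid": pid, "image": act.image,
                         "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: -h["score"])


if __name__ == "__main__":
    for hit in detect(build_sample_events()):
        print(f"{hit['host']} pid {hit['pid']} score {hit['score']}: {hit['image']}")
        for reason in hit["reasons"]:
            print("  -", reason)
```

Only the capture.exe process clears the threshold; the Snipping Tool process scores zero because two irregular saves from a System32 image trip none of the four heuristics. Each heuristic is cheap on its own and prone to false positives (a screen-recording meeting client also calls BitBlt at a fixed rate), which is why the example alerts on the combination rather than on any single signal.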
SOC Investigation Process
Step                   | Action                                     | Tools Used                 | Findings
1. Alert Validation    | Verify CrowdStrike alert                   | CrowdStrike Falcon Console | Confirmed screen capture activity
2. Process Analysis    | Analyze capture.exe                        | CrowdStrike Sandbox        | Surveillance tool that captures screenshots and saves locally
3. User Contact        | Call CEO immediately                       | Phone                      | CEO did NOT run this tool (account compromised)
4. Immediate Action    | Isolate host                               | CrowdStrike                | EXEC-WS-001 quarantined
5. File Removal        | Delete capture.exe and screenshot folder   | CrowdStrike Live Response  | Tool and 47 screenshots deleted
6. Account Remediation | Disable CEO account                        | Azure AD, AD               | Account disabled; password reset
Jira Incident Report
Ticket: SOC-2024-138
Summary: T1113 – Screen Capture Surveillance on CEO Laptop
Status: RESOLVED
Resolution: MALICIOUS – Surveillance Stopped
Priority: P1 – CRITICAL
Labels: T1113, screen-capture, surveillance, crowdstrike, executive-targeting
Components: Endpoint-Security, Privacy
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Screen Capture Activity Detected – Potential Surveillance”.
Host: EXEC-WS-001 (CEO’s Laptop).
Process: C:\Windows\Temp\capture.exe.
Files: 47 screenshots captured.
Time: 2024-02-27 11:30 EST.
Technique: MITRE ATT&CK T1113 – Screen Capture.
2. Technical Analysis:
Attack Chain:
10:30 – CEO’s credentials compromised via spearphishing
10:45 – Attacker logs into CEO’s laptop via RDP
11:00 – Attacker downloads capture.exe to Temp folder
11:05 – Attacker executes capture.exe
11:15-11:30 – Tool captures screenshots every 60 seconds
11:30 – CrowdStrike detects
Tool Analysis:
Name: capture.exe (custom surveillance tool)
SHA256: a1b2c3d4…
Capabilities:
Captures full screen every 60 seconds
Saves as PNG in screens folder
Logs timestamp with each capture
No network exfiltration (stages locally)
Screenshots Captured (47):
Email content (confidential communications)
Documents being viewed (strategic plans)
Calendar (meetings, schedule)
Browser tabs (research, banking)
All screen activity over 15 minutes
Attacker Intent:
Monitor CEO’s activities in real-time
Capture sensitive information as it appears on screen
Later exfiltrate screenshot archive
3. Investigation Findings:
Timeline:
10:30 – Account compromised
10:45 – Attacker logs in
11:00-11:15 – Tool deployed
11:15-11:30 – 47 screenshots captured
11:30 – CrowdStrike alert
11:31 – SOC investigates
11:32 – Host isolated
11:33 – Tool and screenshots deleted
Indicators of Compromise (IoCs):
Files:
– C:\Windows\Temp\capture.exe (SHA256: a1b2c3d4…)
– C:\Users\cjohnson\AppData\Local\Temp\screens\*.png (47 files)
Account:
– cjohnson (compromised)
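A sweep of the IoCs listed above over file telemetry, as an added example (not the page’s or CrowdStrike’s tooling): exact path and hash matches as the report lists them, plus one broader hunt pattern, which is an assumption not in the report, looking for the same screens\*.png staging layout under any user profile. The file events are constructed, and the hash is the placeholder value printed in the alert.

```python
"""Sweep file telemetry for the report's IoCs (added example, not the page's tooling)."""
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IoCs as listed in the report. The hash is the placeholder printed in the alert,
# not a real 64-hex SHA-256; matching is exact, never on the truncated "a1b2c3d4..." prefix.
IOC_PATHS = [
    r"C:\Windows\Temp\capture.exe",
    r"C:\Users\cjohnson\AppData\Local\Temp\screens\*.png",
]
IOC_SHA256 = {"a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4"}
# Broader hunt pattern (assumption, not in the report): same staging layout under any profile.
HUNT_PATTERNS = [r"C:\Users\*\AppData\Local\Temp\screens\*.png"]


@dataclass(frozen=True)
class FileEvent:
    host: str
    path: str
    sha256: Optional[str] = None  # None when the sensor recorded no hash (e.g. a PNG write)


def _norm(path: str) -> str:
    """Windows paths are case-insensitive; normalise separators and case before matching."""
    return path.replace("/", "\\").lower()


def path_matches(path: str, pattern: str) -> bool:
    """Glob match on normalised Windows paths ('*' also spans directory separators)."""
    return fnmatch.fnmatchcase(_norm(path), _norm(pattern))


def classify(ev: FileEvent) -> Optional[str]:
    """Label an event by the IoC evidence it carries, strongest first; None if clean."""
    path_hit = any(path_matches(ev.path, p) for p in IOC_PATHS)
    hash_hit = ev.sha256 is not None and ev.sha256.lower() in IOC_SHA256
    if path_hit and hash_hit:
        return "path+hash"     # the reported tool at the reported location
    if path_hit:
        return "path_only"     # reported location, hash missing or different: verify the file
    if hash_hit:
        return "hash_only"     # the reported tool staged somewhere else
    if any(path_matches(ev.path, p) for p in HUNT_PATTERNS):
        return "hunt_pattern"  # same staging layout under another user profile
    return None


def sweep(events: List[FileEvent]) -> List[Tuple[str, str, str]]:
    """Return (host, path, label) for every event that matches an IoC or hunt pattern."""
    findings = []
    for ev in events:
        label = classify(ev)
        if label:
            findings.append((ev.host, ev.path, label))
    return findings


# Constructed fleet file events for demonstration; hashes other than the IoC are made up.
SAMPLE_EVENTS = [
    FileEvent("EXEC-WS-001", r"C:\Windows\Temp\capture.exe",
              "a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4"),
    FileEvent("EXEC-WS-001", r"C:\Users\cjohnson\AppData\Local\Temp\screens\screen_001.png"),
    FileEvent("FIN-WS-007", r"c:\windows\temp\CAPTURE.EXE",
              "ffff0000ffff0000ffff0000ffff0000ffff0000"),
    FileEvent("HR-WS-003", r"C:\Users\mlee\AppData\Local\Temp\screens\screen_003.png"),
    FileEvent("HR-WS-003", r"C:\Users\mlee\Downloads\capture.exe",
              "A1B2C3D4E5F67890A1B2C3D4E5F67890A1B2C3D4"),
    FileEvent("IT-WS-002", r"C:\Program Files\VendorTool\capture.exe",
              "0123456789abcdef0123456789abcdef01234567"),
]

if __name__ == "__main__":
    for host, path, label in sweep(SAMPLE_EVENTS):
        print(f"{host:12} {label:12} {path}")
```

The IT-WS-002 entry is deliberately a different capture.exe under Program Files: matching on file name alone would flag it, matching on the full reported path and hash does not. The FIN-WS-007 hit shows why the report’s truncated hash is not enough on its own: the path matches but the digest differs, so that file needs to be pulled and checked rather than assumed to be the same tool.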
4. Containment Actions:
Immediate Actions:
Isolated CEO’s laptop via CrowdStrike.
Terminated capture.exe process.
Deleted tool and all screenshot files.
Disabled CEO account.
Reset password.
Enforced MFA.
Data Protection:
Screenshots contained sensitive information.
No exfiltration occurred (files local only).
All screenshots deleted.
Host Remediation:
Full scan (clean).
Reimaged as precaution.
5. Root Cause Analysis:
Primary Cause: CEO credentials compromised via spearphishing.
Contributing Factors:
No MFA on executive account.
RDP allowed from internet.
No application control blocking unknown executables.
6. Business Impact:
Operational Impact: CEO offline for 2 hours.
Privacy Impact: 15 minutes of screen activity captured (emails, documents).
Reputational Impact: Potential if surveillance continued (prevented).
7. Remediation & Prevention:
Completed Actions:
Surveillance stopped.
Screenshots deleted.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all executives.
Moved RDP behind VPN only.
Implemented application control.
Enhanced monitoring for screen capture APIs.
8. Conclusion:
An attacker compromised the CEO’s account and deployed a surveillance tool that captured 47 screenshots over 15 minutes. CrowdStrike detected the screen capture activity and enabled rapid containment before any data could be exfiltrated.
Closure Rationale: Surveillance stopped; screenshots deleted; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-02-27 12:30 EST