T1125 – Video Capture (CrowdStrike Detection)

CrowdStrike Alert Details
Alert ID: CS-VIDEO-CAPTURE-1125-7842
Alert Time: 2024-02-27 10:30:22 EST
Severity: HIGH (85/100)
Source: CrowdStrike Falcon EDR
Rule: “Webcam Access by Suspicious Process”
MITRE ATT&CK: T1125 – Video Capture

Alert Details:

Detection: Process accessing webcam without user interaction

Host: EXEC-WS-002 (CFO’s Laptop)
User: kwilson@company.com (Karen Wilson, CFO)
Time: 10:15-10:30 EST

Process Details:

Process: C:\Users\kwilson\AppData\Local\Temp\webcam_capture.exe (PID: 4789)
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Parent: explorer.exe
User: kwilson

Webcam API Calls:

capCreateCaptureWindow (create capture window)
capDriverConnect (connect to webcam driver)
capCaptureSequence (capture video frames)
capFileSaveAs (save video to file)

Files Created:

C:\Users\kwilson\Videos\capture_001.avi (12 MB) – 10:15
C:\Users\kwilson\Videos\capture_002.avi (15 MB) – 10:20
C:\Users\kwilson\Videos\capture_003.avi (14 MB) – 10:25

Webcam LED Status: ON (user would have seen light)

Detection Logic:

Webcam accessed without user initiating video recording
Process from Temp folder (suspicious)
Multiple video files created in short time
CFO would have no legitimate need for this activity
Pattern matches surveillance/espionage
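The four detection conditions above can be expressed as a scoring rule run over process telemetry. The block below is an added example written for this write-up; it is not CrowdStrike Falcon's own rule or query. The telemetry schema (the `ProcessEvent` fields), the scoring weights, the alert threshold and the high-value-user list are assumptions chosen to mirror the alert's reasoning, and the sample events are constructed from the details in this report plus one assumed benign video-call process.

```python
"""Detection logic for T1125 (Video Capture) over constructed process telemetry.

Added example for this write-up, not CrowdStrike Falcon's own rule or query.
The ProcessEvent schema, scoring weights, threshold and executive list below
are assumptions that mirror the four conditions in the alert's Detection Logic.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# Video for Windows (avicap32.dll) capture calls named in the alert.
WEBCAM_APIS = {"capCreateCaptureWindow", "capDriverConnect",
               "capCaptureSequence", "capFileSaveAs"}
VIDEO_EXTENSIONS = (".avi", ".mp4", ".wmv", ".mkv")
# Locations a legitimate video application would not normally run from.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# Accounts whose unattended webcam use gets extra weight (assumed executive list).
HIGH_VALUE_USERS = {"kwilson"}
BURST_WINDOW = timedelta(minutes=15)   # "multiple video files in short time"
BURST_MIN_FILES = 2
ALERT_THRESHOLD = 50                   # 0-100 score at which an alert is raised


@dataclass
class ProcessEvent:
    host: str
    user: str
    pid: int
    image_path: str
    parent: str
    api_calls: Set[str]
    files_created: List[Tuple[datetime, str]]
    user_initiated: bool  # True when capture was started from a foreground, allow-listed app


@dataclass
class Alert:
    host: str
    pid: int
    score: int
    reasons: List[str]


def is_temp_path(path: str) -> bool:
    """Condition 2: process image lives under a Temp folder."""
    lowered = path.lower()
    return any(marker in lowered for marker in TEMP_MARKERS)


def has_video_burst(files: List[Tuple[datetime, str]]) -> bool:
    """Condition 3: at least BURST_MIN_FILES video files written within BURST_WINDOW."""
    times = sorted(t for t, name in files if name.lower().endswith(VIDEO_EXTENSIONS))
    for i in range(len(times)):
        j = i + BURST_MIN_FILES - 1
        if j < len(times) and times[j] - times[i] <= BURST_WINDOW:
            return True
    return False


def evaluate(ev: ProcessEvent) -> Optional[Alert]:
    """Score one process event; return an Alert when the score reaches the threshold."""
    score, reasons = 0, []
    uses_webcam = bool(ev.api_calls & WEBCAM_APIS)
    if uses_webcam and not ev.user_initiated:          # condition 1
        score += 35
        reasons.append("webcam capture API used without user initiating recording")
    if is_temp_path(ev.image_path):                     # condition 2
        score += 20
        reasons.append("process image runs from a Temp folder")
    if has_video_burst(ev.files_created):               # condition 3
        score += 15
        reasons.append("multiple video files created in a short window")
    if uses_webcam and not ev.user_initiated and ev.user in HIGH_VALUE_USERS:  # condition 4
        score += 15
        reasons.append("unattended webcam use on a high-value (executive) account")
    if score < ALERT_THRESHOLD:
        return None
    return Alert(ev.host, ev.pid, score, reasons)


def run(events: List[ProcessEvent]) -> List[Alert]:
    return [a for a in (evaluate(e) for e in events) if a is not None]


def sample_events() -> List[ProcessEvent]:
    """Constructed telemetry: the incident process plus an assumed benign video-call app."""
    def at(hhmm: str) -> datetime:
        return datetime.strptime(f"2024-02-27 {hhmm}", "%Y-%m-%d %H:%M")

    return [
        ProcessEvent(
            host="EXEC-WS-002", user="kwilson", pid=4789,
            image_path=r"C:\Users\kwilson\AppData\Local\Temp\webcam_capture.exe",
            parent="explorer.exe", api_calls=set(WEBCAM_APIS),
            files_created=[(at("10:15"), r"C:\Users\kwilson\Videos\capture_001.avi"),
                           (at("10:20"), r"C:\Users\kwilson\Videos\capture_002.avi"),
                           (at("10:25"), r"C:\Users\kwilson\Videos\capture_003.avi")],
            user_initiated=False),
        ProcessEvent(  # assumed benign: user started a call from an installed app
            host="EXEC-WS-002", user="kwilson", pid=5120,
            image_path=r"C:\Program Files\VideoCall\videocall.exe",  # assumed path
            parent="explorer.exe",
            api_calls={"capCreateCaptureWindow", "capDriverConnect"},
            files_created=[], user_initiated=True),
    ]


if __name__ == "__main__":
    for alert in run(sample_events()):
        print(f"{alert.host} PID {alert.pid} score {alert.score}/100")
        for reason in alert.reasons:
            print("  -", reason)
```

Run as-is, only the Temp-folder process alerts, with all four reasons and a score of 85, matching the severity reported above; the user-initiated call from an installed application scores zero. The `user_initiated` flag is where the real work lies in production: it has to be derived from foreground-window and allow-list telemetry, because the capture APIs themselves look identical for a legitimate conferencing client and for a surveillance tool.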

SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed webcam capture activity |
| 2. User Contact | Call CFO immediately | Phone | CFO saw webcam light, was concerned; did NOT run tool |
| 3. Process Analysis | Analyze webcam_capture.exe | CrowdStrike Sandbox | Surveillance tool capturing video from webcam |
| 4. Immediate Action | Isolate host | CrowdStrike | EXEC-WS-002 quarantined |
| 5. File Removal | Delete executable and videos | CrowdStrike Live Response | Tool and 3 video files deleted |
| 6. Account Remediation | Disable CFO account temporarily | Azure AD, AD | Account disabled; password reset |

Jira Incident Report
Ticket: SOC-2024-140
Summary: T1125 – Webcam Surveillance on CFO Laptop
Status: RESOLVED
Resolution: MALICIOUS – Video Capture Stopped
Priority: P1 – CRITICAL
Labels: T1125, video-capture, webcam, surveillance, crowdstrike, executive-targeting
Components: Endpoint-Security, Privacy

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: CrowdStrike Falcon EDR.
Alert: “Webcam Access by Suspicious Process”.
Host: EXEC-WS-002 (CFO’s Laptop).
User: kwilson@company.com (CFO).
Process: C:\Users\kwilson\AppData\Local\Temp\webcam_capture.exe.
Files: 3 video files (41 MB total).
Time: 2024-02-27 10:30 EST.
Technique: MITRE ATT&CK T1125 – Video Capture.

2. Technical Analysis:

Attack Chain:

09:30 – CFO’s credentials compromised via spearphishing
09:45 – Attacker logs into CFO’s laptop via RDP
10:00 – Attacker downloads webcam_capture.exe to Temp folder
10:05 – Attacker executes tool
10:15-10:30 – Tool captures 3 video segments
10:30 – CrowdStrike detects

Tool Analysis:

Name: webcam_capture.exe (custom surveillance tool)
SHA256: a1b2c3d4…
Capabilities:
Activates webcam and captures video
Saves as AVI files in Videos folder
Records in 5-minute segments
Attempts exfiltration via FTP (blocked)

Video Captures (3 segments, 15 minutes total):

10:15-10:20 – CFO working at desk (emails, documents)
10:20-10:25 – CFO on phone call (visible lip movement)
10:25-10:30 – CFO typing (keyboard visible)
Content: Full video of CFO’s activities, including screen content visible in background

User Observation:

CFO noticed webcam LED light on (unusual)
Was concerned but didn’t know how to stop it
Reported to IT just as SOC called

3. Investigation Findings:

Timeline:

09:30 – Account compromised
09:45 – Attacker logs in
10:00-10:05 – Tool deployed
10:15-10:30 – Video capture
10:30 – CrowdStrike alert
10:31 – CFO calls IT
10:32 – SOC investigates
10:33 – Host isolated
10:34 – Tool and videos deleted

Indicators of Compromise (IoCs):

Files:

– C:\Users\kwilson\AppData\Local\Temp\webcam_capture.exe (SHA256: a1b2c3d4…)
– C:\Users\kwilson\Videos\capture_001.avi (12 MB)
– C:\Users\kwilson\Videos\capture_002.avi (15 MB)
– C:\Users\kwilson\Videos\capture_003.avi (14 MB)

Account:

– kwilson (compromised)

4. Containment Actions:

Immediate Actions:

Isolated CFO’s laptop via CrowdStrike.
Terminated webcam_capture.exe.
Deleted tool and all video files.
Disabled CFO account.
Reset password.
Enforced MFA.

Privacy Protection:

Videos contained sensitive visual information.
No exfiltration occurred (files local only).
All videos deleted.

Host Remediation:

Full scan (clean).
Reimaged as precaution.

5. Root Cause Analysis:

Primary Cause: CFO credentials compromised via spearphishing.
Contributing Factors:
No MFA on executive account.
RDP allowed from internet.
Webcam accessible without user consent.

6. Business Impact:

Operational Impact: CFO offline for 2 hours.
Privacy Impact: 15 minutes of video captured (activities, phone call).
Reputational Impact: Potential if videos leaked (prevented).

7. Remediation & Prevention:

Completed Actions:

Surveillance stopped.
Videos deleted.
Account secured.

Technical Controls Enhanced:

Enforced MFA for all executives.
Moved RDP behind VPN only.
Implemented application control.
Enhanced monitoring for webcam access.
Added physical webcam covers for all executive laptops.

8. Conclusion:

An attacker compromised the CFO’s account and deployed a webcam surveillance tool that captured 15 minutes of video, including the CFO’s activities and a phone call. CrowdStrike detected the webcam access and enabled rapid containment before any exfiltration. The CFO’s observation of the webcam light also aided detection.

Closure Rationale: Surveillance stopped; videos deleted; account secured.

Analyst: [Your Name], SOC Analyst
Date: 2024-02-27 11:30 EST
