T1499 – Endpoint Denial of Service (Microsoft Defender Detection)

Microsoft Defender Alert Details
Alert ID: MD-ENDPOINT-DOS-1499-7842
Alert Time: 2024-03-04 16:30:45 EST
Severity: HIGH (82/100)
Source: Microsoft Defender for Endpoint
Rule: “Fork Bomb Detected – Potential DoS”
MITRE ATT&CK: T1499.001 – Endpoint Denial of Service: OS Exhaustion Flood

Alert Details:

Detection: Process creating excessive number of child processes (fork bomb)

Host: DEV-WS-078 (Development Workstation)
User: alexchen@company.com (Alex Chen, Engineer)
Time: 16:15-16:30 EST

Process Tree:

cmd.exe (PID: 2341)
  cmd.exe (PID: 4789)
  cmd.exe (PID: 4792)
  cmd.exe (PID: 4795)
  … (thousands more cmd.exe instances, each spawning further copies)

Process Count:

16:15:00 – 50 processes
16:20:00 – 2,500 processes
16:25:00 – 8,000 processes
16:28:00 – System unresponsive
16:30:45 – Alert triggered

Detection Logic:

Exponential process creation: cmd.exe repeatedly spawning cmd.exe (fork bomb)
System resource exhaustion (CPU at 100%, memory exhausted)
No legitimate workload on a developer workstation spawns thousands of cmd.exe instances within minutes
Pattern matches an OS exhaustion flood (T1499.001)

Additional Context:

Host became unresponsive at 16:28
User locked out
Hard reboot required

SOC Investigation Process

Step | Action | Tools Used | Findings
1. Alert Validation | Verify Defender alert | Microsoft 365 Defender | Confirmed fork bomb activity
2. Remote Access | Attempt remote access (failed) | RDP, PowerShell | Host unresponsive
3. Physical Access | Dispatch to user location | Security Team | Hard reboot performed
4. Post-Recovery Analysis | Check logs after reboot | CrowdStrike Falcon | Downloaded tool (forkbomb.exe) launched the fork bomb
5. User Interview | Contact alexchen | Teams, Phone | User ran a “stress test” tool downloaded from the internet
6. Tool Removal | Delete forkbomb.exe | CrowdStrike Live Response | File removed

Jira Incident Report
Ticket: SOC-2024-169
Summary: T1499 – Fork Bomb DoS on Development Workstation
Status: RESOLVED
Resolution: TRUE POSITIVE – Self-inflicted DoS (user error); System Recovered
Priority: P3 – LOW (single workstation, no data exposure)
Labels: T1499, endpoint-dos, fork-bomb, defender, user-error
Components: Endpoint-Security, User-Behavior

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Microsoft Defender for Endpoint.
Alert: “Fork Bomb Detected – Potential DoS”.
Host: DEV-WS-078 (Development, user alexchen).
Activity: Exponential process creation (fork bomb).
Outcome: System unresponsive.
Time: 2024-03-04 16:30 EST.
Technique: MITRE ATT&CK T1499.001 – Endpoint Denial of Service: OS Exhaustion Flood.

2. Technical Analysis:

Attack Chain:

16:00 – User downloads a “stress test tool” from the internet
16:05 – User executes forkbomb.exe
16:05-16:28 – Exponential process creation
16:28 – System becomes unresponsive
16:30 – Defender alert raised once the host came back up after the reboot (alert time 16:30:45)

Fork Bomb Code:

A small batch file or executable that launches two or more copies of itself; every copy does the same, so the process count grows exponentially
Consumes all system resources (CPU, memory, process handles) within minutes
Renders the system unusable until it is rebooted; there is no payload beyond the exhaustion itself

User Intent:

User was “curious about system limits”
No malicious intent
Unaware of consequences

Post-Recovery:

System hard rebooted by security team
No persistence or data loss

3. Investigation Findings:

Timeline:

16:00 – Tool downloaded
16:05 – Execution
16:28 – System unresponsive
16:30 – Physical reboot
16:32 – SOC investigates
16:35 – Tool identified and removed

Indicators of Compromise (IoCs):

Files:

– C:\Users\alexchen\Downloads\forkbomb.exe (SHA256: a1b2c3d4…)

Behaviour:

– cmd.exe recursively spawning cmd.exe; thousands of instances created within minutes

4. Containment Actions:

Immediate Actions:

Hard reboot of affected host.
Deleted forkbomb.exe from the user's Downloads folder.
Full malware scan of the host (nothing further found).

User Remediation:

User counseled on safe software practices.
Required to complete security awareness training.

5. Root Cause Analysis:

Primary Cause: User downloaded and executed untrusted “stress test” tool.
Contributing Factors:
No application control blocking unknown executables.
User unaware of fork bomb risks.

6. Business Impact:

Operational Impact: Developer workstation offline for 1 hour.
Data Exposure: None.
Productivity Impact: Minor.

7. Remediation & Prevention:

Completed Actions:

Malicious tool removed.
User educated.
System restored.

Technical Controls Enhanced:

Created a custom alert for bursts of same-image process creation (e.g. cmd.exe spawning cmd.exe), tuned to fire earlier in the curve, before the host becomes unresponsive.
Enhanced application control policies to block unknown executables, closing the gap noted in the root cause analysis.
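The alert's Detection Logic above and the new excessive-process-creation alert listed here rest on the same signal: a burst of one image spawning itself in ever-deeper chains. The Python below is an added example written for this page; it is not Microsoft Defender's detection logic and not code recovered from the incident. It models the self-spawning growth described under Fork Bomb Code on constructed telemetry, builds a benign compiler burst for comparison, and applies the rate, self-spawn and chain-depth checks that separate the two. The event fields, thresholds, PIDs and sample data are all assumptions.

```python
"""Fork-bomb detector over process-creation telemetry.

Added example for this page; not Microsoft Defender's detection logic and not
code from the incident. Event fields, thresholds and all sample data are
constructed assumptions chosen to mirror the fields quoted in the report.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: int            # seconds on a constructed clock (not a real epoch)
    pid: int
    ppid: int
    image: str         # image name of the new process, e.g. "cmd.exe"
    parent_image: str  # image name of the process that created it


def simulate_fork_bomb(start_ts, ticks=8, fanout=2, root_pid=2341, image="cmd.exe"):
    """Constructed sample of the mechanism described under "Fork Bomb Code":
    every running copy launches `fanout` new copies each tick and keeps
    running, so with fanout=2 the population triples every tick."""
    events, live, next_pid = [], [root_pid], root_pid + 1
    for t in range(ticks):
        spawned = []
        for ppid in live:
            for _ in range(fanout):
                events.append(ProcEvent(start_ts + t, next_pid, ppid, image, image))
                spawned.append(next_pid)
                next_pid += 1
        live.extend(spawned)
    return events


def simulate_build(start_ts, jobs=500, driver_pid=900, driver="msbuild.exe", child="cl.exe"):
    """Constructed benign sample: one build driver launches many short compiler
    processes (ten per second) that never spawn anything themselves."""
    return [ProcEvent(start_ts + i // 10, driver_pid + 1 + i, driver_pid, child, driver)
            for i in range(jobs)]


def profile_process_creation(events, window_s=60):
    """Per (window start, image): creation count, number of creations whose
    parent is the same image, and the deepest same-image spawn chain seen."""
    depth = {}  # pid -> generation within a same-image chain (roots count as 0)
    stats = defaultdict(lambda: {"count": 0, "self_spawn": 0, "max_depth": 0})
    for ev in sorted(events, key=lambda e: (e.ts, e.pid)):
        same_image = ev.parent_image == ev.image
        depth[ev.pid] = (depth.get(ev.ppid, 0) if same_image else 0) + 1
        s = stats[(ev.ts // window_s * window_s, ev.image)]
        s["count"] += 1
        s["self_spawn"] += int(same_image)
        s["max_depth"] = max(s["max_depth"], depth[ev.pid])
    return dict(stats)


def detect_fork_bomb(events, window_s=60, min_count=500, min_self_ratio=0.9, min_depth=4):
    """Return the windows that look like a fork bomb: a burst of creations that
    is overwhelmingly one image spawning itself, several generations deep.
    Rate alone is not enough: a build driver can legitimately create hundreds
    of processes a minute, but they are a different image and one generation
    deep, so they fail the other two tests. Thresholds are assumptions."""
    hits = []
    for (win, image), s in profile_process_creation(events, window_s).items():
        ratio = s["self_spawn"] / s["count"]
        if s["count"] >= min_count and ratio >= min_self_ratio and s["max_depth"] >= min_depth:
            hits.append({"window_start": win, "image": image, "self_ratio": round(ratio, 3), **s})
    return hits


if __name__ == "__main__":
    telemetry = simulate_build(0) + simulate_fork_bomb(60)
    for hit in detect_fork_bomb(telemetry):
        print(f"window {hit['window_start']}s: {hit['image']} created {hit['count']} times, "
              f"self-spawn ratio {hit['self_ratio']}, chain depth {hit['max_depth']}")
```

Run stand-alone it reports only the cmd.exe window; the 500-process build burst in the first window is ignored because its children are a different image and one generation deep, and a single cmd.exe launching 600 children directly (flat, not recursive) is likewise left alone by the depth check. In Microsoft Defender for Endpoint the same profile can be computed with an Advanced Hunting query over DeviceProcessEvents, summarizing creations per FileName and InitiatingProcessFileName in short time bins, which is the shape a custom detection for this alert would take.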

8. Conclusion:

A developer downloaded and executed a fork bomb tool, causing his workstation to become unresponsive. Defender detected the anomalous process creation after reboot. The tool was removed, and the user was educated.

Closure Rationale: System recovered; tool removed; user educated.

Analyst: [Your Name], SOC Analyst Date: 2024-03-04 17:30 EST
