T1556 – Modify Authentication Process (CrowdStrike Detection)

CrowdStrike Alert Details
Alert ID: CS-AUTH-MOD-1556-7842
Alert Time: 2024-02-22 16:30:45 EST
Severity: CRITICAL (98/100)
Source: CrowdStrike Falcon EDR
Rule: “Authentication DLL Injection – Potential Credential Theft”
MITRE ATT&CK: T1556.003 – Modify Authentication Process: Pluggable Authentication Modules

Alert Details:

Detection: Suspicious DLL injected into LSASS process

Host: DC-01 (Primary Domain Controller)
User: SYSTEM
Time: 16:25 EST

Process Details:

Target Process: lsass.exe (PID: 568) – Local Security Authority Subsystem Service
PID: 568
Suspicious DLL: C:\Windows\System32\winlogon.dll (modified version)
Original DLL Hash: 7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b
Current DLL Hash: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Modification Time: 16:20 EST

API Calls:

LsaRegisterLogonProcess (registered rogue authentication package)
LsaApLogonUser (hooking logon attempts)
LsaApCallPackage (intercepting authentication)

Detection Logic:

winlogon.dll is not a legitimate LSASS-loaded DLL (suspicious)
DLL hash mismatch (modified)
DLL intercepts authentication calls
Pattern matches credential theft via authentication package

Additional Context:

Domain Controller (critical infrastructure)
LSASS handles all authentication for domain
Compromise would give attacker all domain credentials

Threat Intelligence:

Technique known as “SSP (Security Support Provider) hijacking”
Attacker can capture plaintext passwords during logon
Requires admin privileges to install
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed malicious DLL loaded into LSASS |
| 2. Immediate Action | Isolate Domain Controller | CrowdStrike, Network ACLs | DC-01 quarantined |
| 3. DLL Removal | Remove malicious winlogon.dll | CrowdStrike Live Response | DLL deleted; restored from backup |
| 4. LSASS Restart | Reboot Domain Controller | PowerShell Restart-Computer | LSASS restarted; clean state |
| 5. Credential Reset | Force domain-wide password reset | AD, Azure AD | All domain passwords reset |
| 6. Investigation | Determine source of compromise | EDR, SIEM | Attacker compromised admin account |

Jira Incident Report
Ticket: SOC-2024-114
Summary: T1556 – Authentication Package Hijacking on Domain Controller
Status: RESOLVED
Resolution: MALICIOUS – Domain Controller Compromised, Cleaned
Priority: P1 – CRITICAL
Labels: T1556, modify-authentication, lsass, ssp-hijacking, crowdstrike
Components: Identity-Management, Domain-Security

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: CrowdStrike Falcon EDR.
Alert: “Authentication DLL Injection – Potential Credential Theft”.
Host: DC-01 (Primary Domain Controller).
Process: lsass.exe with malicious winlogon.dll loaded.
Time: 2024-02-22 16:30 EST.
Technique: MITRE ATT&CK T1556.003 – Modify Authentication Process: Pluggable Authentication Modules.

2. Technical Analysis:

Attack Chain:

15:00 – Attacker compromises domain admin account via phishing
15:30 – Attacker logs into DC-01 using compromised credentials
15:45 – Attacker downloads malicious winlogon.dll
16:00 – Attacker replaces legitimate winlogon.dll with malicious version
16:05 – Attacker adds registry key for SSP (Security Support Provider)
16:10 – LSASS loads malicious DLL automatically
16:10-16:25 – Malicious DLL captures credentials from 78 logon attempts
16:25 – CrowdStrike detects anomaly
16:30 – Alert triggers

Malicious DLL Analysis:

File: winlogon.dll (SHA256: a1b2c3d4…)
Technique: Security Support Provider (SSP) hijacking
Function: Intercepts all authentication attempts (logons, password changes)
Capabilities:
Captures plaintext passwords
Logs to file: C:\Windows\Temp\~df78e.tmp
Exfiltrates every 5 minutes to 185.143.221[.]89:443

Credentials Compromised:

78 user logons captured (including 12 domain admins)
3 password changes captured (including 1 admin)
All captured credentials exfiltrated before detection

Attacker Access:

Full control of domain controller
All domain credentials potentially compromised

3. Investigation Findings:

Timeline:

15:00 – Admin account compromised
15:30-16:10 – SSP installed
16:10-16:25 – Credential capture
16:25 – Detection
16:30 – Alert
16:32 – DC isolated
16:35 – DLL removed
16:45 – DC rebooted
17:00 – Domain-wide password reset initiated

Indicators of Compromise (IoCs):

Files:

– C:\Windows\System32\winlogon.dll (SHA256: a1b2c3d4…)

– C:\Windows\Temp\~df78e.tmp (captured credentials)

Registry:

– HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages (winlogon added)

Network:

– Exfiltration IP: 185.143.221[.]89:443

Accounts:

– Compromised admin account (disabled)
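The Detection Logic above and the registry and LSASS indicators in this section can be turned into a hunt check for the remaining domain controllers. The script below is an added example, not part of the original report or CrowdStrike's tooling; it must run elevated, and the baseline list of legitimate SSP names is an assumption that should be taken from a clean DC of the same build.

```powershell
# Added example, not from the original incident report.
# Audits a Windows host for the two SSP-hijacking indicators described above:
# an unexpected name in the LSA "Security Packages" values, and a module
# mapped into lsass.exe that is unsigned, not Microsoft-signed, or outside System32.

function Get-SspHijackIndicators {
    [CmdletBinding()]
    param(
        # Assumed baseline of legitimate SSP names (lower-case); verify against a clean DC
        [string[]]$KnownGoodPackages = @('kerberos','msv1_0','schannel','wdigest','tspkg','pku2u','cloudap')
    )
    $Findings = @()
    $LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # 1. Registry persistence: the SSP names LSASS loads at boot (the IoC from this incident).
    foreach ($Path in @($LsaKey, "$LsaKey\OSConfig")) {
        $Value = Get-ItemProperty -Path $Path -Name 'Security Packages' -ErrorAction SilentlyContinue
        foreach ($Pkg in @($Value.'Security Packages')) {
            if ([string]::IsNullOrWhiteSpace($Pkg)) { continue }   # default value is often ""
            if ($KnownGoodPackages -notcontains $Pkg.ToLower()) {
                $Findings += [pscustomobject]@{
                    Type = 'RogueSecurityPackage'; Location = "$Path\Security Packages"; Detail = $Pkg
                }
            }
        }
    }

    # 2. Live check: every module currently loaded in lsass.exe.
    # A replaced DLL in System32 (as in this incident) passes the path test but fails the signature test.
    foreach ($Mod in (Get-Process -Name lsass).Modules) {
        $Sig = Get-AuthenticodeSignature -FilePath $Mod.FileName
        $Suspicious = ($Sig.Status -ne 'Valid') -or
                      ($Sig.SignerCertificate.Subject -notmatch 'Microsoft') -or
                      ($Mod.FileName -notlike "$env:SystemRoot\System32\*")
        if ($Suspicious) {
            $Hash = (Get-FileHash -Path $Mod.FileName -Algorithm SHA256).Hash
            $Findings += [pscustomobject]@{
                Type     = 'UnexpectedLsassModule'
                Location = $Mod.FileName
                Detail   = "signature=$($Sig.Status) sha256=$Hash"
            }
        }
    }
    return $Findings
}

Get-SspHijackIndicators | Format-Table -AutoSize
```

On hosts with LSA Protection (RunAsPPL) enabled, enumerating lsass.exe modules from a normal elevated process is denied; there the module check should be driven from EDR or Sysmon image-load telemetry instead, while the registry check still works.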

4. Containment Actions:

Immediate Actions:

Isolated DC-01 from network.
Removed malicious winlogon.dll.
Restored original DLL from backup.
Rebooted DC-01.
Removed registry SSP entry.

Domain-Wide Actions:

Forced password reset for ALL domain users (3,200+).
Reset krbtgt password (twice).
Reset all service account passwords.
Revoked all certificates.

Credential Monitoring:

Monitored for any suspicious logins using stolen credentials (none found).
Blocked exfiltration IP at firewall.

5. Root Cause Analysis:

Primary Cause: Domain admin account compromised via phishing.
Contributing Factors:
No MFA on admin accounts.
Admin allowed to log directly into the DC (access should have gone through a Privileged Access Workstation).
No application control on DC.

6. Business Impact:

Operational Impact: Domain-wide password reset, 4 hours of disruption.
Security Impact: All domain credentials potentially compromised; full reset required.
Financial Impact: Significant (incident response, password reset costs).

7. Remediation & Prevention:

Completed Actions:

Malicious DLL removed.
DC cleaned.
All passwords reset.
Admin account secured.

Technical Controls Enhanced:

Enforced MFA for all admin accounts.
Implemented Privileged Access Workstations (PAWs).
Blocked direct admin logins to DCs.
Enabled application control on DCs (CrowdStrike Falcon Prevent).
Monitored LSASS for any unauthorized DLL loads.

8. Conclusion:

An attacker compromised a domain admin, installed a malicious SSP on the domain controller, and captured 78 user credentials before detection. CrowdStrike detected the anomalous DLL in LSASS, enabling rapid containment. All domain passwords were reset.

Closure Rationale: DC cleaned; all passwords reset; admin controls enhanced.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-22 18:00 EST
