T1614 – System Location Discovery (CrowdStrike Detection)

CrowdStrike Alert Details
Alert ID: CS-LOC-DISCOVERY-1614-7842
Alert Time: 2024-03-13 10:30:22 EST
Severity: MEDIUM (72/100)
Source: CrowdStrike Falcon EDR
Rule: "System Location Discovery – Geolocation API Calls"
MITRE ATT&CK: T1614 – System Location Discovery

Alert Details:

Detection: Process making external API calls to determine system geolocation

Host: DEV-WS-089 (Development Workstation)
User: alexchen@company.com (Alex Chen, Engineer)
Time: 10:25 EST

Process Tree:

explorer.exe (PID: 2341)
  powershell.exe (PID: 4789)
    Command: powershell -Command "(Invoke-WebRequest -Uri 'http://ip-api.com/json').Content | ConvertFrom-Json | Select country, city, lat, lon"
    Command: powershell -Command "(Invoke-WebRequest -Uri 'http://api.ipify.org').Content"
    Command: powershell -Command "(Invoke-WebRequest -Uri 'http://ipinfo.io/json').Content"

Network Connections:

10:25:10 – GET http://ip-api.com/json (response: {"country":"United States","city":"New York","lat":40.7128,"lon":-74.0060})
10:25:15 – GET http://api.ipify.org (response: "192.0.2.123")
10:25:20 – GET http://ipinfo.io/json (response: {"ip":"192.0.2.123","country":"US","city":"New York"})

Detection Logic:

PowerShell making multiple geolocation API calls (unusual)
User alexchen has no legitimate need for this
Commands used to determine country/city
Pattern matches adversary checking if they are in target geography
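The rule logic above, re-implemented as an added example (not CrowdStrike's own detection): a process is flagged when it contacts two or more distinct geolocation services within a short window, so a single benign IP lookup from a browser does not fire. The event records and their field names are constructed to mirror the alert's "Network Connections" list.

```python
"""Toy re-implementation of the alert's detection logic (added example, not
CrowdStrike's rule): flag a process that contacts two or more distinct
geolocation services within a short window. Event records are constructed
to mirror the alert above; the field names are assumptions."""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Hosts from the alert's network connections; extend with your own watchlist.
GEOLOCATION_HOSTS = {"ip-api.com", "api.ipify.org", "ipinfo.io"}
WINDOW_SECONDS = 300      # how close together the calls must be
MIN_DISTINCT_HOSTS = 2    # one lookup can be benign; several is reconnaissance

# Constructed events in the shape of the alert's "Network Connections" list.
EVENTS = [
    {"ts": "2024-03-13 10:25:10", "host": "DEV-WS-089", "pid": 4789,
     "image": "powershell.exe", "url": "http://ip-api.com/json"},
    {"ts": "2024-03-13 10:25:15", "host": "DEV-WS-089", "pid": 4789,
     "image": "powershell.exe", "url": "http://api.ipify.org"},
    {"ts": "2024-03-13 10:25:20", "host": "DEV-WS-089", "pid": 4789,
     "image": "powershell.exe", "url": "http://ipinfo.io/json"},
    # A browser doing a single lookup should not fire (constructed control case).
    {"ts": "2024-03-13 10:26:00", "host": "DEV-WS-089", "pid": 5120,
     "image": "chrome.exe", "url": "http://ipinfo.io/json"},
]


def detect_location_discovery(events, window=WINDOW_SECONDS,
                              min_hosts=MIN_DISTINCT_HOSTS):
    """Return one finding per (host, pid, image) whose requests to distinct
    geolocation services, sorted by time, reach min_hosts inside window."""
    by_proc = defaultdict(list)
    for e in events:
        hostname = urlparse(e["url"]).hostname
        if hostname in GEOLOCATION_HOSTS:
            by_proc[(e["host"], e["pid"], e["image"])].append(
                (datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S"), hostname))
    findings = []
    for (host, pid, image), hits in by_proc.items():
        hits.sort()
        # Sliding window: count distinct services among hits within `window`.
        for i, (t0, _) in enumerate(hits):
            seen = {h for t, h in hits[i:] if (t - t0).total_seconds() <= window}
            if len(seen) >= min_hosts:
                findings.append({"host": host, "pid": pid, "image": image,
                                 "services": sorted(seen), "first_seen": t0})
                break
    return findings
```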
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed geolocation discovery |
| 2. Process Investigation | Identify source of commands | CrowdStrike | PowerShell script launched from suspicious macro in document |
| 3. User Interview | Contact alexchen | Teams, Phone | User opened document from email; script ran in background |
| 4. Immediate Action | Terminate PowerShell | CrowdStrike | Process killed |
| 5. Email Investigation | Find source email | Proofpoint, Exchange | Email with macro-enabled document quarantined |
| 6. Account Remediation | Reset alexchen password | Azure AD, AD | Password reset; MFA enforced |

Jira Incident Report
Ticket: SOC-2024-215
Summary: T1614 – System Location Discovery via Geolocation API
Status: RESOLVED
Resolution: MALICIOUS – Reconnaissance Detected
Priority: P3 – LOW
Labels: T1614, location-discovery, reconnaissance, crowdstrike, phishing
Components: Endpoint-Security, Threat-Hunting

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: CrowdStrike Falcon EDR.
Alert: "System Location Discovery – Geolocation API Calls".
Host: DEV-WS-089 (Engineering, user alexchen).
Activity: PowerShell geolocation API calls.
Time: 2024-03-13 10:30 EST.
Technique: MITRE ATT&CK T1614 – System Location Discovery.

2. Technical Analysis:

Attack Chain:

10:00 – User receives phishing email with "Document.docm"
10:05 – User opens document, enables macros
10:06 – Macro runs hidden PowerShell script
10:10 – PowerShell queries geolocation APIs
10:25 – CrowdStrike detects

Geolocation Queries:

ip-api.com: Returns country, city, lat/lon
api.ipify.org: Returns public IP
ipinfo.io: Returns IP and location details

Purpose:

Attacker checking if the system is in a target country (e.g., US)
May adjust behavior based on location (e.g., don't run if in Russia/China)

User Status:

User unaware; macro executed silently

3. Investigation Findings:

Timeline:

10:00 – Email received
10:05 – Document opened
10:06-10:10 – Script runs
10:25 – Alert
10:27 – SOC investigates
10:28 – PowerShell terminated

Indicators of Compromise (IoCs):

URLs:

– http://ip-api.com/json

– http://api.ipify.org

– http://ipinfo.io/json

File:

– Document.docm (SHA256: a1b2c3d4…)

4. Containment Actions:

Immediate Actions:

Terminated PowerShell.
Quarantined email.
Deleted macro document.
Reset user password.

Host Remediation:

Full scan (clean).
No reimage needed.

User Education:

Counseled on phishing.

5. Root Cause Analysis:

Primary Cause: User opened malicious macro document.
Contributing Factors:
Macros enabled.
No ASR rule blocking Office child processes.

6. Business Impact:

Operational Impact: None.
Data Exposure: None (only location data, already public).

7. Remediation & Prevention:

Completed Actions:

Reconnaissance stopped.
User educated.

Technical Controls Enhanced:

Enabled ASR rule “Block Office applications from creating child processes”.
Blocked macros from internet.

8. Conclusion:

An attacker used a macro-enabled document to run PowerShell that queried geolocation APIs to determine the system's location. CrowdStrike detected the anomalous API calls, which allowed the SOC to terminate the process. The reconnaissance was part of a larger attack chain that was stopped.

Closure Rationale: Reconnaissance detected; process terminated; user educated.

Analyst: [Your Name], SOC Analyst Date: 2024-03-13 11:30 EST
