Command Zero
Narration by Agent Zero
Criticalrun-8d1e8b94-2721-445f-9e74-d624fcf1fcd5
Compromised
High confidence
  • endpoint-compromise
  • persistence
  • credential-access
  • lateral-movement
  • registry-attack
  • dameware

Manufacturing Workstation Compromised: Multi-Stage Attack with Persistence and Credential Harvesting

Manufacturing workstation ws-001 was compromised through a coordinated multi-stage attack involving DameWare deployment via SMB, execution of a purpose-built registry toolkit targeting 186 security tool keys, and successful establishment of persistence and credential harvesting infrastructure.

By Agent Zero
AUTONOMOUS INVESTIGATIONCommand Zero · Agent Zero
11m 35s
INVESTIGATION TIME
Autonomous
34
QUESTIONS ASKED
CROWDSTRIKE, MICROSOFT
26.4K
RECORDS ANALYZED
Across all data sources
~6 hrs
HUMAN ANALYSIS
Tier-2 equivalent *
~$521
ANALYST COST SAVED
At $85/hr loaded rate *

Time and cost estimates are based on a Tier-2 SOC analyst model and actual investigation telemetry. Individual results vary by analyst experience, tooling, and environment.

Initial Signal

CrowdStrike Falcon detected a suspicious registry modification on manufacturing workstation ws-001 (10.1.1.1) when the process regedit.exe executed with the command line `regedit.exe "C:\[CUSTOM_DIR_1]\001.reg"` at 09:07:35 UTC on March 11, 2026. This maps to MITRE technique T1547.001 (Registry Run Keys / Startup Folder), a persistence mechanism. What made this alert stand out was not just the registry change itself, but the artifact: a .reg file located in a non-standard directory (`C:\[CUSTOM_DIR_1]\`) with a systematic naming convention (001.reg). The file triggered 73 alerts in rapid succession, revealing a purpose-built attack toolkit targeting 186 specific CrowdStrike Falcon and AMSI registry keys, along with successful registrations of a Password Filter DLL (T1174) and accessibility API ASEP modifications (T1546.008). Investigation correlated CrowdStrike Falcon and Microsoft Defender telemetry over 11 minutes 35 seconds, uncovering a multi-stage attack: DameWare Mini Remote Control deployed via SMB at ~00:55 UTC, followed by network discovery commands, and finally the coordinated persistence and credential theft attack via the 001.reg toolkit. The workstation was also used as a pivot point for RDP lateral movement to internal hosts 10.1.1.3 and 10.1.1.4 over multiple days.

The Questions We Asked

What follows is the path the agent walked to reach its verdict. Pivots and dead ends both made the cut. Routine steps that just ruled out the obvious are grouped together so you can skim past them.

Q1

Did anyone already triage this?

Negative finding
Supporting Evidence
No analyst notes explaining this activity as authorized or requiring no further action
High
Conclusion:Not Documented as Benign·Documented as Requiring No Action
Q2-Q7

Six checks, mostly ruling out benign explanations.

Supporting Evidence
The activity involves importing a .reg file from C:\[CUSTOM_DIR_1]\ that attempts to disable CrowdStrike Falcon sensor, register credential-harvesting Password Filter DLLs, and establish persistence via Run keys and accessibility API hooks - all MITRE ATT&CK techniques associated with adversary activity, completely outside any expected role scope for a manufacturing workstation user (user_1)
Confirmed
Conclusions:Deviates from Normal Operations·Outside Expected Role Scope·Data Access Exceeds Role·Not Explained by Legitimate Operations·Not Benign User Error·Attempted Policy Violation
Q8

Did anything actually stop it?

Pivot
What CrowdStrike Falcon alerts contain this Device ID?193 records
Supporting Evidence
Three persistence/credential-access changes (RegistryPersistEdit T1547.001, PasswordFilterDLL T1174, AccessibilityApiGenericAsepModified T1546.008) were NOT blocked - they were only detected, meaning those registry changes may have succeeded
High
Conflicting Evidence Resolved
186 out of 192 dispositioned alerts (97%) show the operation was blocked - File system Operation Blocked (105) and Registry Operation Blocked (81) - indicating security controls successfully prevented most harm
Confirmed
Conclusion:Security Controls Did Not Block·Security Controls Blocked Violation
Q9

Do we have enough to call it?

What CrowdStrike Falcon alerts contain this Device ID?193 records
Supporting Evidence
193 detailed CrowdStrike alerts with full process trees, MITRE classifications, file names, and registry key details provide sufficient evidence to characterize the attack definitively
High
Supporting Evidence
3082 detailed registry change events provide forensic evidence of what exactly changed in the registry during this attack
High
Conclusion:Sufficient Evidence for Determination·Insufficient Evidence
Q10

Is malware actually present on the system?

Pivot
What Windows binaries were executed from non-standard paths on this device according to CrowdStrike Falcon Next-Gen SIEM?9 records
Supporting Evidence
The non-standard binaries found (DismHost.exe, dwDrvInst.exe, CitrixReceiverUpdater.exe) are legitimate software components. DameWare is a legitimate remote management tool. No confirmed malware samples were identified in the binary execution data.
Moderate
Supporting Evidence
The regedit.exe used to import 001.reg appears to be the legitimate Windows binary - the attack uses Living off the Land (LOTL) techniques via a malicious .reg file rather than deploying compiled malware executables
Moderate
Conflicting Evidence Resolved
A Password Filter DLL (T1174) was registered via the 001.reg import - this is a malicious DLL designed to intercept and harvest Windows credentials. A DLL registered as a password filter IS malicious software.
Moderate
Conclusion:No Malware or Malicious Software·Malware or Malicious Software Present
Q11

Did an authorized user knowingly do this?

Pivot
What CrowdStrike Falcon alerts contain this Device ID?193 records
Supporting Evidence
DameWare MRC was deployed via SMB (ServiceExecOnSMBFile - a hallmark of attackers installing remote access tools remotely) combined with subsequent persistence mechanisms strongly indicates an unauthorized external actor rather than an authorized user
High
Supporting Evidence
Multiple RDP lateral movement connections from this machine to internal IPs (10.1.1.4 and 10.1.1.3) over multiple days suggests the compromised machine is being used as a pivot point by an attacker, not routine activity by an authorized user
Moderate
Conflicting Evidence Resolved
If the interactive session user (user_1) was the machine's authorized operator, they might be attempting to tamper with CrowdStrike if they had legitimate admin rights and knew what they were doing
Low
Conclusion:Unauthorized Actor or Stolen/Invalid Credentials·Authorized User with Legitimate Credentials
Q12-Q14

Three checks, mostly ruling out benign explanations.

Supporting Evidence
The attack involves: (1) deploying DameWare via SMB for remote access, (2) 186 attempts to disable CrowdStrike Falcon and AMSI (deliberate security evasion), (3) registering a credential-harvesting Password Filter DLL, (4) establishing Run key persistence, (5) modifying accessibility APIs - these are definitive attack indicators that cannot be explained by an authorized user working from an unusual location
Confirmed
Conclusions:Not Explicable By Travel·Attack Attempt by Unauthorized Actor·Non-Password Authentication
Q15

Did the attack actually succeed?

Pivot
What CrowdStrike Falcon alerts contain this Device ID?193 records
Supporting Evidence
Six distinct attack actions succeeded (not blocked): DameWare service execution via SMB, discovery commands (net.exe session, whoami /groups), persistence via Run key (RegistryPersistEdit), credential harvesting DLL (PasswordFilterDLL), and accessibility API ASEP modification - these constitute successful unauthorized access with actions executed
High
Conflicting Evidence Resolved
The majority of attack actions (186) were blocked by Falcon sensor protection, suggesting not all malicious objectives were fully accomplished
Moderate
Conclusion:Successful Unauthorized Access·No Successful Unauthorized Access
Q16

Was malware actually executed?

Pivot
What Windows binaries were executed from non-standard paths on this device according to CrowdStrike Falcon Next-Gen SIEM?9 records
Supporting Evidence
Non-standard binaries identified (DismHost.exe, CitrixReceiverUpdater.exe, dwDrvInst.exe) are legitimate software components; no confirmed compiled malware executables were identified in the binary execution data. The attack primarily used Living-off-the-Land techniques (regedit.exe, cmd.exe, net.exe, whoami.exe) with a malicious .reg configuration file.
Moderate
Conflicting Evidence Resolved
A Password Filter DLL was registered (T1174 - a technique requiring a malicious DLL to be registered in LSA), suggesting a DLL payload was deployed as part of the attack
Moderate
Conclusion:No Malware or Exploit Execution·Malware or Exploit Execution Confirmed

Key Pivots

Detection Opportunities

The high-fidelity detection signals from this investigation, sanitized for general use. Each MITRE ID links to the official technique reference.

RegistryPersistEditPasswordFilterDLLAccessibilityApiGenericAsepModifiedServiceExecOnSMBFile
TechniqueTacticContext
T1547.001
Registry Run Keys / Startup Folder
PersistenceFlag regedit.exe or reg.exe importing .reg files from paths outside C:\Windows and C:\Program Files. Alert on bulk imports touching more than 10 registry keys in one process lifetime, especially targeting HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The legitimate ways to change Run keys go through MDM or GPO, not interactive regedit.
T1174
Credential Dumping
Credential AccessMonitor for registry modifications to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages or HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages that register new DLL files. Alert on any Password Filter DLL registration outside of vendor-approved paths. Correlate with process execution to identify which process triggered the registration.
T1546.008
Accessibility Features
PersistenceMonitor modifications to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options and accessibility-related registry paths (Sticky Keys, Magnifier, Narrator, On-Screen Keyboard). Alert when these are modified to point to non-standard executables or DLLs. Legitimate accessibility changes are rare and typically deployed via GPO.
T1570
Lateral Tool Transfer
Lateral MovementFlag service execution or process creation from SMB-mounted shares (\\\\server\\share paths). Alert on execution of .exe or .dll files from remote SMB paths, especially admin shares (C$, ADMIN$, IPC$). This pattern is characteristic of attackers deploying tools via SMB lateral movement rather than legitimate software distribution.

Verdict Reasoning

The verdict of Compromised at high confidence rests on the following mutually corroborating signals:

1. CrowdStrike Falcon telemetry provides detailed, corroborated evidence of all attack stages—process trees, command lines, registry keys, and disposition results—with 193 high-severity alerts across multiple MITRE techniques

2. The 'Detection, standard detection.' disposition on RegistryPersistEdit, PasswordFilterDLL, and AccessibilityApiGenericAsepModified alerts definitively confirms those actions were not blocked by Falcon, meaning the persistence mechanisms succeeded

3. The ServiceExecOnSMBFile alert confirms DameWare Mini Remote Control was deployed via SMB admin shares, a hallmark of attacker lateral movement rather than authorized software deployment

4. The purpose-built nature of the 001.reg file—targeting 186 specific Falcon/AMSI registry keys in a single execution—demonstrates deliberate adversarial intent; no legitimate software deployment would construct such a toolkit. Confidence is High (not Confirmed) because the attacker's initial access vector (how they first compromised the network or obtained credentials) and the actual file path and hash of the Password Filter DLL are not fully determined from available telemetry, leaving a gap in the complete attack chain

Lessons

  1. 01
    A high block-rate is not containment. In this investigation, 186 blocked tamper attempts against the Falcon sensor looked like a win. The three unblocked primary objectives (Run key persistence, Password Filter DLL registration, accessibility hooks) completed in the same execution. Always audit what did NOT get blocked, not just what did—the blocked count is the distractor. The attacker's secondary goal (disabling Falcon) failed; the primary goals (persistence and credential theft) succeeded.
  2. 02
    Purpose-built attack toolkits reveal deliberate intent. The 001.reg file targeting 186 specific Falcon/AMSI registry keys demonstrates this was not opportunistic malware or a generic attack. An attacker spent time building a custom toolkit for this environment. When you see a .reg file with dozens or hundreds of specific registry modifications, especially targeting security tools, treat it as a strong signal of a sophisticated, targeted campaign rather than commodity malware.
  3. 03
    SMB-based service execution is a lateral movement red flag. The ServiceExecOnSMBFile alert for DameWare deployment is a hallmark of attacker lateral movement, not authorized software distribution. Legitimate software deployments use MDM, GPO, or signed distribution channels. If you see services or processes executing from SMB shares (\\\\server\\share\\executable.exe), especially admin shares, escalate immediately—this is how attackers move between systems.
  4. 04
    Credential harvesting infrastructure succeeding is worse than persistence. The Password Filter DLL registration (T1174) that was not blocked means the attacker can now intercept every password change on this workstation. This is worse than persistence alone because it gives the attacker ongoing access to credentials. When you see T1174 alerts with 'Detection, standard detection.' disposition, treat it as a critical compromise requiring immediate credential rotation for affected users.
  5. 05
    Multi-day lateral movement indicates dwell time, not exploration. The RDP connections from ws-001 to 10.1.1.3 and 10.1.1.4 over multiple days (March 8–10) before the final attack on March 11 show the attacker was already established and moving laterally. This wasn't a one-shot attack; it was a campaign with reconnaissance and staging phases. Early detection of the DameWare deployment could have prevented the subsequent persistence and lateral movement.