Threat Finding

CrowdStrike Intelligence Indicator ...main During DuckDB Library Download
CrowdStrike Intelligence Indicator Match on GitHub CDN Domain During DuckDB Library Download
Priority
P3
Severity
High
ID
ind:0041e732...4900-1761305
ind:0041e732098e4719a127d6849fa8a2c6:671158239309499937-4900-1761305
Assignee
N/A
Status
Closed
Resolution
False positive
Recommendation
False Positive
Confidence
High
Data Source
    Crowdstrike
    Crowdstrike
Finding Source
    EPP
    EPP
Account
Exaforce Tags
MdrAuto : Processed
MdrAuto : Processed

EPP Summary

CrowdStrike Falcon detected a domain intelligence indicator match when user bill executed a curl command to download the DuckDB database library version 1.4.4 from GitHub's official releases repository. The detection was triggered by the domain release-assets.githubusercontent.com, which appears in CrowdStrike's threat intelligence database due to historical use in targeted attacks. The activity occurred on March 12, 2026 at 10:49 UTC from a private network address. This was a detection-only alert with no blocking action taken (pattern disposition 0). This finding is part of a composite group.

Workflows

Exabot Detect
Conclusion
False Positive
High Confidence
This detection represents a false positive based on comprehensive analysis and direct user/manager confirmation. Engineer Bill (bill@acme.com) from the Engineering department executed a legitimate software development operation to download the DuckDB v1.4.4 library from the official github.com/duckdb/duckdb/releases repository. The flagged domain release-assets.githubusercontent.com is GitHub's official CDN for release assets, confirmed by multiple authoritative sources. All contextual evidence supports legitimacy: the activity originated from a private RFC1918 network (192.168.68.56), the user has proper MFA enrollment with 6-9 factors across all identity providers, network connections resolved to GitHub Inc. infrastructure (140.82.121.3, 185.199.111.133), and external threat hunting returned safe status for all checks. The user maintains established access patterns from Zurich, Switzerland and is not flagged as high-risk. User bill@acme.com directly confirmed the activity as legitimate, and manager george@acme.com independently validated this confirmation via Slack bot workflow. While CrowdStrike correctly applied threat intelligence to detect a domain historically used in attacks, the specific context and dual confirmation verify this is routine open-source dependency acquisition by a verified engineering employee.

Top Findings

  1. 1

    CrowdStrike detected domain release-assets.githubusercontent.com matching threat intelligence indicator

  2. 2

    User bill@acme.com downloaded libduckdb-linux-amd64.zip v1.4.4 from official GitHub repository

  3. 3

    Activity originated from private network 192.168.68.56 (RFC1918 address space)

  4. 4

    Detection-only alert with pattern disposition 0 - no blocking action taken

  5. 5

    External threat hunting confirmed safe for process execution, credentials, and network activity

  6. 6

    Target domain is GitHub's official CDN for release assets, not malicious infrastructure

  7. 7

    User is verified Engineering department employee with active MFA and normal Switzerland access patterns

IOCs (Indicators of Compromise)

  • Identity

    Principal

    • S-1-5-21-218846377-...16619-2002 (bill)
      S-1-5-21-218846377-2606814144-3065716619-2002 (bill)
  • Location

    IP

    ASN

  • Resource

    File Path

    • /usr/bin/curl
      /usr/bin/curl

    File Hash

    • d9431c1ea046128449...db417e155 (sha256)
      d9431c1ea04612844996bcbdf11d052afdc560116718f338ae6365ddb417e155 (sha256)
    • f15db476b960fbfec7...8e00b4220981 (md5)
      f15db476b960fbfec7658e00b4220981 (md5)

    Domain

    • release-assets.githubusercontent.com
      release-assets.githubusercontent.com
    • github.com
      github.com

    URL

    • https://github.com/d...ckdb-linux-amd64.zip
      https://github.com/duckdb/duckdb/releases/download/v1.4.4/libduckdb-linux-amd64.zip

    Process Name

    • curl
      curl
  • Device

    Device

  • Action

    Session

    • 671158244340861284
      671158244340861284
Exabot Search

Hello, Taylor

Exabot can make mistakes. Verify before making decisions.
Use shift+enter for new line
Exabot Search