T1083 – File and Directory Discovery (Varonis Detection)

Varonis Alert Details
Alert ID: VARONIS-FILE-DISCOVERY-1083-7842
Alert Time: 2024-02-24 14:15:33 EST
Severity: HIGH (82/100)
Source: Varonis Data Security Platform
Rule: “Mass File Enumeration – Potential Data Harvesting”
MITRE ATT&CK: T1083 – File and Directory Discovery

Alert Details:

Detection: User accessing unusually high number of files/folders across multiple shares

User: bturner@company.com (Brian Turner, Finance)
Source Host: FIN-WS-078
Time: 14:00-14:15 EST

File Access Events:

14:00:15 – Accessed \\filesrv\finance\ (folder listing) – 1,247 files
14:01:22 – Accessed \\filesrv\finance\Q1_Reports\ – 342 files
14:02:45 – Accessed \\filesrv\finance\Q2_Reports\ – 356 files
14:04:12 – Accessed \\filesrv\finance\Q3_Reports\ – 351 files
14:05:38 – Accessed \\filesrv\finance\Q4_Reports\ – 348 files
14:07:05 – Accessed \\filesrv\hr\payroll\ (unusual for this user) – 234 files
14:08:33 – Accessed \\filesrv\executive\board_meetings\ – 87 files
14:10:12 – Accessed \\filesrv\it\passwords\ (highly sensitive) – 12 files
14:12:45 – Accessed \\filesrv\r&d\projects\ – 567 files
14:14:30 – Accessed \\filesrv\legal\contracts\ – 189 files

Total Files Accessed: 3,733 files in 15 minutes (normal is 50-100 per day)

File Types of Interest:

.xlsx (Excel financials) – 847 files
.pdf (reports, contracts) – 1,234 files
.docx (documents) – 892 files
.txt (notes, passwords) – 47 files
.kdbx (KeePass database) – 3 files (CRITICAL)

Detection Logic:

3,733 files accessed in 15 minutes (37x normal)
Access spans multiple shares (Finance, HR, Executive, IT, R&D, Legal)
User bturner normally only accesses Finance share
Process: Windows Explorer + custom script (cmd.exe with dir commands)
Pattern matches data harvesting for exfiltration
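
The detection logic above, implemented as an added example (not Varonis code): a per-user sliding 15-minute window that scores the burst against the quoted 50-100 files/day norm and flags shares outside the user's baseline. The events are constructed from the alert's access list, and the thresholds, the baseline table and the second user `cfoster` are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
NORMAL_DAILY_FILES = 100   # top of the "50-100 per day" normal quoted in the alert
BURST_THRESHOLD = 1000     # files listed inside one window that trips the rule (constructed)
NEW_SHARE_THRESHOLD = 2    # distinct shares outside the user's baseline (constructed)
BASELINE_SHARES = {"bturner": {"finance"}, "cfoster": {"finance"}}  # constructed baseline

def share_of(unc_path):
    """Second component of a UNC path: \\\\filesrv\\hr\\payroll -> 'hr'."""
    parts = [p for p in unc_path.split("\\") if p]
    return parts[1].lower() if len(parts) > 1 else ""

def evaluate(events):
    """events: (timestamp, user, folder, files_listed) tuples. Slides a 15-minute window
    per user; reports burst size, its multiple of the daily norm, and off-baseline shares."""
    per_user = defaultdict(list)
    for ev in sorted(events):
        per_user[ev[1]].append(ev)
    findings = {}
    for user, evs in per_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1          # drop events older than the window
            window = evs[start:end + 1]
            files = sum(n for _, _, _, n in window)
            new_shares = {share_of(f) for _, _, f, _ in window} - BASELINE_SHARES.get(user, set())
            if files >= BURST_THRESHOLD or len(new_shares) >= NEW_SHARE_THRESHOLD:
                findings[user] = {"files": files, "x_normal": files // NORMAL_DAILY_FILES, "new_shares": sorted(new_shares)}
    return findings

def _t(hms):
    return datetime.fromisoformat("2024-02-24T" + hms)

SAMPLE_EVENTS = [  # constructed from the alert's file-access list plus one benign user
    (_t("14:00:15"), "bturner", r"\\filesrv\finance", 1247),
    (_t("14:01:22"), "bturner", r"\\filesrv\finance\Q1_Reports", 342),
    (_t("14:02:45"), "bturner", r"\\filesrv\finance\Q2_Reports", 356),
    (_t("14:04:12"), "bturner", r"\\filesrv\finance\Q3_Reports", 351),
    (_t("14:05:38"), "bturner", r"\\filesrv\finance\Q4_Reports", 348),
    (_t("14:07:05"), "bturner", r"\\filesrv\hr\payroll", 234),
    (_t("14:08:33"), "bturner", r"\\filesrv\executive\board_meetings", 87),
    (_t("14:10:12"), "bturner", r"\\filesrv\it\passwords", 12),
    (_t("14:12:45"), "bturner", r"\\filesrv\r&d\projects", 567),
    (_t("14:14:30"), "bturner", r"\\filesrv\legal\contracts", 189),
    (_t("09:12:00"), "cfoster", r"\\filesrv\finance\Q1_Reports", 40),
]
```

Running `evaluate(SAMPLE_EVENTS)` yields a single finding for bturner (3,733 files, 37x the daily norm, five shares outside the finance baseline) and nothing for the benign user.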
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Varonis alert | Varonis Console | Confirmed mass file enumeration |
| 2. Process Investigation | Identify process on FIN-WS-078 | CrowdStrike Falcon | Found dir_scan.bat script enumerating shares |
| 3. Immediate Action | Isolate host | CrowdStrike | FIN-WS-078 quarantined |
| 4. Script Analysis | Analyze dir_scan.bat | Manual review | Script automates directory listing of all shares |
| 5. User Interview | Contact bturner | Teams, Phone | User did NOT run this script (account compromised) |
| 6. Account Remediation | Reset password, disable account | Azure AD, AD | bturner account disabled |

Jira Incident Report
Ticket: SOC-2024-122
Summary: T1083 – Mass File Enumeration Across Multiple Shares
Status: RESOLVED
Resolution: MALICIOUS – Account Compromised
Priority: P2 – MEDIUM
Labels: T1083, file-discovery, enumeration, varonis, compromised-account
Components: Data-Security, Endpoint-Security

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Varonis Data Security Platform.
Alert: “Mass File Enumeration – Potential Data Harvesting”.
User: bturner@company.com (Finance Department).
Source Host: FIN-WS-078.
Time: 2024-02-24 14:15 EST.
Technique: MITRE ATT&CK T1083 – File and Directory Discovery.

2. Technical Analysis:

Attack Chain:

13:45 – bturner account credentials compromised via phishing
13:50 – Attacker logs into FIN-WS-078 via RDP
13:55 – Attacker creates dir_scan.bat script
14:00-14:15 – Script enumerates files across all network shares
14:15 – Varonis detects anomaly
14:17 – SOC investigates

Script Analysis:

File: C:\Users\bturner\Desktop\dir_scan.bat
Content:

@echo off
dir \\filesrv\finance\*.* /s /w > C:\temp\finance.txt
dir \\filesrv\hr\*.* /s /w > C:\temp\hr.txt
dir \\filesrv\executive\*.* /s /w > C:\temp\exec.txt
dir \\filesrv\it\*.* /s /w > C:\temp\it.txt
dir \\filesrv\r&d\*.* /s /w > C:\temp\rd.txt
dir \\filesrv\legal\*.* /s /w > C:\temp\legal.txt
dir \\filesrv\shared\*.* /s /w > C:\temp\shared.txt

Purpose: Create inventory of all files on network shares

Files of Critical Interest:

IT Share: passwords.txt (plaintext service account passwords)
IT Share: network_diagrams.pdf (infrastructure details)
Executive Share: board_meeting_minutes_q1.docx (confidential)
R&D Share: source_code_backup.zip (intellectual property)
Legal Share: contracts_with_vendors.xlsx (financial agreements)

Attacker Actions After Enumeration:

Created inventory files in C:\temp
No exfiltration yet (activity detected before exfiltration began)
Preparing for data theft

3. Investigation Findings:

Timeline:

13:45 – Credentials compromised
13:50 – RDP access
13:55 – Script created
14:00-14:15 – Enumeration
14:15 – Varonis alert
14:17 – SOC investigates
14:20 – Host isolated
14:21 – Account disabled
14:22 – RDP session terminated

Indicators of Compromise (IoCs):

Files:
– C:\Users\bturner\Desktop\dir_scan.bat
– C:\temp\*.txt (inventory files)

Account:
– bturner (compromised)

Network:
– Attacker RDP IP: 45.134.225[.]78

4. Containment Actions:

Immediate Actions:

Isolated FIN-WS-078 via CrowdStrike.
Disabled bturner account.
Terminated RDP session.
Deleted dir_scan.bat and inventory files.

Data Protection:

Reviewed sensitive files accessed.
No exfiltration detected (DLP logs).
Rotated passwords exposed in IT share.

User Remediation:

bturner password reset.
MFA enforced.

5. Root Cause Analysis:

Primary Cause: User credentials compromised via phishing.
Contributing Factors:
No MFA on finance account.
RDP allowed from internet.
Sensitive files accessible to finance user (over-privileged).

6. Business Impact:

Operational Impact: Finance user offline for 2 hours.
Data Exposure: Sensitive file inventory created but not exfiltrated.

7. Remediation & Prevention:

Completed Actions:

Account secured.
Host cleaned.
Sensitive files secured.

Technical Controls Enhanced:

Enforced MFA for all users.
Moved RDP behind VPN only.
Restricted file share permissions (least privilege).
Enhanced Varonis monitoring for enumeration patterns.

8. Conclusion:

An attacker compromised a finance user’s account and performed mass file enumeration across multiple network shares, creating an inventory of sensitive files. Varonis detected the anomalous access pattern before exfiltration could occur.

Closure Rationale: Account secured; enumeration stopped; data contained.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-24 15:30 EST