ExtraHop Alert Details
Alert ID: EXTRAHOP-TOOL-TRANSFER-1570-7842
Alert Time: 2024-02-26 14:15:33 EST
Severity: HIGH (85/100)
Source: ExtraHop Reveal(x)
Rule: “Large File Transfer over SMB – Potential Tool Transfer”
MITRE ATT&CK: T1570 – Lateral Tool Transfer
Alert Details:
Detection: Large executable file transferred over SMB between internal hosts
Source: 192.168.45.78 (ENG-WS-045 – Engineering)
Destination: 192.168.45.112 (SALES-WS-023 – Sales)
Protocol: SMB (TCP/445)
File: \\ENG-WS-045\C$\Tools\mimikatz.exe
File Size: 1.2 MB
Time: 14:10-14:15 EST
Transfer Details:
File: mimikatz.exe (SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4)
Source Share: ADMIN$ (admin share)
Destination: C:\Users\Public\Downloads\mimikatz.exe
Transfer Time: 14:10:22 – 14:10:45 (23 seconds)
Additional Context:
Source host (ENG-WS-045) was previously compromised
Destination host (SALES-WS-023) is a sales workstation
Transfer of hacking tool (mimikatz) indicates lateral movement preparation
Both hosts now potentially compromised
Detection Logic:
Large executable transferred over SMB (unusual for sales workflow)
File name “mimikatz.exe” (known credential dumping tool)
Source host has history of suspicious activity
Destination host has no legitimate need for such tool
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify ExtraHop alert | ExtraHop Console | Confirmed mimikatz transfer |
| 2. Source Investigation | Check ENG-WS-045 | CrowdStrike Falcon | Host has active Cobalt Strike beacon |
| 3. Destination Investigation | Check SALES-WS-023 | CrowdStrike Falcon | mimikatz.exe present; no execution yet |
| 4. Immediate Action | Isolate both hosts | CrowdStrike | Both hosts quarantined |
| 5. File Removal | Delete mimikatz.exe from destination | CrowdStrike Live Response | File deleted |
| 6. Threat Hunting | Check for other tool transfers | ExtraHop, Splunk | No other transfers found |
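The four heuristics listed under “Detection Logic” and the threat-hunting step (step 6 above) can be expressed as a small scoring routine run over SMB file-transfer events. The following is an added example, not ExtraHop’s rule logic or the SOC’s Splunk search: the event schema, the weights, the 1 MB size threshold, the alert threshold, the list of “tool-authorised” destinations and the sample records are all constructed for illustration (the first sample record mirrors the transfer in this report; the other two are invented).

```python
"""Score SMB transfers with the report's four detection heuristics, then
hunt for any other transfers that originated from the compromised host.
Added example; schema, weights, thresholds and sample events are assumed."""
from dataclasses import dataclass

# Assumed tuning values (not taken from the report).
LARGE_BYTES = 1_000_000                 # 1 MB; the mimikatz transfer was 1.2 MB
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".ps1", ".bat")
KNOWN_TOOL_NAMES = {"mimikatz.exe"}     # extend from your own tooling watchlist
ADMIN_SHARES = {"C$", "ADMIN$", "IPC$"}
ALERT_THRESHOLD = 60                    # weights below sum to 100, like the 85/100 scale


@dataclass(frozen=True)
class SmbTransfer:
    time: str
    src_ip: str
    dst_ip: str
    share: str
    filename: str
    size_bytes: int


def score_transfer(ev, compromised_hosts, tool_authorised_hosts):
    """Return (score, reasons) for one transfer using the four heuristics."""
    name = ev.filename.lower()
    score, reasons = 0, []
    if name.endswith(EXECUTABLE_SUFFIXES) and ev.size_bytes >= LARGE_BYTES:
        score += 40
        reasons.append("large executable transferred over SMB")
    if name in KNOWN_TOOL_NAMES:
        score += 30
        reasons.append(f"known credential-dumping tool name: {name}")
    if ev.src_ip in compromised_hosts:
        score += 20
        reasons.append("source host has a history of suspicious activity")
    if ev.dst_ip not in tool_authorised_hosts:
        score += 10
        reasons.append("destination host has no legitimate need for such a tool")
    # Context only (no weight): admin-share writes are what the report flagged.
    if ev.share.upper() in ADMIN_SHARES:
        reasons.append(f"written through administrative share {ev.share}")
    return score, reasons


def detect(events, compromised_hosts, tool_authorised_hosts):
    """Return [(event, score, reasons)] for events at or above the threshold."""
    hits = []
    for ev in events:
        score, reasons = score_transfer(ev, compromised_hosts, tool_authorised_hosts)
        if score >= ALERT_THRESHOLD:
            hits.append((ev, score, reasons))
    return hits


def hunt_from_source(events, src_ip, exclude_dst=None):
    """Step 6: every other SMB transfer that left the compromised host,
    regardless of score, so an analyst can review each one."""
    return [ev for ev in events if ev.src_ip == src_ip and ev.dst_ip != exclude_dst]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    SmbTransfer("14:10:22", "192.168.45.78", "192.168.45.112", "C$", "mimikatz.exe", 1_200_000),
    SmbTransfer("09:02:10", "192.168.10.5", "192.168.20.14", "Software", "setup.exe", 48_000_000),
    SmbTransfer("11:30:05", "192.168.45.78", "192.168.45.90", "Shared", "q1-forecast.xlsx", 210_000),
]
COMPROMISED = {"192.168.45.78"}        # ENG-WS-045
TOOL_AUTHORISED = {"192.168.20.14"}    # assumed IT admin workstation

if __name__ == "__main__":
    for ev, score, reasons in detect(SAMPLE_EVENTS, COMPROMISED, TOOL_AUTHORISED):
        print(f"{ev.time} {ev.src_ip} -> {ev.dst_ip} {ev.filename} score={score}")
        for reason in reasons:
            print("   -", reason)
    for ev in hunt_from_source(SAMPLE_EVENTS, "192.168.45.78", exclude_dst="192.168.45.112"):
        print("hunt: review", ev.time, ev.dst_ip, ev.filename)
```

The weights are deliberately split so that a large installer from a file server to an authorised IT host (the second sample) scores 40 and stays below the threshold, while the low-scoring spreadsheet copy from the compromised host (the third sample) still surfaces in the hunt output, since the hunt filters on origin rather than score.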
Jira Incident Report
Ticket: SOC-2024-132
Summary: T1570 – Lateral Tool Transfer (Mimikatz) from Compromised Engineering Host
Status: RESOLVED
Resolution: MALICIOUS – Transfer Blocked, Tools Removed
Priority: P2 – MEDIUM
Labels: T1570, lateral-tool-transfer, mimikatz, extrahop, lateral-movement
Components: Network-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: ExtraHop Reveal(x).
Alert: “Large File Transfer over SMB – Potential Tool Transfer”.
Source: 192.168.45.78 (ENG-WS-045 – Engineering, compromised).
Destination: 192.168.45.112 (SALES-WS-023 – Sales).
File: mimikatz.exe (1.2 MB).
Time: 2024-02-26 14:15 EST.
Technique: MITRE ATT&CK T1570 – Lateral Tool Transfer.
2. Technical Analysis:
Attack Chain:
13:00 – ENG-WS-045 compromised (Cobalt Strike)
13:30 – Attacker downloads mimikatz to engineering host
14:10 – Attacker transfers mimikatz to sales workstation via SMB
14:10-14:15 – Transfer completed
14:15 – ExtraHop detects
Transfer Details:
File: mimikatz.exe (SHA256: a1b2c3d4…)
Source: \\ENG-WS-045\C$\Tools\mimikatz.exe (admin share)
Destination: C:\Users\Public\Downloads\mimikatz.exe
Method: Attacker used compromised engineering host credentials to access admin share on destination
Destination Host Status:
SALES-WS-023 not yet compromised (no execution)
mimikatz present but not run
User mwilson unaware
Attacker Intent:
Stage tools on multiple hosts for further lateral movement
Prepare for credential dumping on sales workstations
Potential for ransomware deployment
3. Investigation Findings:
Timeline:
13:00 – ENG-WS-045 compromised
14:10 – Tool transfer
14:15 – ExtraHop alert
14:17 – SOC investigates
14:18 – Both hosts isolated
14:20 – mimikatz deleted from destination
Indicators of Compromise (IoCs):
Files:
– mimikatz.exe (SHA256: a1b2c3d4…)
Hosts:
– ENG-WS-045 (compromised)
– SALES-WS-023 (tool present)
Network:
– SMB transfer from 192.168.45.78 to 192.168.45.112
4. Containment Actions:
Immediate Actions:
Isolated both hosts via CrowdStrike.
Deleted mimikatz.exe from sales workstation.
Scanned destination for other tools (none).
Source Remediation:
ENG-WS-045 reimaged (from previous incident).
Full cleanup.
Destination Remediation:
Full scan (clean).
Password reset for user mwilson (precaution).
5. Root Cause Analysis:
Primary Cause: Compromised engineering host used to transfer tools laterally.
Contributing Factors:
Admin shares accessible (C$, ADMIN$) over network.
No network segmentation between departments.
No application control blocking unknown executables.
6. Business Impact:
Operational Impact: Two workstations offline for 2 hours.
Security Impact: Tool staged but not executed; no compromise of destination.
7. Remediation & Prevention:
Completed Actions:
Tools removed.
Hosts cleaned.
Lateral movement blocked.
Technical Controls Enhanced:
Disabled admin shares where not needed.
Implemented network segmentation between departments.
Enhanced monitoring for large file transfers.
8. Conclusion:
An attacker transferred mimikatz from a compromised engineering host to a sales workstation, staging tools for further lateral movement. ExtraHop detected the large file transfer, enabling isolation and removal before the tool could be executed.
Closure Rationale: Tool removed; lateral movement blocked; hosts secured.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-26 15:30 EST