T1039 – Data from Network Shared Drive (Varonis Detection)

Varonis Alert Details
Alert ID: VARONIS-NETWORK-DATA-1039-7842
Alert Time: 2024-02-26 10:30:22 EST
Severity: HIGH (88/100)
Source: Varonis Data Security Platform
Rule: “Mass File Access from Network Share – Potential Data Harvesting”
MITRE ATT&CK: T1039 – Data from Network Shared Drive

Alert Details:

Detection: User accessing an unusually high number of files across multiple network shares in a short window

User: bturner@company.com (Brian Turner, Finance)
Source Host: FIN-WS-078
Share: \\filesrv\finance\archive
Time: 10:15-10:30 EST

File Access Events:

10:15-10:30: 1,234 files accessed
File types: .xlsx, .pdf, .docx
Total size: 1.8 GB
Folders accessed:
\\filesrv\finance\archive\2023\ – 456 files
\\filesrv\finance\archive\2024\ – 778 files
\\filesrv\finance\confidential\ – 0 files (access denied)

Additional Access (other shares):

\\filesrv\hr\payroll\ – 234 files accessed (unusual for a Finance user)
\\filesrv\executive\board\ – 89 files accessed (unusual)
\\filesrv\r&d\projects\ – 167 files accessed (unusual)

Process Details:

Process: \\filesrv\finance\tools\bulk_copy.exe (not a standard Windows tool)
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Command: bulk_copy.exe /source:\\filesrv\finance\archive /target:C:\temp\staging /pattern:.

Detection Logic:

1,234 files accessed in 15 minutes (about 5x the user's normal daily volume)
User bturner normally accesses 200-300 files/day
Access spans multiple shares outside Finance (HR, Executive, R&D)
Custom tool used (bulk_copy.exe)
Pattern matches data harvesting
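The three signals listed above (burst volume against the user's baseline, access to shares owned by other departments, and a non-standard process driving the reads) can be replayed against share-access events. The block below is an added example written for this page, not Varonis code or output: the event records, share-ownership map, user baselines and known-process list are all constructed to mirror the alert, and a deployment would feed real file-server audit events in the same shape.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# --- Reference data (constructed for this example) -------------------------
# Department that owns each share root. A real deployment would take this from
# a data-classification inventory rather than a literal.
SHARE_OWNER = {
    r"\\filesrv\finance": "Finance",
    r"\\filesrv\hr": "HR",
    r"\\filesrv\executive": "Executive",
    r"\\filesrv\r&d": "R&D",
}
USER_DEPARTMENT = {"bturner": "Finance", "jdoe": "Finance"}
# Distinct files a user normally touches per day (the alert cites 200-300/day).
BASELINE_FILES_PER_DAY = {"bturner": 250, "jdoe": 250}
# Processes that legitimately open files on shares from a workstation.
KNOWN_PROCESSES = {"explorer.exe", "excel.exe", "winword.exe", "acrord32.exe", "outlook.exe"}


def share_root(path):
    r"""\\server\share\folder\file -> \\server\share (lower-cased)."""
    parts = path.split("\\")          # ['', '', 'filesrv', 'finance', ...]
    return "\\\\" + "\\".join(parts[2:4]).lower()


def make_burst(user, process, folder, n, start, status="success"):
    """Constructed events: n reads of distinct files under `folder`, spread
    evenly across the 15 minutes starting at `start`."""
    step = timedelta(minutes=15) / n
    return [
        {"ts": start + i * step, "user": user, "process": process,
         "path": f"{folder}\\doc_{i:04d}.xlsx", "status": status}
        for i in range(n)
    ]


START = datetime(2024, 2, 26, 10, 15)
TOOL = r"\\filesrv\finance\tools\bulk_copy.exe"
EVENTS = (
    make_burst("bturner", TOOL, r"\\filesrv\finance\archive\2023", 456, START)
    + make_burst("bturner", TOOL, r"\\filesrv\finance\archive\2024", 778, START)
    + make_burst("bturner", TOOL, r"\\filesrv\finance\confidential", 3, START, status="denied")
    + make_burst("bturner", TOOL, r"\\filesrv\hr\payroll", 234, START)
    + make_burst("bturner", TOOL, r"\\filesrv\executive\board", 89, START)
    + make_burst("bturner", TOOL, r"\\filesrv\r&d\projects", 167, START)
    # Benign control: a colleague opening a few spreadsheets in Excel.
    + make_burst("jdoe", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"\\filesrv\finance\reports", 12, START)
)


def peak_window(evs, window):
    """Largest number of distinct files touched inside any span of length
    `window`. Two-pointer sweep over time-sorted events; returns (count, start)."""
    evs = sorted(evs, key=lambda e: e["ts"])
    open_files = Counter()
    lo, best, best_start = 0, 0, None
    for e in evs:
        open_files[e["path"]] += 1
        while evs[lo]["ts"] < e["ts"] - window:      # drop events older than the window
            old = evs[lo]["path"]
            open_files[old] -= 1
            if open_files[old] == 0:
                del open_files[old]
            lo += 1
        if len(open_files) > best:
            best, best_start = len(open_files), evs[lo]["ts"]
    return best, best_start


def detect(events, window=timedelta(minutes=15), burst_ratio=5.0):
    """Evaluate the rule per user. A finding triggers when the peak 15-minute
    distinct-file count is at least burst_ratio x the user's daily baseline AND
    the access is cross-department or driven by a non-standard process.
    Denied reads are counted separately: they never inflate the volume but are
    a useful sign of probing (the alert shows a denied confidential folder)."""
    ok, denied = defaultdict(list), Counter()
    for e in events:
        if e["status"] == "success":
            ok[e["user"]].append(e)
        else:
            denied[e["user"]] += 1
    findings = {}
    for user, evs in ok.items():
        peak, start = peak_window(evs, window)
        dept = USER_DEPARTMENT.get(user)
        owners = {SHARE_OWNER.get(share_root(e["path"]), "unknown") for e in evs}
        foreign = sorted(o for o in owners if o != dept)
        procs = {e["process"].rsplit("\\", 1)[-1].lower() for e in evs}
        custom = sorted(p for p in procs if p not in KNOWN_PROCESSES)
        baseline = BASELINE_FILES_PER_DAY.get(user, 300)
        findings[user] = {
            "peak_files": peak,
            "window_start": start,
            "ratio_to_daily_baseline": round(peak / baseline, 1),
            "foreign_departments": foreign,
            "custom_processes": custom,
            "denied_attempts": denied[user],
            "triggered": peak >= burst_ratio * baseline and bool(foreign or custom),
        }
    return findings


def triggered_users(events):
    """Users whose access pattern matched the rule."""
    return sorted(u for u, f in detect(events).items() if f["triggered"])


if __name__ == "__main__":
    for user, finding in detect(EVENTS).items():
        print(user, finding)
```

The volume check alone would also fire on a legitimate quarter-end report run, which is why the rule only triggers when the burst is combined with cross-department access or a non-standard process; the benign `jdoe` control in the sample stays quiet for that reason. Replacing the constructed events with Windows file-server audit events (object access with the share path, account and process name) is the only change needed to run this over real data.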
SOC Investigation Process

Step 1. Alert Validation
Action: Verify the Varonis alert
Tools Used: Varonis Console
Findings: Confirmed mass file access across multiple shares

Step 2. Process Investigation
Action: Identify bulk_copy.exe
Tools Used: CrowdStrike Falcon
Findings: Custom tool downloaded from the internet; used for bulk copying

Step 3. User Interview
Action: Contact bturner
Tools Used: Teams, Phone
Findings: User did NOT run this tool (account compromised)

Step 4. Immediate Action
Action: Isolate FIN-WS-078
Tools Used: CrowdStrike
Findings: Host quarantined

Step 5. Account Remediation
Action: Disable bturner account
Tools Used: Azure AD, AD
Findings: Account disabled

Step 6. Data Removal
Action: Delete staged files from C:\temp\staging
Tools Used: CrowdStrike Live Response
Findings: Staged files (1,724 files, 2.4 GB) deleted

Jira Incident Report
Ticket: SOC-2024-135
Summary: T1039 – Mass Data Harvesting from Network Shares Using Custom Tool
Status: RESOLVED
Resolution: MALICIOUS – Data Staged, Then Deleted
Priority: P2 – MEDIUM
Labels: T1039, data-from-network-share, data-harvesting, varonis, compromised-account
Components: Data-Security, Endpoint-Security

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Varonis Data Security Platform.
Alert: “Mass File Access from Network Share – Potential Data Harvesting”.
User: bturner@company.com (Finance Department).
Source Host: FIN-WS-078.
Time: 2024-02-26 10:30 EST.
Technique: MITRE ATT&CK T1039 – Data from Network Shared Drive.

2. Technical Analysis:

Attack Chain:

09:30 – bturner account compromised via phishing
09:45 – Attacker logs into FIN-WS-078
10:00 – Attacker downloads bulk_copy.exe from malicious site
10:05 – Attacker runs tool to copy files from finance archive
10:10 – Attacker expands to HR, Executive, R&D shares
10:15-10:30 – 1,724 files copied (2.4 GB)
10:30 – Varonis detects

Tool Analysis:

Name: bulk_copy.exe (custom data theft tool)
SHA256: a1b2c3d4…
Capabilities:
Recursively copies files matching patterns
Preserves folder structure
Logs all copied files (the log gives the exact set of staged files for impact scoping)
No network exfiltration capability observed; files are staged locally

Data Staged:

Finance Archive: 1,234 files (1.8 GB) – financial records, reports
HR Payroll: 234 files (0.3 GB) – employee salaries, PII
Executive Board: 89 files (0.1 GB) – board minutes, strategy
R&D Projects: 167 files (0.2 GB) – project plans, IP
Total: 1,724 files, 2.4 GB staged in C:\temp\staging

Attacker Intent (assessed):

Stage data locally ahead of exfiltration
Likely next step: compress the staging folder and send it out via FTP/HTTP (assessed from the staging pattern; not observed)
No exfiltration occurred; the host was isolated before any transfer

3. Investigation Findings:

Timeline:

09:30 – Credentials compromised
09:45 – Attacker logs in
10:00-10:30 – Data staging
10:30 – Varonis alert
10:32 – SOC investigates
10:33 – Host isolated
10:34 – bturner account disabled
10:35 – Staged files deleted

Indicators of Compromise (IoCs):

Files:

– C:\temp\bulk_copy.exe (SHA256: a1b2c3d4…)

– C:\temp\staging\ (1,724 files)

Account:

– bturner (compromised)

Network:

– Attacker IP: 185.143.221[.]89

4. Containment Actions:

Immediate Actions:

Isolated FIN-WS-078 via CrowdStrike.
Disabled bturner account.
Deleted bulk_copy.exe and staging folder.
Reset bturner password.

Data Protection:

Verified no exfiltration (DLP logs).
Data remained on host, now deleted.

Host Remediation:

Full scan (clean).
Reimaged as precaution.

5. Root Cause Analysis:

Primary Cause: Finance user account compromised via phishing.
Contributing Factors:
No MFA on account.
User had broad access to multiple shares (over-privileged).
No preventive control on bulk share access; detection relied on Varonis alerting after the copy had already run.

6. Business Impact:

Operational Impact: Finance user offline for 2 hours.
Data Exposure: 2.4 GB of sensitive data staged but not exfiltrated.

7. Remediation & Prevention:

Completed Actions:

Data staged, then deleted.
Account secured.
Host cleaned.

Technical Controls Enhanced:

Enforced MFA for all users.
Restricted share permissions (least privilege).
Implemented DLP for mass file access.
Enhanced Varonis monitoring for bulk copy tools.

8. Conclusion:

An attacker compromised a finance user’s account and used a custom tool to stage 2.4 GB of sensitive data from multiple network shares. Varonis detected the anomalous access pattern and enabled rapid containment before exfiltration.

Closure Rationale: Data staged but not exfiltrated; account secured; host cleaned.

Analyst: [Walter White], SOC Analyst Date: 2024-02-26 11:30 EST
