T1025 – Data from Removable Media (Microsoft Defender Detection)

Microsoft Defender Alert Details
Alert ID: MD-USB-DATA-1025-7842
Alert Time: 2024-02-27 09:30:15 EST
Severity: HIGH (85/100)
Source: Microsoft Defender for Endpoint
Rule: “Mass File Copy to Removable Media – Potential Data Theft”
MITRE ATT&CK: T1025 – Data from Removable Media

Alert Details:

Detection: Large number of files copied to USB device

Host: RND-WS-078 (Research & Development)
User: alexchen@company.com (Alex Chen, Researcher)
Time: 09:15-09:30 EST

USB Device Details:

Device: Kingston DataTraveler 3.0 (VID: 0951, PID: 1666)
Serial: 001CC0EC3466B881A43903C3
Capacity: 64 GB
Drive Letter: E:
First Connect: 09:15 EST

File Copy Events:

09:15-09:30: 2,847 files copied to USB
Total size: 12.4 GB
File types:
.docx (research papers) – 1,234 files
.xlsx (research data) – 567 files
.pdf (publications) – 892 files
.py (source code) – 154 files
.ipynb (Jupyter notebooks) – 0 files (none present; only .py source files)
.kdbx (KeePass database) – 1 file (CRITICAL)

Source Folders:

C:\Users\alexchen\Documents\Research\QuantumComputing\ – 1,245 files
C:\Users\alexchen\Documents\Research\AI\ – 892 files
C:\Users\alexchen\Desktop\ – 456 files
C:\Users\alexchen\Downloads\ – 254 files

Detection Logic:

2,847 files copied to USB in 15 minutes (high volume)
User alexchen has no history of USB usage
Files include research IP and KeePass database
Pattern matches data exfiltration via removable media
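The three signals listed above (copy volume to one removable drive inside a 15-minute window, a user with no USB history, and sensitive file types such as a .kdbx vault) can be expressed as a small scoring rule. The following is an added Python illustration, not Defender's own rule logic or code from this report; the tab-separated log format, the 500-file threshold, the per-user USB baseline, the scoring weights and the sample events are all constructed for the example (the sample reproduces the file counts from the alert so the result can be compared with it).

```python
"""Mass-copy-to-removable-media detection, modelled on the alert's logic.
Added example: event format, thresholds, weights and baseline are constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

WINDOW = timedelta(minutes=15)
VOLUME_THRESHOLD = 500        # files to one removable drive within WINDOW (assumed)
SENSITIVE_EXT = {".kdbx"}     # KeePass vaults, as flagged in the alert; extend as needed
REMOVABLE_DRIVES = {"E:"}     # drive letters currently backed by USB storage (assumed)

# Constructed baseline: prior USB file copies per user over the last 90 days.
USB_HISTORY = {"alexchen": 0, "bob": 37}


def parse_event(line):
    """Parse one constructed log line:
    '<YYYY-MM-DD HH:MM:SS>\\t<user>\\t<source path>\\t<destination drive>'."""
    ts, user, src, dst = line.rstrip("\n").split("\t")
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "user": user,
            "src": src, "dst": dst, "ext": PureWindowsPath(src).suffix.lower()}


def build_sample_log():
    """Constructed sample log with the same per-extension counts as the alert
    (2,847 files from alexchen to E: between 09:15 and 09:30) plus a benign user."""
    start = datetime(2024, 2, 27, 9, 15, 0)
    spec = [(r"C:\Users\alexchen\Documents\Research\QuantumComputing\paper_{}.docx", 1234),
            (r"C:\Users\alexchen\Documents\Research\AI\data_{}.xlsx", 567),
            (r"C:\Users\alexchen\Desktop\pub_{}.pdf", 892),
            (r"C:\Users\alexchen\Downloads\script_{}.py", 153),
            (r"C:\Users\alexchen\Documents\corporate.kdbx", 1)]
    total = sum(n for _, n in spec)
    lines, i = [], 0
    for pattern, n in spec:
        for k in range(n):
            ts = start + timedelta(seconds=900 * i // total)   # spread over 15 min
            lines.append(f"{ts:%Y-%m-%d %H:%M:%S}\talexchen\t{pattern.format(k)}\tE:")
            i += 1
    for k in range(3):  # bob copies three spreadsheets: well under the threshold
        ts = start + timedelta(minutes=5, seconds=k)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S}\tbob\tC:\\Users\\bob\\Desktop\\budget_{k}.xlsx\tE:")
    return lines


def max_window_count(timestamps, window=WINDOW):
    """Largest number of events inside any window of length `window`
    (two-pointer sweep over the sorted timestamps)."""
    timestamps = sorted(timestamps)
    best, left = 0, 0
    for right, t in enumerate(timestamps):
        while t - timestamps[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def evaluate(lines, usb_history=USB_HISTORY):
    """Group copies by (user, removable drive), apply the three signals and
    return one alert dict per group that crosses the volume threshold."""
    groups = defaultdict(list)
    for ev in map(parse_event, lines):
        if ev["dst"] in REMOVABLE_DRIVES:
            groups[(ev["user"], ev["dst"])].append(ev)
    alerts = []
    for (user, drive), evs in groups.items():
        peak = max_window_count(e["ts"] for e in evs)
        if peak < VOLUME_THRESHOLD:
            continue
        sensitive = sorted({e["src"] for e in evs if e["ext"] in SENSITIVE_EXT})
        # Constructed weights: volume 35, no USB baseline 20, sensitive file 30
        score = 35
        reasons = [f"{peak} files to {drive} within {int(WINDOW.total_seconds() // 60)} min"]
        if usb_history.get(user, 0) == 0:
            score += 20
            reasons.append("no prior USB usage for this user")
        if sensitive:
            score += 30
            reasons.append("sensitive files: " + ", ".join(sensitive))
        alerts.append({"user": user, "drive": drive, "files": len(evs), "peak": peak,
                       "score": score, "severity": "HIGH" if score >= 70 else "MEDIUM",
                       "by_ext": dict(Counter(e["ext"] for e in evs)), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in evaluate(build_sample_log()):
        print(f"{a['severity']} ({a['score']}/100) {a['user']} -> {a['drive']}: {a['files']} files")
        for r in a["reasons"]:
            print("  -", r)
```

The sliding window matters: a per-day file count would miss a burst like this one if the threshold were set for daily volume, while a 15-minute peak separates a 2,847-file dump from a user who copies a few files all day. The baseline lookup is the piece that most often needs tuning, since a user with zero USB history is a strong signal only if the history source actually covers every endpoint the user touches.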

SOC Investigation Process

Step | Action | Tools Used | Findings
1. Alert Validation | Verify Defender alert | Microsoft 365 Defender | Confirmed mass file copy to USB
2. User Interview | Contact alexchen | Teams, Phone | User did NOT copy files to USB (account compromised)
3. Immediate Action | Disable USB ports via policy | Microsoft Intune | USB ports disabled enterprise-wide
4. Account Remediation | Disable alexchen account | Azure AD, AD | Account disabled
5. Physical Security | Dispatch to user location | Security Team | USB device confiscated from user’s desk
6. Data Protection | Review copied files | File Audit Logs | 12.4 GB research IP copied; USB recovered

Jira Incident Report
Ticket: SOC-2024-136
Summary: T1025 – Mass Data Exfiltration via USB from R&D Workstation
Status: RESOLVED
Resolution: MALICIOUS – Data Exfiltrated via USB, Device Recovered
Priority: P1 – CRITICAL
Labels: T1025, removable-media, usb-exfiltration, defender, data-theft
Components: Data-Security, Endpoint-Security

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Microsoft Defender for Endpoint.
Alert: “Mass File Copy to Removable Media – Potential Data Theft”.
Host: RND-WS-078 (R&D Department, user alexchen).
Device: Kingston USB drive (64 GB).
Files: 2,847 files (12.4 GB) copied.
Time: 2024-02-27 09:30 EST.
Technique: MITRE ATT&CK T1025 – Data from Removable Media.

2. Technical Analysis:

Attack Chain:

08:30 – alexchen account compromised via phishing
08:45 – Attacker logs into RND-WS-078 via RDP
09:00 – Attacker plugs in USB device
09:15-09:30 – Attacker copies 2,847 files to USB
09:30 – Defender detects
09:31 – SOC investigates

Data Exfiltrated:

Quantum Computing Research: 1,245 files – proprietary algorithms, formulas
AI Research: 892 files – models, training data
Desktop Files: 456 files – various sensitive
Downloads: 254 files – various
KeePass Database: 1 file – corporate password vault

USB Device:

Kingston DataTraveler 64 GB
Purchased by attacker (not company-issued)
Left at user’s desk after copy completed
Security recovered device from desk

User Status:

Account compromised; user unaware
No malicious intent

3. Investigation Findings:

Timeline:

08:30 – Account compromised
08:45 – Attacker logs in
09:00-09:30 – Data exfiltration
09:30 – Defender alert
09:31 – SOC investigates
09:32 – USB ports disabled
09:33 – alexchen account disabled
09:35 – USB recovered by security

Indicators of Compromise (IoCs):

Device:

– USB: Kingston DataTraveler (Serial: 001CC0EC3466B881A43903C3)

Account:

– alexchen (compromised)

Files:

– 2,847 files (12.4 GB) copied to USB (now recovered)

4. Containment Actions:

Immediate Actions:

Disabled USB ports enterprise-wide via Intune.
Disabled alexchen account.
Security recovered USB device.
Reset alexchen password.

Data Protection:

USB device confiscated and secured.
Data not yet removed from premises (recovered).
No evidence of further distribution.

Host Remediation:

Full scan (clean).
Reimaged as precaution.

5. Root Cause Analysis:

Primary Cause: User account compromised, allowing attacker physical access via RDP.
Contributing Factors:
No MFA on account.
USB ports allowed (no device control policy).
RDP allowed from internet.

6. Business Impact:

Operational Impact: R&D user offline for 2 hours.
Data Exposure: 12.4 GB of research IP copied but recovered.
Financial Impact: Potential loss of IP prevented.

7. Remediation & Prevention:

Completed Actions:

USB device recovered.
Account secured.
USB ports disabled.

Technical Controls Enhanced:

Implemented USB device control (allow only approved devices).
Enforced MFA for all users.
Moved RDP behind VPN only.
Enhanced DLP for USB transfers.

8. Conclusion:

An attacker compromised an R&D user’s account and used a USB drive to exfiltrate 12.4 GB of research intellectual property. Defender detected the mass file copy to removable media, enabling rapid recovery of the USB device before it left the premises.

Closure Rationale: Data exfiltrated but recovered; account secured; USB controls enhanced.

Analyst: [Your Name], SOC Analyst
Date: 2024-02-27 10:30 EST