Microsoft Purview Alert Details
Alert ID: PURVIEW-AUTO-COLLECT-1119-7842
Alert Time: 2024-02-27 14:15:33 EST
Severity: HIGH (82/100)
Source: Microsoft Purview Data Loss Prevention
Rule: “Automated Script Collecting Sensitive Data”
MITRE ATT&CK: T1119 – Automated Collection
Alert Details:
Detection: PowerShell script automatically collecting and archiving sensitive files
User: bturner@company.com (Brian Turner, Finance) Host: FIN-WS-078 Time: 14:00-14:15 EST
Script Details:
Path: C:\Users\bturner\Documents\collect.ps1
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4 (as recorded in the alert; this value is 40 hex characters, not the 64 of a SHA-256 digest, so re-hash the preserved copy of the script before using it as an IoC)
Scheduled Task: “DataBackup” (created 13:55)
Trigger: Every 15 minutes
Script Content:
    # Target list: three sensitive file-server shares plus the user's own documents
    $targets = @(
        "\\filesrv\finance\reports\*.xlsx",
        "\\filesrv\hr\payroll\*.xlsx",
        "\\filesrv\executive\board\*.docx",
        "C:\Users\bturner\Documents\*.xlsx",
        "C:\Users\bturner\Desktop\*.docx"
    )
    # Each run writes a new timestamped archive, so earlier archives are never overwritten
    $zipFile = "C:\temp\backup_$(Get-Date -Format 'yyyyMMddHHmm').zip"
    $tempDir = "C:\temp\collect"
    New-Item -ItemType Directory -Path $tempDir -Force
    # Matching files are copied flat into one staging folder; access-denied and locked files are skipped silently
    foreach ($target in $targets) {
        Copy-Item -Path $target -Destination $tempDir -Recurse -ErrorAction SilentlyContinue
    }
    # Stage the collected files as a single zip, then remove the working copy
    Compress-Archive -Path "$tempDir\*" -DestinationPath $zipFile -Force
    Remove-Item -Path $tempDir -Recurse -Force
Collected Files:
14:00 – First run: 847 files (345 MB) collected and zipped
14:15 – Second run blocked by Purview
Detection Logic:
Scheduled task created for automated collection
Script targets multiple sensitive locations (Finance, HR, Executive)
Files compressed and staged locally
Pattern matches automated data harvesting
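The four detection criteria above can be checked mechanically against a Task Scheduler registration. The following is an added example, not code from the original alert or report: it scores a task's XML definition (the same XML that Security event 4698 carries in its TaskContent field, or that Export-ScheduledTask returns) against the action, trigger, target and staging criteria. The sample task XML and script excerpt are constructed from the details in this report; the domain prefix COMPANY, the powershell.exe switches and the $SensitiveRoots share list are assumptions.

```powershell
# Added example (not part of the original alert or report): score a scheduled-task
# registration against the four detection criteria above.

function Get-TaskTriage {
    param(
        [Parameter(Mandatory)] [string] $TaskXml,    # Task Scheduler XML: 4698 TaskContent or Export-ScheduledTask output
        [string]   $ScriptText,                      # contents of the referenced .ps1, if already acquired
        [string[]] $SensitiveRoots = @('\\filesrv\finance', '\\filesrv\hr', '\\filesrv\executive'),  # assumed list
        [int]      $MaxIntervalMinutes = 30
    )
    [xml] $task = $TaskXml
    $reasons    = [System.Collections.Generic.List[string]]::new()

    # 1. Action: a PowerShell host launching a script from a user-writable location
    $exec       = @($task.Task.Actions.Exec)[0]
    $command    = [string] $exec.Command
    $arguments  = [string] $exec.Arguments
    $scriptPath = if ($arguments -match '(?i)-File\s+"?([^"\s]+\.ps1)') { $Matches[1] } else { $null }
    if ($command -match '(?i)(^|\\)(powershell|pwsh)(\.exe)?$' -and
        $scriptPath -and $scriptPath -match '(?i)\\Users\\|\\Temp\\|\\ProgramData\\') {
        $reasons.Add("PowerShell script in user-writable path: $scriptPath")
    }

    # 2. Trigger: the repetition interval is an ISO 8601 duration such as PT15M
    foreach ($trigger in $task.Task.Triggers.ChildNodes) {
        $interval = [string] $trigger.Repetition.Interval
        if (-not $interval) { continue }
        $span = [System.Xml.XmlConvert]::ToTimeSpan($interval)
        if ($span.TotalMinutes -le $MaxIntervalMinutes) {
            $reasons.Add("Repeats every $($span.TotalMinutes) minutes")
        }
    }

    if ($ScriptText) {
        # 3. Script references more than one sensitive location
        $hits = @($SensitiveRoots | Where-Object { $ScriptText -match [regex]::Escape($_) })
        if ($hits.Count -ge 2) { $reasons.Add("Targets $($hits.Count) sensitive shares: $($hits -join ', ')") }
        # 4. Collected files are compressed and staged locally
        if ($ScriptText -match '(?i)Compress-Archive|ZipFile\]::|7z(a)?\.exe|rar\.exe') {
            $reasons.Add('Compresses collected files into a local archive')
        }
    }

    [pscustomobject]@{
        Task       = [string] $task.Task.RegistrationInfo.URI
        Author     = [string] $task.Task.RegistrationInfo.Author
        Script     = $scriptPath
        Score      = $reasons.Count
        Suspicious = $reasons.Count -ge 3
        Reasons    = $reasons.ToArray()
    }
}

# Constructed sample: the "DataBackup" registration as it would appear in a 4698 event's
# TaskContent field (COMPANY domain and the powershell.exe switches are assumptions).
$sampleTaskXml = @'
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2024-02-27T13:55:00</Date>
    <Author>COMPANY\bturner</Author>
    <URI>\DataBackup</URI>
  </RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition>
        <Interval>PT15M</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2024-02-27T14:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -WindowStyle Hidden -File C:\Users\bturner\Documents\collect.ps1</Arguments>
    </Exec>
  </Actions>
</Task>
'@

# Excerpt of collect.ps1 as recorded in the alert (enough for criteria 3 and 4)
$sampleScript = @'
$targets = @("\\filesrv\finance\reports\*.xlsx", "\\filesrv\hr\payroll\*.xlsx", "\\filesrv\executive\board\*.docx")
Compress-Archive -Path $tempDir\* -DestinationPath $zipFile -Force
'@

Get-TaskTriage -TaskXml $sampleTaskXml -ScriptText $sampleScript | Format-List

# Live hunting over the last 24 hours of task registrations (Security event 4698 requires the
# "Other Object Access Events" audit subcategory to be enabled on the host):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = (Get-Date).AddDays(-1) } |
#     ForEach-Object {
#         $data = ([xml] $_.ToXml()).Event.EventData.Data
#         Get-TaskTriage -TaskXml ($data | Where-Object Name -eq 'TaskContent').'#text'
#     } | Where-Object Suspicious
```

The score is deliberately additive: a 15-minute task running a user-profile script is suspicious on its own, but the share list and the compression step are what separate harvesting from a legitimate sync job, so the script body should be acquired (here via the -ScriptText parameter) whenever the first two criteria fire.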
SOC Investigation Process
Step 1. Alert Validation
  Action: Verify Purview alert
  Tools Used: Microsoft Purview Console
  Findings: Confirmed automated collection script
Step 2. Process Investigation
  Action: Identify the scheduled task that launches collect.ps1
  Tools Used: CrowdStrike Falcon
  Findings: Scheduled task “DataBackup” created by attacker
Step 3. User Interview
  Action: Contact bturner
  Tools Used: Teams, Phone
  Findings: User did NOT create script (account compromised)
Step 4. Immediate Action
  Action: Stop and remove the scheduled task
  Tools Used: schtasks /Delete /TN "DataBackup" /F
  Findings: Task removed
Step 5. File Deletion
  Action: Delete script and collected files
  Tools Used: CrowdStrike Live Response
  Findings: collect.ps1 and backup zip files deleted
Step 6. Account Remediation
  Action: Disable bturner account
  Tools Used: Azure AD, AD
  Findings: Account disabled; password reset
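Steps 2, 4 and 5 above are one procedure on the affected host: capture the task definition, hash and preserve the script and staged archives, then remove them. The following is an added example and not the team's own live-response script; it assumes an elevated shell on FIN-WS-078 (for example through an EDR live-response session) and a hypothetical evidence folder C:\IR\SOC-2024-137. Running it with -PreserveOnly collects evidence without changing the host, which is the order a practitioner wants: nothing is deleted until its hash and a copy exist.

```powershell
# Added example (not from the original report): evidence-preserving containment of the
# "DataBackup" task and its artifacts. Evidence path is hypothetical.

Add-Type -AssemblyName System.IO.Compression.FileSystem

function Invoke-CollectionTaskContainment {
    param(
        [string] $TaskName     = 'DataBackup',
        [string] $ScriptPath   = 'C:\Users\bturner\Documents\collect.ps1',
        [string] $ArchiveGlob  = 'C:\temp\backup_*.zip',
        [string] $EvidenceRoot = 'C:\IR\SOC-2024-137',   # hypothetical evidence folder
        [switch] $PreserveOnly                           # collect evidence, leave task and files in place
    )
    $evidence = (New-Item -ItemType Directory -Path $EvidenceRoot -Force).FullName
    $manifest = [ordered]@{ Host = $env:COMPUTERNAME; CollectedAt = (Get-Date).ToString('o') }

    # Step 2: capture the task definition and its run history before touching it
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction Stop
    $info = $task | Get-ScheduledTaskInfo
    Export-ScheduledTask -TaskName $TaskName -TaskPath $task.TaskPath |
        Set-Content -Path (Join-Path $evidence "$TaskName.task.xml") -Encoding Unicode
    $manifest.Task = [ordered]@{
        Name        = $task.TaskName
        Author      = $task.Author
        RunAs       = $task.Principal.UserId
        Command     = ($task.Actions  | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        Interval    = ($task.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ', '
        LastRunTime = $info.LastRunTime
        NextRunTime = $info.NextRunTime
    }

    # Step 5 (preserve): hash and copy the script and every staged archive before any deletion
    $artifacts = @(Get-Item -Path $ScriptPath -ErrorAction SilentlyContinue) +
                 @(Get-ChildItem -Path $ArchiveGlob -File -ErrorAction SilentlyContinue)
    $manifest.Artifacts = foreach ($file in $artifacts) {
        $record = [ordered]@{
            Path          = $file.FullName
            SHA256        = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
            SizeBytes     = $file.Length
            CreationTime  = $file.CreationTime
            LastWriteTime = $file.LastWriteTime
        }
        if ($file.Extension -eq '.zip') {
            # Record what was collected. The script copies files flat into one folder, so the
            # entry names show which documents were taken but not which share they came from.
            $zip = [System.IO.Compression.ZipFile]::OpenRead($file.FullName)
            try {
                $record.EntryCount = $zip.Entries.Count
                $zip.Entries | Select-Object FullName, Length, LastWriteTime |
                    Export-Csv -Path (Join-Path $evidence "$($file.BaseName).entries.csv") -NoTypeInformation
            } finally { $zip.Dispose() }
        }
        Copy-Item -Path $file.FullName -Destination (Join-Path $evidence "$($file.Name).evidence")
        [pscustomobject] $record
    }

    if (-not $PreserveOnly) {
        # Step 4: stop the task, then remove it
        Stop-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
        Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
        # Step 5 (remove): the artifacts are only deleted once hashed and copied above
        foreach ($file in $artifacts) { Remove-Item -Path $file.FullName -Force }
    }

    $manifest | ConvertTo-Json -Depth 5 | Set-Content -Path (Join-Path $evidence 'manifest.json')
    [pscustomobject] $manifest
}

# First pass: evidence only. Second pass: containment.
# Invoke-CollectionTaskContainment -PreserveOnly
# Invoke-CollectionTaskContainment
```

Step 6 is then done against the directory rather than the host: Disable-ADAccount -Identity bturner in on-premises AD and, because a password reset does not invalidate tokens already issued to the attacker, Revoke-MgUserSignInSession -UserId bturner@company.com from the Microsoft Graph PowerShell module (assumed installed on the analyst workstation).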
Jira Incident Report
Ticket: SOC-2024-137
Summary: T1119 – Automated Collection Script Harvesting Sensitive Data
Status: RESOLVED
Resolution: MALICIOUS – Automated Collection Stopped
Priority: P2 – MEDIUM
Labels: T1119, automated-collection, powershell, purview, compromised-account
Components: Data-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Purview Data Loss Prevention.
Alert: “Automated Script Collecting Sensitive Data”.
User: bturner@company.com (Finance Department).
Host: FIN-WS-078.
Script: C:\Users\bturner\Documents\collect.ps1.
Scheduled Task: “DataBackup” (every 15 minutes).
Time: 2024-02-27 14:15 EST.
Technique: MITRE ATT&CK T1119 – Automated Collection.
2. Technical Analysis:
Attack Chain:
13:30 – bturner account compromised via phishing
13:45 – Attacker logs into FIN-WS-078
13:50 – Attacker creates collect.ps1 script
13:55 – Attacker creates scheduled task “DataBackup”
14:00 – First automated collection runs (847 files, 345 MB)
14:15 – Second run attempted; Purview detects
Script Analysis:
Targets: Finance reports, HR payroll, Executive board docs, local files
Frequency: Every 15 minutes (ensures new files are captured)
Output: Zipped archives in C:\temp with timestamps
Purpose: Automated, persistent data harvesting
Data Collected (First Run):
Finance reports: 456 files (revenue, budgets)
HR payroll: 234 files (employee salaries)
Executive board: 89 files (board minutes, strategy)
Local documents: 68 files (user’s personal notes)
Total: 847 files, 345 MB
Attacker Intent:
Establish persistent collection mechanism
Gather data over time without manual intervention
Later exfiltrate collected archives
3. Investigation Findings:
Timeline:
13:30 – Account compromised
13:45-13:55 – Script and task created
14:00 – First collection
14:15 – Second collection attempt detected
14:16 – SOC investigates
14:18 – Scheduled task disabled
14:19 – Script and archives deleted
Indicators of Compromise (IoCs):
Files:
– C:\Users\bturner\Documents\collect.ps1
– C:\temp\backup_202402271400.zip (345 MB)
Scheduled Task:
– “DataBackup”
Account:
– bturner (compromised)
4. Containment Actions:
Immediate Actions:
Disabled scheduled task.
Deleted collect.ps1 and backup zip files.
Disabled bturner account.
Reset password.
Data Protection:
Verified that the collected archives were not exfiltrated: they contained sensitive data but never left the host.
Host Remediation:
Full scan (clean).
Reimaged as precaution.
5. Root Cause Analysis:
Primary Cause: Finance user account compromised via phishing.
Contributing Factors:
No MFA on account.
A standard user could register a scheduled task that runs an unsigned PowerShell script from the user profile.
No monitoring for automated collection patterns.
6. Business Impact:
Operational Impact: Finance user offline for 2 hours.
Data Exposure: 345 MB of sensitive data collected but not exfiltrated.
7. Remediation & Prevention:
Completed Actions:
Automated collection stopped.
Data deleted.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Restricted PowerShell script execution.
Enhanced monitoring for scheduled task creation.
Implemented DLP for automated collection patterns.
8. Conclusion:
An attacker compromised a finance user’s account and created an automated collection script that harvested sensitive data from multiple sources every 15 minutes. Purview detected the pattern and enabled rapid removal before exfiltration.
Closure Rationale: Automated collection stopped; data deleted; account secured.
Analyst: [Your Name], SOC Analyst Date: 2024-02-27 15:30 EST