T1560 – Archive Collected Data (Sysmon Detection)

Sysmon Alert Details
Alert ID: SYSMON-ARCHIVE-1560-7842
Alert Time: 2024-02-28 11:30:22 EST
Severity: HIGH (85/100)
Source: Sysmon (Event ID 1 – Process Creation, Event ID 11 – FileCreate)
Rule: “Archive Creation of Multiple Files – Potential Exfiltration Prep”
MITRE ATT&CK: T1560.001 – Archive Collected Data: Archive via Utility

Alert Details:

Detection: Process creating archive containing many files

Host: FIN-WS-112 (Finance Workstation)
User: kwilson@company.com (Karen Wilson, Finance)
Time: 11:25 EST

Process Creation (Event ID 1):

Process: C:\Program Files\7-Zip\7z.exe (PID: 4789)
Parent: cmd.exe (PID: 2341)
Command: 7z a -tzip C:\temp\data.zip C:\temp\staging* -pPassw0rd!

File Creation (Event ID 11):

File: C:\temp\data.zip
Size: 1.2 GB
Time: 11:25:30

Preceding Events:

11:00-11:20: Mass file copy to C:\temp\staging\ (1,847 files)
11:25: Archive creation

Archive Contents:

1,847 files from staging directory
Includes: financial reports, customer data, employee records
Password protected (Passw0rd!)

Detection Logic:

Archive tool (7z) used to compress a large number of files
Files were previously staged in a temp directory
Archive is password protected (prevents content inspection; indicates intent to exfiltrate)
Pattern matches exfiltration preparation
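
The following is an added example, not part of the original report or the SOC's Splunk rule: a small Python correlation of Sysmon Event ID 1 and Event ID 11 records that checks the three conditions listed above (an archive utility launched, a password switch on its command line, and a burst of file creates into a directory the command reads from shortly before). All events are constructed sample data that mirror the reported sequence at reduced scale; the tool list, windows, thresholds and scoring weights are assumptions, chosen so that the reported case scores the same 85/100 as the alert while a benign single-folder archive scores low.

```python
"""Added example (not part of the original report): correlation of Sysmon
Event ID 1 (process creation) and Event ID 11 (file create) records against the
conditions of "Archive Creation of Multiple Files - Potential Exfiltration Prep".
Events are constructed sample data; weights and thresholds are assumptions."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
ARCHIVE_TOOLS = {"7z.exe", "7za.exe", "winrar.exe", "rar.exe"}    # assumed list
PASSWORD_SWITCH = re.compile(r"(?:^|\s)-h?p\S+", re.IGNORECASE)  # 7-Zip -p, WinRAR -p/-hp
ARCHIVE_EXT = (".zip", ".7z", ".rar")
STAGING_THRESHOLD = 100                 # file creates into one directory
STAGING_WINDOW = timedelta(minutes=30)  # look-back for the staging burst
OUTPUT_WINDOW = timedelta(minutes=10)   # how soon the archive must appear


def _dirname(path):
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def _t(event):
    # Sysmon's field is UtcTime; the sample values mirror the report's local times.
    return datetime.strptime(event["UtcTime"], FMT)


def staging_bursts(events, before):
    """Count Event ID 11 creates per directory in the window ending at `before`."""
    counts = defaultdict(int)
    for e in events:
        if e["EventID"] == 11 and before - STAGING_WINDOW <= _t(e) <= before:
            counts[_dirname(e["TargetFilename"])] += 1
    return counts


def severity(score):
    return "HIGH" if score >= 80 else "MEDIUM" if score >= 65 else "LOW"


def detect_archive_staging(events):
    """Return one scored alert per archive-utility launch found in `events`."""
    alerts = []
    for e in events:
        if e["EventID"] != 1:
            continue
        image = e["Image"].rsplit("\\", 1)[-1].lower()
        if image not in ARCHIVE_TOOLS:
            continue
        t, cmd = _t(e), e["CommandLine"]
        score, reasons = 40, ["archive utility executed"]
        # Condition 1: the same process wrote an archive file shortly afterwards
        written = [x["TargetFilename"] for x in events
                   if x["EventID"] == 11 and x["ProcessId"] == e["ProcessId"]
                   and x["TargetFilename"].lower().endswith(ARCHIVE_EXT)
                   and t <= _t(x) <= t + OUTPUT_WINDOW]
        if written:
            score += 10
            reasons.append(f"archive written: {written[0]}")
        # Condition 2: a password switch on the command line
        if PASSWORD_SWITCH.search(cmd):
            score += 20
            reasons.append("password-protected archive")
        # Condition 3: a burst of creates into a directory the command reads from
        bursts = staging_bursts(events, t)
        staged = [d for d, n in bursts.items()
                  if d and n >= STAGING_THRESHOLD and d in cmd.lower()]
        if staged:
            score += 15
            reasons.append(f"{bursts[staged[0]]} files staged in {staged[0]}")
        alerts.append({"pid": e["ProcessId"], "process": image,
                       "archive": written[0] if written else None,
                       "score": score, "severity": severity(score), "reasons": reasons})
    return alerts


def build_sample_events():
    """Constructed Sysmon records mirroring the report's sequence (scaled down)."""
    base = datetime(2024, 2, 28, 11, 0, 0)
    ev = []
    # 150 file creates into the staging directory between 11:00 and 11:20
    # (the report lists 1,847; the threshold logic is identical)
    for i in range(150):
        ev.append({"EventID": 11, "UtcTime": (base + timedelta(seconds=8 * i)).strftime(FMT),
                   "Image": r"C:\Windows\System32\xcopy.exe", "ProcessId": 3100,
                   "TargetFilename": rf"C:\temp\staging\doc{i:04d}.xlsx"})
    # the archive run from the report, followed by the archive file itself
    ev.append({"EventID": 1, "UtcTime": "2024-02-28 11:25:00", "ProcessId": 4789,
               "Image": r"C:\Program Files\7-Zip\7z.exe",
               "ParentImage": r"C:\Windows\System32\cmd.exe",
               "CommandLine": r"7z a -tzip C:\temp\data.zip C:\temp\staging* -pPassw0rd!"})
    ev.append({"EventID": 11, "UtcTime": "2024-02-28 11:25:30", "ProcessId": 4789,
               "Image": r"C:\Program Files\7-Zip\7z.exe", "TargetFilename": r"C:\temp\data.zip"})
    # a benign archive of one project folder: no password, no staging burst
    ev.append({"EventID": 1, "UtcTime": "2024-02-28 11:40:00", "ProcessId": 5120,
               "Image": r"C:\Program Files\7-Zip\7z.exe",
               "ParentImage": r"C:\Windows\explorer.exe",
               "CommandLine": r"7z a C:\Users\kwilson\Documents\q3.zip C:\Users\kwilson\Documents\q3"})
    ev.append({"EventID": 11, "UtcTime": "2024-02-28 11:40:05", "ProcessId": 5120,
               "Image": r"C:\Program Files\7-Zip\7z.exe",
               "TargetFilename": r"C:\Users\kwilson\Documents\q3.zip"})
    return ev


if __name__ == "__main__":
    for a in detect_archive_staging(build_sample_events()):
        print(a["severity"], a["score"], a["process"], a["pid"], "; ".join(a["reasons"]))
```

Running it prints one HIGH (85) line for the staged, password-protected data.zip and one LOW (50) line for the benign archive. The staging condition deliberately requires the burst directory to appear on the archive command line, which is what separates "someone zipped a folder" from "someone zipped the directory they just filled"; a production rule would also key on the user and host and feed the archive path into DLP.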
SOC Investigation Process

Step | Action | Tools Used | Findings
1. Alert Validation | Verify Sysmon events | Splunk, Sysmon Logs | Confirmed archive creation of staged data
2. Process Investigation | Identify 7z execution | CrowdStrike Falcon | Attacker used 7-Zip to create password-protected archive
3. User Interview | Contact kwilson | Teams, Phone | User did NOT run 7z (account compromised)
4. Immediate Action | Isolate host | CrowdStrike | FIN-WS-112 quarantined
5. File Deletion | Delete staging folder and archive | CrowdStrike Live Response | Staging files and data.zip deleted
6. Account Remediation | Disable kwilson account | Azure AD, AD | Account disabled; password reset

Jira Incident Report
Ticket: SOC-2024-143
Summary: T1560 – Archive of Staged Data for Exfiltration
Status: RESOLVED
Resolution: MALICIOUS – Archive Deleted Before Exfiltration
Priority: P2 – MEDIUM
Labels: T1560, archive-collected-data, 7zip, sysmon, compromised-account
Components: Endpoint-Security, Data-Protection

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Sysmon Event ID 1 and 11.
Alert: “Archive Creation of Multiple Files – Potential Exfiltration Prep”.
Host: FIN-WS-112 (Finance Department, user kwilson).
Archive: C:\temp\data.zip (1.2 GB, password protected).
Time: 2024-02-28 11:30 EST.
Technique: MITRE ATT&CK T1560.001 – Archive Collected Data: Archive via Utility.

2. Technical Analysis:

Attack Chain:

10:30 – kwilson account compromised via phishing
10:45 – Attacker logs into FIN-WS-112 via RDP
10:50 – Attacker creates staging directory
11:00-11:20 – Attacker copies 1,847 files to staging
11:25 – Attacker uses 7-Zip to create password-protected archive
11:25 – Sysmon detects archive creation
11:27 – SOC begins investigation

Staged Files (1,847):

Financial reports (Q1, Q2, Q3) – 456 files
Customer data (PII) – 892 files
Employee records (HR data) – 234 files
Budget spreadsheets – 265 files
Total size before compression: 2.3 GB
After compression: 1.2 GB

Archive Details:

Tool: 7-Zip (legitimate, used maliciously)
Format: ZIP
Password: Passw0rd! (to evade DLP scanning)
Intent: Exfiltrate via email, FTP, or cloud storage

Attacker Intent:

Compress data for easier exfiltration
Password protect to avoid detection
Ready for transfer

3. Investigation Findings:

Timeline:

10:30 – Account compromised
10:45 – Attacker logs in
10:50-11:20 – Data staging
11:25 – Archive created
11:25 – Sysmon alert
11:27 – SOC investigates
11:28 – Host isolated
11:29 – Archive and staging files deleted

Indicators of Compromise (IoCs):

Files:

– C:\temp\staging\ (1,847 files)

– C:\temp\data.zip (1.2 GB, password: Passw0rd!)

Process:

– 7z.exe execution

Account:

– kwilson (compromised)

4. Containment Actions:

Immediate Actions:

Isolated FIN-WS-112 via CrowdStrike.
Deleted staging folder and archive.
Disabled kwilson account.
Reset password.

Data Protection:

Archive contained sensitive data.
No exfiltration occurred.

Host Remediation:

Full scan (clean).
Reimaged as precaution.

5. Root Cause Analysis:

Primary Cause: User account compromised, leading to data staging and archiving.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
7-Zip installed (legitimate tool abused).

6. Business Impact:

Operational Impact: Finance user offline for 2 hours.
Data Exposure: 1.2 GB of sensitive data archived but not exfiltrated.

7. Remediation & Prevention:

Completed Actions:

Archive deleted.
Staging files deleted.
Account secured.

Technical Controls Enhanced:

Enforced MFA for all users.
Moved RDP behind VPN only.
Added monitoring of archive tool usage.
Enhanced DLP for archive creation.

8. Conclusion:

An attacker staged 1,847 sensitive files and used 7-Zip to create a password-protected archive for exfiltration. Sysmon detected the archive creation and enabled rapid deletion before any data could leave the host.

Closure Rationale: Archive deleted; staging cleaned; account secured.

Analyst: [Your Name], SOC Analyst
Date: 2024-02-28 12:30 EST
