Sysmon Alert Details
Alert ID: SYSMON-DATA-DESTROY-1485-7842
Alert Time: 2024-03-03 14:15:33 EST
Severity: CRITICAL (98/100)
Source: Sysmon (Event ID 11 – FileCreate, Event ID 23 – FileDelete)
Rule: “Mass File Deletion Detected – Potential Data Destruction”
MITRE ATT&CK: T1485 – Data Destruction
Alert Details:
Detection: Mass file deletion from critical file server
Host: FILESRV-01 (Primary File Server)
User: SYSTEM (process launched through PsExec using the compromised admin account)
Time: 14:00-14:15 EST
File Delete Events (Event ID 23):
14:00-14:15: 12,847 files deleted
Total size: 78 GB
Locations targeted:
\\filesrv\finance\*.* – 3,456 files (23 GB)
\\filesrv\hr\*.* – 2,891 files (15 GB)
\\filesrv\r&d\*.* – 4,234 files (28 GB)
\\filesrv\executive\*.* – 1,234 files (8 GB)
\\filesrv\backups\*.* – 1,032 files (4 GB)
Process Details:
Process: cmd.exe (PID: 4789)
Parent: PSEXESVC.exe (the PsExec service that PsExec drops on the target; the psexec.exe client ran on the compromised admin workstation)
Command: del /s /q \\filesrv\finance\*.*
Command: del /s /q \\filesrv\hr\*.*
Command: del /s /q \\filesrv\r&d\*.*
Command: del /s /q \\filesrv\executive\*.*
Command: del /s /q \\filesrv\backups\*.*
Additional Tools:
SDelete.exe (used for secure deletion on some files)
Cipher.exe /w (used to wipe free space)
Detection Logic:
12,847 files deleted in 15 minutes (mass destruction)
Critical business data targeted (finance, HR, R&D, executive)
Backups also deleted (preventing recovery)
Secure deletion tools used (SDelete, cipher)
Pattern matches ransomware preparation or malicious destruction
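The detection logic above, turned into a runnable sliding-window rule. This is an added example and not the Splunk rule or any Sysmon code from the original report: it consumes Sysmon Event ID 23 (FileDelete) and Event ID 1 (ProcessCreate) records as Python dicts that use Sysmon's own field names, counts deletions per process inside a 15-minute window, and raises the score when sensitive or backup shares are hit and when SDelete or cipher.exe ran on the same host. The window, threshold, share lists and the sample events are assumptions constructed for illustration.

```python
"""Sliding-window mass-deletion detector over Sysmon telemetry.

Added example; not code from the original report or from Sysmon/Splunk.
Records are dicts carrying Sysmon's own field names (EventID, UtcTime,
Computer, ProcessId, Image, TargetFilename, CommandLine). The window,
threshold, share lists and the sample events are assumptions made for
illustration.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
THRESHOLD = 1000                       # FileDelete events per process inside WINDOW
SENSITIVE_SHARES = {"finance", "hr", "r&d", "executive"}
BACKUP_SHARES = {"backups"}
WIPER_RE = re.compile(r"(sdelete(?:64)?|cipher)\.exe$", re.IGNORECASE)
UNC_SHARE_RE = re.compile(r"^\\\\[^\\]+\\([^\\]+)\\")
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"        # layout of Sysmon's UtcTime field


def share_of(path):
    """Share name of a UNC path (\\\\server\\share\\file -> 'share'), else None."""
    m = UNC_SHARE_RE.match(path)
    return m.group(1).lower() if m else None


def detect(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per (host, pid) whose FileDelete count reaches
    `threshold` inside a sliding `window`.

    Score starts at 60 and rises when sensitive shares are hit (+15), when
    backup shares are hit (+15) and when a wiper tool (SDelete / cipher /w)
    ran on the same host (+10). Wipers are gathered in a first pass because a
    scheduled search sees the whole window and the wipe usually follows the
    deletions."""
    wipers = defaultdict(set)          # host -> wiper command lines seen
    for ev in events:
        if ev["EventID"] == 1 and WIPER_RE.search(ev.get("Image", "")):
            wipers[ev["Computer"]].add(ev["CommandLine"])

    recent = defaultdict(deque)        # (host, pid) -> timestamps within window
    totals, images = Counter(), {}
    shares = defaultdict(set)          # (host, pid) -> shares touched
    crossed = {}                       # (host, pid) -> time threshold was reached
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if ev["EventID"] != 23:        # only FileDelete events are counted
            continue
        key = (ev["Computer"], ev["ProcessId"])
        ts = datetime.strptime(ev["UtcTime"], TS_FMT)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:      # evict deletions older than the window
            q.popleft()
        totals[key] += 1
        images[key] = ev["Image"]
        s = share_of(ev["TargetFilename"])
        if s:
            shares[key].add(s)
        if len(q) >= threshold and key not in crossed:
            crossed[key] = ts

    alerts = []
    for (host, pid), when in crossed.items():
        hit = shares[(host, pid)]
        score = 60
        score += 15 if hit & SENSITIVE_SHARES else 0
        score += 15 if hit & BACKUP_SHARES else 0
        score += 10 if wipers[host] else 0
        alerts.append({
            "host": host, "pid": pid, "image": images[(host, pid)],
            "threshold_reached": when.strftime(TS_FMT)[:-3],
            "deletes": totals[(host, pid)],
            "shares": sorted(hit),
            "sensitive_shares": sorted(hit & SENSITIVE_SHARES),
            "backup_shares": sorted(hit & BACKUP_SHARES),
            "wiper_tools": sorted(wipers[host]),
            "score": score,
        })
    return alerts


def _sample_events():
    """Constructed sample telemetry (not real logs): 1,200 deletes by cmd.exe
    (PID 4789) across the finance and backups shares in 10 minutes, five
    deletes by an interactive user process, and one cipher.exe /w launch."""
    base = datetime(2024, 3, 3, 19, 0, 0)        # 14:00 EST written as UTC
    evs = []
    for i in range(1200):
        share = "finance" if i % 2 else "backups"
        evs.append({"EventID": 23, "Computer": "FILESRV-01", "ProcessId": 4789,
                    "Image": r"C:\Windows\System32\cmd.exe",
                    "UtcTime": (base + timedelta(seconds=i // 2)).strftime(TS_FMT),
                    "TargetFilename": rf"\\filesrv\{share}\doc{i}.xlsx"})
    for i in range(5):
        evs.append({"EventID": 23, "Computer": "FILESRV-01", "ProcessId": 2210,
                    "Image": r"C:\Windows\explorer.exe",
                    "UtcTime": (base + timedelta(minutes=i)).strftime(TS_FMT),
                    "TargetFilename": rf"\\filesrv\hr\tmp{i}.tmp"})
    evs.append({"EventID": 1, "Computer": "FILESRV-01", "ProcessId": 5120,
                "Image": r"C:\Windows\System32\cipher.exe",
                "CommandLine": r"cipher.exe /w:D:\Shares\finance",
                "UtcTime": (base + timedelta(minutes=10)).strftime(TS_FMT)})
    return evs


SAMPLE_EVENTS = _sample_events()

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The per-process key matters: a single `del /s /q` produces thousands of Event ID 23 records from one PID, while normal file-server churn is spread across many users and processes, so a per-host count alone would be noisier. Lowering the threshold for hosts whose deletions touch a backup share is a reasonable tuning step, since that is the pattern that removes the recovery path.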
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify Sysmon events | Splunk, Sysmon Logs | Confirmed mass file deletion
2. Process Investigation | Identify source of deletion | CrowdStrike Falcon | psexec.exe from compromised admin workstation
3. Immediate Action | Isolate file server | CrowdStrike, Network ACLs | FILESRV-01 quarantined
4. Backup Restoration | Restore from backups | Veeam Backup | All 78 GB of data restored
5. Account Remediation | Disable compromised admin account | Azure AD, AD | Admin account disabled; password reset
6. Incident Response | Activate disaster recovery | Management, Legal | Data destruction incident declared
Jira Incident Report
Ticket: SOC-2024-162
Summary: T1485 – Mass Data Destruction of 78 GB on File Server
Status: RESOLVED
Resolution: MALICIOUS – Data Destroyed, Restored from Backups
Priority: P1 – CRITICAL
Labels: T1485, data-destruction, mass-deletion, sysmon, compromised-admin
Components: Data-Security, Backup-Recovery
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Sysmon Event ID 23 (FileDelete). Note that Event ID 23 is only written when Sysmon is configured to archive deleted files; Event ID 26 (FileDeleteDetected) records deletions without archiving, so the rule should match both IDs on hosts where archiving is not enabled.
Alert: “Mass File Deletion Detected – Potential Data Destruction”.
Host: FILESRV-01 (Primary File Server).
Action: 12,847 files (78 GB) deleted.
Time: 2024-03-03 14:15 EST.
Technique: MITRE ATT&CK T1485 – Data Destruction.
2. Technical Analysis:
Attack Chain:
13:30 – Domain admin account (jsmith) compromised via phishing
13:45 – Attacker logs into admin workstation via RDP
13:50 – Attacker uses psexec to access file server
14:00-14:15 – Mass file deletion using del commands
14:10 – Attacker runs SDelete on key directories
14:15 – Mass-deletion rule fires on the Sysmon Event ID 23 telemetry
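Step 2 of the investigation (identify the source of the deletion) and the attack chain above can be reconstructed by walking backwards from the destructive process. The following is an added example, not code from the original report: it starts at the Sysmon Event ID 1 record whose parent is PSEXESVC.exe, finds the System 7045 service-install event that dropped that service, then the Security 4624 network logon (type 3) that delivered it, which names the account and the workstation running the PsExec client, and finally the RDP logon (4624, type 10) on that workstation, which gives the attacker's source address. Field names are those of the real event schemas; hostnames, IP addresses, times and the sample events are constructed.

```python
"""Walk a PsExec lateral-movement chain backwards from the destructive process.

Added example, not code from the original report. Events are dicts with the
real schema field names (Sysmon 1: Image, ParentImage, CommandLine, User;
System 7045: ServiceName, ImagePath; Security 4624: TargetUserName,
LogonType, IpAddress, WorkstationName). LogonType is stored as an int here.
Hostnames, IPs, times and the sample events are constructed.
"""
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"


def _latest_before(events, when, lookback, pred):
    """Most recent event satisfying pred inside [when - lookback, when]."""
    hits = [e for e in events if pred(e) and when - lookback <= e["_t"] <= when]
    return max(hits, key=lambda e: e["_t"]) if hits else None


def trace_psexec_chain(events, dest_host, lookback=timedelta(minutes=30)):
    """Reconstruct how a PSEXESVC-spawned process reached dest_host.

    Returns {"chain": [(time, host, description), ...], "account", "pivot_host",
    "attacker_ip"} in chronological order, or None when no process on
    dest_host has PSEXESVC.exe as its parent."""
    evs = [dict(e, _t=datetime.strptime(e["Time"], TS_FMT)) for e in events]

    # 1. First process on the destination whose parent is the PsExec service.
    children = [e for e in evs if e["Source"] == "Sysmon" and e["EventID"] == 1
                and e["Computer"] == dest_host
                and e["ParentImage"].lower().endswith("\\psexesvc.exe")]
    if not children:
        return None
    child = min(children, key=lambda e: e["_t"])
    chain = [(child["Time"], dest_host,
              f"{child['Image']} spawned by PSEXESVC as {child['User']}: {child['CommandLine']}")]
    account = pivot_host = attacker_ip = None

    # 2. Service install that dropped PSEXESVC (System log, Event ID 7045).
    svc = _latest_before(evs, child["_t"], lookback, lambda e:
                         e["Source"] == "System" and e["EventID"] == 7045
                         and e["Computer"] == dest_host
                         and e["ServiceName"].upper() == "PSEXESVC")
    if svc:
        chain.insert(0, (svc["Time"], dest_host,
                         f"service {svc['ServiceName']} installed ({svc['ImagePath']})"))
        # 3. Network logon (type 3) preceding the install: the account used and
        #    the workstation the PsExec client ran on.
        logon = _latest_before(evs, svc["_t"], lookback, lambda e:
                               e["Source"] == "Security" and e["EventID"] == 4624
                               and e["Computer"] == dest_host and e["LogonType"] == 3)
        if logon:
            account, pivot_host = logon["TargetUserName"], logon["WorkstationName"]
            chain.insert(0, (logon["Time"], dest_host,
                             f"network logon by {account} from {pivot_host} ({logon['IpAddress']})"))
            # 4. RDP logon (type 10) for the same account on that workstation:
            #    the address the attacker actually came from.
            rdp = _latest_before(evs, logon["_t"], lookback, lambda e:
                                 e["Source"] == "Security" and e["EventID"] == 4624
                                 and e["Computer"] == pivot_host and e["LogonType"] == 10
                                 and e["TargetUserName"] == account)
            if rdp:
                attacker_ip = rdp["IpAddress"]
                chain.insert(0, (rdp["Time"], pivot_host,
                                 f"RDP logon by {account} from {attacker_ip}"))
    return {"chain": chain, "account": account,
            "pivot_host": pivot_host, "attacker_ip": attacker_ip}


# Constructed sample events (times follow the report's EST timeline; the
# hostnames and addresses are invented for the example).
SAMPLE_EVENTS = [
    {"Source": "Security", "EventID": 4624, "Computer": "FILESRV-01", "Time": "2024-03-03 13:40:12",
     "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "10.0.5.9", "WorkstationName": "BACKUP-01"},
    {"Source": "Security", "EventID": 4624, "Computer": "ADMIN-WS01", "Time": "2024-03-03 13:45:02",
     "TargetUserName": "jsmith", "LogonType": 10, "IpAddress": "203.0.113.45", "WorkstationName": "ADMIN-WS01"},
    {"Source": "Security", "EventID": 4624, "Computer": "FILESRV-01", "Time": "2024-03-03 13:50:07",
     "TargetUserName": "jsmith", "LogonType": 3, "IpAddress": "10.0.5.23", "WorkstationName": "ADMIN-WS01"},
    {"Source": "System", "EventID": 7045, "Computer": "FILESRV-01", "Time": "2024-03-03 13:50:09",
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"Source": "Sysmon", "EventID": 1, "Computer": "FILESRV-01", "Time": "2024-03-03 13:58:41",
     "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\SYSTEM", "CommandLine": "svchost.exe -k netsvcs"},   # benign noise
    {"Source": "Sysmon", "EventID": 1, "Computer": "FILESRV-01", "Time": "2024-03-03 14:00:03",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "User": r"NT AUTHORITY\SYSTEM", "CommandLine": r"cmd.exe /c del /s /q \\filesrv\finance\*.*"},
]

if __name__ == "__main__":
    result = trace_psexec_chain(SAMPLE_EVENTS, "FILESRV-01")
    for when, host, what in result["chain"]:
        print(when, host, what)
    print("account:", result["account"], "pivot:", result["pivot_host"],
          "attacker IP:", result["attacker_ip"])
```

Each hop is chosen as the latest matching event inside a bounded lookback rather than any match, so an unrelated earlier network logon (the svc_backup one in the sample) does not get attributed to the attacker. On a busy file server the type 3 logon list will be long; constraining it to the few seconds before the 7045 event is what makes the pivot reliable.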
Data Destroyed:
Finance: 3,456 files (23 GB) – financial records, reports
HR: 2,891 files (15 GB) – employee records, payroll
R&D: 4,234 files (28 GB) – source code, designs, IP
Executive: 1,234 files (8 GB) – board minutes, strategy
Backups: 1,032 files (4 GB) – on-server backups
Total: 12,847 files, 78 GB
Destruction Tools:
del /s /q: recursive deletion of every matching file in all subdirectories (/s) with no confirmation prompt (/q)
SDelete.exe: secure file deletion (overwrites file contents before removing the file)
cipher.exe /w: wipes free space on the volume (overwrites the clusters that deleted files occupied, preventing recovery)
Attacker Intent:
Maximum business disruption
Prevent data recovery (secure deletion)
Possibly precursor to ransomware (no ransom note found)
3. Investigation Findings:
Timeline:
13:30 – Admin account compromised
13:45 – Attacker logs in
13:50 – Access to file server
14:00-14:15 – Data destruction
14:15 – Mass-deletion rule fires on Sysmon Event ID 23 telemetry
14:17 – SOC investigates
14:18 – File server isolated
14:20 – Backup restoration begins
Indicators of Compromise (IoCs):
Commands:
– del /s /q \\filesrv\finance\*.*
– del /s /q \\filesrv\hr\*.*
– del /s /q \\filesrv\r&d\*.*
– del /s /q \\filesrv\executive\*.*
– del /s /q \\filesrv\backups\*.*
– SDelete.exe execution
– cipher.exe /w execution
Account:
– jsmith (compromised domain admin)
4. Containment Actions:
Immediate Actions:
Isolated FILESRV-01 via network ACLs.
Disabled jsmith account.
Reset admin password.
Blocked attacker IP at firewall.
Data Recovery:
Restored all 78 GB of data from Veeam backups (off-site).
Verified data integrity (no corruption).
File server back online at 15:30.
Account Remediation:
Reset all domain admin passwords.
Enforced MFA for all admins.
5. Root Cause Analysis:
Primary Cause: Domain admin account compromised via phishing.
Contributing Factors:
No MFA on admin account.
Admin had access to file server (legitimate).
Backup copies stored on the file server itself were deletable with the same credentials; only the off-site Veeam copies survived.
No file integrity monitoring on server.
6. Business Impact:
Operational Impact: File server offline for 1.5 hours.
Data Exposure: Data destroyed, not stolen (no exfiltration).
Business Disruption: All departments unable to access files for 1.5 hours.
Recovery Cost: Significant (restoration time, incident response).
7. Remediation & Prevention:
Completed Actions:
Data restored from backups.
Account secured.
File server back online.
Technical Controls Enhanced:
Enforced MFA for all admin accounts.
Moved admin access behind VPN only.
Implemented file integrity monitoring on critical servers.
Enhanced backup frequency (hourly for critical data).
8. Conclusion:
An attacker compromised a domain admin account and systematically destroyed 78 GB of critical business data on the primary file server, including finance, HR, R&D, and executive files. Sysmon detected the mass deletion, and backups enabled full recovery within 1.5 hours.
Closure Rationale: Data destroyed; data restored from backups; account secured.
Analyst: [Your Name], SOC Analyst Date: 2024-03-03 15:30 EST