T1222 – File and Directory Permissions Modification (Sysmon Detection)

Sysmon Alert Details
Alert ID: SYSMON-PERM-MOD-1222-7842
Alert Time: 2024-03-05 11:30:22 EST
Severity: HIGH (85/100)
Source: Sysmon (Event ID 13 – Registry Value Set, Event ID 1 – Process Creation)
Rule: "File Permissions Modification via icacls/cacls"
MITRE ATT&CK: T1222.001 – File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Alert Details:

Detection: Mass modification of file permissions on network share

Host: FILESRV-01 (File Server)
User: SYSTEM (via compromised admin account)
Time: 11:15-11:30 EST

Commands Executed (Event ID 1):

11:15:22 – icacls \\filesrv\finance /deny "Domain Users:(R,W)"
11:16:45 – icacls \\filesrv\finance /deny "Authenticated Users:(R,W)"
11:18:12 – icacls \\filesrv\finance /remove "Finance Team"
11:19:33 – icacls \\filesrv\finance /grant "Everyone:F"
11:20:55 – icacls \\filesrv\hr /deny "Domain Users:(R,W)"
11:22:18 – icacls \\filesrv\hr /deny "Authenticated Users:(R,W)"
11:23:40 – icacls \\filesrv\hr /grant "Everyone:F"
11:25:02 – icacls \\filesrv\r&d /deny "Domain Users:(R,W)"
11:26:25 – icacls \\filesrv\r&d /grant "Everyone:F"

Affected Shares:

\\filesrv\finance (financial data)
\\filesrv\hr (HR records)
\\filesrv\r&d (R&D intellectual property)

Detection Logic:

Multiple icacls commands modifying permissions
Removing access for legitimate users (Domain Users, Finance Team)
Granting Everyone full control (insecure)
Pattern matches attacker locking out users or granting themselves access
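
The detection logic above, written out as a rule over Sysmon Event ID 1 command lines. This is an added example, not code from the original report or its SIEM; the sample events, the host names, the principal lists and the thresholds are constructed assumptions modelled on the alert.

```python
import re
from collections import defaultdict

SAMPLE_EVENTS = [  # constructed Sysmon Event ID 1 records modelled on the alert (not live telemetry)
    {"Computer": "FILESRV-01", "CommandLine": 'icacls \\\\filesrv\\finance /deny "Domain Users:(R,W)"'},
    {"Computer": "FILESRV-01", "CommandLine": 'icacls \\\\filesrv\\finance /remove "Finance Team"'},
    {"Computer": "FILESRV-01", "CommandLine": 'icacls \\\\filesrv\\finance /grant "Everyone:F"'},
    {"Computer": "WS-042", "CommandLine": 'icacls C:\\Temp\\report.txt /grant "jsmith:(R)"'},  # benign
]
BROAD_PRINCIPALS = {"domain users", "authenticated users", "users"}  # denying these locks out staff
OPEN_PRINCIPALS = {"everyone", "anonymous logon", "guests"}          # full control here exposes data
TOKEN = re.compile(r'"[^"]*"|\S+')  # split on whitespace but keep quoted principals together


def classify_icacls(cmdline):
    """Return (target, findings) for one icacls/cacls command line, or None if not an ACL tool."""
    argv = [t.strip('"') for t in TOKEN.findall(cmdline)]
    if not argv or argv[0].split("\\")[-1].lower().split(".")[0] not in ("icacls", "cacls"):
        return None
    target, findings = (argv[1] if len(argv) > 1 else ""), []
    for i, tok in enumerate(argv[:-1]):  # each switch is followed by "principal:perms"
        op = tok.lower()
        principal, _, perms = argv[i + 1].partition(":")
        name = principal.split("\\")[-1].lower()  # drop any DOMAIN\ prefix
        if op == "/deny" and name in BROAD_PRINCIPALS:
            findings.append("deny_broad:" + principal)
        elif op.startswith("/remove") and name not in OPEN_PRINCIPALS:
            findings.append("remove:" + principal)
        elif op.startswith("/grant") and name in OPEN_PRINCIPALS and re.search(r"\bF\b", perms.upper()):
            findings.append("grant_full_open:" + principal)  # matches F, (F) and (OI)(CI)F
    return target, findings


def detect_mass_permission_modification(events, min_commands=3, min_patterns=2):
    """Alert per host when several ACL commands show the lockout and/or exposure patterns."""
    per_host = defaultdict(lambda: {"commands": 0, "targets": set(), "findings": []})
    for ev in events:
        result = classify_icacls(ev["CommandLine"])
        if result is None:
            continue
        target, findings = result
        h = per_host[ev["Computer"]]
        h["commands"] += 1
        h["targets"].add(target.lower())
        h["findings"].extend(findings)
    alerts = []
    for host, h in per_host.items():
        patterns = sorted({f.split(":")[0] for f in h["findings"]})
        if h["commands"] >= min_commands and len(patterns) >= min_patterns:
            alerts.append({"host": host, "technique": "T1222.001", "commands": h["commands"],
                           "targets": sorted(h["targets"]), "patterns": patterns})
    return alerts
```

A single benign icacls change on a workstation produces no alert; the file server trips the rule because several commands combine a broad deny, a group removal and full control for Everyone.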

SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Sysmon events | Splunk, Sysmon Logs | Confirmed permission changes on shares |
| 2. Process Investigation | Identify source of commands | CrowdStrike Falcon | psexec from compromised admin workstation |
| 3. Immediate Action | Revert permissions | icacls, PowerShell | Permissions restored from backup policy |
| 4. Admin Account Remediation | Disable compromised admin account | Azure AD, AD | Admin account disabled; password reset |
| 5. Network Block | Block attacker IP | Palo Alto | 185.143.221[.]89 blocked |
| 6. Access Verification | Verify users can access shares | Testing | Access restored |

Jira Incident Report
Ticket: SOC-2024-173
Summary: T1222 – Mass Permission Modification on File Shares
Status: RESOLVED
Resolution: MALICIOUS – Permissions Restored
Priority: P2 – MEDIUM
Labels: T1222, permissions-modification, icacls, sysmon, compromised-admin
Components: Data-Security, Access-Control

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Sysmon Event ID 1 (Process Creation).
Alert: “File Permissions Modification via icacls/cacls”.
Host: FILESRV-01 (File Server).
Actions: Permissions changed on finance, HR, R&D shares.
Time: 2024-03-05 11:30 EST.
Technique: MITRE ATT&CK T1222.001 – File and Directory Permissions Modification: Windows File and Directory Permissions Modification.

2. Technical Analysis:

Attack Chain:

10:30 – Admin account (jsmith) compromised via phishing
10:45 – Attacker logs into admin workstation via RDP
11:00 – Attacker uses psexec to run icacls commands
11:15-11:30 – Permission modifications on shares
11:30 – Sysmon detects

Permission Changes:

Finance Share: Denied access to Domain Users, Authenticated Users; removed Finance Team; granted Everyone:F
HR Share: Denied access to Domain Users, Authenticated Users; granted Everyone:F
R&D Share: Denied access to Domain Users; granted Everyone:F

Impact:

All domain users locked out of finance, HR, R&D shares
Everyone (including anonymous) granted full control (extremely insecure)
Data exposed to anyone on network

Attacker Intent:

Lock out legitimate users (disruption)
Grant themselves access (already had admin)
Possibly prepare for data theft

3. Investigation Findings:

Timeline:

10:30 – Admin account compromised
10:45 – Attacker logs in
11:00-11:30 – Permission modifications
11:30 – Sysmon alert
11:32 – SOC investigates
11:33 – Admin account disabled
11:35 – Permissions restored

Indicators of Compromise (IoCs):

Commands:

– icacls \\filesrv\finance /deny "Domain Users:(R,W)"
– icacls \\filesrv\finance /remove "Finance Team"
– icacls \\filesrv\finance /grant "Everyone:F"
– (similar for HR and R&D)

Account:

– jsmith (compromised admin)

4. Containment Actions:

Immediate Actions:

Disabled compromised admin account.
Restored permissions from backup policy (using PowerShell).
Removed Everyone:F access.
Re-added Domain Users and Finance Team with appropriate permissions.
Verified access restored.

Account Remediation:

Reset jsmith password.
Enforced MFA.

Data Protection:

Checked for data exfiltration (none).

5. Root Cause Analysis:

Primary Cause: Admin account compromised via phishing.
Contributing Factors:
No MFA on admin account.
Admin had access to modify share permissions.
No alerting for permission changes.

6. Business Impact:

Operational Impact: Users locked out of shares for 20 minutes.
Data Exposure: Potential exposure during window (Everyone:F). No evidence of exfiltration.

7. Remediation & Prevention:

Completed Actions:

Permissions restored.
Account secured.
Access verified.

Technical Controls Enhanced:

Enforced MFA for all admins.
Moved admin access behind VPN only.
Created alert for icacls/cacls usage on shares.
Implemented change management for permission modifications.

8. Conclusion:

An attacker compromised an admin account and modified permissions on critical file shares, locking out legitimate users and granting Everyone full control. Sysmon detected the icacls commands, enabling rapid restoration of correct permissions.

Closure Rationale: Permissions restored; account secured; no data loss.

Analyst: [Your Name], SOC Analyst
Date: 2024-03-05 12:30 EST
