Carbon Black Alert Details
Alert ID: CB-DISK-WIPE-1561-7842
Alert Time: 2024-03-05 16:30:45 EST
Severity: CRITICAL (99/100)
Source: VMware Carbon Black Cloud
Rule: “Disk Wiping Activity Detected – Raw Disk Access”
MITRE ATT&CK: T1561.001 – Disk Wipe: Disk Content Wipe
Alert Details:
Detection: Process overwriting disk sectors with raw write access
Host: SQL-SRV-01 (Primary SQL Server)
User: SYSTEM (via compromised admin)
Time: 16:15-16:30 EST
Process Details:
Process: C:\Windows\Temp\wipe.exe (PID: 4789)
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Parent: psexec.exe (from admin workstation)
Disk Activity:
Raw write access to \\.\PhysicalDrive0 (system disk)
Overwriting sectors 0-10,000 with zeros
MBR (Master Boot Record) overwritten
Partition table corrupted
Data on C: drive being wiped sequentially
Additional Tools:
sdelete.exe -c (clean free space)
cipher.exe /w (wipe free space)
Detection Logic:
Process with raw disk write access (unusual)
Overwriting disk sectors (not just files)
MBR overwritten (system unbootable)
Pattern matches destructive disk wipe attack
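The three conditions above, as an added triage routine (not the Carbon Black rule itself or any tooling from the incident): it flags a raw-device handle opened for writing, and adds weight when the image is a non-system binary staged in a temp directory or launched by a remote-execution tool, plus a check that sector 0 still holds a valid MBR. Event field names (Image, ParentImage, TargetObject, AccessMask) are assumptions modelled on Sysmon-style telemetry, and the sample events are constructed to mirror this alert.

```python
import re

RAW_DEVICE = re.compile(r"^\\\\\.\\(?:PhysicalDrive\d+|[A-Za-z]:)$")  # \\.\PhysicalDriveN or \\.\C:
WRITE_MASKS = {"GENERIC_WRITE", "FILE_WRITE_DATA"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
STAGING_DIRS = ("\\windows\\temp\\", "\\users\\public\\", "\\appdata\\local\\temp\\")
REMOTE_EXEC_PARENTS = {"psexec.exe", "psexesvc.exe", "wmiprvse.exe"}

def triage(evt: dict) -> list[str]:
    """Return the reasons an event matches the alert's logic; [] means benign."""
    target = evt.get("TargetObject", "")
    if not RAW_DEVICE.match(target) or not WRITE_MASKS & set(evt.get("AccessMask", ())):
        return []  # only raw device handles opened for writing are of interest
    image = evt.get("Image", "").lower()
    parent = evt.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    reasons = [f"raw write handle to {target}"]
    if not image.startswith(SYSTEM_DIRS):
        reasons.append("non-system binary")
    if any(d in image for d in STAGING_DIRS):
        reasons.append("image staged in a temp/public directory")
    if parent in REMOTE_EXEC_PARENTS:
        reasons.append(f"launched by remote-execution tool {parent}")
    return reasons

def mbr_intact(sector0: bytes) -> bool:
    """True when a 512-byte sector 0 still carries the 0x55AA boot signature and
    a non-empty partition table; the zero-filled sector left by the wipe fails both."""
    return (len(sector0) == 512 and sector0[510:512] == b"\x55\xaa"
            and any(sector0[446:510]))

# Constructed sample events modelled on the alert above (illustrative values only).
SAMPLE_EVENTS = [
    {"ProcessId": 4789, "Image": "C:\\Windows\\Temp\\wipe.exe",
     "ParentImage": "C:\\Tools\\PsExec.exe",
     "TargetObject": "\\\\.\\PhysicalDrive0", "AccessMask": ["GENERIC_WRITE"]},
    {"ProcessId": 1220, "Image": "C:\\Windows\\System32\\defrag.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "\\\\.\\C:", "AccessMask": ["GENERIC_READ"]},
]

if __name__ == "__main__":
    for evt in SAMPLE_EVENTS:
        print(evt["ProcessId"], evt["Image"], "->", triage(evt) or "benign")
```

A read-only handle to a volume (defrag, VSS) does not fire, so the rule keys on write access rather than raw access alone.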
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify Carbon Black alert | Carbon Black Console | Confirmed disk wiping activity
2. Immediate Action | Power off server | Remote Console | Server shut down to prevent further damage
3. Process Investigation | Identify source | CrowdStrike Falcon | psexec from compromised admin workstation
4. Admin Account Remediation | Disable compromised admin account | Azure AD, AD | Admin account disabled; password reset
5. Data Recovery | Restore from backups | Veeam Backup | Full server restore from previous night’s backup
6. Incident Response | Activate disaster recovery | Management, Legal | Data destruction incident declared
Jira Incident Report
Ticket: SOC-2024-174
Summary: T1561 – Disk Wipe Attack on SQL Server (MBR Overwritten)
Status: RESOLVED
Resolution: MALICIOUS – Data Destroyed, Restored from Backups
Priority: P1 – CRITICAL
Labels: T1561, disk-wipe, raw-disk-access, carbon-black, compromised-admin
Components: Endpoint-Security, Backup-Recovery
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: VMware Carbon Black Cloud.
Alert: “Disk Wiping Activity Detected – Raw Disk Access”.
Host: SQL-SRV-01 (Primary SQL Server).
Action: Overwriting disk sectors, MBR destroyed.
Time: 2024-03-05 16:30 EST.
Technique: MITRE ATT&CK T1561.001 – Disk Wipe: Disk Content Wipe.
2. Technical Analysis:
Attack Chain:
15:30 – Admin account (jwilson) compromised via phishing
15:45 – Attacker logs into admin workstation via RDP
16:00 – Attacker uses psexec to deploy wipe.exe to SQL server
16:05 – wipe.exe executed with SYSTEM privileges
16:05-16:30 – Disk wiping in progress (MBR overwritten, data wiped)
16:30 – Carbon Black detects the raw disk write and raises the alert
Wipe Tool Analysis:
Name: wipe.exe (custom disk wiper)
SHA256: a1b2c3d4…
Function: Opens physical drive \\.\PhysicalDrive0 with write access, overwrites sectors with zeros
Progress: Overwrote first 10,000 sectors (MBR + partition table + beginning of data)
Damage:
MBR destroyed (system unbootable)
Partition table lost
SQL data files partially overwritten (beginning of drive)
System unrecoverable without full restore
Attacker Intent:
Maximum destruction
Prevent recovery
Likely part of destructive attack (wiper)
3. Investigation Findings:
Timeline:
15:30 – Admin account compromised
15:45 – Attacker logs in
16:00 – wipe.exe deployed
16:05-16:30 – Disk wiping
16:30 – Carbon Black alert
16:32 – SOC investigates
16:33 – Server powered off
16:35 – Admin account disabled
16:40 – Backup restoration begins
Indicators of Compromise (IoCs):
Files:
– C:\Windows\Temp\wipe.exe (SHA256: a1b2c3d4…)
Disk Activity:
– Raw write to \\.\PhysicalDrive0
– MBR overwritten
Account:
– jwilson (compromised admin)
4. Containment Actions:
Immediate Actions:
Powered off SQL server to prevent further wiping.
Disabled compromised admin account.
Reset admin password.
Blocked attacker IP.
Data Recovery:
Restored SQL server from previous night’s Veeam backup (16 hours old).
Data loss: Transactions between 00:00 and 16:30 (16.5 hours).
Restored to new VM to ensure clean state.
Business Impact Mitigation:
Declared data breach (data loss).
Notified affected business units.
Recovered database from backup.
5. Root Cause Analysis:
Primary Cause: Admin account compromised via phishing.
Contributing Factors:
No MFA on admin account.
Admin had ability to deploy tools to servers.
No alerting for raw disk access.
6. Business Impact:
Operational Impact: SQL server offline for 4 hours (restore time).
Data Loss: 16.5 hours of transactions lost.
Financial Impact: Significant (lost transactions, recovery costs).
7. Remediation & Prevention:
Completed Actions:
Server restored.
Admin account secured.
Attacker blocked.
Technical Controls Enhanced:
Enforced MFA for all admins.
Moved admin access behind VPN only.
Blocked raw disk access for non-system processes.
Enhanced Carbon Black monitoring for raw disk writes.
8. Conclusion:
An attacker compromised an admin account and deployed a disk wiper on the primary SQL server, overwriting the MBR and partially destroying data. Carbon Black detected the raw disk access, enabling shutdown before complete destruction. The server was restored from backup with 16.5 hours of data loss.
Closure Rationale: Data partially destroyed; server restored from backup; admin account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-05 18:00 EST