Palo Alto Alert Details
Alert ID: PAN-EXFIL-ALT-PROTO-1048-7842
Alert Time: 2024-03-12 10:30:22 EST
Severity: HIGH (85/100)
Source: Palo Alto Networks Firewall + WildFire
Rule: "Data Exfiltration over Non-Standard Port Detected"
MITRE ATT&CK: T1048.003 – Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Alert Details:
Detection: Large data transfer over TCP port 444 (not standard) to suspicious IP
User: bturner@company.com (Brian Turner, Accountant)
Source: 192.168.45.112 (FIN-WS-078)
Destination: 185.143.221[.]89:444
Time: 10:15-10:30 EST
Protocol: Raw TCP (no application layer)
Traffic Analysis:
10:15-10:30: 4 separate TCP streams
Total data: 47 MB
Data pattern: Raw binary (not HTTP, FTP, etc.)
Payload analysis (WildFire): Contains ZIP archives of financial documents
Detection Logic:
Large data transfer on non-standard port (444)
Destination IP known malicious
No standard protocol (raw TCP) – suspicious
Pattern matches exfiltration over alternative protocol
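The four detection conditions above can be expressed as a scoring rule over per-flow aggregates of firewall session logs. The following is an added example written for this report, not Palo Alto's rule or the vendor's code: the six-field CSV layout, the threat list, the allowed-port set, the 20 MB threshold and the point weights are all assumed tuning choices, and the sample sessions are constructed to reproduce the 4-stream, 47 MB transfer described in the alert (the "unknown-tcp" label is what App-ID assigns to TCP traffic it cannot identify, which is how "raw TCP" shows up in a traffic log).

```python
"""Score aggregated firewall sessions against the alert's four conditions:
known-bad destination, non-standard port, no identified application layer,
large volume. Log layout and thresholds are assumptions for this example."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample traffic log: time,src,dst,dport,app,bytes_sent
# The four 185.143.221.89 sessions total exactly 47 MiB, as in the alert.
SAMPLE_LOG = """\
2024-03-12 10:15:02,192.168.45.112,185.143.221.89,444,unknown-tcp,12582912
2024-03-12 10:19:41,192.168.45.112,185.143.221.89,444,unknown-tcp,11534336
2024-03-12 10:24:10,192.168.45.112,185.143.221.89,444,unknown-tcp,12058624
2024-03-12 10:29:55,192.168.45.112,185.143.221.89,444,unknown-tcp,13107200
2024-03-12 10:16:30,192.168.45.50,93.184.216.34,443,ssl,2048000
2024-03-12 10:17:00,192.168.45.77,10.0.0.5,445,ms-ds-smb,52428800
"""

KNOWN_BAD_IPS = {"185.143.221.89"}          # assumed threat-intel feed (one entry)
STANDARD_EGRESS_PORTS = {22, 25, 53, 80, 443, 587, 993}  # assumed allow-list
SIZE_THRESHOLD_BYTES = 20 * 1024 * 1024     # assumed: 20 MiB per flow per window
ALERT_SCORE = 60                             # assumed: alert at or above this score
APP_ID_RAW_TCP = "unknown-tcp"               # App-ID label for unidentified TCP

FlowKey = Tuple[str, str, int]  # (src, dst, dport)


@dataclass
class Session:
    ts: str
    src: str
    dst: str
    dport: int
    app: str
    bytes_sent: int


def parse_log(text: str) -> List[Session]:
    """Parse the constructed CSV layout into Session records."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, app, sent = line.split(",")
        sessions.append(Session(ts, src, dst, int(dport), app, int(sent)))
    return sessions


def aggregate(sessions: List[Session]) -> Dict[FlowKey, dict]:
    """Collapse individual sessions into one record per (src, dst, dport)."""
    flows: Dict[FlowKey, dict] = {}
    for s in sessions:
        f = flows.setdefault((s.src, s.dst, s.dport),
                             {"streams": 0, "total_bytes": 0, "apps": set()})
        f["streams"] += 1
        f["total_bytes"] += s.bytes_sent
        f["apps"].add(s.app)
    return flows


def score_flow(key: FlowKey, agg: dict) -> Tuple[int, List[str]]:
    """Apply the four conditions; return the score and the reasons that fired."""
    _src, dst, dport = key
    score, reasons = 0, []
    if dst in KNOWN_BAD_IPS:
        score += 40
        reasons.append("destination on threat list")
    if dport not in STANDARD_EGRESS_PORTS:
        score += 20
        reasons.append(f"non-standard port {dport}")
    if agg["apps"] == {APP_ID_RAW_TCP}:
        score += 15
        reasons.append("no identified application layer (raw TCP)")
    if agg["total_bytes"] >= SIZE_THRESHOLD_BYTES:
        score += 25
        reasons.append(f"{agg['total_bytes'] / 2**20:.1f} MiB sent")
    return score, reasons


def detect(text: str) -> List[dict]:
    """Return one alert per egress flow whose score reaches ALERT_SCORE."""
    alerts = []
    for key, agg in aggregate(parse_log(text)).items():
        src, dst, dport = key
        if ipaddress.ip_address(dst).is_private:
            continue  # east-west traffic is out of scope for an egress rule
        score, reasons = score_flow(key, agg)
        if score >= ALERT_SCORE:
            alerts.append({"technique": "T1048.003", "src": src, "dst": dst,
                           "dport": dport, "streams": agg["streams"],
                           "total_bytes": agg["total_bytes"],
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

The 50 MiB SMB transfer to 10.0.0.5 is deliberately present to show why the private-destination exclusion matters: it would otherwise score 25 on volume alone and add noise. Weighting the threat-list match highest mirrors the alert's own ordering, where the known-malicious destination is what lifts a "large transfer on an odd port" from a tuning question to a HIGH-severity event.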
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify Palo Alto alert | Panorama Logs | Confirmed exfiltration over TCP/444
2. Process Investigation | Identify process on endpoint | CrowdStrike Falcon | Custom exfiltration tool (exfil.exe)
3. Data Analysis | Determine what was stolen | DLP, File Audit | 47 MB of financial data exfiltrated
4. Immediate Action | Isolate host | CrowdStrike | FIN-WS-078 quarantined
5. C2 Blocking | Block destination IP | Palo Alto | 185.143.221[.]89 blocked
6. Incident Response | Activate breach response | Legal, Management | Data breach declared
Jira Incident Report
Ticket: SOC-2024-210
Summary: T1048.003 – 47 MB Financial Data Exfiltrated over TCP/444
Status: RESOLVED
Resolution: MALICIOUS – Data Breach Confirmed
Priority: P1 – CRITICAL
Labels: T1048, exfiltration, alternative-protocol, palo-alto, data-breach
Components: Network-Security, Data-Protection
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Palo Alto Networks Firewall + WildFire.
Alert: “Data Exfiltration over Non-Standard Port Detected”.
User: bturner@company.com (Finance Department).
Host: FIN-WS-078.
Destination: 185.143.221[.]89:444.
Data: 47 MB exfiltrated.
Time: 2024-03-12 10:30 EST.
Technique: MITRE ATT&CK T1048.003 – Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol.
2. Technical Analysis:
Attack Chain:
09:30 – bturner account compromised via phishing
09:45 – Attacker logs into FIN-WS-078 via RDP
09:50 – Attacker collects financial documents
10:00 – Attacker runs exfil.exe (custom tool)
10:15-10:30 – Data exfiltration over TCP/444
10:30 – Palo Alto detects
Exfiltration Method:
Protocol: Raw TCP (no HTTP, FTP, etc.)
Port: 444 (non-standard, not commonly monitored)
Tool: exfil.exe (SHA256: a1b2c3d4…)
Data: 47 MB in 4 streams
Exfiltrated Data:
Q1 financial reports (12 MB)
Q2 forecasts (8 MB)
Budget spreadsheets (15 MB)
Customer payment data (10 MB)
Merger documents (2 MB)
Total: 47 MB
Attacker Infrastructure:
IP: 185.143.221[.]89
Port: 444
Location: Bulgaria
3. Investigation Findings:
Timeline:
09:30 – Account compromised
09:45 – Attacker logs in
09:50-10:00 – Data collection
10:15-10:30 – Exfiltration
10:30 – Alert
10:32 – SOC investigates
10:33 – Host isolated
10:34 – C2 blocked
Indicators of Compromise (IoCs):
Network:
– Destination: 185.143.221[.]89:444
– Protocol: Raw TCP
Files:
– C:\Windows\Temp\exfil.exe (SHA256: a1b2c3d4…)
– C:\temp\data.zip (47 MB, exfiltrated)
Account:
– bturner (compromised)
4. Containment Actions:
Immediate Actions:
Isolated FIN-WS-078.
Blocked destination IP at firewall.
Terminated exfil.exe process.
Deleted exfil.exe.
Disabled bturner account.
Reset password.
Breach Response:
Declared data breach.
Notified legal, PR, management.
Began customer notification process.
Reported to relevant authorities.
Host Remediation:
Reimaged host.
5. Root Cause Analysis:
Primary Cause: User account compromised, leading to data theft.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
Outbound traffic allowed on non-standard ports.
6. Business Impact:
Operational Impact: Finance host offline.
Data Exposure: 47 MB of financial and customer data exfiltrated.
Regulatory Impact: GDPR/CCPA breach.
Financial Impact: Significant.
7. Remediation & Prevention:
Completed Actions:
Exfiltration stopped.
Host isolated.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Blocked non-standard outbound ports.
Enhanced DLP for egress traffic.
8. Conclusion:
An attacker compromised a finance user’s account and exfiltrated 47 MB of financial data over a non-standard port (TCP/444). Palo Alto detected the anomalous traffic, but exfiltration had already occurred. A full data breach response was initiated.
Closure Rationale: Data exfiltrated; exfiltration stopped; breach response initiated.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-12 11:30 EST