SOC Incident Report: Replication Through Removable Media (T1091)

Alert Details: EDR + DLP Correlation Alert

EDR Alert (Microsoft Defender for Endpoint):

Alert ID: MDE-USB-WORM-7842
Alert Time: 2024-01-24 11:18:42 EST
Severity: HIGH (82/100)
MITRE ATT&CK: T1091 – Replication Through Removable Media
Detection: “Worm-like behavior via removable media”

Details:

Host: RND-WS-023 (R&D Department)
User: drajput (Deepak Rajput, Research Scientist)
Process: C:\Windows\Temp\usb_sync.exe
Parent: explorer.exe
Command Line: usb_sync.exe /autorun /silent /propagate

File Activity:
- Created: C:\Windows\Temp\usb_sync.exe (SHA256: 8e7f6a5b4c3d2e1f...)
- Copied: 1,245 files to USB drive (E:)
- Modified: autorun.inf on USB root
- Created: E:\System Volume Information\winstore.dat

Process Behavior:
- Enumerated all removable drives (E:, F:, G:)
- Created hidden folder: E:\$RECYCLE.BIN\.system
- Copied self to: E:\$RECYCLE.BIN\.system\usb_sync.exe
- Set up WMI event subscription for USB insertion

DLP Alert (Forcepoint DLP):

Alert ID: DLP-RND-DATAEXFIL-4587
Alert Time: 2024-01-24 11:20:15 EST
Severity: CRITICAL (95/100)
Policy Violation: “Intellectual Property Exfiltration via Removable Media”

Details:

User: drajput
Host: RND-WS-023
Action: COPY to removable media
Data Class: Intellectual Property - Research Data
Files Copied: 87 files (2.8 GB total)
- Source: \\RND-SERVER\Projects\QuantumComputing\
- Destination: E:\Backup\QC_Research\
File Types: .ipynb, .py, .mat, .research, .cad, .pdf

Content Matched:
- 42 files containing "PROPRIETARY" header
- 15 files with "CONFIDENTIAL" watermark
- 8 files matching "Quantum Algorithm" patterns
- 22 files from "Project Helios" folder

Risk Score: 98/100 (Extreme sensitivity)

Correlation Context:

Both alerts triggered within 2 minutes on the same host and user. USB device identified as:

  • Device: Kingston DataTraveler 2000 (encrypted USB)
  • Serial: 001CC0EC3466B881A43903C3
  • Capacity: 64GB (58GB used)
  • Volume Name: “BACKUP_DRIVE”
  • Last Connected: 2024-01-24 11:15 EST
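The correlation logic behind this context block, as an added example (not from the report or from either vendor's console): it pairs EDR T1091 alerts with DLP alerts from the same host and user that fire within a two-minute window, and pulls the USB serial out of the EDR alert's AdditionalFields JSON. The alert records, their field names and the AdditionalFields layout are constructed assumptions modelled on the two alerts above.

```python
import json
from datetime import datetime, timedelta

# Constructed sample alerts modelled on the report's EDR and DLP alerts
# (field names and the AdditionalFields layout are assumptions).
ALERTS = [
    {"id": "MDE-USB-WORM-7842", "source": "EDR", "host": "RND-WS-023",
     "user": "drajput", "ts": "2024-01-24 11:18:42", "technique": "T1091",
     "AdditionalFields": json.dumps({"DriveLetter": "E:",
                                     "ProductName": "DataTraveler 2000",
                                     "SerialNumber": "001CC0EC3466B881A43903C3"})},
    {"id": "DLP-RND-DATAEXFIL-4587", "source": "DLP", "host": "RND-WS-023",
     "user": "drajput", "ts": "2024-01-24 11:20:15",
     "policy": "Intellectual Property Exfiltration via Removable Media"},
    # Unrelated DLP hit on another host: must not correlate.
    {"id": "DLP-FIN-0001", "source": "DLP", "host": "FIN-WS-011",
     "user": "asmith", "ts": "2024-01-24 11:21:00", "policy": "PCI to removable media"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def usb_serial(alert):
    """USB serial from the EDR alert's AdditionalFields JSON, or None."""
    raw = alert.get("AdditionalFields")
    return json.loads(raw).get("SerialNumber") if raw else None


def correlate(alerts, window=timedelta(minutes=2)):
    """Pair each EDR T1091 alert with every DLP alert from the same host and
    user that fires within `window` after it; returns one record per pair."""
    edr = [a for a in alerts if a["source"] == "EDR" and a.get("technique") == "T1091"]
    dlp = [a for a in alerts if a["source"] == "DLP"]
    hits = []
    for e in edr:
        t0 = parse_ts(e["ts"])
        for d in dlp:
            t1 = parse_ts(d["ts"])
            same_ctx = d["host"] == e["host"] and d["user"] == e["user"]
            if same_ctx and t0 <= t1 <= t0 + window:
                hits.append({"edr_id": e["id"], "dlp_id": d["id"],
                             "host": e["host"], "user": e["user"],
                             "delta_s": int((t1 - t0).total_seconds()),
                             "usb_serial": usb_serial(e)})
    return hits
```

The returned `usb_serial` is what a responder would hand to the Device Control blocklist once the device is confirmed malicious.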

SOC Investigation Process

Phase 1: Initial Triage & Containment (11:20-11:35 EST)

Tools: Microsoft Defender for Endpoint, Forcepoint DLP Console, Active Directory

  1. Alert Validation:
    • Verified both alerts in respective consoles
    • Confirmed USB device still connected (EDR telemetry active)
    • Checked user’s clearance level (Top Secret R&D access)
  2. Immediate Containment:
    • Initiated host isolation via MDE (network containment)
    • Disabled user’s AD account and VPN access
    • Blocked USB port via Group Policy emergency push
    • Sent security to physically secure USB device
  3. Initial Assessment:
    • User has legitimate need for encrypted USB (approved for work)
    • But pattern suggests malware + intentional data copy

Phase 2: Forensic Analysis (11:35-13:00 EST)

Tools: Velociraptor, FTK Imager, Autopsy, USBDeview

  1. Memory Forensics:
    • Captured RAM using Velociraptor
    • Found usb_sync.exe process with network connections to 194.165.16[.]89
    • Discovered additional malicious DLL loaded: usb_propagate.dll
  2. Disk Forensics:
    • Created forensic image of host hard drive
    • Extracted USB device artifacts:
      • Registry: HKLM\SYSTEM\MountedDevices
      • Event Logs: Microsoft-Windows-Partition/Diagnostic
      • Prefetch: USB_SYNC.EXE.pf
  3. USB Device Analysis:
    • Device had dual partitions (visible 32GB + hidden 32GB)
    • Hidden partition contained additional malware samples
    • Autorun.inf configured for persistence on new hosts
    • winstore.dat contained encrypted C2 configuration
  4. Malware Analysis:
    • usb_sync.exe: Worm designed to spread via removable media
    • Capabilities:
      • Enumerate and copy to all removable drives
      • Hide in System Volume Information folders
      • Establish persistence via WMI/Scheduled Tasks
      • Exfiltrate data to C2 over HTTPS
    • Attribution: Similar to “Raspberry Robin” worm variants

Phase 3: Data Loss Assessment (13:00-14:00 EST)

Tools: Forcepoint DLP Analyzer, Microsoft Purview, Splunk SIEM

  1. Data Classification Review:
    • Exfiltrated files categorized:
      • Level 1 (Restricted): 15 files
      • Level 2 (Confidential): 42 files
      • Level 3 (Internal): 30 files
    • Total sensitive data: 2.1GB of 2.8GB
  2. Exfiltration Pathway:
    • Files copied from network share to local temp
    • Encrypted via malware’s embedded routine
    • Written to USB hidden partition
    • No network exfiltration detected (offline transfer)
  3. User Behavior Analysis:
    • Checked previous USB usage patterns
    • Reviewed file access logs for past 30 days
    • Found similar copy patterns on 3 previous dates

Phase 4: Threat Hunting & Scope (14:00-15:30 EST)

Tools: Microsoft Defender for Endpoint Advanced Hunting, Tanium, CrowdStrike Falcon

  1. Enterprise USB Event Search (MDE Advanced Hunting, KQL):
       DeviceEvents
       | where ActionType == "UsbDriveMounted"
       | where Timestamp > ago(7d)
       | where DeviceName == "RND-WS-023"
       | project Timestamp, DeviceName, AdditionalFields
  2. Worm Spread Assessment:
    • Searched for usb_sync.exe hash across all endpoints
    • Checked for WMI event subscriptions related to USB
    • Found 2 other R&D workstations with similar artifacts
  3. Network Impact:
    • No lateral movement via network detected
    • C2 IP blocked before successful connection
    • No evidence of data leaving via network channels

Phase 5: Containment & Remediation (15:30-17:00 EST)

Tools: Microsoft Intune, Group Policy, Active Directory, PowerShell

  1. Host Remediation:
    • Booted from clean WinPE environment
    • Removed malware artifacts:
      • Files: usb_sync.exe, usb_propagate.dll
      • Registry: WMI subscriptions, AutoRun entries
      • Scheduled Tasks: 3 malicious tasks
    • Rebuilt host from gold image
  2. USB Device Handling:
    • Forensic image created of entire device
    • Device encrypted and stored as evidence
    • Blocked device serial via Device Control GPO
  3. Data Protection:
    • Revoked user’s access to R&D shares
    • Implemented Just-In-Time access for sensitive data
    • Enhanced DLP policies for removable media
  4. Policy Updates:
    • Updated Device Control Policy: Block all USB storage in R&D
    • Implemented Microsoft Defender Application Control
    • Enabled Windows Defender Exploit Guard for removable media

Jira Incident Report

Ticket: SOC-2024-024
Summary: T1091 – Worm Propagation & Data Exfiltration via USB (R&D Department)
Status: RESOLVED
Resolution: MALICIOUS – Data Exfiltration Attempt
Priority: P1 – CRITICAL
Labels: T1091, removable-media, data-exfiltration, worm, R&D, intellectual-property
Components: Endpoint-Security, Data-Loss-Prevention, Incident-Response


INCIDENT ANALYSIS REPORT

1. Initial Context:

  • Detection Source: Microsoft Defender for Endpoint (EDR) + Forcepoint DLP correlation.
  • Host: RND-WS-023 (Quantum Computing Research Team).
  • User: drajput (Deepak Rajput, Senior Research Scientist).
  • Time: 2024-01-24 11:18 EST (EDR) & 11:20 EST (DLP).
  • Technique: MITRE ATT&CK T1091 – Replication Through Removable Media combined with data exfiltration.

2. Technical Analysis:

  • Malware Vector: Encrypted USB drive (Kingston DataTraveler 2000) infected with worm usb_sync.exe.
  • Infection Chain:
    1. USB inserted → autorun.inf executes usb_sync.exe
    2. Worm copies itself to hidden system folder on USB
    3. Enumerates local files, identifies sensitive data via keywords
    4. Copies 2.8GB of R&D data to USB hidden partition
    5. Establishes WMI persistence for future USB insertions
    6. Attempts C2 call to 194.165.16[.]89 (blocked)
  • Data Exfiltration Details:
    • Source: \\RND-SERVER\Projects\QuantumComputing\
    • Files: 87 files (15 Restricted, 42 Confidential, 30 Internal)
    • Content: Quantum algorithm research, proprietary simulations, CAD designs
    • Method: Offline transfer via USB (no network exfiltration detected)
  • Malware Capabilities:
    • Self-replication to all removable media
    • Data harvesting based on file content and extensions
    • Persistence via WMI Event Subscription
    • Encrypted C2 communication (TLS with custom cert)
  • Campaign Indicators: Similar to “Raspberry Robin” worm with added data theft module. Infrastructure overlaps with APT29 historical campaigns.

3. Investigation Findings:

  • Scope: Isolated to single host (RND-WS-023) and USB device.
  • Lateral Movement: None detected via network. Worm designed for USB-only propagation.
  • User Intent: Investigation ongoing with HR/Legal. Initial logs show automated malware activity, but user had legitimate USB usage history.
  • Data Exposure Risk: HIGH. 2.1GB of sensitive IP now on uncontrolled media. USB device recovered and secured.
  • Forensic Artifacts:
    • Files:
      • usb_sync.exe (SHA256: 8e7f6a5b4c3d2e1f…)
      • usb_propagate.dll (SHA256: a9b8c7d6e5f4a3b2…)
      • E:\$RECYCLE.BIN\.system\winstore.dat
    • Registry:
      • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\USB Sync
      • HKLM\SOFTWARE\Classes\Drive\shell\open\command (autorun)
      • HKLM\SOFTWARE\Microsoft\WMI\EventLog\USB_Insert
    • Network:
      • C2: 194.165.16[.]89:443 (Bulgaria)
      • Domain: sync-update[.]online (registered 7 days ago)

4. Containment Actions:

  • Immediate (11:20-11:35 EST):
    • Host network isolation via MDE Automated Response.
    • User account disabled (Active Directory).
    • USB device physically confiscated by security.
    • Emergency GPO pushed to block all USB storage on R&D VLAN.
  • Forensic (11:35-15:30 EST):
    • Memory and disk images captured for host and USB device.
    • Malware samples submitted to sandbox (ANY.RUN).
    • Complete file system timeline created.
  • Remediation (15:30-17:00 EST):
    • Host re-imaged from clean baseline.
    • USB device cryptographically wiped after evidence preservation.
    • User’s access to sensitive data revoked pending investigation.

5. Indicators of Compromise (IoCs):

Host-based IoCs:
- File: usb_sync.exe (SHA256: 8e7f6a5b4c3d2e1f...)
- File: usb_propagate.dll (SHA256: a9b8c7d6e5f4a3b2...)
- Registry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\USB Sync
- Process: usb_sync.exe /autorun /silent /propagate

Device IoCs:
- USB Serial: 001CC0EC3466B881A43903C3
- Volume Name: BACKUP_DRIVE
- Hidden Partition: Offset 32256, Size 32GB

Network IoCs:
- IP: 194.165.16[.]89:443
- Domain: sync-update[.]online
- User Agent: USB-Sync/2.1 (WinNT 10.0)

6. Root Cause Analysis:

  • Primary Cause: Compromised USB device introduced to secure environment. Device likely infected from external source (home computer, conference, etc.).
  • Contributing Factors:
    1. Policy Gap: Encrypted USBs allowed without device health check requirement.
    2. Technical Control: No application control for executables from removable media.
    3. Monitoring Gap: DLP alert triggered after data copied, not during enumeration phase.
    4. User Training: Insufficient awareness of USB-based malware risks.
  • Attack Path Reconstruction:
    External USB infection → Internal insertion → Worm execution → Data enumeration → Copy to hidden partition → Persistence establishment → Attempted C2 (blocked)

7. Business Impact:

  • Confidentiality: HIGH – Sensitive R&D data on uncontrolled media.
  • Integrity: LOW – No modification of source data.
  • Availability: LOW – Single workstation affected.
  • Reputational: MEDIUM – Potential IP loss in competitive research field.
  • Regulatory: MEDIUM – May violate data protection clauses in research contracts.

8. Remediation & Prevention:

Completed Actions:

  • Host cleaned and returned to service with enhanced monitoring.
  • USB device secured as evidence, cryptographically wiped.
  • All IOCs distributed to security stack (EDR, firewall, DNS, email).
  • User re-trained on removable media policies.

Technical Controls Enhanced:

  • Microsoft Defender Application Control deployed for R&D endpoints (block all removable media executables).
  • Device Control GPO updated: Block all USB storage devices in R&D department.
  • DLP policies enhanced: Real-time monitoring for large data transfers to removable media.
  • Windows Defender Exploit Guard configured for USB attack surface reduction.

Process Improvements:

  • Implemented USB device check-in/check-out process for R&D.
  • Created incident response playbook for T1091 incidents.
  • Scheduled weekly scans for unauthorized USB devices via Tanium.

9. Lessons Learned:

  • Detection Gap: Need earlier detection of worm behavior (file enumeration phase).
  • Prevention Gap: Application control should have blocked usb_sync.exe execution.
  • Response Gap: DLP and EDR teams need tighter integration for correlated alerts.

10. Resolution Verification:

  • Technical:
    • MDE shows host clean (no malicious processes).
    • DLP shows no further exfiltration attempts.
    • Network monitoring confirms no C2 communication.
    • USB device serial added to global blocklist.
  • Process:
    • User undergoing security re-certification.
    • R&D department briefed on new USB policies.
    • Legal/HR investigation ongoing for policy violations.

11. Conclusion:

This incident involved a sophisticated worm (usb_sync.exe) propagating via removable media while harvesting sensitive R&D data. The correlation of EDR (T1091 detection) and DLP (data exfiltration) alerts enabled rapid response. While significant data was copied to the USB device, containment prevented network propagation and the device was recovered before leaving the premises.

Closure Rationale: All malicious artifacts eradicated, technical controls enhanced to prevent recurrence, affected systems secured, and monitoring improved. USB device secured as evidence and data exposure contained.

Follow-up Actions:

  1. Legal review of data exposure implications (ETA: 1 week)
  2. Department-wide security training on removable media risks (ETA: 2 weeks)
  3. Purple team exercise simulating T1091 attack (ETA: 1 month)

Analyst: [Walter White], Senior SOC Analyst – Data Protection Team
Date: 2024-01-24 18:00 EST
