T1074 – Data Staged (Sysmon Detection)

Sysmon Alert Details
Alert ID: SYSMON-DATA-STAGED-1074-7842
Alert Time: 2024-02-28 14:15:33 EST
Severity: HIGH (85/100)
Source: Sysmon (Event ID 11 – FileCreate)
Rule: “Mass File Copy to Staging Directory”
MITRE ATT&CK: T1074.001 – Data Staged: Local Data Staging

Alert Details:

Detection: Large number of files copied to a staging directory

Host: ENG-WS-045 (Engineering Workstation)
User: alexchen@company.com (Alex Chen, Engineer)
Time: 14:00-14:15 EST

File Creation Events (Event ID 11):

14:00-14:15: 1,247 files created in C:\temp\staging\
File types: .docx, .xlsx, .pdf, .py, .ipynb, .kdbx
Total size: 2.8 GB
Source paths:
C:\Users\alexchen\Documents\ProjectX\*.*
C:\Users\alexchen\Desktop\*.*
C:\Users\alexchen\Downloads\*.*
\\filesrv\r&d\projects\*.*

Process Details:

Process: cmd.exe (PID: 4789)
Parent: explorer.exe
Command: for /r C:\Users\alexchen %i in (*.docx *.xlsx *.pdf *.py *.ipynb) do copy %i C:\temp\staging\

Additional Events:

Event ID 1 (Process Creation): cmd.exe with for loop command
Event ID 13 (Registry): No relevant registry changes

Detection Logic:

1,247 files copied to staging directory in 15 minutes (highly anomalous)
Source includes local files and network shares
Staging directory created specifically for this activity
Pattern matches data staging before exfiltration
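The detection logic above, as an added Python example that is not part of the original report: it groups Sysmon Event ID 11 records by host, process and target directory, finds the densest 15-minute span for each group, and alerts when that span holds at least 200 file creations. The 200-file threshold, the reduced field set and the sample events are constructed assumptions, not values taken from the alert.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Threshold and window are assumptions for this example, not values from the report.
WINDOW = timedelta(minutes=15)
THRESHOLD = 200  # FileCreate events per (host, pid, directory) inside WINDOW
SENSITIVE_EXT = {".docx", ".xlsx", ".pdf", ".py", ".ipynb", ".kdbx"}
TS = "%Y-%m-%d %H:%M:%S"

def detect_staging(events, window=WINDOW, threshold=THRESHOLD):
    """Group Sysmon Event ID 11 dicts by (Computer, ProcessId, target directory) and
    alert on each group whose densest `window`-long span has >= `threshold` creations."""
    groups = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 11:  # only FileCreate records matter here
            continue
        key = (ev["Computer"], ev["ProcessId"], ntpath.dirname(ev["TargetFilename"]).lower())
        groups[key].append((datetime.strptime(ev["UtcTime"], TS),
                            ntpath.splitext(ev["TargetFilename"])[1].lower()))
    alerts = []
    for (host, pid, directory), recs in groups.items():
        recs.sort()
        best, start = (0, 0, 0), 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:  # slide the left edge
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        count, s, e = best
        if count >= threshold:
            exts = {x for _, x in recs[s:e + 1]}
            alerts.append({"host": host, "pid": pid, "directory": directory, "count": count,
                           "first": recs[s][0], "last": recs[e][0],
                           "sensitive_types": sorted(exts & SENSITIVE_EXT)})
    return alerts

def sample_events():
    """Constructed records modelled on the alert: cmd.exe PID 4789 creating 300 files
    in C:\\temp\\staging\\ across 15 minutes, plus a few benign explorer.exe saves."""
    base = datetime(2024, 2, 28, 19, 0, 0)  # 14:00 EST written as UTC, as Sysmon logs it
    exts = [".docx", ".xlsx", ".pdf", ".py", ".ipynb"]
    evs = [{"EventID": 11, "Computer": "ENG-WS-045", "ProcessId": 4789,
            "UtcTime": (base + timedelta(seconds=3 * i)).strftime(TS),
            "TargetFilename": f"C:\\temp\\staging\\file{i}{exts[i % 5]}"} for i in range(300)]
    evs += [{"EventID": 11, "Computer": "ENG-WS-045", "ProcessId": 2212,
             "UtcTime": (base + timedelta(minutes=i)).strftime(TS),
             "TargetFilename": f"C:\\Users\\alexchen\\Documents\\notes{i}.docx"} for i in range(5)]
    return evs
```

Calling detect_staging(sample_events()) yields a single alert for cmd.exe PID 4789 and nothing for the explorer.exe saves; lowering the threshold or shortening the window tunes sensitivity for quieter hosts.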

SOC Investigation Process

| Step | Action | Tools Used | Findings |
| --- | --- | --- | --- |
| 1. Alert Validation | Verify Sysmon events | Splunk, Sysmon Logs | Confirmed mass file staging |
| 2. Process Investigation | Identify cmd.exe activity | CrowdStrike Falcon | For loop copying files to staging |
| 3. User Interview | Contact alexchen | Teams, Phone | User did NOT run this command (account compromised) |
| 4. Immediate Action | Isolate host | CrowdStrike | ENG-WS-045 quarantined |
| 5. File Deletion | Delete staging folder and contents | CrowdStrike Live Response | 1,247 files (2.8 GB) deleted |
| 6. Account Remediation | Disable alexchen account | Azure AD, AD | Account disabled; password reset |

Jira Incident Report
Ticket: SOC-2024-142
Summary: T1074 – Data Staged for Exfiltration on Engineering Workstation
Status: RESOLVED
Resolution: MALICIOUS – Staged Data Deleted
Priority: P2 – MEDIUM
Labels: T1074, data-staged, staging, sysmon, compromised-account
Components: Endpoint-Security, Data-Protection

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Sysmon Event ID 11 (FileCreate).
Alert: “Mass File Copy to Staging Directory”.
Host: ENG-WS-045 (Engineering Department, user alexchen).
Staging Directory: C:\temp\staging.
Files: 1,247 files (2.8 GB) staged.
Time: 2024-02-28 14:15 EST.
Technique: MITRE ATT&CK T1074.001 – Data Staged: Local Data Staging.

2. Technical Analysis:

Attack Chain:

13:30 – alexchen account compromised via phishing
13:45 – Attacker logs into ENG-WS-045 via RDP
13:55 – Attacker creates staging directory
14:00-14:15 – Attacker copies files to staging
14:15 – Sysmon detects

Staged Files:

ProjectX Documents: 456 files (engineering specs)
Desktop Files: 234 files (various)
Downloads: 123 files (various)
Network Share (R&D): 434 files (source code, IP)
KeePass Database: 1 file (password vault)
Total: 1,247 files, 2.8 GB

Attacker Intent:

Stage data for later exfiltration
Possibly compress and exfiltrate via FTP/HTTP
No exfiltration yet (detected before data left the host)

User Status:

Account compromised; user unaware

3. Investigation Findings:

Timeline:

13:30 – Account compromised
13:45 – Attacker logs in
13:55-14:15 – Data staging
14:15 – Sysmon alert
14:17 – SOC investigates
14:18 – Host isolated
14:19 – Staged files deleted

Indicators of Compromise (IoCs):

Files:

– C:\temp\staging\ (1,247 files, 2.8 GB)

Commands:

– for /r C:\Users\alexchen %i in (*.docx *.xlsx *.pdf *.py *.ipynb) do copy %i C:\temp\staging\

Account:

– alexchen (compromised)

4. Containment Actions:

Immediate Actions:

Isolated ENG-WS-045 via CrowdStrike.
Deleted staging folder and all files.
Disabled alexchen account.
Reset password.

Data Protection:

Staged data contained sensitive IP.
No exfiltration occurred.

Host Remediation:

Full scan (clean).
Reimaged as precaution.

5. Root Cause Analysis:

Primary Cause: User account compromised, allowing attacker to stage data.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
No monitoring for bulk file copies.

6. Business Impact:

Operational Impact: Engineering user offline for 2 hours.
Data Exposure: 2.8 GB of IP staged but not exfiltrated.

7. Remediation & Prevention:

Completed Actions:

Staged data deleted.
Account secured.
Host cleaned.

Technical Controls Enhanced:

Enforced MFA for all users.
Moved RDP behind VPN only.
Implemented DLP for bulk file operations.
Enhanced Sysmon monitoring for staging directories.

8. Conclusion:

An attacker compromised an engineering user’s account and staged 2.8 GB of intellectual property for exfiltration. Sysmon detected the mass file copy activity and enabled rapid deletion before any data left the host.

Closure Rationale: Staged data deleted; account secured; host cleaned.

Analyst: [Your Name], SOC Analyst
Date: 2024-02-28 15:30 EST