Splunk Alert Details
Alert ID: SPLUNK-SHARE-DISCOVERY-1135-7842
Alert Time: 2024-02-24 16:30:45 EST
Severity: MEDIUM (68/100)
Source: Splunk Enterprise Security
Rule: "Multiple Network Share Enumeration Attempts"
MITRE ATT&CK: T1135 – Network Share Discovery
Alert Details:
Correlated Events:
Windows Event ID 5140 (Network Share Object Accessed):
Time: 16:15-16:30 EST
Source Host: HR-WS-023 (HR Workstation)
User: kwilson@company.com (HR Generalist)
Target: \\filesrv\ (multiple shares)
Events: 47 share access attempts
Shares Accessed:
\\filesrv\finance – accessed (unusual for HR)
\\filesrv\it – accessed
\\filesrv\executive – accessed
\\filesrv\r&d – accessed
\\filesrv\legal – accessed
\\filesrv\hr – accessed (normal)
\\filesrv\shared – accessed
\\filesrv\backups – accessed
Process Creation (Event ID 4688):
Time: 16:14 EST
Process: cmd.exe
Command: net view \\filesrv /all
Command: dir \\filesrv\*.* /s
Event ID 5145 (Share Access):
Time: 16:15-16:30
Detailed access to subfolders within shares
Detection Logic:
User kwilson (HR) accessing finance, IT, R&D shares (anomalous)
47 share access events in 15 minutes (high volume)
net view command executed (share discovery tool)
Pattern matches lateral movement reconnaissance
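The three conditions listed under Detection Logic, implemented as an added Python example (this is not the Splunk correlation rule and not code from the report) and run over constructed sample events that mirror the alert: 47 Event ID 5140 share accesses from kwilson on HR-WS-023 between 16:15 and 16:30, plus the two Event ID 4688 process creations. The department-to-share baseline, the volume threshold of 30 events per 15 minutes, the list of discovery command names and the event field names are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Hypothetical baseline of shares each department normally touches.
# In a real deployment this would be a lookup maintained from historical 5140 data.
DEPARTMENT_SHARE_BASELINE = {
    "HR": {"\\\\filesrv\\hr", "\\\\filesrv\\shared"},
    "Finance": {"\\\\filesrv\\finance", "\\\\filesrv\\shared"},
}

VOLUME_THRESHOLD = 30                     # assumed: 5140 events per window that count as "high volume"
WINDOW = timedelta(minutes=15)
DISCOVERY_COMMANDS = ("net view", "net share", "get-smbshare")  # assumed share-discovery tooling


def unc(share_name):
    """Build a UNC path on the file server used in the alert."""
    return "\\\\filesrv\\" + share_name


def build_sample_events():
    """Constructed sample: 47 share accesses (EID 5140) spread over ~15 minutes,
    cycling through the eight shares named in the alert, plus two process creations (EID 4688)."""
    shares = ["finance", "it", "executive", "r&d", "legal", "hr", "shared", "backups"]
    start = datetime(2024, 2, 24, 16, 15)
    events = [
        {"event_id": 5140, "time": start + timedelta(seconds=i * 19),
         "host": "HR-WS-023", "user": "kwilson", "share": unc(shares[i % len(shares)])}
        for i in range(47)
    ]
    events += [
        {"event_id": 4688, "time": datetime(2024, 2, 24, 16, 14, 0), "host": "HR-WS-023",
         "user": "kwilson", "command": "net view \\\\filesrv /all"},
        {"event_id": 4688, "time": datetime(2024, 2, 24, 16, 14, 5), "host": "HR-WS-023",
         "user": "kwilson", "command": "dir \\\\filesrv\\*.* /s"},
    ]
    return events


def build_benign_events():
    """Constructed sample of ordinary HR activity: a handful of accesses to the HR share."""
    start = datetime(2024, 2, 24, 9, 0)
    return [
        {"event_id": 5140, "time": start + timedelta(minutes=10 * i),
         "host": "HR-WS-023", "user": "kwilson", "share": unc("hr")}
        for i in range(5)
    ]


def anomalous_shares(events, department):
    """Rule 1: shares accessed that are outside the department's baseline."""
    allowed = DEPARTMENT_SHARE_BASELINE.get(department, set())
    seen = {e["share"] for e in events if e["event_id"] == 5140}
    return sorted(seen - allowed)


def peak_volume(events, window=WINDOW):
    """Rule 2: the largest number of 5140 events falling inside any sliding window."""
    times = sorted(e["time"] for e in events if e["event_id"] == 5140)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def discovery_commands(events):
    """Rule 3: process creations whose command line starts with a known share-discovery tool."""
    return [e["command"] for e in events
            if e["event_id"] == 4688
            and any(e["command"].lower().startswith(c) for c in DISCOVERY_COMMANDS)]


def evaluate(events, department):
    """Combine the three rules and return (should_alert, human-readable findings)."""
    findings = []
    odd = anomalous_shares(events, department)
    if odd:
        findings.append(f"anomalous shares for {department}: {', '.join(odd)}")
    vol = peak_volume(events)
    if vol >= VOLUME_THRESHOLD:
        findings.append(f"high volume: {vol} share accesses within {WINDOW.seconds // 60} minutes")
    cmds = discovery_commands(events)
    if cmds:
        findings.append(f"share discovery command executed: {cmds[0]}")
    # Alert only when the out-of-department access is corroborated by volume or tooling,
    # so a single misdirected click on a wrong share does not page the SOC on its own.
    should_alert = bool(odd) and (vol >= VOLUME_THRESHOLD or bool(cmds))
    return should_alert, findings


if __name__ == "__main__":
    for label, evs in (("alert sample", build_sample_events()), ("benign sample", build_benign_events())):
        fired, notes = evaluate(evs, "HR")
        print(label, "->", "ALERT" if fired else "no alert", notes)
```

The `dir` command is deliberately not treated as a discovery tool by rule 3: it appears on almost every workstation, whereas `net view` against a server is rare for a non-IT user. Tuning the department baseline is the part that needs the most care; a baseline that is too narrow turns legitimate cross-team work into alerts, which is why the combined condition requires corroboration from volume or tooling.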
SOC Investigation Process
Step                     | Action                        | Tools Used          | Findings
-------------------------|-------------------------------|---------------------|--------------------------------------------
1. Alert Validation      | Verify Splunk correlation     | Splunk ES           | Confirmed network share discovery
2. Process Investigation | Identify process on HR-WS-023 | CrowdStrike Falcon  | Found PowerShell script enumerating shares
3. User Interview        | Contact kwilson               | Teams, Phone        | User did NOT perform this activity
4. Immediate Action      | Isolate host                  | CrowdStrike         | HR-WS-023 quarantined
5. Account Remediation   | Disable kwilson account       | Azure AD, AD        | Account disabled
6. Threat Hunting        | Check for similar activity    | Splunk, CrowdStrike | No other hosts affected
Jira Incident Report
Ticket: SOC-2024-124
Summary: T1135 – Network Share Discovery from HR Workstation
Status: RESOLVED
Resolution: MALICIOUS – Account Compromised
Priority: P2 – MEDIUM
Labels: T1135, share-discovery, network-shares, splunk, compromised-account
Components: Data-Security, Identity-Management
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Splunk Enterprise Security.
Alert: “Multiple Network Share Enumeration Attempts”.
Source Host: HR-WS-023 (HR Department).
User: kwilson@company.com (HR Generalist).
Time: 2024-02-24 16:30 EST.
Technique: MITRE ATT&CK T1135 – Network Share Discovery.
2. Technical Analysis:
Attack Chain:
15:45 – kwilson account credentials compromised (phishing)
15:50 – Attacker logs into HR-WS-023 via RDP
16:00 – Attacker runs PowerShell script for share discovery
16:05-16:30 – Script enumerates all network shares
16:30 – Splunk detects anomaly
Script Analysis:
File: C:\Users\kwilson\AppData\Local\Temp\enum.ps1
Content:
$shares = net view \\filesrv /all
foreach ($share in $shares) {
$path = "\\filesrv\" + $share
dir $path -Recurse -ErrorAction SilentlyContinue
$path >> C:\temp\share_contents.txt
}
Purpose: Enumerate all shares and list their contents
Shares Discovered:
Finance: 1,247 files (financial reports, budgets)
IT: 3,456 files (network diagrams, passwords, configs)
Executive: 234 files (board minutes, strategy docs)
R&D: 5,678 files (source code, designs)
Legal: 892 files (contracts, IP documents)
HR: 1,234 files (employee records, salaries)
Backups: 12,345 files (full system backups)
Attacker Actions After Discovery:
Created inventory file (C:\temp\share_contents.txt)
No exfiltration yet (activity was detected before any data left the network)
Preparing for data theft
3. Investigation Findings:
Timeline:
15:45 – Credentials compromised
15:50 – RDP access
16:00-16:30 – Share enumeration
16:30 – Splunk alert
16:32 – SOC investigates
16:35 – Host isolated
16:36 – Account disabled
Indicators of Compromise (IoCs):
Files:
– C:\Users\kwilson\AppData\Local\Temp\enum.ps1
– C:\temp\share_contents.txt
Account:
– kwilson (compromised)
Network:
– Attacker RDP IP: 185.143.221[.]89
4. Containment Actions:
Immediate Actions:
Isolated HR-WS-023 via CrowdStrike.
Disabled kwilson account.
Terminated RDP session.
Deleted enum.ps1 and share_contents.txt.
Data Protection:
Reviewed sensitive files discovered.
No exfiltration detected (DLP logs).
Rotated any exposed credentials.
User Remediation:
kwilson password reset.
MFA enforced.
5. Root Cause Analysis:
Primary Cause: User credentials compromised via phishing.
Contributing Factors:
No MFA on HR account.
RDP allowed from internet.
HR account had broad access to network shares (over-privileged).
6. Business Impact:
Operational Impact: HR user offline for 2 hours.
Data Exposure: Full share inventory created but not exfiltrated.
7. Remediation & Prevention:
Completed Actions:
Account secured.
Host cleaned.
Share inventory deleted.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Restricted share permissions (least privilege).
Enhanced monitoring for share enumeration.
8. Conclusion:
An attacker compromised an HR user’s account and performed comprehensive network share discovery, creating an inventory of sensitive files across multiple departments. Splunk detected the anomalous access pattern before exfiltration could occur.
Closure Rationale: Account secured; enumeration stopped; data contained.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-24 17:30 EST