T1552 – Unsecured Credentials (Varonis Detection)

Varonis Alert Details
Alert ID: VARONIS-CREDS-1552-7842
Alert Time: 2024-02-22 09:30:15 EST
Severity: HIGH (88/100)
Source: Varonis Data Security Platform
Rule: “Sensitive Keywords Found in File – Potential Password Exposure”
MITRE ATT&CK: T1552.001 – Unsecured Credentials: Credentials in Files

Alert Details:

Detection: File containing plaintext credentials discovered on file share

File Details:

Path: \\filesrv\shared\IT\backup_scripts\sql_backup.ps1
Owner: jsmith (IT Administrator)
Last Modified: 2024-02-21 22:15 EST
File Size: 4.2 KB
Sensitivity Score: 95/100 (Critical)

File Content (excerpt):

# SQL Backup Script
$sqlServer = "SQL-PROD-01"
$database = "FinanceDB"
$username = "sa"
$password = "P@ssw0rd123!"   # CRITICAL: Plaintext password
$backupPath = "\\backupsrv\sql\finance.bak"

# Domain Admin credentials for backup service
$domainAdmin = "corp\svc_backup"
$domainPass = "Backup2024!"   # CRITICAL: Domain account password

# Connect and run backup
Invoke-SqlBackup -Server $sqlServer -Database $database -Username $username -Password $password -Path $backupPath

Additional Findings:

File accessible to “Domain Users” group (2,500+ users)
File accessed by 3 users in last 24 hours (potentially compromised)
Contains credentials for:
  – SQL SA account (full database admin)
  – Domain service account (svc_backup) with backup privileges
No encryption or secure storage used

Detection Logic:

File contains the keywords “password”, “pwd” or “pass” followed by a plaintext value
File on open share (excessive permissions)
Contains privileged account credentials
Pattern matches credential harvesting target
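
The detection logic above, approximated as a share scanner a defender could run themselves; this is an added example, not Varonis' rule. The share root, file extensions and the privileged-account list are assumptions, and the scan reports where a credential sits without echoing its value.

```powershell
# Added example: scan script files on a share for plaintext credential assignments
# and rate each hit by the two aggravating factors named in the alert:
# broad share permissions and a privileged account in the same file.
function Find-PlaintextCredentials {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Root,
        [string[]] $Extensions = @('*.ps1', '*.bat', '*.cmd', '*.sql', '*.config'),   # assumed
        [string[]] $PrivilegedAccounts = @('sa', 'svc_backup', 'administrator')       # assumed
    )
    # A name containing password/pwd/pass/secret assigned a quoted literal, e.g. $password = "P@ss..."
    $credPattern = '(?i)(\$?\w*(password|passwd|pwd|pass|secret)\w*)\s*[=:]\s*["''](?<secret>[^"'']{6,})["'']'
    # Values that reference a variable or are obvious placeholders are not findings.
    $ignore = '(?i)^(\$|\{|<|changeme|placeholder|xxx)'
    # A user/login/account assignment naming a known privileged principal anywhere in the file.
    $privPattern = '(?i)(user|login|account|admin)\w*\s*=\s*["''][^"'']*\b(' + ($PrivilegedAccounts -join '|') + ')\b'

    Get-ChildItem -Path $Root -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_
        # "Open share": any Allow ACE for a broad built-in group on the file itself.
        $broadAces = (Get-Acl -Path $file.FullName).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -match 'Domain Users|Everyone|Authenticated Users'
        }
        $privileged = (Get-Content -Path $file.FullName -Raw) -match $privPattern
        foreach ($hit in (Select-String -Path $file.FullName -Pattern $credPattern -AllMatches)) {
          foreach ($m in $hit.Matches) {
            if ($m.Groups['secret'].Value -match $ignore) { continue }
            $severity = 'LOW'
            if ($broadAces -or $privileged) { $severity = 'MEDIUM' }
            if ($broadAces -and $privileged) { $severity = 'HIGH' }
            # Report the variable name and location only; never write the secret to logs.
            [pscustomobject]@{
                Path       = $file.FullName
                Line       = $hit.LineNumber
                Variable   = $m.Groups[1].Value
                OpenShare  = [bool]$broadAces
                Privileged = $privileged
                Severity   = $severity
            }
          }
        }
      }
}

# Run against the share named in the alert (path assumed reachable from the scanning host).
Find-PlaintextCredentials -Root '\\filesrv\shared\IT' | Sort-Object Severity -Descending | Format-Table -AutoSize
```

Against the excerpt in this report the scan would return two HIGH findings, one for $password and one for $domainPass, since both $username = "sa" and the svc_backup account appear in the same file on a share open to Domain Users.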

SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Varonis findings | Varonis Console | Confirmed plaintext credentials in PowerShell script |
| 2. File Remediation | Remove/move file to secure location | File Server Admin | File moved to secure IT share; permissions restricted |
| 3. Credential Rotation | Reset exposed passwords | Azure AD, SQL Admin | SQL SA password rotated; svc_backup password reset |
| 4. Access Investigation | Identify users who accessed file | Varonis, File Server Logs | 3 users accessed file; all investigated |
| 5. User Notification | Notify file owner (jsmith) | Email, Teams | jsmith counseled on secure credential storage |
| 6. Policy Update | Update secure coding guidelines | Documentation, Training | New policy: No plaintext credentials in scripts |

Jira Incident Report
Ticket: SOC-2024-111
Summary: T1552 – Plaintext Credentials Found in PowerShell Script on File Share
Status: RESOLVED
Resolution: INFORMATION EXPOSURE – Remediated
Priority: P2 – MEDIUM
Labels: T1552, unsecured-credentials, plaintext-passwords, varonis, file-share
Components: Data-Security, Identity-Management

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Varonis Data Security Platform.
Alert: “Sensitive Keywords Found in File – Potential Password Exposure”.
File: \\filesrv\shared\IT\backup_scripts\sql_backup.ps1.
Owner: jsmith (IT Administrator).
Time: 2024-02-22 09:30 EST.
Technique: MITRE ATT&CK T1552.001 – Unsecured Credentials: Credentials in Files.

2. Technical Analysis:

Exposure Details:

File Type: PowerShell backup script
Location: Open file share accessible to all domain users (2,500+)
Contents: Two plaintext passwords:
  – SQL SA account: P@ssw0rd123! (full database admin)
  – Domain service account: Backup2024! (backup privileges)

Access History:

File accessed by 3 users in last 24 hours:
  – jsmith (owner) – legitimate
  – bturner (finance) – accessed 3 times (investigating)
  – rpatel (engineering) – accessed 2 times (investigating)
No evidence of data exfiltration (DLP logs clean)

Risk Assessment:

SQL SA account: Full access to all databases (customer data, financials)
svc_backup account: Can back up all domain data (including NTDS.dit)
Combined exposure: Potential for complete domain compromise

File Owner Response:

jsmith created script for legitimate backup automation
Used plaintext for convenience (violates policy)
Unaware of file share permissions

3. Investigation Findings:

Timeline:

02-21 22:15 – Script created/modified
02-22 09:30 – Varonis alert
09:32 – SOC investigates
09:35 – File secured
09:40 – Passwords rotated

Indicators of Compromise (IoCs):

File:
– \\filesrv\shared\IT\backup_scripts\sql_backup.ps1 (now secured)

Credentials:
– SQL SA: P@ssw0rd123! (rotated)
– svc_backup: Backup2024! (rotated)

Access:
– bturner (under investigation)
– rpatel (under investigation)

4. Containment Actions:

Immediate Actions:

Moved file to restricted IT share (IT admins only).
Removed access for Domain Users group.
Reset SQL SA password.
Reset svc_backup password.

User Investigation:

Interviewed bturner and rpatel.
Both accessed file accidentally while browsing shares.
No malicious intent; no data exfiltration.
Educated on security awareness.

Script Remediation:

Removed plaintext passwords from script.
Implemented secure credential storage (Windows Credential Manager).
Updated backup process.
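
An added illustration of what the remediated pattern can look like; this is not the page's actual rewritten script, which is not shown. It substitutes DPAPI-protected storage via Export-Clixml for the Credential Manager approach the report names, and it assumes the job runs as a scheduled task under svc_backup, that the SqlServer module (Backup-SqlDatabase) is installed, and a hypothetical store path under ProgramData.

```powershell
# Added example: no plaintext password in the script. The SQL login is enrolled once,
# DPAPI-protected to the enrolling Windows account on this machine, and the domain
# password disappears entirely because the task already runs as svc_backup.
$credStore = Join-Path $env:ProgramData 'BackupJobs\sql-finance.cred.xml'   # hypothetical path

function Protect-BackupCredential {
    # One-time enrollment, run interactively as the same account the task runs under.
    # Export-Clixml encrypts the SecureString with the current user's DPAPI key, so the
    # file is unreadable to any other user or on any other machine.
    param([string] $Path = $credStore)
    $cred = Get-Credential -Message 'SQL backup login (prefer a dedicated backup login over sa)'
    New-Item -ItemType Directory -Force -Path (Split-Path $Path) | Out-Null
    $cred | Export-Clixml -Path $Path

    # Defence in depth: drop inherited ACEs so only the enrolling account can read the file.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Invoke-FinanceBackup {
    # Scheduled job body: Import-Clixml throws for any other user or machine,
    # which is the failure mode you want if the file is ever copied off the host.
    param([string] $Path = $credStore)
    $cred = Import-Clixml -Path $Path
    Backup-SqlDatabase -ServerInstance 'SQL-PROD-01' -Database 'FinanceDB' `
        -BackupFile '\\backupsrv\sql\finance.bak' -Credential $cred
}
```

A scanner keyed on "password" followed by a literal finds nothing in this version, which is the property the new policy is meant to enforce.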

5. Root Cause Analysis:

Primary Cause: IT admin stored plaintext credentials in script on open share.
Contributing Factors:
No secure credential storage policy.
File share permissions overly permissive.
No scanning for exposed credentials (until Varonis).

6. Business Impact:

Operational Impact: None (credentials rotated before misuse).
Data Exposure: Potential for credential theft; none confirmed.
Reputational Impact: Internal only.

7. Remediation & Prevention:

Completed Actions:

File secured.
Passwords rotated.
Users educated.

Technical Controls Enhanced:

Deployed Varonis scanning for all file shares.
Implemented secure credential storage policy.
Restricted file share permissions to least privilege.
Created automated alert for any file containing “password” followed by a plaintext value.

8. Conclusion:

An IT administrator stored plaintext credentials for privileged accounts in a PowerShell script on an open file share. Varonis detected the exposure before any compromise occurred. Credentials were rotated, and the file was secured.

Closure Rationale: File secured; credentials rotated; policy updated.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-22 10:30 EST
