T1565 – Data Manipulation (Varonis Detection)

Varonis Alert Details
Alert ID: VARONIS-DATA-MANIP-1565-7842
Alert Time: 2024-03-04 10:30:22 EST
Severity: CRITICAL (95/100)
Source: Varonis Data Security Platform
Rule: “Mass File Modification – Potential Data Manipulation”
MITRE ATT&CK: T1565.001 – Data Manipulation: Stored Data Manipulation

Alert Details:

Detection: Large number of files modified with data changes (not metadata)

User: kwilson@company.com (Karen Wilson, Finance Manager)
Host: FIN-WS-112
Time: 10:15-10:30 EST

File Modification Events:

10:15-10:30: 847 files modified
File types: .xlsx, .csv, .txt, .pdf
Locations:
\\filesrv\finance\reports\ – 345 files
\\filesrv\finance\budgets\ – 234 files
\\filesrv\finance\forecasts\ – 156 files
\\filesrv\shared\finance\ – 112 files

Data Change Analysis:

Financial numbers altered (random values inserted)
Decimal points moved (e.g., 1,234.56 → 12,345.6)
Some files completely overwritten with garbage
PDF documents corrupted (cannot open)

Sample Change (from Varonis content analysis):

Original: “Q1 Revenue: $1,234,567”

Modified: “Q1 Revenue: $9,876,543”

Detection Logic:

847 files modified in 15 minutes (highly anomalous)
Changes are to data content (not metadata)
Financial data targeted (critical)
User kwilson has no legitimate reason for mass changes
Pattern matches data manipulation/sabotage
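The detection logic above (many content changes, not metadata changes, by one user on finance shares inside a 15-minute window) as an added, runnable example. This is not Varonis's rule or the page's own code; the audit-record format, the share list, the threshold of 100 and the constructed events are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds and share list are assumptions for this example, not Varonis defaults.
WINDOW = timedelta(minutes=15)
THRESHOLD = 100  # content-modifying events per user within WINDOW
CRITICAL_SHARES = ("\\\\filesrv\\finance\\", "\\\\filesrv\\shared\\finance\\")
CONTENT_OPS = {"WRITE_CONTENT"}  # metadata ops (attributes, ACLs, renames) are ignored

def parse_event(line):
    """Parse a constructed 'timestamp|user|host|op|path' audit record."""
    ts, user, host, op, path = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "user": user, "host": host, "op": op, "path": path}

def detect_mass_modification(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of content changes per user on critical shares.
    Fires once per user when the count inside `window` reaches `threshold`."""
    recent, alerts, fired = defaultdict(deque), [], set()
    shares = tuple(s.lower() for s in CRITICAL_SHARES)
    for line in lines:
        ev = parse_event(line)
        if ev["op"] not in CONTENT_OPS or not ev["path"].lower().startswith(shares):
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold and ev["user"] not in fired:
            fired.add(ev["user"])
            alerts.append({"user": ev["user"], "host": ev["host"],
                           "at": ev["ts"], "count": len(q)})
    return alerts

def constructed_events():
    """Synthetic audit log: a normal user's few edits, then 847 content writes and
    300 attribute-only changes from the compromised account inside 15 minutes."""
    base = datetime(2024, 3, 4, 10, 15)
    lines = [f"{(base + timedelta(minutes=i)).isoformat()}|jdoe@company.com|FIN-WS-101|"
             f"WRITE_CONTENT|\\\\filesrv\\finance\\reports\\q1_{i}.xlsx" for i in range(5)]
    for i in range(847):
        ts = (base + timedelta(seconds=i * 900 // 847)).isoformat()
        lines.append(f"{ts}|kwilson@company.com|FIN-WS-112|WRITE_CONTENT|"
                     f"\\\\filesrv\\finance\\budgets\\file_{i}.csv")
    for i in range(300):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts}|kwilson@company.com|FIN-WS-112|SET_ATTRIBUTES|"
                     f"\\\\filesrv\\finance\\budgets\\file_{i}.csv")
    return sorted(lines)  # ISO timestamps sort lexically within one day

if __name__ == "__main__":
    for a in detect_mass_modification(constructed_events()):
        print(f"ALERT {a['user']} on {a['host']} at {a['at']}: {a['count']} content changes")
```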
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Varonis alert | Varonis Console | Confirmed mass file manipulation |
| 2. Process Investigation | Identify process modifying files | CrowdStrike Falcon | PowerShell script data_corrupt.ps1 |
| 3. User Interview | Contact kwilson | Teams, Phone | User did NOT run script (account compromised) |
| 4. Immediate Action | Isolate host | CrowdStrike | FIN-WS-112 quarantined |
| 5. Data Restoration | Restore modified files from backup | Veeam Backup | All 847 files restored |
| 6. Account Remediation | Disable kwilson account | Azure AD, AD | Account disabled; password reset |

Jira Incident Report
Ticket: SOC-2024-170
Summary: T1565 – Data Manipulation of 847 Financial Files
Status: RESOLVED
Resolution: MALICIOUS – Files Corrupted, Restored from Backups
Priority: P1 – CRITICAL
Labels: T1565, data-manipulation, financial-data, varonis, compromised-account
Components: Data-Security, Backup-Recovery

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Varonis Data Security Platform.
Alert: “Mass File Modification – Potential Data Manipulation”.
User: kwilson@company.com (Finance Manager).
Files: 847 financial files modified/corrupted.
Time: 2024-03-04 10:30 EST.
Technique: MITRE ATT&CK T1565.001 – Data Manipulation: Stored Data Manipulation.

2. Technical Analysis:

Attack Chain:

09:30 – kwilson account compromised via phishing
09:45 – Attacker logs into FIN-WS-112 via RDP
09:50 – Attacker downloads data_corrupt.ps1 script
10:00 – Attacker runs script against finance shares
10:15-10:30 – 847 files modified
10:30 – Varonis detects

Script Analysis:

Name: data_corrupt.ps1
SHA256: a1b2c3d4e5f6…
Function: Reads Excel/CSV files, randomly alters numbers, corrupts PDFs
Targets: Financial data (reports, budgets, forecasts)

Files Affected (847):

Financial reports (345) – Q1-Q4 results altered
Budget spreadsheets (234) – department budgets corrupted
Forecast models (156) – projections invalid
Shared finance docs (112) – various
Total data corrupted: ~450 MB

Impact:

Financial reports now contain incorrect numbers
Some files completely unusable
Trust in data integrity compromised

Attacker Intent:

Sabotage financial reporting
Cause business disruption
Undermine confidence in data

3. Investigation Findings:

Timeline:

09:30 – Account compromised
09:45 – Attacker logs in
09:50-10:00 – Script downloaded
10:15-10:30 – File manipulation
10:30 – Varonis alert
10:32 – SOC investigates
10:33 – Host isolated
10:35 – Backup restoration begins

Indicators of Compromise (IoCs):

Files:

– C:\Users\kwilson\Downloads\data_corrupt.ps1 (SHA256: a1b2c3d4…)

Commands:

– PowerShell script manipulating financial files

Account:

– kwilson (compromised)

4. Containment Actions:

Immediate Actions:

Isolated FIN-WS-112 via CrowdStrike.
Disabled kwilson account.
Reset password.
Deleted data_corrupt.ps1.

Data Recovery:

Restored all 847 corrupted files from Veeam backups.
Verified data integrity (compared with backups).
Finance team validated restored files.

Prevention:

No further manipulation occurred.

5. Root Cause Analysis:

Primary Cause: User account compromised, leading to data manipulation.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
Finance data accessible to user (legitimate, but abused).

6. Business Impact:

Operational Impact: Finance team unable to use files for 2 hours.
Data Exposure: Data corrupted, not exfiltrated.
Financial Impact: Potential reporting delays; restored from backups.

7. Remediation & Prevention:

Completed Actions:

Data restored.
Account secured.
Malicious script removed.

Technical Controls Enhanced:

Enforced MFA for all users.
Moved RDP behind VPN only.
Implemented file integrity monitoring for critical data.
Enhanced Varonis alerting for mass modifications.
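The integrity check behind "Verified data integrity (compared with backups)" and the file integrity monitoring added under Technical Controls, as an added example (not the page's, Veeam's or Varonis's code): a hash manifest taken from the trusted backup copy is compared against the live share, and a changed timestamp with an unchanged hash is reported separately from a real content change. The directory layout and the CSV contents are constructed for the demo.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

def sha256_of(path):
    """Stream the file so large spreadsheets and PDFs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Baseline from the trusted backup copy: relative path -> content hash and mtime."""
    root = Path(root)
    return {str(p.relative_to(root)): {"sha256": sha256_of(p), "mtime_ns": p.stat().st_mtime_ns}
            for p in root.rglob("*") if p.is_file()}

def verify_tree(manifest, root):
    """Classify each baseline entry as ok / metadata_only / content_changed / missing,
    so a real data change is never confused with harmless timestamp churn."""
    root, status = Path(root), {}
    for rel, base in manifest.items():
        p = root / rel
        if not p.is_file():
            status[rel] = "missing"
        elif sha256_of(p) != base["sha256"]:
            status[rel] = "content_changed"
        elif p.stat().st_mtime_ns != base["mtime_ns"]:
            status[rel] = "metadata_only"
        else:
            status[rel] = "ok"
    return status

def demo():
    """Constructed scenario (not real finance data): backup tree versus a live share where
    one report's revenue figure was altered, one was only re-timestamped, one was deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup", "reports"), Path(tmp, "live", "reports")
        backup.mkdir(parents=True)
        for q, value in (("q1", 1234567), ("q2", 2345678), ("q3", 3456789), ("q4", 4567890)):
            (backup / f"{q}.csv").write_text(f"{q.upper()} Revenue,{value}\n")
        manifest = build_manifest(backup)
        shutil.copytree(backup, live)                          # copy2 semantics preserve mtimes
        (live / "q1.csv").write_text("Q1 Revenue,9876543\n")  # manipulated figure
        os.utime(live / "q2.csv", ns=(0, 0))                   # touched, content intact
        (live / "q3.csv").unlink()                             # deleted
        return verify_tree(manifest, live)

if __name__ == "__main__":
    for rel, state in sorted(demo().items()):
        print(f"{state:16} {rel}")
```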

8. Conclusion:

An attacker compromised a finance manager’s account and ran a script that manipulated 847 financial files, corrupting critical data. Varonis detected the mass modifications, enabling rapid restoration from backups. No permanent data loss occurred.

Closure Rationale: Data corrupted; data restored from backups; account secured.

Analyst: [Your Name], SOC Analyst
Date: 2024-03-04 11:30 EST
