Updated: Jul 8
The client noticed irregular, seemingly random deletion of user profiles across their entire operation. They needed to understand whether they had been hacked, whether other issues were at play, and how the deletions had happened. If an intrusion did occur, our client needed to prepare and issue the necessary public disclosures and identify next steps.
Identify the computer systems that exhibit deletion of user profiles. Establish a timeline of events across networks, departments, and computers. Triage the particular computer systems involved and capture relevant data for analysis. Perform analysis to determine the root cause of the user profile deletion activity.
In collaboration with the client’s IT and network operations center staff, Proactive Discovery identified 12 systems of interest. Proactive Discovery then preserved crucial evidence – triage data – from those 12 computer systems. Because the triage data sets were focused and small, analysis could begin far sooner than it could have if a full forensic image of each hard drive had been created. Equipped with the triage data, our analysis focused on file download, file interaction, user account and program execution timelines and artifacts. We needed to quickly identify what application or event could cause a Windows user profile to be deleted.
While analyzing the triage data sets from the 12 computers, we quickly identified a program of concern. The program in question was referenced on all 12 computer systems. Next, we needed to establish whether, and if so when, the application of concern had been executed on each computer system. After additional analysis of Windows artifacts and of the application itself, we validated that the application was the root cause of the user profile deletion events.
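The cross-host correlation described above, as an added illustration that is not Proactive Discovery's tooling: given per-host triage records of program executions and profile deletions (hostnames, timestamps and program names below are constructed), it builds a single timeline and reports the programs that ran shortly before a profile deletion on every affected host.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed triage records: (host, timestamp, artifact_type, detail).
# Artifact types mirror the categories analysed in the case: program
# execution and user-profile removal. All values are invented.
TRIAGE = [
    ("WS01", "2023-05-02 07:10", "exec", "outlook.exe"),
    ("WS01", "2023-05-02 08:02", "exec", "cleanup.ps1"),
    ("WS01", "2023-05-02 08:03", "profile_deleted", "jsmith"),
    ("WS01", "2023-05-02 08:03", "profile_deleted", "alee"),
    ("WS02", "2023-05-02 08:05", "exec", "cleanup.ps1"),
    ("WS02", "2023-05-02 08:06", "profile_deleted", "bkhan"),
    ("WS02", "2023-05-02 09:40", "exec", "chrome.exe"),
    ("WS03", "2023-05-02 08:04", "exec", "cleanup.ps1"),
    ("WS03", "2023-05-02 08:04", "profile_deleted", "mroy"),
    ("WS03", "2023-05-02 08:30", "exec", "teams.exe"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def build_timeline(records):
    """Merge every host's artifacts into one chronological timeline."""
    return sorted(records, key=lambda r: (parse(r[1]), r[0]))

def candidate_programs(records, window_minutes=10):
    """Map each program to the hosts where it ran within `window_minutes`
    before at least one profile deletion on that same host."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for rec in records:
        by_host[rec[0]].append(rec)
    hits = defaultdict(set)
    for host, recs in by_host.items():
        execs = [(parse(t), d) for _, t, k, d in recs if k == "exec"]
        dels = [parse(t) for _, t, k, _ in recs if k == "profile_deleted"]
        for when, prog in execs:
            # Only executions that precede a deletion (0 <= gap <= window) count.
            if any(timedelta(0) <= (d - when) <= window for d in dels):
                hits[prog].add(host)
    return hits

def root_cause_candidates(records, window_minutes=10):
    """Programs that precede profile deletions on every affected host."""
    hits = candidate_programs(records, window_minutes)
    affected = {r[0] for r in records if r[2] == "profile_deleted"}
    return sorted(p for p, hosts in hits.items() if hosts == affected)

if __name__ == "__main__":
    for rec in build_timeline(TRIAGE):
        print(*rec)
    print("Candidates:", root_cause_candidates(TRIAGE))
```

A program that appears on every host but never inside the window (a normal application such as the mail client here) is excluded, which is what separates a root-cause candidate from software that is merely present everywhere.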
We then identified the means by which the application was causing the user profile deletions and continued interrogating the triage data to reveal the true sequence of events that led to the deletion of nearly 1,000 user profiles.
Equipped with solid evidence, we debriefed our client on the root cause – a misconfigured maintenance script had been accidentally pushed to the entire organization via domain policy. While this incident caused major business disruptions, our client was able to rule out foul play by an external adversary against their organization.