a strange malware behaviour, anyone heard of it before?

Posted by @rampage (Reputable Member, joined 17 years ago, 354 posts), topic starter

Hello everyone, I know that this might be OT, but I'm experiencing a strange issue.
A corporation contacted me today to notify me of an incident.

The description of the incident is:

"Randomly, with an absolutely non-systemic algorithm, files are moved across the network; at the same time, on a random workstation on the network, the NTLDR system file on a Windows XP SP3 machine is moved too, to prevent the machine from booting and causing business continuity issues."

I'm conducting an analysis right now and, from the data I was able to collect so far, I can see from the file server audit log that the "moving files" procedure is operated from the workstation on which the NTLDR file is altered.
The process is operated using the Samba (SMB) protocol.
All the machines are members of a domain, and times are synchronized with the domain controller, so all timestamps are synced across all machines. I also noticed that the workstation from which the actions were committed wasn't in use: a session was active (user logged in) but locked (Win+L), and no operator was working on it.

From the analysis conducted so far I wasn't able to find evidence of running processes or altered system files, and the registry was fine and didn't contain any sort of evidence of malware installation.

Now I'm trying to reproduce the incident in a test environment, and I was going to perform the following:
trigger a win32dd crash dump on the workstation machine if the NTLDR file is moved/altered in any way.
Do you think that this should work and provide me with a dump of the running process causing this mess?

How would you proceed?

Any suggestion is welcome.

Thanks in advance.
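The correlation the poster did by hand (file-server audit entries originating from the same workstation whose NTLDR was altered, within the same time window) can be scripted once the logs are exported. The following is an added example, not code from the thread; the log line layout, host names, paths and timestamps are all constructed, so a real export needs its own parser.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (assumption, not the poster's real logs). Layout assumed:
# "<date> <time> <origin host> <account> <action> <source> -> <destination>"
FILESERVER_AUDIT = [
    "2009-03-02 02:14:05 WS-17 CORP\\jdoe MOVE \\\\FS01\\share\\finance\\q1.xls -> \\\\FS01\\share\\tmp\\q1.xls",
    "2009-03-02 02:14:07 WS-17 CORP\\jdoe MOVE \\\\FS01\\share\\finance\\q2.xls -> \\\\FS01\\share\\tmp\\q2.xls",
    "2009-03-02 02:14:09 WS-17 CORP\\jdoe MOVE \\\\FS01\\share\\hr\\list.doc -> \\\\FS01\\share\\tmp\\list.doc",
    "2009-03-02 09:30:00 WS-03 CORP\\asmith MOVE \\\\FS01\\share\\hr\\a.doc -> \\\\FS01\\share\\hr\\old\\a.doc",
]
# Constructed workstation-side events, e.g. from a boot-file integrity check, same layout.
WORKSTATION_EVENTS = [
    "2009-03-02 02:14:40 WS-17 - MOVE C:\\NTLDR -> C:\\RECYCLER\\ntldr",
    "2009-03-02 11:00:00 WS-03 - MOVE C:\\NTLDR -> C:\\NTLDR.bak",  # hours after WS-03's moves
]

def parse(line):
    """Split one log line into fields; the layout above is an assumption."""
    date, time, host, account, action, rest = line.split(" ", 5)
    src, dst = rest.split(" -> ", 1)
    return {"ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "host": host, "account": account, "action": action, "src": src, "dst": dst}

def correlate(audit_lines, ws_lines, window=timedelta(minutes=5), min_moves=2):
    """Return (host, ntldr_event_time, nearby_move_count) for every workstation whose
    NTLDR was moved within `window` of at least `min_moves` share moves it originated."""
    moves = defaultdict(list)
    for ev in map(parse, audit_lines):
        if ev["action"] == "MOVE":
            moves[ev["host"]].append(ev["ts"])
    hits = []
    for ev in map(parse, ws_lines):
        if ev["action"] != "MOVE" or ev["src"].upper() != "C:\\NTLDR":
            continue
        nearby = [t for t in moves[ev["host"]] if abs(ev["ts"] - t) <= window]
        if len(nearby) >= min_moves:
            hits.append((ev["host"], ev["ts"], len(nearby)))
    return hits

if __name__ == "__main__":
    for host, when, count in correlate(FILESERVER_AUDIT, WORKSTATION_EVENTS):
        print(f"{host}: NTLDR moved at {when}, {count} share moves from this host nearby")
```

Because the domain keeps clocks in sync, the time window can be kept tight; widen it if the workstations and file server drift.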
