Wi-Fi Networks Attack Analysis: T1669 – Rogue Access Point & Evil Twin

SIEM Alert Details: Wireless Intrusion Detection Alert
Alert ID: SIEM-WIDS-ROGUEAP-7842
Alert Time: 2024-01-30 14:18:32 EST
Severity: HIGH (85/100)
Source: Aruba Wireless Intrusion Detection System (WIDS) + Splunk Correlation
Rule: “Rogue Access Point with Corporate SSID Spoofing”
MITRE ATT&CK: T1669 – Wi-Fi Networks
Sub-technique: T1669.001 – Evil Twin Attack
Alert Details:
Primary Detection Source: Aruba WIDS Sensor (Location: Building 1, Floor 3)
Secondary Detection: Cisco Identity Services Engine (ISE) RADIUS …

Valid Accounts Attack Analysis: T1078 – Default Credentials on IoT Devices

SIEM Alert Details
Alert ID: SIEM-DEFAULT-CREDS-7842
Alert Time: 2024-01-29 22:45:18 EST
Severity: HIGH (82/100)
Source: Splunk Enterprise Security Correlation
Rule: “Default Credential Usage Detected on Network Device”
MITRE ATT&CK: T1078 – Valid Accounts (Default Credentials)
Alert Details:
Correlated Events:
1. Network Authentication Attempt:
   – Time: 22:40 EST
   – Device: HVAC-Controller-04 (Building Automation System)
   – IP: 192.168.30.45
   – Protocol: SSH
   – Username: admin
   – Password: (attempt matching …

Trusted Relationship Attack Analysis: T1199 – Compromised Contractor Credentials

SIEM Correlation Alert Details
Alert ID: SIEM-CORR-7842-T1199
Alert Time: 2024-01-28 03:15:47 EST
Severity: HIGH (85/100)
Source: Splunk Enterprise Security Correlation Search
Rule: “Contractor Account Anomaly: VPN from Unusual Location + Immediate RDP”
MITRE ATT&CK: T1199 – Trusted Relationship
Correlated Events:
Event 1: VPN Authentication
   – Time: 03:00 EST
   – User: tsmith (Tom Smith – Contoso Solutions Contractor)
   – Source IP: 89.248.165[.]23 (Moscow, Russia)
   – VPN Gateway: …

Supply Chain Compromise Analysis: T1195 – Compromised Software Update

CrowdStrike Falcon Alert Details
Alert ID: CS-ALERT-7842-SUPPLYCHAIN
Alert Time: 2024-01-26 09:42:18 EST
Severity: CRITICAL (92/100)
Detection: “Software Updater Executing Suspicious Child Process”
MITRE ATT&CK: T1195 – Supply Chain Compromise, T1059.001 – PowerShell
Host Information:
Alert Details:
Detection Logic: Living Off the Land (LotL) Behavior – Legitimate Updater Spawning Unusual Child Process
Process Chain:
Parent Process: C:\Program Files\ChartTool\Updates\ChartToolUpdater.exe
   – Publisher: “ChartTool Inc.” (Valid certificate, expires …

SOC Incident Report: Replication Through Removable Media (T1091)

Alert Details: EDR + DLP Correlation Alert
EDR Alert (Microsoft Defender for Endpoint):
Alert ID: MDE-USB-WORM-7842
Alert Time: 2024-01-24 11:18:42 EST
Severity: HIGH (82/100)
MITRE ATT&CK: T1091 – Replication Through Removable Media
Detection: “Worm-like behavior via removable media”
Details:
Host: RND-WS-023 (R&D Department)
User: drajput (Deepak Rajput, Research Scientist)
Process: C:\Windows\Temp\usb_sync.exe
Parent: explorer.exe
Command Line: usb_sync.exe /autorun /silent /propagate
File Activity:
   – Created: C:\Windows\Temp\usb_sync.exe …

Phishing Incident Analysis: User-Reported via PhishMe

Email Details:
Reported Via: PhishMe (Cofense) Reporter Button in Outlook
Reporting User: asmith (Alex Smith, HR Department)
Report Time: 2024-01-22 09:45 EST
Confidence: High (User commented: “Suspicious sender, not our IT team”)
Sender: payroll-update@hronboarding[.]net
Subject: ACTION REQUIRED: Your Payroll Direct Deposit Information Needs Verification
Received: Today, 09:30 AM
Email Body:
Dear Employee,
The HR and Payroll Department has identified inconsistencies in your direct deposit information for the …

Phishing Incident Report: User-Reported Email Analysis

PhishMe Alert Details
Report Time: 2024-01-19 14:32:18 EST
Report Method: PhishMe (Cofense) Reporter Button in Outlook
User: swilliams (Sarah Williams, Finance Department)
Reporting Confidence: High (User marked “Definitely Phishing”)
Report ID: PHISHME-REPORT-4587
Reported Email Details:
From: security@microsoft-support[.]net
Reply-To: support@account-verify[.]online
Subject: URGENT: Your Microsoft 365 Account Requires Immediate Verification
Received: 2024-01-19 14:25 EST
To: swilliams@ourcompany.com
CC: None
Headers Analysis:
   – Return-Path: bounce-7842@newsletter[.]hosting-service[.]co
   – SPF: softfail …
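The header checks that the report above is walking through (From versus Reply-To, From versus Return-Path, and the SPF verdict) can be automated with the standard library. This is an added example, not the post's own tooling and not anything from Cofense; the raw message below is constructed to mirror the reported headers, with the defanging brackets removed so the addresses parse, and the receiving host mx.ourcompany.com and the IP 192.0.2.10 are made up for the demo.

```python
"""Header alignment and SPF checks for a user-reported phishing email.

Added example, not code from the original post. RAW_EMAIL is constructed
to match the headers in the report; mx.ourcompany.com and 192.0.2.10 are
assumptions.
"""
import email
from email.utils import parseaddr

# Constructed raw message mirroring the reported headers (defanging removed).
RAW_EMAIL = """\
Return-Path: <bounce-7842@newsletter.hosting-service.co>
Received-SPF: softfail (mx.ourcompany.com: transitioning domain of newsletter.hosting-service.co does not designate 192.0.2.10 as permitted sender)
Authentication-Results: mx.ourcompany.com; spf=softfail smtp.mailfrom=newsletter.hosting-service.co; dkim=none; dmarc=none header.from=microsoft-support.net
From: "Microsoft Security" <security@microsoft-support.net>
Reply-To: support@account-verify.online
To: swilliams@ourcompany.com
Subject: URGENT: Your Microsoft 365 Account Requires Immediate Verification
Date: Fri, 19 Jan 2024 14:25:00 -0500

Your account will be suspended unless you verify it within 24 hours.
"""


def domain_of(header_value):
    """Lower-cased domain part of an RFC 5322 address header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def spf_result(msg):
    """SPF verdict: prefer Authentication-Results spf=..., else Received-SPF."""
    for token in msg.get("Authentication-Results", "").replace(";", " ").split():
        if token.lower().startswith("spf="):
            return token.split("=", 1)[1].lower()
    received_spf = msg.get("Received-SPF", "")
    return received_spf.split()[0].lower() if received_spf else "none"


def analyze_headers(raw):
    """Return the extracted domains, the SPF verdict and a list of findings."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    rpath_dom = domain_of(msg.get("Return-Path"))
    findings = []
    # Reply-To pointing somewhere else is the classic credential-harvest tell.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Envelope sender (Return-Path) on a different domain: relayed via a third party.
    if rpath_dom and rpath_dom != from_dom:
        findings.append(f"Return-Path domain {rpath_dom} differs from From domain {from_dom}")
    spf = spf_result(msg)
    if spf != "pass":
        findings.append(f"SPF result is {spf}, not pass")
    return {"from_domain": from_dom, "reply_to_domain": reply_dom,
            "return_path_domain": rpath_dom, "spf": spf, "findings": findings}


if __name__ == "__main__":
    for line in analyze_headers(RAW_EMAIL)["findings"]:
        print("-", line)
```

Note that SPF is evaluated against the envelope sender (the Return-Path domain), not the visible From, which is why a spoofed From can ride on a softfail from an unrelated bulk-mail host; the Return-Path mismatch and the SPF verdict should be read together.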

Hardware Additions Attack (T1200)

EDR Alert Details: Unauthorized Hardware Detection
Alert Time: 2024-01-18 10:15:34 EST
Alert Source: CrowdStrike Falcon EDR
Alert ID: FALCON-ALERT-HW-7842
Severity: HIGH (87/100)
MITRE ATT&CK: T1200 – Hardware Additions
Affected System:
Alert Description:
Detection: Unauthorized USB Mass Storage Device Installation with Malicious Payload Execution
Rule: “Hardware-Based Persistence Attempt”
Confidence: 98%
Event Chain:
10:14:22 – Unknown USB Device Connected (VID_0781&PID_55A3)
10:14:35 – Driver Installation: “Generic Mass …

External Remote Services (T1133) Incident

SIEM Alert
Alert Source: Splunk SIEM Correlation Rule
Alert Time: 2023-10-28 03:15:47 UTC
Severity: High
Rule: “Multiple RDP Connections from Unusual External IP”
Alert ID: SIEM-CORR-8923
Alert Details:
SIEM Correlation Rule Triggered: T1133 – External Remote Services
Time Range: 03:00-03:15 UTC
Correlated Events:
1. VPN Authentication: User jsmith successfully authenticated via Pulse Secure VPN from IP 89.248.165[.]23 (Moscow, Russia)
2. RDP Connection: User jsmith …
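Both this T1133 alert and the T1199 contractor alert above fire on the same two-step pattern: a successful VPN login from a location the account has never used, followed within minutes by an RDP logon under that account. The following is an added example of that correlation in plain Python, not a Splunk search and not code from either post; the sample events, the per-user country baseline and the 15-minute window are constructed for the demo, and the user names and hosts are made up.

```python
"""VPN-then-RDP correlation, the pattern behind the two SIEM rules above.

Added example; not code from the original posts and not a Splunk search.
SAMPLE_EVENTS, USER_BASELINE and the 15-minute WINDOW are constructed
assumptions, not values taken from the alerts.
"""
from datetime import datetime, timedelta

# Constructed sample events, normalised the way a SIEM would present them.
# Only the first pair should fire: tsmith's baseline is US, the VPN login
# comes from RU, and an RDP logon by the same account follows 4.5 min later.
SAMPLE_EVENTS = [
    {"ts": "2024-01-28 03:00:00", "type": "vpn_auth", "user": "tsmith",
     "src_ip": "89.248.165.23", "country": "RU", "result": "success"},
    {"ts": "2024-01-28 03:04:30", "type": "rdp_logon", "user": "tsmith",
     "src_ip": "10.20.0.15", "dst_host": "FS-01", "result": "success"},
    {"ts": "2024-01-28 08:15:00", "type": "vpn_auth", "user": "jdoe",
     "src_ip": "203.0.113.8", "country": "US", "result": "success"},
    {"ts": "2024-01-28 08:20:00", "type": "rdp_logon", "user": "jdoe",
     "src_ip": "10.20.0.40", "dst_host": "FS-01", "result": "success"},
    {"ts": "2024-01-28 09:00:00", "type": "vpn_auth", "user": "tsmith",
     "src_ip": "198.51.100.7", "country": "US", "result": "success"},
    {"ts": "2024-01-28 10:30:00", "type": "rdp_logon", "user": "tsmith",
     "src_ip": "10.20.0.15", "dst_host": "FS-02", "result": "success"},
]

# Assumed baseline: countries each account has logged in from recently.
# An account with no baseline (e.g. a new contractor) treats every country
# as unusual, which is the safer default for third-party accounts.
USER_BASELINE = {"tsmith": {"US"}, "jdoe": {"US", "CA"}}

WINDOW = timedelta(minutes=15)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def correlate(events, baseline, window=WINDOW):
    """Alert when a successful VPN login from a country outside the user's
    baseline is followed, within `window`, by an RDP logon by that user."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    alerts = []
    for i, vpn in enumerate(events):
        if vpn["type"] != "vpn_auth" or vpn["result"] != "success":
            continue
        if vpn["country"] in baseline.get(vpn["user"], set()):
            continue  # expected location; not an anomaly on its own
        t0 = parse_ts(vpn["ts"])
        for later in events[i + 1:]:
            delta = parse_ts(later["ts"]) - t0
            if delta > window:
                break  # input is sorted, so nothing later can be in the window
            if later["type"] == "rdp_logon" and later["user"] == vpn["user"]:
                alerts.append({
                    "user": vpn["user"],
                    "vpn_ts": vpn["ts"], "vpn_src_ip": vpn["src_ip"],
                    "country": vpn["country"],
                    "rdp_ts": later["ts"], "rdp_host": later["dst_host"],
                    "delta_seconds": int(delta.total_seconds()),
                })
                break  # one alert per anomalous VPN login
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, USER_BASELINE):
        print(alert)
```

The baseline check is what keeps this from paging on every VPN login; a geo-anomaly alone is a low-fidelity signal, the RDP follow-on within a short window is what raises it to an incident.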

Exploit Public-Facing Application (T1190)

WAF Alert
Alert Source: AWS WAF / Cloudflare WAF
Alert Time: 2023-10-27 08:45:22 UTC
Severity: Critical
Application: Public Customer Portal (customer.ourcompany.com)
Alert Title: “SQL Injection Attempt Bypassing Authentication”
Alert ID: WAF-ALERT-45678
Alert Details:
WAF Rule: SQLi_Bypass_Attempt_1
Source IP: 45.134.225[.]67 (DigitalOcean, Netherlands)
HTTP Method: POST
Target URL: /api/v1/auth/login
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Request Headers:
   – Content-Type: application/json
   – X-Forwarded-For: 45.134.225[.]67
Request Body/Payload: { …
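An authentication-bypass injection against a login endpoint only works if the handler splices the submitted username into the SQL text. The following added example (not the portal's code, and not the payload from the alert, which is elided above) shows the vulnerable login query next to the parameterised one that closes the hole, run against an in-memory SQLite database. The users table, the test account and the two injection strings are constructed for the demo, and SHA-256 stands in for a proper password KDF only to keep the example self-contained.

```python
"""Login handler with a string-built query (the class of bug a WAF SQLi
rule is guarding against) next to the parameterised fix.

Added example; not the portal's code and not the alert's payload. The
table, the 'alice' account and the payloads are constructed for the demo.
SHA-256 is used only so the demo has no dependencies; use a real password
KDF (argon2, bcrypt, scrypt) in production.
"""
import hashlib
import sqlite3


def pw_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()


def build_db():
    """In-memory SQLite with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", pw_hash("correct horse")))
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: user input is spliced into the SQL text, so a quote in the
    username closes the string literal and the rest is parsed as SQL.
    With username  ' OR 1=1--  the WHERE clause becomes
        username = '' OR 1=1--' AND pw_hash = '...'
    and the password comparison is commented away."""
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND pw_hash = '%s'" % (username, pw_hash(password)))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened: placeholders make the driver bind the input as data, so the
    same payload is just a username that does not exist."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    for payload in ("' OR 1=1--", "alice'--"):
        print(repr(payload),
              "| vulnerable ->", login_vulnerable(db, payload, "wrong"),
              "| safe ->", login_safe(db, payload, "wrong"))
```

The second payload (`alice'--`) is worth keeping in test suites alongside the generic `OR 1=1` form: it targets a specific account rather than the first row, and a WAF signature tuned only for tautologies can miss it.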