lowqe - SOCJournal

T1070.004 – File Deletion (CrowdStrike Detection)

May 31, 2026 by lowqe

CrowdStrike Alert Details Alert ID: CS-FILE-DELETE-1070-7842 Alert Time: 2024-03-07 16:30:45 EST Severity: HIGH (85/100) Source: CrowdStrike Falcon EDR Rule: “Mass File Deletion – Potential Indicator Removal” MITRE ATT&CK: T1070.004 – Indicator Removal: File Deletion Alert Details: Detection: Large number of files deleted from Temp and Downloads folders Host: DEV-WS-078 (Development Workstation) User: rpatel@company.com (Raj Patel, … Read more

T1003.001 – LSASS Memory Credential Dumping (CrowdStrike Detection)

May 31, 2026 by lowqe

CrowdStrike Alert Details Alert ID: CS-LSASS-DUMP-1003-7842 Alert Time: 2024-03-10 10:30:22 EST Severity: CRITICAL (98/100) Source: CrowdStrike Falcon EDR Rule: “LSASS Memory Access – Potential Credential Dumping” MITRE ATT&CK: T1003.001 – OS Credential Dumping: LSASS Memory Alert Details: Detection: Process attempting to read LSASS process memory Host: IT-WS-034 (IT Workstation) User: bjones@company.com (Brian Jones, IT Admin) … Read more

T1003.002 – Security Account Manager Dumping (CrowdStrike Detection)

May 31, 2026 by lowqe

CrowdStrike Alert Details Alert ID: CS-SAM-DUMP-1003-7842 Alert Time: 2024-03-11 09:30:15 EST Severity: CRITICAL (98/100) Source: CrowdStrike Falcon EDR Rule: “SAM Registry Hive Access – Potential Credential Dumping” MITRE ATT&CK: T1003.002 – OS Credential Dumping: Security Account Manager Alert Details: Detection: Process accessing SAM (Security Account Manager) registry hive Host: DC-01 (Domain Controller) User: SYSTEM (via … Read more

T1562.001 – Disable or Modify Tools (Microsoft Defender Detection)

May 31, 2026 by lowqe

Microsoft Defender Alert Details Alert ID: MD-DISABLE-TOOLS-1562-7842 Alert Time: 2024-03-07 10:30:22 EST Severity: CRITICAL (96/100) Source: Microsoft Defender for Endpoint Rule: “Tampering with Security Tools Detected” MITRE ATT&CK: T1562.001 – Impair Defenses: Disable or Modify Tools Alert Details: Detection: Attempt to disable multiple security tools on domain controller Host: DC-01 (Primary Domain Controller) User: SYSTEM … Read more

T1548.002 – Bypass User Account Control (Microsoft Defender Detection)

May 31, 2026 by lowqe

Microsoft Defender Alert Details Alert ID: MD-UAC-BYPASS-1548-7842 Alert Time: 2024-03-10 11:30:22 EST Severity: HIGH (88/100) Source: Microsoft Defender for Endpoint Rule: “UAC Bypass Attempt Detected – CMSTPLUA Technique” MITRE ATT&CK: T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control Alert Details: Detection: Process attempted to bypass UAC using CMSTPLUA COM interface Host: HR-WS-023 (HR … Read more

T1218.011 – Rundll32 Proxy Execution (CrowdStrike Detection)

May 31, 2026 by lowqe

CrowdStrike Alert Details Alert ID: CS-RUNDLL32-PROXY-1218-7842 Alert Time: 2024-03-10 14:15:33 EST Severity: HIGH (85/100) Source: CrowdStrike Falcon EDR Rule: “Rundll32.exe Executing Remote JavaScript – Potential Squiblydoo” MITRE ATT&CK: T1218.011 – System Binary Proxy Execution: Rundll32 Alert Details: Detection: Rundll32.exe executing JavaScript from remote URL Host: ENG-WS-045 (Engineering Workstation) User: alexchen@company.com (Alex Chen, Engineer) Time: 14:10 … Read more

T1218.005 – Mshta Proxy Execution (CrowdStrike Detection)

May 31, 2026 by lowqe

CrowdStrike Alert Details Alert ID: CS-Mshta-Proxy-1218-7842 Alert Time: 2024-03-09 10:30:22 EST Severity: HIGH (88/100) Source: CrowdStrike Falcon EDR Rule: “Mshta.exe Executing Suspicious Script – Potential Proxy Execution” MITRE ATT&CK: T1218.005 – System Binary Proxy Execution: Mshta Alert Details: Detection: Mshta.exe (HTML Application host) executing script from remote URL Host: DEV-WS-045 (Development Workstation) User: alexchen@company.com (Alex … Read more

T1218.010 – Regsvr32 Proxy Execution (CrowdStrike Detection)

May 31, 2026 by lowqe

CrowdStrike Alert Details Alert ID: CS-REGSVR32-PROXY-1218-7842 Alert Time: 2024-03-10 09:30:15 EST Severity: HIGH (85/100) Source: CrowdStrike Falcon EDR Rule: “Regsvr32.exe Executing Remote COM Object – Potential Squiblydoo” MITRE ATT&CK: T1218.010 – System Binary Proxy Execution: Regsvr32 Alert Details: Detection: Regsvr32.exe used to execute remote scriptlet (Squiblydoo technique) Host: FIN-WS-078 (Finance Workstation) User: bturner@company.com (Brian Turner, … Read more

T1036.005 – Match Legitimate Name or Location (CrowdStrike Detection)

May 31, 2026 by lowqe

CrowdStrike Alert Details Alert ID: CS-MATCH-NAME-LOC-1036-7842 Alert Time: 2024-03-09 11:30:22 EST Severity: HIGH (88/100) Source: CrowdStrike Falcon EDR Rule: “Process with System Name Running from User-Writable Path” MITRE ATT&CK: T1036.005 – Masquerading: Match Legitimate Name or Location Alert Details: Detection: Process named “svchost.exe” running from C:\Users\Public\ Host: HR-WS-023 (HR Workstation) User: kwilson@company.com (Karen Wilson, HR) … Read more

T1218.001 – Compiled HTML File (Microsoft Defender Detection)

May 31, 2026 by lowqe

Microsoft Defender Alert Details Alert ID: MD-CHM-EXEC-1218-7842 Alert Time: 2024-03-09 16:30:45 EST Severity: HIGH (85/100) Source: Microsoft Defender for Endpoint Rule: “Compiled HTML File (CHM) Executing Suspicious Code” MITRE ATT&CK: T1218.001 – System Binary Proxy Execution: Compiled HTML File Alert Details: Detection: CHM file executed with script that spawns PowerShell Host: SALES-WS-023 (Sales Workstation) User: … Read more