T1588 – Obtain Capabilities (Anomali TIP Detection)

Anomali TIP Alert Details
Alert ID: ANOMALI-CAPABILITY-ACQ-7842
Alert Time: 2024-02-10 13:30:45 EST
Severity: HIGH (75/100)
Source: Anomali Threat Intelligence Platform
Rule: “Known Malware Framework Offered for Sale”
MITRE ATT&CK: T1588 – Obtain Capabilities
Alert Details:
Threat Intelligence Finding: Commercial access to Cobalt Strike licensed to new actor
Source: Dark Web Marketplace “exploit[.]market”
Listing Date: 2024-02-09 …

T1608 – Stage Capabilities (Zscaler Detection)

Zscaler Alert Details
Alert ID: ZSCALER-STAGE-CAP-7842
Alert Time: 2024-02-11 09:45:18 EST
Severity: HIGH (78/100)
Source: Zscaler Internet Access (ZIA)
Rule: “Suspicious File Download – Potential Payload Staging”
MITRE ATT&CK: T1608 – Stage Capabilities
Alert Details:
Transaction Details:
– User: jdoe@company.com (John Doe, Marketing)
– Device: MKT-WS-023 (Windows 11)
– Time: 09:42 EST
– Action: BLOCKED …

T1189 – Drive-by Compromise (Zscaler Detection)

Zscaler Alert Details
Alert ID: ZSCALER-DRIVEBY-7842
Alert Time: 2024-02-11 14:22:35 EST
Severity: HIGH (85/100)
Source: Zscaler Internet Access (ZIA) + Cloud Sandbox
Rule: “Drive-by Compromise – Exploit Kit Activity”
MITRE ATT&CK: T1189 – Drive-by Compromise
Alert Details:
Transaction Details:
– User: rsmith@company.com (Robert Smith, Sales)
– Device: SLS-WS-089 (Windows 10)
– Time: 14:18-14:22 EST
– …

T1133 – External Remote Services (Okta Detection)

Okta Alert Details
Alert ID: OKTA-EXTERNAL-REMOTE-7842
Alert Time: 2024-02-11 07:30:45 EST
Severity: HIGH (88/100)
Source: Okta Identity Cloud
Rule: “Suspicious VPN Login – New Location + Impossible Travel”
MITRE ATT&CK: T1133 – External Remote Services
Alert Details:
User: awilson@company.com (Alex Wilson, IT Administrator)
Application: Palo Alto GlobalProtect VPN
Time: 07:28 EST
Risk Signals:
1. New …

T1200 – Hardware Additions (ForeScout Detection)

ForeScout Alert Details
Alert ID: FORESCOUT-HW-ADD-7842
Alert Time: 2024-02-11 13:45:22 EST
Severity: HIGH (82/100)
Source: ForeScout CounterACT
Rule: “Unauthorized USB Device – BadUSB Characteristics”
MITRE ATT&CK: T1200 – Hardware Additions
Alert Details:
Device Detection:
– Host: RND-WS-056 (Research & Development)
– User: cpark (Chris Park, Research Scientist)
– Time: 13:42 EST
– USB Port: Front …

T1566 – Phishing (Proofpoint Detection)

Proofpoint Alert Details
Alert ID: PROOFPOINT-PHISH-1566-7842
Alert Time: 2024-02-12 09:30:15 EST
Severity: HIGH (85/100)
Source: Proofpoint Targeted Attack Protection (TAP)
Rule: “Credential Phishing – Brand Impersonation”
MITRE ATT&CK: T1566 – Phishing
Alert Details:
Email Analysis Report:
Sender: noreply@docusign-verify[.]net
Reply-To: support@document-processing[.]com
Subject: “Action Required: Document Ready for Signature – DocuSign”
Recipients: 124 employees (All departments)
Time: …

T1091 – Replication via Removable Media (CrowdStrike Detection)

CrowdStrike Alert Details
Alert ID: CS-WORM-USB-1091-7842
Alert Time: 2024-02-12 14:15:33 EST
Severity: HIGH (88/100)
Source: CrowdStrike Falcon EDR
Rule: “Replication Through Removable Media – Worm Behavior”
MITRE ATT&CK: T1091 – Replication Through Removable Media
Alert Details:
Detection: Worm-like file replication to USB devices
Host: ENG-WS-078 (Engineering)
User: npatel (Neha Patel, Engineer)
Time: 14:10-14:15 EST
Process …

T1195 – Supply Chain Compromise (GitHub Detection)

GitHub Alert Details
Alert ID: GITHUB-SUPPLY-CHAIN-7842
Alert Time: 2024-02-12 10:45:22 EST
Severity: CRITICAL (95/100)
Source: GitHub Advanced Security
Rule: “Compromised Maintainer Account – Malicious Commit”
MITRE ATT&CK: T1195 – Supply Chain Compromise
Alert Details:
Repository: company/internal-toolkit (Private)
Action: Malicious commit detected
Commit Details:
– Commit Hash: 8f7e6d5c4b3a2a1b9c8d7e6f5a4b3c2d1e0f9a8b
– Author: “jsmith” (John Smith – Legitimate maintainer) …

T1598 – Phishing for Information (Proofpoint Detection)

Proofpoint Alert Details
Alert ID: PROOFPOINT-PHISH-INFO-7842
Alert Time: 2024-02-10 10:15:22 EST
Severity: HIGH (82/100)
Source: Proofpoint Targeted Attack Protection (TAP)
Rule: “Credential Phishing Attempt Detected”
MITRE ATT&CK: T1598 – Phishing for Information
Alert Details:
Email Analysis Report:
Sender: noreply@adp-payroll[.]net
Reply-To: support@payroll-verify[.]com
Subject: “ACTION REQUIRED: Your Q1 Payroll Statement Requires Verification”
Recipients: 47 employees (Finance, HR, …

T1583 – Acquire Infrastructure (Passive DNS Detection)

Passive DNS Alert Details
Alert ID: PDNS-INFRA-ACQUIRE-7842
Alert Time: 2024-02-09 08:15:33 EST
Severity: HIGH (75/100)
Source: Farsight Security DNSDB (Passive DNS)
Rule: “New Domains Registered with Company Name Pattern”
MITRE ATT&CK: T1583 – Acquire Infrastructure
Alert Details:
Passive DNS Discovery: Newly registered domains matching company naming patterns
Domain 1: company-secure-login[.]com
– Registrar: Namecheap
– Registration …