lowqe - SOCJournal - Page 17 of 19

T1546 – Event Triggered Execution (Sysmon Detection)

May 31, 2026 by lowqe

Sysmon Alert Details Alert ID: SYSMON-EVENT-TRIGGER-1546-7842 Alert Time: 2024-02-16 10:30:15 EST Severity: HIGH (85/100) Source: Sysmon (Event ID 1 – Process Creation) Rule: “WMI Event Subscription – Suspicious Command Line” MITRE ATT&CK: T1546.003 – Event Triggered Execution: WMI Event Subscription Alert Details: Event ID: 1 (Process Creation) – WMI Event Subscription Time: 10:25 EST Host: … Read more

T1134 – Access Token Manipulation (CrowdStrike Detection)

May 31, 2026 by lowqe

CrowdStrike Alert Details Alert ID: CS-TOKEN-MANIP-1134-7842 Alert Time: 2024-02-17 09:30:22 EST Severity: CRITICAL (92/100) Source: CrowdStrike Falcon EDR Rule: “Access Token Manipulation – Privilege Escalation” MITRE ATT&CK: T1134.001 – Access Token Manipulation: Token Impersonation/Theft Alert Details: Detection: Process attempted to duplicate token of SYSTEM process for privilege escalation Host: IT-WS-078 (IT Department) User: bjones (Brian … Read more

T1548 – Abuse Elevation Control Mechanism (Microsoft Defender Detection)

May 31, 2026 by lowqe

Microsoft Defender Alert Details Alert ID: MD-UAC-BYPASS-1548-7842 Alert Time: 2024-02-17 14:15:33 EST Severity: HIGH (85/100) Source: Microsoft Defender for Endpoint Rule: “UAC Bypass Attempt Detected” MITRE ATT&CK: T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control Alert Details: Detection: Process attempted to bypass UAC using CMSTPLUA COM interface Host: FIN-WS-112 (Finance Department) User: jdoe … Read more

T1574 – Hijack Execution Flow (Sysmon Detection)

May 31, 2026 by lowqe

Sysmon Alert Details Alert ID: SYSMON-DLL-HIJACK-1574-7842 Alert Time: 2024-02-17 16:30:15 EST Severity: HIGH (88/100) Source: Sysmon (Event ID 7 – Image Loaded) Rule: “DLL Loaded from Unusual Path by Trusted Process” MITRE ATT&CK: T1574.001 – Hijack Execution Flow: DLL Search Order Hijacking Alert Details: Event ID: 7 (Image Loaded) Time: 16:25 EST Host: APP-SRV-045 (Application … Read more

T1068 – Exploitation for Privilege Escalation (Qualys Detection)

May 31, 2026 by lowqe

Qualys Alert Details Alert ID: QUALYS-EXPLOIT-1068-7842 Alert Time: 2024-02-17 11:30:45 EST Severity: CRITICAL (95/100) Source: Qualys Vulnerability Management + EDR Correlation Rule: “CVE-2024-1234 Exploit Attempt Detected” MITRE ATT&CK: T1068 – Exploitation for Privilege Escalation Alert Details: Vulnerability Context: – CVE: CVE-2024-1234 (Windows Kernel Privilege Escalation) – CVSS: 9.8 (Critical) – Affected Systems: Windows 10 21H2, … Read more

T1197 – BITS Jobs (CrowdStrike Detection)

May 31, 2026 by lowqe

CrowdStrike Alert Details Alert ID: CS-BITS-1197-7842 Alert Time: 2024-02-15 14:15:22 EST Severity: HIGH (82/100) Source: CrowdStrike Falcon EDR Rule: “Suspicious BITS Job Creation” MITRE ATT&CK: T1197 – BITS Jobs Alert Details: Detection: BITS job created for downloading payload from suspicious URL Host: DEV-WS-112 (Development Department) User: rpatel (Raj Patel, Developer) Time: 14:10 EST BITS Job … Read more

T1547 – Boot/Logon Autostart Execution (Sysmon Detection)

May 31, 2026 by lowqe

Sysmon Alert Details Alert ID: SYSMON-AUTOSTART-1547-7842 Alert Time: 2024-02-15 16:30:45 EST Severity: HIGH (85/100) Source: Sysmon (Event ID 13 – Registry Value Set) Rule: “Registry Run Key Modification by Suspicious Process” MITRE ATT&CK: T1547.001 – Boot/Logon Autostart Execution: Registry Run Keys Alert Details: Event ID: 13 (Registry Value Set) Time: 16:25 EST Host: FIN-WS-034 (Finance … Read more

T1098 – Account Manipulation (Microsoft Defender for Identity Detection)

May 31, 2026 by lowqe

Microsoft Defender for Identity Alert Details Alert ID: MDI-ACCT-MANIP-1098-7842 Alert Time: 2024-02-15 11:45:33 EST Severity: CRITICAL (95/100) Source: Microsoft Defender for Identity Rule: “Suspicious Service Account Modification” MITRE ATT&CK: T1098 – Account Manipulation Alert Details: Detection: Service account added to Domain Admins group Account: svc_sql_backup (SQL Backup Service Account) Action: Added to “Domain Admins” group … Read more

T1609 – Container Administration Command (Aqua Detection)

May 31, 2026 by lowqe

Aqua Alert Details Alert ID: AQUA-CONTAINER-ADMIN-1609-7842 Alert Time: 2024-02-13 14:30:22 EST Severity: HIGH (85/100) Source: Aqua Security Cloud Native Protection Rule: “Unauthorized kubectl exec into Production Container” MITRE ATT&CK: T1609 – Container Administration Command Alert Details: Detection: kubectl exec command executed in production environment Cluster: prod-eks-cluster-01 Namespace: payment-processing Pod: payment-api-v2-7d8f9c4d5-abcde Container: api Time: 14:28 EST … Read more

T1059 – Command & Scripting Interpreter (CrowdStrike Detection)

May 31, 2026 by lowqe

CrowdStrike Alert Details Alert ID: CS-POWERSHELL-1059-7842 Alert Time: 2024-02-13 10:22:15 EST Severity: HIGH (88/100) Source: CrowdStrike Falcon EDR Rule: “Suspicious PowerShell Command Line – Encoded Execution” MITRE ATT&CK: T1059.001 – Command & Scripting Interpreter: PowerShell Alert Details: Detection: PowerShell executed with encoded command and hidden window Host: FIN-WS-045 (Finance Department) User: bturner (Brian Turner, Accountant) … Read more