T1550.002 – Pass the Hash (Microsoft Defender for Identity Detection)

Microsoft Defender for Identity Alert Details
Alert ID: MDI-PASS-HASH-1550-7842
Alert Time: 2024-03-12 09:30:15 EST
Severity: CRITICAL (98/100)
Source: Microsoft Defender for Identity
Rule: “Pass-the-Hash Attack Detected”
MITRE ATT&CK: T1550.002 – Use Alternate Authentication Material: Pass the Hash
Alert Details:
Detection: NTLM authentication using hash instead of password (Pass-the-Hash)
Source Host: 192.168.45.78 (ENG-WS-045 – Engineering Workstation)
…

T1550.003 – Pass the Ticket (CrowdStrike Detection)

CrowdStrike Alert Details
Alert ID: CS-PASS-TICKET-1550-7842
Alert Time: 2024-03-12 14:15:33 EST
Severity: CRITICAL (97/100)
Source: CrowdStrike Falcon EDR
Rule: “Kerberos Ticket Replay – Potential Pass-the-Ticket”
MITRE ATT&CK: T1550.003 – Use Alternate Authentication Material: Pass the Ticket
Alert Details:
Detection: Kerberos ticket from unusual source IP used for authentication
Event Details:
User: kwilson@company.com (Karen Wilson, Finance …

T1071.001 – Web Protocols C2 Beaconing (Zscaler Detection)

Zscaler Alert Details
Alert ID: ZSCALER-C2-WEB-1071-7842
Alert Time: 2024-03-12 11:30:22 EST
Severity: HIGH (85/100)
Source: Zscaler Internet Access (ZIA)
Rule: “Beaconing to Suspicious Domain – Potential C2”
MITRE ATT&CK: T1071.001 – Application Layer Protocol: Web Protocols
Alert Details:
Detection: Periodic HTTPS connections to suspicious domain (beaconing)
User: alexchen@company.com (Alex Chen, Engineer)
Source IP: 192.168.45.78 (ENG-WS-045)
…
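The "periodic connections to one domain" pattern the ZIA rule describes can be checked directly against proxy logs: group requests by (source, destination), look at the gaps between consecutive requests, and flag pairs whose gaps are nearly constant. The block below is an added example, not code from this page or from Zscaler. The log layout, the host 192.168.45.78, the domain cdn-update.example.net, and the thresholds are assumptions chosen for illustration; the sample log is constructed.

```python
"""Beacon detector over constructed proxy log lines (T1071.001).

Added example; not code from the original page or from Zscaler. The log
layout, hosts, the domain cdn-update.example.net and all thresholds are
assumptions chosen for illustration.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: "date time src_ip dst_host http_status".
# One host talks to cdn-update.example.net roughly every 60 s, with a
# second or two of jitter, in between ordinary browsing.
SAMPLE_PROXY_LOG = """\
2024-03-12 11:00:02 192.168.45.78 cdn-update.example.net 200
2024-03-12 11:00:05 192.168.45.78 www.microsoft.com 200
2024-03-12 11:01:02 192.168.45.78 cdn-update.example.net 200
2024-03-12 11:02:03 192.168.45.78 cdn-update.example.net 200
2024-03-12 11:02:40 192.168.45.78 www.github.com 200
2024-03-12 11:03:02 192.168.45.78 cdn-update.example.net 200
2024-03-12 11:04:01 192.168.45.78 cdn-update.example.net 200
2024-03-12 11:05:02 192.168.45.78 cdn-update.example.net 200
2024-03-12 11:06:02 192.168.45.78 cdn-update.example.net 200
2024-03-12 11:07:03 192.168.45.78 cdn-update.example.net 200
2024-03-12 11:09:15 192.168.45.78 www.microsoft.com 200
2024-03-12 11:30:01 192.168.45.78 www.microsoft.com 200
2024-03-12 11:31:45 192.168.45.78 www.microsoft.com 200
"""


def parse_proxy_log(text):
    """Yield (timestamp, src_ip, dst_host) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        day, clock, src, dst, _status = line.split()
        yield datetime.fromisoformat(f"{day} {clock}"), src, dst


def find_beacons(text, min_hits=6, max_cv=0.15):
    """Return [(src, dst, mean_gap_seconds, cv)] for (src, dst) pairs whose
    inter-request gaps are nearly constant. cv is the coefficient of
    variation (population std dev / mean) of the gaps: human browsing
    usually scores well above 1, a fixed-interval beacon close to 0."""
    by_pair = defaultdict(list)
    for ts, src, dst in parse_proxy_log(text):
        by_pair[(src, dst)].append(ts)
    beacons = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_hits:          # too few samples to judge periodicity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            beacons.append((src, dst, round(mean, 1), round(cv, 3)))
    return beacons


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_PROXY_LOG):
        print(hit)
```

The coefficient-of-variation test is deliberately loose: implants that add 20-30% random jitter still land at a cv around 0.1-0.2, so raise max_cv (and raise min_hits to compensate) rather than tighten it, and treat the result as a lead to be confirmed against the destination's reputation and the process that made the request, not as a verdict on its own.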

T1071.004 – DNS C2/Exfiltration (ExtraHop Detection)

ExtraHop Alert Details
Alert ID: EXTRAHOP-DNS-C2-1071-7842
Alert Time: 2024-03-12 16:30:45 EST
Severity: HIGH (88/100)
Source: ExtraHop Reveal(x)
Rule: “DNS Tunneling Detected – Potential C2 or Exfiltration”
MITRE ATT&CK: T1071.004 – Application Layer Protocol: DNS
Alert Details:
Detection: High volume of DNS queries with encoded subdomains – DNS tunneling
Source: 192.168.45.78 (ENG-WS-045 – Engineering)
DNS Server: …
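"Encoded subdomains" is measurable: tunnelled data shows up as long, high-entropy labels that are almost never repeated, all under one registered domain. The block below is an added example, not code from this page or from ExtraHop. It scores each (source, registered domain) pair on unique-label ratio, mean label length and mean Shannon entropy over constructed resolver log lines; the log layout, the domain xfer.example.net, the registered-domain heuristic and the thresholds are assumptions for illustration.

```python
"""DNS tunnelling detector over constructed resolver log lines (T1071.004).

Added example; not code from the original page or from ExtraHop. The log
layout, hosts, the domain xfer.example.net and all thresholds are
assumptions chosen for illustration.
"""
import math
from collections import defaultdict

# Constructed sample resolver log: "date time src_ip qname qtype".
# The TXT queries carry 30-character encoded chunks under one domain.
SAMPLE_DNS_LOG = """\
2024-03-12 16:20:01 192.168.45.78 www.microsoft.com A
2024-03-12 16:20:02 192.168.45.78 q7z3mk9pw2vx8ydn4tjb6rhc5lsf0g.xfer.example.net TXT
2024-03-12 16:20:04 192.168.45.78 8ydn4tjb6rhc5lsf0gq7z3mk9pw2vx.xfer.example.net TXT
2024-03-12 16:20:05 192.168.45.78 update.microsoft.com A
2024-03-12 16:20:06 192.168.45.78 c5lsf0gq7z3mk9pw2vx8ydn4tjb6rh.xfer.example.net TXT
2024-03-12 16:20:08 192.168.45.78 mk9pw2vx8ydn4tjb6rhc5lsf0gq7z3.xfer.example.net TXT
2024-03-12 16:20:09 192.168.45.78 www.microsoft.com A
2024-03-12 16:20:10 192.168.45.78 jb6rhc5lsf0gq7z3mk9pw2vx8ydn4t.xfer.example.net TXT
2024-03-12 16:20:12 192.168.45.78 0gq7z3mk9pw2vx8ydn4tjb6rhc5lsf.xfer.example.net TXT
2024-03-12 16:20:15 192.168.45.78 www.microsoft.com A
2024-03-12 16:20:20 192.168.45.78 update.microsoft.com A
2024-03-12 16:21:00 192.168.45.80 www.github.com A
"""


def shannon_entropy(text):
    """Bits per character of a string; 0.0 for a single repeated character."""
    if not text:
        return 0.0
    n = len(text)
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (subdomain_prefix, registered_domain).

    Assumes the registered domain is the last two labels. Production code
    should use the public suffix list so that names under e.g. 'co.uk'
    are grouped correctly."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_dns_tunnels(text, min_queries=5, min_unique_ratio=0.9,
                     min_prefix_len=20, min_entropy=3.5):
    """Return one dict per (src, registered_domain) pair that looks like a
    tunnel: enough queries, almost all with distinct prefixes, and prefixes
    that are long and high-entropy. Ordinary names (www, update, mail)
    fail on length, entropy and repetition."""
    groups = defaultdict(list)              # (src, registered_domain) -> [prefix, ...]
    for line in text.splitlines():
        if not line.strip():
            continue
        _day, _clock, src, qname, _qtype = line.split()
        prefix, domain = split_qname(qname)
        groups[(src, domain)].append(prefix)
    hits = []
    for (src, domain), prefixes in groups.items():
        n = len(prefixes)
        if n < min_queries:
            continue
        unique_ratio = len(set(prefixes)) / n
        mean_len = sum(len(p) for p in prefixes) / n
        mean_entropy = sum(shannon_entropy(p.replace(".", "")) for p in prefixes) / n
        if (unique_ratio >= min_unique_ratio and mean_len >= min_prefix_len
                and mean_entropy >= min_entropy):
            hits.append({"src": src, "domain": domain, "queries": n,
                         "unique_ratio": round(unique_ratio, 2),
                         "mean_prefix_len": round(mean_len, 1),
                         "mean_entropy": round(mean_entropy, 2)})
    return hits


if __name__ == "__main__":
    for hit in find_dns_tunnels(SAMPLE_DNS_LOG):
        print(hit)
```

Two caveats when running this on real resolver logs: CDN and anti-spam services legitimately generate long, hash-like labels under their own domains, so an allow-list of such registered domains is needed before the score is useful, and the volume dimension from the alert (queries per minute to one domain) should be added as a further condition, since a handful of odd lookups is far less significant than thousands.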

T1567.002 – Exfiltration to Cloud Storage (Zscaler Detection)

Zscaler Alert Details
Alert ID: ZSCALER-CLOUD-EXFIL-1567-7842
Alert Time: 2024-03-13 09:30:15 EST
Severity: CRITICAL (95/100)
Source: Zscaler Internet Access (ZIA) – Cloud App Control
Rule: “Sensitive Data Upload to Personal Cloud Storage”
MITRE ATT&CK: T1567.002 – Exfiltration Over Web Service: Exfiltration to Cloud Storage
Alert Details:
Detection: Large upload of sensitive files to personal Google Drive …

T1048.003 – Exfiltration Over Unencrypted/Non-Standard Protocol (Palo Alto Detection)

Palo Alto Alert Details
Alert ID: PAN-EXFIL-ALT-PROTO-1048-7842
Alert Time: 2024-03-12 10:30:22 EST
Severity: HIGH (85/100)
Source: Palo Alto Networks Firewall + WildFire
Rule: “Data Exfiltration over Non-Standard Port Detected”
MITRE ATT&CK: T1048.003 – Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Alert Details:
Detection: Large data transfer over TCP port 444 (not standard) to …

T1046 – Network Service Discovery (ExtraHop Detection)

ExtraHop Alert Details
Alert ID: EXTRAHOP-SERVICE-SCAN-1046-7842
Alert Time: 2024-02-24 11:30:22 EST
Severity: MEDIUM (72/100)
Source: ExtraHop Reveal(x)
Rule: “Internal Port Scan – Horizontal Movement Detected”
MITRE ATT&CK: T1046 – Network Service Discovery
Alert Details:
Detection: Horizontal port scan originating from internal host
Source Host: 192.168.45.78 (DEV-WS-045 – Engineering)
Time Window: 11:15-11:30 EST
Scan Pattern: TCP …

T1135 – Network Share Discovery (Splunk Detection)

Splunk Alert Details
Alert ID: SPLUNK-SHARE-DISCOVERY-1135-7842
Alert Time: 2024-02-24 16:30:45 EST
Severity: MEDIUM (68/100)
Source: Splunk Enterprise Security
Rule: “Multiple Network Share Enumeration Attempts”
MITRE ATT&CK: T1135 – Network Share Discovery
Alert Details:
Correlated Events: Windows Event ID 5140 (Network Share Object Accessed):
Time: 16:15-16:30 EST
Source Host: HR-WS-023 (HR Workstation)
User: kwilson@company.com (HR Generalist)
Target: \filesrv\ (multiple …
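The ExtraHop port-scan alert above (T1046, one source touching many hosts on one port inside a 15-minute window) and this Splunk share-enumeration alert (T1135, one user touching many shares inside a 15-minute window) are the same detection shape: the peak number of distinct targets an actor reaches inside a sliding window. The block below is an added example, not code from this page, ExtraHop or Splunk. It implements that sliding-window distinct count once and applies it to constructed flow records and constructed Event ID 5140 records; the record layouts, hosts, user names, share names and thresholds are all assumptions for illustration.

```python
"""Windowed-cardinality detections over constructed telemetry: a horizontal
port sweep (T1046) and network share enumeration via Event ID 5140 (T1135).

Added example; not the page's, ExtraHop's or Splunk's code. The flow-record
layout, the Windows event fields used, hosts, share names and thresholds
are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)


def peak_distinct_in_window(events, window=WINDOW):
    """events: [(datetime, value)]. Return (peak, start, end): the largest
    number of distinct values inside any sliding window of `window`, with
    the timestamps bounding that window. Two-pointer sweep over sorted events."""
    events = sorted(events)
    best, bounds, left = 0, (None, None), 0
    for right in range(len(events)):
        while events[right][0] - events[left][0] > window:
            left += 1
        distinct = len({v for _, v in events[left:right + 1]})
        if distinct > best:
            best, bounds = distinct, (events[left][0], events[right][0])
    return best, bounds[0], bounds[1]


# --- T1046: horizontal sweep = one source, one port, many destination hosts ---
# Constructed flow records: "date time src_ip dst_ip dst_port".
SAMPLE_FLOWS = "\n".join(
    [f"2024-02-24 11:{15 + i // 2:02d}:{(i % 2) * 30:02d} 192.168.45.78 10.10.20.{i + 1} 445"
     for i in range(24)]                                    # sweep of 24 hosts on 445
    + ["2024-02-24 11:16:10 192.168.45.78 10.0.0.5 443",    # ordinary HTTPS
       "2024-02-24 11:20:10 192.168.45.78 10.0.0.5 443",
       "2024-02-24 11:22:00 192.168.45.91 10.10.20.3 445",  # benign file-server use
       "2024-02-24 11:22:05 192.168.45.91 10.10.20.4 445"])


def find_port_sweeps(text, min_targets=10, window=WINDOW):
    """Flag (src, dst_port) pairs that reach >= min_targets distinct hosts in a window."""
    by_src_port = defaultdict(list)
    for line in text.splitlines():
        day, clock, src, dst, port = line.split()
        by_src_port[(src, int(port))].append((datetime.fromisoformat(f"{day} {clock}"), dst))
    hits = []
    for (src, port), evs in by_src_port.items():
        peak, start, end = peak_distinct_in_window(evs, window)
        if peak >= min_targets:
            hits.append({"src": src, "dport": port, "targets": peak,
                         "start": start.isoformat(sep=" "), "end": end.isoformat(sep=" ")})
    return hits


# --- T1135: share enumeration = one user/host touching many shares (Event ID 5140) ---
# Constructed Security-log events, already parsed to dicts with the fields used here.
SAMPLE_5140 = (
    [{"EventID": 5140, "TimeCreated": f"2024-02-24 16:{15 + i:02d}:00",
      "SubjectUserName": "kwilson", "IpAddress": "192.168.50.23",
      "ShareName": f"\\\\*\\{name}"}
     for i, name in enumerate(["IPC$", "Finance", "HR", "Payroll", "IT", "Legal",
                               "Backups", "Engineering", "Public", "Admin$", "C$"])]
    + [{"EventID": 5140, "TimeCreated": "2024-02-24 16:20:00",
        "SubjectUserName": "bturner", "IpAddress": "192.168.50.41",
        "ShareName": "\\\\*\\Finance"},
       {"EventID": 5140, "TimeCreated": "2024-02-24 16:25:00",
        "SubjectUserName": "bturner", "IpAddress": "192.168.50.41",
        "ShareName": "\\\\*\\Finance"}]
)


def find_share_enumeration(events, min_shares=8, window=WINDOW):
    """Flag (user, source IP) pairs that open >= min_shares distinct shares in a window."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 5140:
            continue
        by_actor[(ev["SubjectUserName"], ev["IpAddress"])].append(
            (datetime.fromisoformat(ev["TimeCreated"]), ev["ShareName"]))
    hits = []
    for (user, ip), evs in by_actor.items():
        peak, start, end = peak_distinct_in_window(evs, window)
        if peak >= min_shares:
            hits.append({"user": user, "ip": ip, "shares": peak,
                         "start": start.isoformat(sep=" "), "end": end.isoformat(sep=" ")})
    return hits


if __name__ == "__main__":
    print(find_port_sweeps(SAMPLE_FLOWS))
    print(find_share_enumeration(SAMPLE_5140))
```

The same helper, keyed on user and counting distinct file paths from Event ID 5145 (or from a file-server audit feed), is the shape of the Varonis mass-file-enumeration rule further down this list (T1083). In all three cases the threshold has to be learned from your own baseline: vulnerability scanners, backup agents and SCCM distribution points legitimately sweep ports and shares, so exclude those sources by identity rather than lowering the sensitivity for everyone.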

T1538 – Cloud Service Dashboard Discovery (Azure AD Detection)

Azure AD Alert Details
Alert ID: AAD-CLOUD-DASHBOARD-1538-7842
Alert Time: 2024-02-24 09:30:15 EST
Severity: HIGH (85/100)
Source: Azure AD Identity Protection + Cloud App Security
Rule: “Unusual Azure Portal Access – Privileged Account Reconnaissance”
MITRE ATT&CK: T1538 – Cloud Service Dashboard Discovery
Alert Details:
Detection: Privileged account accessing multiple Azure management areas from unusual location
User: …

T1083 – File and Directory Discovery (Varonis Detection)

Varonis Alert Details
Alert ID: VARONIS-FILE-DISCOVERY-1083-7842
Alert Time: 2024-02-24 14:15:33 EST
Severity: HIGH (82/100)
Source: Varonis Data Security Platform
Rule: “Mass File Enumeration – Potential Data Harvesting”
MITRE ATT&CK: T1083 – File and Directory Discovery
Alert Details:
Detection: User accessing unusually high number of files/folders across multiple shares
User: bturner@company.com (Brian Turner, Finance)
Source Host: …