T1486 – Data Encrypted for Impact (CrowdStrike Detection)

CrowdStrike Alert Details
Alert ID: CS-RANSOMWARE-1486-7842
Alert Time: 2024-03-03 11:30:22 EST
Severity: CRITICAL (99/100)
Source: CrowdStrike Falcon EDR
Rule: “Ransomware Behavior Detected – Mass File Encryption”
MITRE ATT&CK: T1486 – Data Encrypted for Impact
Alert Details:
Detection: Process encrypting multiple files and appending .locked extension
Host: ENG-WS-045 (Engineering Workstation)
User: rpatel@company.com (Raj Patel, Engineer)
Time: …

T1485 – Data Destruction (Sysmon Detection)

Sysmon Alert Details
Alert ID: SYSMON-DATA-DESTROY-1485-7842
Alert Time: 2024-03-03 14:15:33 EST
Severity: CRITICAL (98/100)
Source: Sysmon (Event ID 11 – FileCreate, Event ID 23 – FileDelete)
Rule: “Mass File Deletion Detected – Potential Data Destruction”
MITRE ATT&CK: T1485 – Data Destruction
Alert Details:
Detection: Mass file deletion from critical file server
Host: FILESRV-01 (Primary File …

T1531 – Account Access Removal (Azure AD Detection)

Azure AD Alert Details
Alert ID: AAD-ACCOUNT-REMOVAL-1531-7842
Alert Time: 2024-03-05 09:30:15 EST
Severity: CRITICAL (98/100)
Source: Azure AD Identity Protection + Audit Logs
Rule: “Mass Account Disable/Deletion Detected”
MITRE ATT&CK: T1531 – Account Access Removal
Alert Details:
Detection: Bulk disabling/deletion of user accounts in Azure AD
Time: 09:15-09:30 EST
Action Performed By: jwilson@company.com (Global Administrator) …

T1529 – System Shutdown/Reboot (Splunk Detection)

Splunk Alert Details
Alert ID: SPLUNK-SHUTDOWN-1529-7842
Alert Time: 2024-03-05 14:15:33 EST
Severity: HIGH (85/100)
Source: Splunk Enterprise Security
Rule: “Multiple System Shutdowns Detected – Potential DoS”
MITRE ATT&CK: T1529 – System Shutdown/Reboot
Alert Details:
Correlated Events: Windows Event ID 1074 (System Shutdown):
Time: 14:00-14:15 EST
Hosts: 12 servers (list below)
User: SYSTEM (via script)
Reason: “Other (Unplanned)”
Shutdown Type: …
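The four impact alerts above (T1486 mass encryption, T1485 mass deletion, T1531 bulk account disable, T1529 multi-host shutdown) are all instances of the same correlation shape: many distinct targets touched by one actor inside a short time window. The following is an added example written for this page, not code from any of the detection vendors or from the original posts. It normalises constructed sample events (the host and account names follow the alerts; process identifiers, file paths, counts, thresholds and window sizes are invented) into one flat record shape and runs a generic sliding-window rule over them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

def _ts(s):
    return datetime.strptime(s, FMT)

def _at(base, offset_s):
    """Timestamp string `offset_s` seconds after `base` (used to build samples)."""
    return (_ts(base) + timedelta(seconds=offset_s)).strftime(FMT)

def ev(ts, host, actor, action, target, **extra):
    return dict(ts=ts, host=host, actor=actor, action=action, target=target, **extra)

# Constructed sample telemetry (not from the original alerts), already reduced to
# the fields a SIEM would carry after parsing Sysmon / Security / Azure AD audit logs.
EVENTS = (
    # T1486: one process (pid is invented) renames many files to .locked in seconds
    [ev(_at("2024-03-03 11:29:50", 3 * i), "ENG-WS-045", "ENG-WS-045/pid4412",
        "file_rename", f"C:\\Users\\rpatel\\Documents\\report{i}.docx.locked") for i in range(8)]
    # benign: a backup tool renaming two files to .bak must not fire the rule
    + [ev(_at("2024-03-03 11:29:55", 10 * i), "ENG-WS-045", "ENG-WS-045/backup.exe",
          "file_rename", f"C:\\Users\\rpatel\\Documents\\old{i}.xlsx.bak") for i in range(2)]
    # T1485: mass delete on the file server (Sysmon Event ID 23 equivalent)
    + [ev(_at("2024-03-03 14:14:00", 2 * i), "FILESRV-01", "FILESRV-01/pid9120",
          "file_delete", f"D:\\Shares\\Finance\\Q1\\ledger{i}.xlsx") for i in range(50)]
    # T1531: one Global Administrator disables many accounts in a quarter hour
    + [ev(_at("2024-03-05 09:15:00", 60 * i), "AzureAD", "jwilson@company.com",
          "account_disable", f"user{i}@company.com") for i in range(12)]
    # benign: HR offboarding a single leaver
    + [ev("2024-03-05 09:20:00", "AzureAD", "hr-admin@company.com",
          "account_disable", "leaver@company.com")]
    # T1529: Event ID 1074 shutdowns on 12 servers, reason "Other (Unplanned)"
    + [ev(_at("2024-03-05 14:00:00", 75 * i), f"SRV-{i:02d}", "SYSTEM", "shutdown",
          f"SRV-{i:02d}", reason="Other (Unplanned)") for i in range(12)]
)

def burst_detect(events, action, group_by, count_by, threshold, window_s,
                 where=lambda e: True):
    """Generic 'many X by one Y in a short window' rule.

    Events with `action` that pass `where` are grouped by `group_by` (the process,
    account or principal doing the work). A window of `window_s` seconds slides over
    each group's timeline; the rule fires once per group the first time the number
    of distinct `count_by` values inside the window reaches `threshold`.
    """
    groups = defaultdict(list)
    for e in events:
        if e["action"] == action and where(e):
            groups[e[group_by]].append((_ts(e["ts"]), e[count_by]))
    window = timedelta(seconds=window_s)
    hits = []
    for group, rows in groups.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # drop the oldest rows until rows[start..end] all fit in the window
            while rows[end][0] - rows[start][0] > window:
                start += 1
            distinct = {target for _, target in rows[start:end + 1]}
            if len(distinct) >= threshold:
                hits.append(dict(group=group, count=len(distinct),
                                 first=rows[start][0].strftime("%H:%M:%S"),
                                 last=rows[end][0].strftime("%H:%M:%S")))
                break
    return hits

# Thresholds and windows are assumptions for illustration; tune them per environment.
RULES = {
    "T1486 mass encryption (.locked)": dict(
        action="file_rename", group_by="actor", count_by="target", threshold=5, window_s=60,
        where=lambda e: e["target"].lower().endswith(".locked")),
    "T1485 mass deletion on file server": dict(
        action="file_delete", group_by="actor", count_by="target", threshold=25, window_s=300,
        where=lambda e: e["host"].startswith("FILESRV")),
    "T1531 bulk account disable": dict(
        action="account_disable", group_by="actor", count_by="target", threshold=5, window_s=900),
    "T1529 multi-host unplanned shutdown": dict(
        action="shutdown", group_by="actor", count_by="host", threshold=5, window_s=900,
        where=lambda e: e.get("reason") == "Other (Unplanned)"),
}

def run_rules(events=EVENTS):
    return {name: burst_detect(events, **params) for name, params in RULES.items()}

if __name__ == "__main__":
    for name, hits in run_rules().items():
        for h in hits:
            print(f"{name}: {h['group']} -> {h['count']} distinct in {h['first']}-{h['last']}")
```

Two caveats worth carrying into a real rule: the T1529 variant keys on `SYSTEM` plus the "Other (Unplanned)" reason code because scheduled patch reboots also run as SYSTEM across many hosts, so a maintenance-window suppression belongs next to it; and the T1486 variant keys on the renamed target, not the process image name, because a ransomware binary can masquerade as anything, whereas the rename-to-new-extension pattern is what the technique cannot avoid.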

T1055.012 – Process Hollowing (CrowdStrike Detection)

CrowdStrike Alert Details
Alert ID: CS-PROCESS-HOLLOW-1055-7842
Alert Time: 2024-03-07 09:30:15 EST
Severity: CRITICAL (98/100)
Source: CrowdStrike Falcon EDR
Rule: “Process Hollowing Detected – Code Injection into Suspended Process”
MITRE ATT&CK: T1055.012 – Process Injection: Process Hollowing
Alert Details:
Detection: Legitimate process created in suspended state, memory unmapped, and replaced with malicious code
Source Host: FIN-WS-078 …

T1112 – Modify Registry (Sysmon Detection)

Sysmon Alert Details
Alert ID: SYSMON-REG-MOD-1112-7842
Alert Time: 2024-03-07 14:15:33 EST
Severity: HIGH (85/100)
Source: Sysmon (Event ID 13 – Registry Value Set)
Rule: “Suspicious Registry Modification – Run Key”
MITRE ATT&CK: T1112 – Modify Registry
Alert Details:
Detection: Multiple registry modifications for persistence and configuration changes
Host: ENG-WS-045 (Engineering Workstation)
User: alexchen@company.com (Alex Chen, …

T1055.003 – Thread Execution Hijacking (CrowdStrike Detection)

CrowdStrike Alert Details
Alert ID: CS-THREAD-HIJACK-1055-7842
Alert Time: 2024-03-06 16:30:45 EST
Severity: CRITICAL (96/100)
Source: CrowdStrike Falcon EDR
Rule: “Thread Hijacking Detected – APC Injection Variation”
MITRE ATT&CK: T1055.003 – Process Injection: Thread Execution Hijacking
Alert Details:
Detection: Attacker suspended a thread and redirected its execution
Source Host: HR-WS-023 (HR Workstation)
User: kwilson@company.com (Karen Wilson, …

T1055.004 – Asynchronous Procedure Call Injection (CrowdStrike Detection)

CrowdStrike Alert Details
Alert ID: CS-APC-INJECT-1055-7842
Alert Time: 2024-03-06 10:30:22 EST
Severity: CRITICAL (95/100)
Source: CrowdStrike Falcon EDR
Rule: “APC Injection Detected – QueueUserAPC to Alertable Thread”
MITRE ATT&CK: T1055.004 – Process Injection: Asynchronous Procedure Call
Alert Details:
Detection: APC (Asynchronous Procedure Call) queued to thread in another process
Source Host: DEV-WS-089 (Development Workstation)
User: …

T1055.001 – Dynamic-link Library Injection (CrowdStrike Detection)

CrowdStrike Alert Details
Alert ID: CS-DLL-INJECT-1055-7842
Alert Time: 2024-03-06 14:15:33 EST
Severity: CRITICAL (96/100)
Source: CrowdStrike Falcon EDR
Rule: “DLL Injection Detected – LoadLibrary Remote Thread”
MITRE ATT&CK: T1055.001 – Process Injection: Dynamic-link Library Injection
Alert Details:
Detection: Process forcing target process to load malicious DLL
Source Host: ENG-WS-045 (Engineering Workstation)
User: alexchen@company.com (Alex Chen, …

T1055.002 – Portable Executable Injection (CrowdStrike Detection)

CrowdStrike Alert Details
Alert ID: CS-PE-INJECT-1055-7842
Alert Time: 2024-03-06 11:30:22 EST
Severity: CRITICAL (97/100)
Source: CrowdStrike Falcon EDR
Rule: “PE Injection Detected – Executable Code in Remote Process”
MITRE ATT&CK: T1055.002 – Process Injection: Portable Executable Injection
Alert Details:
Detection: Malicious PE file injected into memory of legitimate process
Source Host: SALES-WS-023 (Sales Workstation)
User: …