T1497.001 – System Checks (Sandbox Evasion) – FortiSandbox Detection

FortiSandbox Alert Details Alert ID: FORTI-SANDBOX-EVASION-1497-7842 Alert Time: 2024-03-05 10:30:22 EST Severity: HIGH (88/100) Source: Fortinet FortiSandbox Rule: “Sandbox Evasion Techniques Detected – System Checks” MITRE ATT&CK: T1497.001 – System Checks (Virtualization/Sandbox Evasion) Alert Details: File Analysis Report: File Name: invoice_7842.docm (email attachment) File Size: 2.4 MB SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4 Source: Email to finance@company.com Submission Time: 10:15 EST Sandbox Behavior …

T1222 – File and Directory Permissions Modification (Sysmon Detection)

Sysmon Alert Details Alert ID: SYSMON-PERM-MOD-1222-7842 Alert Time: 2024-03-05 11:30:22 EST Severity: HIGH (85/100) Source: Sysmon (Event ID 13 – Registry Value Set, Event ID 1 – Process Creation) Rule: “File Permissions Modification via icacls/cacls” MITRE ATT&CK: T1222.001 – File and Directory Permissions Modification: Windows File and Directory Permissions Modification Alert Details: Detection: Mass modification …

T1561 – Disk Wipe (Carbon Black Detection)

Carbon Black Alert Details Alert ID: CB-DISK-WIPE-1561-7842 Alert Time: 2024-03-05 16:30:45 EST Severity: CRITICAL (99/100) Source: VMware Carbon Black Cloud Rule: “Disk Wiping Activity Detected – Raw Disk Access” MITRE ATT&CK: T1561.001 – Disk Wipe: Disk Content Wipe Alert Details: Detection: Process overwriting disk sectors with raw write access Host: SQL-SRV-01 (Primary SQL Server) User: …

T1573 – Encrypted Channel (Blue Coat Detection)

Blue Coat Alert Details Alert ID: BLUECOAT-ENCRYPTED-1573-7842 Alert Time: 2024-02-29 09:30:15 EST Severity: HIGH (85/100) Source: Blue Coat ProxySG (Symantec Web Security Service) Rule: “Anomalous TLS Traffic – Custom Cipher Suite Detected” MITRE ATT&CK: T1573.001 – Encrypted Channel: Symmetric Cryptography Alert Details: Detection: TLS traffic using non-standard cipher suite to suspicious destination User: rpatel@company.com (Raj …

T1537 – Transfer Data to Cloud Account (AWS GuardDuty Detection)

AWS GuardDuty Alert Details Alert ID: GUARDDUTY-CLOUD-EXFIL-1537-7842 Alert Time: 2024-03-02 10:30:22 EST Severity: CRITICAL (98/100) Source: AWS GuardDuty Rule: “Data Exfiltration to External AWS Account Detected” MITRE ATT&CK: T1537 – Transfer Data to Cloud Account Alert Details: Detection: Large data transfer from corporate S3 bucket to external AWS account Source: corporate-data-bucket (S3) Source Account: 123456789012 …

T1020 – Automated Exfiltration (Varonis Detection)

Varonis Alert Details Alert ID: VARONIS-AUTO-EXFIL-1020-7842 Alert Time: 2024-03-03 09:30:15 EST Severity: CRITICAL (95/100) Source: Varonis Data Security Platform Rule: “Automated Data Collection Script Detected – Potential Mass Exfiltration” MITRE ATT&CK: T1020 – Automated Exfiltration Alert Details: Detection: PowerShell script automatically collecting and exfiltrating data at regular intervals User: kwilson@company.com (Karen Wilson, Finance Manager) Host: …

T1071 – Application Layer Protocol (Zscaler Detection)

Zscaler Alert Details Alert ID: ZSCALER-C2-1071-7842 Alert Time: 2024-02-28 16:30:45 EST Severity: HIGH (88/100) Source: Zscaler Internet Access (ZIA) Rule: “Beaconing to Suspicious Domain – Potential C2” MITRE ATT&CK: T1071.001 – Application Layer Protocol: Web Protocols Alert Details: Detection: Periodic HTTPS connections to suspicious domain User: rpatel@company.com (Raj Patel, Engineer) Source IP: 192.168.45.78 (ENG-WS-045) Destination: …

T1090 – Proxy (ExtraHop Detection)

ExtraHop Alert Details Alert ID: EXTRAHOP-PROXY-1090-7842 Alert Time: 2024-02-28 10:30:22 EST Severity: HIGH (85/100) Source: ExtraHop Reveal(x) Rule: “Internal Host Acting as Proxy – Traffic Relaying Detected” MITRE ATT&CK: T1090.001 – Proxy: Connection Proxy Alert Details: Detection: Internal host relaying traffic to external destination Proxy Host: 192.168.45.78 (ENG-WS-045 – Engineering) Client Host: 192.168.45.112 (SALES-WS-023 – …

T1560 – Archive Collected Data (Sysmon Detection)

Sysmon Alert Details Alert ID: SYSMON-ARCHIVE-1560-7842 Alert Time: 2024-02-28 11:30:22 EST Severity: HIGH (85/100) Source: Sysmon (Event ID 1 – Process Creation, Event ID 11 – FileCreate) Rule: “Archive Creation of Multiple Files – Potential Exfiltration Prep” MITRE ATT&CK: T1560.001 – Archive Collected Data: Archive via Utility Alert Details: Detection: Process creating archive containing many …

T1074 – Data Staged (Sysmon Detection)

Sysmon Alert Details Alert ID: SYSMON-DATA-STAGED-1074-7842 Alert Time: 2024-02-28 14:15:33 EST Severity: HIGH (85/100) Source: Sysmon (Event ID 11 – FileCreate) Rule: “Mass File Copy to Staging Directory” MITRE ATT&CK: T1074.001 – Data Staged: Local Data Staging Alert Details: Detection: Large number of files copied to a staging directory Host: ENG-WS-045 (Engineering Workstation) User: alexchen@company.com …