Analysis - SOCJournal

T1074 – Data Staged (Sysmon Detection)

May 31, 2026 by lowqe

Sysmon Alert Details Alert ID: SYSMON-DATA-STAGED-1074-7842 Alert Time: 2024-02-28 14:15:33 EST Severity: HIGH (85/100) Source: Sysmon (Event ID 11 – FileCreate) Rule: “Mass File Copy to Staging Directory” MITRE ATT&CK: T1074.001 – Data Staged: Local Data Staging Alert Details: Detection: Large number of files copied to a staging directory Host: ENG-WS-045 (Engineering Workstation) User: alexchen@company.com … Read more

T1123 – Audio Capture (Microsoft Defender Detection)

May 31, 2026 by lowqe

Microsoft Defender Alert Details Alert ID: MD-AUDIO-CAPTURE-1123-7842 Alert Time: 2024-02-27 16:30:45 EST Severity: HIGH (88/100) Source: Microsoft Defender for Endpoint Rule: “Microphone Access by Suspicious Process” MITRE ATT&CK: T1123 – Audio Capture Alert Details: Detection: Process accessing microphone without user interaction Host: CONF-ROOM-001 (Conference Room PC) User: SYSTEM (no user logged in) Time: 16:15-16:30 EST … Read more

T1125 – Video Capture (CrowdStrike Detection)

May 31, 2026 by lowqe

CrowdStrike Alert Details Alert ID: CS-VIDEO-CAPTURE-1125-7842 Alert Time: 2024-02-27 10:30:22 EST Severity: HIGH (85/100) Source: CrowdStrike Falcon EDR Rule: “Webcam Access by Suspicious Process” MITRE ATT&CK: T1125 – Video Capture Alert Details: Detection: Process accessing webcam without user interaction Host: EXEC-WS-002 (CFO’s Laptop) User: kwilson@company.com (Karen Wilson, CFO) Time: 10:15-10:30 EST Process Details: Process: C:\Users\kwilson\AppData\Local\Temp\webcam_capture.exe … Read more

T1113 – Screen Capture (CrowdStrike Detection)

May 31, 2026 by lowqe

CrowdStrike Alert Details Alert ID: CS-SCREEN-CAPTURE-1113-7842 Alert Time: 2024-02-27 11:30:22 EST Severity: HIGH (85/100) Source: CrowdStrike Falcon EDR Rule: “Screen Capture Activity Detected – Potential Surveillance” MITRE ATT&CK: T1113 – Screen Capture Alert Details: Detection: Process capturing screenshots repeatedly Host: EXEC-WS-001 (CEO’s Laptop) User: cjohnson@company.com (CEO) Time: 11:15-11:30 EST Process Details: Process: C:\Windows\Temp\capture.exe (PID: 4789)SHA256: … Read more

T1105 – Ingress Tool Transfer (Cisco Umbrella Detection)

May 31, 2026 by lowqe

Cisco Umbrella Alert Details Alert ID: UMBRELLA-TOOL-TRANSFER-1105-7842 Alert Time: 2024-02-29 14:15:33 EST Severity: HIGH (88/100) Source: Cisco Umbrella Secure Internet Gateway Rule: “Malicious File Download Blocked – Known Malware” MITRE ATT&CK: T1105 – Ingress Tool Transfer Alert Details: Detection: Attempt to download known malicious executable blocked User: bturner@company.com (Brian Turner, Finance) Source IP: 192.168.45.112 (FIN-WS-078) … Read more

T1571 – Non-Application Layer Protocol (Darktrace Detection)

May 31, 2026 by lowqe

Darktrace Alert Details Alert ID: DARKTRACE-NON-STANDARD-1571-7842 Alert Time: 2024-02-29 11:30:22 EST Severity: HIGH (85/100) Source: Darktrace Enterprise Immune System Rule: “Non-Standard Protocol over Common Port – Potential Tunneling” MITRE ATT&CK: T1571 – Non-Application Layer Protocol Alert Details: Detection: Non-HTTP traffic detected over port 443 (HTTPS port) Source: 192.168.45.78 (ENG-WS-045 – Engineering) Destination: 194.165.16[.]89:443 Time: 11:15-11:30 … Read more

T1132 – Data Encoding (Zeek Detection)

May 31, 2026 by lowqe

Zeek Alert Details Alert ID: ZEEK-DATA-ENCODING-1132-7842 Alert Time: 2024-02-29 10:30:22 EST Severity: HIGH (85/100) Source: Zeek (Bro) Network Security Monitor Rule: “Base64-Encoded Data in HTTP Requests – Potential Data Exfiltration” MITRE ATT&CK: T1132.001 – Data Encoding: Standard Encoding Alert Details: Detection: HTTP traffic containing large amounts of base64-encoded data Source: 192.168.45.78 (ENG-WS-045 – Engineering) Destination: … Read more

T1567 – Exfiltration Over Web Service (Zscaler Detection)

May 31, 2026 by lowqe

Zscaler Alert Details Alert ID: ZSCALER-WEB-EXFIL-1567-7842 Alert Time: 2024-03-02 11:30:22 EST Severity: HIGH (85/100) Source: Zscaler Internet Access (ZIA) Rule: “Large Upload to Cloud Storage – Potential Data Exfiltration” MITRE ATT&CK: T1567.002 – Exfiltration Over Web Service: Exfiltration to Cloud Storage Alert Details: Detection: Large file upload to Google Drive from internal user User: kwilson@company.com … Read more

T1029 – Scheduled Transfer (Darktrace Detection)

May 31, 2026 by lowqe

Darktrace Alert Details Alert ID: DARKTRACE-SCHEDULED-EXFIL-1029-7842 Alert Time: 2024-03-02 16:30:45 EST Severity: HIGH (85/100) Source: Darktrace Enterprise Immune System Rule: “Regular Scheduled Data Transfer – Potential Exfiltration” MITRE ATT&CK: T1029 – Scheduled Transfer Alert Details: Detection: Regular, scheduled data transfers to external IP every 24 hours Source: 192.168.45.78 (ENG-WS-045 – Engineering) Destination: 185.143.221[.]89:443 Pattern: Daily … Read more

T1048 – Exfiltration Over Alternative Protocol (Zeek Detection)

May 31, 2026 by lowqe

Zeek Alert Details Alert ID: ZEEK-EXFIL-ALT-PROTO-1048-7842 Alert Time: 2024-03-02 14:15:33 EST Severity: HIGH (88/100) Source: Zeek Network Security Monitor Rule: “Large Data Transfer over DNS – Potential DNS Tunneling” MITRE ATT&CK: T1048.003 – Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Alert Details: Detection: Large volume of DNS queries with encoded data – DNS … Read more