T1596 – Search Open Technical Databases (Shodan Detection)

Shodan Alert Details Alert ID: SHODAN-EXPOSED-ASSETS-7842 Alert Time: 2024-02-09 14:15:33 EST Severity: HIGH (85/100) Source: Shodan Monitor Rule: “New Exposed Asset Detected – Critical Infrastructure” MITRE ATT&CK: T1596 – Search Open Technical Databases Alert Details: Asset Discovery: New publicly exposed asset detected on Shodan IP Address: 203.0.113.142 Hostname: dev-gateway.company.com Ports Open: – 22: SSH (OpenSSH …

T1593 – Search Open Websites/Domains (Brand Monitoring Detection)

Brand Monitoring Alert Details Alert ID: BRAND-OPENWEB-7842 Alert Time: 2024-02-09 11:30:45 EST Severity: MEDIUM (68/100) Source: ZeroFox Brand Protection Platform Rule: “Impersonating Social Media Account Detected” MITRE ATT&CK: T1593 – Search Open Websites/Domains Alert Details: Finding Type: Impersonation/Squatting Detection Platform: Twitter/X Account: @CompanySupport_US Created: 2024-02-08 Followers: 47 Following: 12 Tweets: 8 Account Content: – Profile …

T1595 – Active Scanning (Palo Alto Detection)

Palo Alto Alert Details Alert ID: PAN-THREAT-78945-ACTIVESCAN Alert Time: 2024-02-08 09:15:22 EST Severity: MEDIUM (65/100) Source: Palo Alto Networks Threat Prevention Logs Rule: “Reconnaissance – Port Scan Detected” MITRE ATT&CK: T1595.001 – Active Scanning: Scanning IP Blocks (Port Scan) Alert Details: Threat Type: Port Scan Application: nmap / masscan Direction: External to Internal Source IP: 203.0.113.89 (DigitalOcean – Singapore) Destination Range: Internal IP …
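The rule behind this alert counts how many distinct destination ports (or host/port pairs) one source touches inside a short window. The following is an added example of that logic run over constructed firewall log lines; it is not code from the original post or from Palo Alto Networks, and the log format, field names, 60-second window and 20-port threshold are assumptions chosen for illustration. It also includes a slow scanner that stays under the window, since that is the usual evasion against this kind of rule.

```python
"""Port-scan heuristic (T1595.001) over constructed firewall log lines.

Added example; not from the original post or from Palo Alto Networks.
Log format, field names, window and threshold are assumptions.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def _line(ts, src, dst, dport, action="deny"):
    """Build one constructed log line in the assumed key=value format."""
    return f"{ts.isoformat(timespec='seconds')} src={src} dst={dst} dport={dport} action={action}"


_T0 = datetime(2024, 2, 8, 9, 14, 30)

# Constructed sample traffic (not real logs):
#  - 203.0.113.89 sweeps 25 ports on one host in 25 seconds (fast scan)
#  - 198.51.100.23 probes one new port every 90 seconds (slow scan)
#  - 198.51.100.7 is an ordinary client talking to 443 and 80
SAMPLE_LOGS = (
    [_line(_T0 + timedelta(seconds=i), "203.0.113.89", "10.0.1.5", 20 + i) for i in range(25)]
    + [_line(_T0 + timedelta(seconds=90 * i), "198.51.100.23", "10.0.1.6", 1000 + i) for i in range(25)]
    + [_line(_T0 + timedelta(seconds=5 * i), "198.51.100.7", "10.0.1.80", 443, "allow") for i in range(6)]
    + [_line(_T0 + timedelta(seconds=40), "198.51.100.7", "10.0.1.80", 80, "allow")]
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.fromisoformat(d["ts"]),
        "src": d["src"],
        "dst": d["dst"],
        "dport": int(d["dport"]),
        "action": d["action"],
    }


def detect_port_scans(lines, window=timedelta(seconds=60), port_threshold=20):
    """Return {src: peak distinct (dst, dport) pairs seen in any sliding window}
    for every source whose peak reaches port_threshold.

    Both allowed and denied connections count: a scanner learns as much from
    an accept as from a reset.
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    hits = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        win = deque()          # events inside the current window
        live = Counter()       # (dst, dport) -> occurrences inside the window
        peak = 0
        for ev in events:
            win.append(ev)
            live[(ev["dst"], ev["dport"])] += 1
            # Expire events that fell out of the window.
            while win and ev["ts"] - win[0]["ts"] > window:
                old = win.popleft()
                key = (old["dst"], old["dport"])
                live[key] -= 1
                if live[key] == 0:
                    del live[key]
            peak = max(peak, len(live))
        if peak >= port_threshold:
            hits[src] = peak
    return hits


if __name__ == "__main__":
    print(detect_port_scans(SAMPLE_LOGS))
    print(detect_port_scans(SAMPLE_LOGS, window=timedelta(hours=1)))
```

With the defaults only 203.0.113.89 is reported; the slow scanner never has more than one port inside any 60-second window. Widening the window to an hour catches it as well, at the cost of more false positives from chatty legitimate sources, which is the trade-off every port-scan rule has to tune.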

T1078 – Valid Accounts (Microsoft Defender for Identity Detection)

Microsoft Defender for Identity Alert Details Alert ID: MDI-VALID-ACCTS-1078-7842 Alert Time: 2024-02-12 08:45:33 EST Severity: HIGH (85/100) Source: Microsoft Defender for Identity Rule: “Honeytoken Account Activity Detected” MITRE ATT&CK: T1078 – Valid Accounts Alert Details: Detection: Honeytoken account activity Honeytoken Account: svc_backup_old (Service Account) – Created: 2023-01-15 (as honeytoken) – Last Activity: Never (until now) …

T1199 – Trusted Relationship (BeyondTrust Detection)

BeyondTrust Alert Details Alert ID: BT-TRUSTED-REL-1199-7842 Alert Time: 2024-02-12 13:30:45 EST Severity: HIGH (82/100) Source: BeyondTrust Privileged Access Management Rule: “Vendor Account Anomaly – Unusual Access Pattern” MITRE ATT&CK: T1199 – Trusted Relationship Alert Details: User: vendor_support@acme-partner.com (Acme Solutions Contractor) Account Type: Vendor Privileged Access Time: 13:15-13:30 EST Access Details: – Login Time: 13:15 EST …

T1037 – Boot or Logon Initialization Scripts (Microsoft Defender for Identity Detection)

Microsoft Defender for Identity Alert Details Alert ID: MDI-LOGON-SCRIPT-1037-7842 Alert Time: 2024-02-15 08:30:22 EST Severity: HIGH (88/100) Source: Microsoft Defender for Identity Rule: “Suspicious Group Policy Object Modification” MITRE ATT&CK: T1037.001 – Boot or Logon Initialization Scripts: Logon Script (Windows) Alert Details: Detection: Group Policy Object modified to include malicious logon script GPO Details: – GPO …

T1176 – Browser Extensions (Microsoft Defender Detection)

Microsoft Defender Alert Details Alert ID: MD-BROWSER-EXT-1176-7842 Alert Time: 2024-02-16 09:30:15 EST Severity: MEDIUM (72/100) Source: Microsoft Defender for Endpoint Rule: “Suspicious Browser Extension Installed” MITRE ATT&CK: T1176 – Browser Extensions Alert Details: Detection: Unauthorized browser extension installed with broad permissions Host: SLS-WS-045 (Sales Department) User: mwilson (Mike Wilson, Sales Rep) Browser: Google Chrome Time: …

T1554 – Compromise Client Software Binary (Tripwire Detection)

Tripwire Alert Details Alert ID: TRIPWIRE-BIN-MOD-1554-7842 Alert Time: 2024-02-16 14:15:33 EST Severity: CRITICAL (95/100) Source: Tripwire File Integrity Monitoring Rule: “Critical System Binary Modified – Unexpected Change” MITRE ATT&CK: T1554 – Compromise Client Software Binary Alert Details: File Integrity Alert: Host: APP-SVR-023 (Application Server) Path: C:\Program Files\VendorApp\vendor_service.exe Expected Hash (baseline): 7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b Current Hash: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4 Modification …

T1136 – Create Account (Splunk Detection)

Splunk Alert Details Alert ID: SPLUNK-CREATE-ACCT-1136-7842 Alert Time: 2024-02-16 11:30:45 EST Severity: HIGH (85/100) Source: Splunk Enterprise Security Rule: “Local User Account Created on Multiple Systems” MITRE ATT&CK: T1136.001 – Create Account: Local Account Alert Details: Correlated Events: 1. Windows Event ID 4720 (User Account Created): – Time: 11:15-11:25 EST – Host: Multiple (12 workstations) …
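The correlation this rule performs is simple to state: the same account name appears in Event ID 4720 on many different hosts inside a short window. Here is that logic as an added example run over constructed 4720 records; it is not the original post's search or Splunk's own code, and the field names (`_time`, `host`, `TargetUserName`, `SubjectUserName`, as the Splunk Windows add-on would present them), the 15-minute window and the 3-host threshold are assumptions.

```python
"""Correlate Windows Event ID 4720 across hosts (T1136.001).

Added example; not from the original post or from Splunk. Field names,
window and host threshold are assumptions; the events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _evt(when, host, target, subject):
    """One constructed 4720 record in SIEM-style flat form."""
    return {
        "_time": when.isoformat(timespec="seconds"),
        "host": host,
        "EventCode": 4720,
        "TargetUserName": target,
        "SubjectUserName": subject,
    }


_BASE = datetime(2024, 2, 16, 11, 15)

# Constructed sample (not real telemetry):
#  - "svc_helpdesk" created on 12 workstations between 11:15 and 11:24
#  - "contractor_kim" created once by the help desk, the normal case
#  - "localadmin" created on two hosts two days apart, below threshold
SAMPLE_4720 = (
    [_evt(_BASE + timedelta(seconds=50 * i), f"WS-{i + 1:03d}", "svc_helpdesk", "svc_deploy")
     for i in range(12)]
    + [_evt(datetime(2024, 2, 16, 10, 2, 11), "WS-007", "contractor_kim", "helpdesk01")]
    + [_evt(datetime(2024, 2, 14, 9, 0), "WS-020", "localadmin", "helpdesk01"),
       _evt(datetime(2024, 2, 16, 9, 0), "WS-021", "localadmin", "helpdesk01")]
)


def detect_mass_account_creation(events, window=timedelta(minutes=15), host_threshold=3):
    """Return {account: details} for accounts created on >= host_threshold
    distinct hosts within any `window`-long span of 4720 events.

    Account names are compared case-insensitively because Windows does.
    """
    by_account = defaultdict(list)
    for e in events:
        if e.get("EventCode") != 4720:
            continue
        by_account[e["TargetUserName"].lower()].append(
            (datetime.fromisoformat(e["_time"]), e["host"], e["SubjectUserName"])
        )

    hits = {}
    for account, rows in by_account.items():
        rows.sort()  # by time, then host
        best_hosts = set()
        for i, (t0, _, _) in enumerate(rows):
            # Distinct hosts seen from this event forward, within the window.
            hosts = {h for t, h, _ in rows[i:] if t - t0 <= window}
            if len(hosts) > len(best_hosts):
                best_hosts = hosts
        if len(best_hosts) >= host_threshold:
            hits[account] = {
                "hosts": sorted(best_hosts),
                "creators": sorted({s for _, _, s in rows}),
                "first": rows[0][0].isoformat(timespec="seconds"),
                "last": rows[-1][0].isoformat(timespec="seconds"),
            }
    return hits


if __name__ == "__main__":
    for account, info in detect_mass_account_creation(SAMPLE_4720).items():
        print(account, len(info["hosts"]), "hosts", info["first"], "to", info["last"])
```

Two caveats when turning this into a production search: a 4720 logged on a domain controller records a domain account, not a local one (that is T1136.002), so the rule should exclude DCs or key on host role; and provisioning tools that legitimately stamp a local account onto every new build will trip it, so whitelist on `SubjectUserName` rather than raising the host threshold.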

T1543 – Create or Modify System Process (Splunk Detection)

Splunk Alert Details Alert ID: SPLUNK-SYSTEM-PROCESS-1543-7842 Alert Time: 2024-02-16 15:45:22 EST Severity: HIGH (88/100) Source: Splunk Enterprise Security Rule: “Windows Service Created with Unusual Binary Path” MITRE ATT&CK: T1543.003 – Create or Modify System Process: Windows Service Alert Details: Correlated Events: 1. Windows Event ID 7045 (Service Installed): – Time: 15:40 EST – Host: FIN-SRV-089 …
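"Unusual binary path" covers several distinct checks on the `ImagePath` of a 7045 event: a binary outside the normal program directories, a user-writable or temporary location, an unquoted path containing spaces, and a service whose "binary" is really `cmd.exe` or `powershell.exe` with arguments. The following added example applies those checks to constructed 7045 records; it is not the original post's search or Splunk's code, and the field names, the list of expected roots and the list of suspicious directories are assumptions to tune for your own estate.

```python
"""Triage Windows Event ID 7045 service installs by ImagePath (T1543.003).

Added example; not from the original post or from Splunk. Field names,
expected roots, suspicious directories and the LOLBin list are assumptions.
"""
import re
from pathlib import PureWindowsPath

# Lower-cased prefixes where legitimate service binaries normally live (assumption).
EXPECTED_ROOTS = (
    "c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\",
    "%systemroot%\\", "%windir%\\", "\\systemroot\\", "system32\\",
)
# Lower-cased fragments that mark user-writable or temporary locations (assumption).
SUSPICIOUS_DIRS = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")
# Interpreters that should not be a service's executable (assumption).
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe",
           "mshta.exe", "wscript.exe", "cscript.exe"}

_UNQUOTED_EXE = re.compile(r"^(.*?\.(?:exe|sys|dll|bat|cmd))(?=\s|$)", re.IGNORECASE)


def extract_exe(image_path):
    """Split an ImagePath into (executable, quoted?, unquoted_with_spaces?).

    An unquoted path with spaces is recovered by reading up to the first
    executable extension, which is also how the attacker-friendly ambiguity
    in such paths arises.
    """
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end > 0 else s[1:]), True, False
    m = _UNQUOTED_EXE.match(s)
    if m:
        exe = m.group(1)
        return exe, False, (" " in exe)
    return s.split()[0], False, False


def classify_service_path(image_path):
    """Return the list of reasons an ImagePath looks unusual (empty if clean)."""
    exe, _quoted, unquoted_spaces = extract_exe(image_path)
    low = exe.lower()
    reasons = []
    if not any(low.startswith(root) for root in EXPECTED_ROOTS):
        reasons.append("outside standard program directories")
    if any(frag in low for frag in SUSPICIOUS_DIRS):
        reasons.append("user-writable or temporary location")
    if unquoted_spaces:
        reasons.append("unquoted service path containing spaces")
    if PureWindowsPath(exe).name.lower() in LOLBINS:
        reasons.append("service launches a script or LOLBin interpreter")
    return reasons


def triage_7045(events):
    """Return flagged {host, service, path, reasons} dicts for 7045 events."""
    flagged = []
    for e in events:
        if e.get("EventCode") != 7045:
            continue
        reasons = classify_service_path(e["ImagePath"])
        if reasons:
            flagged.append({"host": e["host"], "service": e["ServiceName"],
                            "path": e["ImagePath"], "reasons": reasons})
    return flagged


def _evt(host, name, path, account="LocalSystem"):
    return {"EventCode": 7045, "host": host, "ServiceName": name,
            "ImagePath": path, "AccountName": account}


# Constructed sample 7045 records (not real telemetry).
SAMPLE_7045 = [
    _evt("FIN-SRV-089", "UpdaterSvc", r"C:\Users\Public\Libraries\update.exe"),
    _evt("FIN-SRV-089", "WinRemoteHelper", "cmd.exe /c powershell -nop -w hidden -enc AAAA"),
    _evt("APP-SRV-002", "Sysmon64", r"C:\Windows\Sysmon64.exe"),
    _evt("APP-SRV-002", "VendorAgent", r"C:\Program Files\Vendor Agent\agent.exe -service"),
    _evt("APP-SRV-002", "WdiSystemHost", r"%SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted"),
    _evt("APP-SRV-002", "VendorSvc", r'"C:\Program Files\VendorApp\vendor_service.exe" -k'),
]


if __name__ == "__main__":
    for f in triage_7045(SAMPLE_7045):
        print(f["host"], f["service"], f["reasons"])
```

The unquoted-path hit on `VendorAgent` is worth keeping in the output even though it is a vendor defect rather than an intrusion: it is exactly the condition an attacker with write access to `C:\Program Files\Vendor Agent\` would exploit next, so the triage step for it is a permissions check on that directory, not a dismissal.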