T1609 – Container Administration Command (Aqua Detection)

Aqua Alert Details
Alert ID: AQUA-CONTAINER-ADMIN-1609-7842
Alert Time: 2024-02-13 14:30:22 EST
Severity: HIGH (85/100)
Source: Aqua Security Cloud Native Protection
Rule: “Unauthorized kubectl exec into Production Container”
MITRE ATT&CK: T1609 – Container Administration Command
Alert Details:
Detection: kubectl exec command executed in production environment
Cluster: prod-eks-cluster-01
Namespace: payment-processing
Pod: payment-api-v2-7d8f9c4d5-abcde
Container: api
Time: 14:28 EST …

T1610 – Deploy Container (Prisma Cloud Detection)

Prisma Cloud Alert Details
Alert ID: PRISMA-DEPLOY-CONTAINER-1610-7842
Alert Time: 2024-02-13 09:15:33 EST
Severity: HIGH (82/100)
Source: Prisma Cloud Compute
Rule: “Unauthorized Container Deployment – Crypto Mining”
MITRE ATT&CK: T1610 – Deploy Container
Alert Details:
Detection: Unauthorized container deployed in Kubernetes cluster
Cluster: dev-eks-cluster-02
Namespace: default (unauthorized namespace)
Image: docker.io/monero/xmrig:latest
Container Name: kube-system-worker (masquerading as system …

T1203 – Exploitation for Client Execution (SentinelOne Detection)

SentinelOne Alert Details
Alert ID: S1-EXPLOIT-CLIENT-1203-7842
Alert Time: 2024-02-13 15:30:45 EST
Severity: CRITICAL (92/100)
Source: SentinelOne Singularity
Rule: “Browser Exploit Attempt – CVE-2024-1234 Detected”
MITRE ATT&CK: T1203 – Exploitation for Client Execution
Alert Details:
Detection: Browser exploit attempt via compromised website
Host: SLS-WS-112 (Sales Department)
User: jharris (Jennifer Harris, Sales Rep)
Time: 15:28 EST
Process …

T1559 – Inter-Process Communication (Microsoft Defender Detection)

Microsoft Defender Alert Details
Alert ID: MD-IPC-1559-7842
Alert Time: 2024-02-13 11:45:22 EST
Severity: HIGH (82/100)
Source: Microsoft Defender for Endpoint
Rule: “COM Hijacking for Persistence Detected”
MITRE ATT&CK: T1559 – Inter-Process Communication
Alert Details:
Detection: COM object hijacking attempt for persistence
Host: IT-WS-034 (IT Department)
User: mrobinson (Mike Robinson, IT Admin)
Time: 11:40 EST
Registry …

T1106 – Native API (CrowdStrike Detection)

CrowdStrike Alert Details
Alert ID: CS-NATIVE-API-1106-7842
Alert Time: 2024-02-14 09:30:22 EST
Severity: HIGH (85/100)
Source: CrowdStrike Falcon EDR
Rule: “Direct Syscall Detection – Evasion Technique”
MITRE ATT&CK: T1106 – Native API
Alert Details:
Detection: Process using direct system calls (syscall) to bypass user-mode hooks
Host: DEV-WS-089 (Development Department)
User: alexchen (Alex Chen, Developer)
Time: 09:25 …

T1053 – Scheduled Task (Splunk Detection)

Splunk Alert Details
Alert ID: SPLUNK-SCHEDTASK-1053-7842
Alert Time: 2024-02-14 13:15:33 EST
Severity: HIGH (82/100)
Source: Splunk Enterprise Security
Rule: “Suspicious Scheduled Task Creation”
MITRE ATT&CK: T1053.005 – Scheduled Task
Alert Details:
Correlated Events:
1. Windows Event ID 4698 (Scheduled Task Created):
– Time: 13:10 EST
– Host: HR-WS-023
– User: SYSTEM
– Task Name: “AdobeUpdateTask” …

T1129 – Shared Modules (Sysmon Detection)

Sysmon Alert Details
Alert ID: SYSMON-SHARED-MODULES-1129-7842
Alert Time: 2024-02-14 15:30:45 EST
Severity: MEDIUM (68/100)
Source: Sysmon (Event ID 7 – Image Loaded)
Rule: “DLL Loaded from Unusual Path by System Process”
MITRE ATT&CK: T1129 – Shared Modules
Alert Details:
Event ID: 7 (Image Loaded)
Time: 15:28 EST
Host: FIN-WS-089
Process: svchost.exe (PID: 1245)
User: SYSTEM …

T1072 – Software Deployment Tools (SCCM Logs Detection)

SCCM Alert Details
Alert ID: SCCM-SOFTWARE-DEPLOY-1072-7842
Alert Time: 2024-02-14 10:45:22 EST
Severity: HIGH (82/100)
Source: Microsoft Endpoint Configuration Manager (SCCM)
Rule: “Unauthorized Software Package Deployment”
MITRE ATT&CK: T1072 – Software Deployment Tools
Alert Details:
Detection: Unauthorized package deployed via SCCM to multiple endpoints
Package Details:
– Package ID: PKG00045
– Package Name: “Critical Security Update …

T1569 – System Services (Splunk Detection)

Splunk Alert Details
Alert ID: SPLUNK-SYSTEM-SERVICES-1569-7842
Alert Time: 2024-02-14 16:30:15 EST
Severity: HIGH (85/100)
Source: Splunk Enterprise Security
Rule: “Service Installation with Suspicious Binary Path”
MITRE ATT&CK: T1569.002 – System Services: Service Execution
Alert Details:
Correlated Events:
1. Windows Event ID 7045 (Service Installed):
– Time: 16:25 EST
– Host: DEV-WS-045
– Service Name: “Windows …

T1204 – User Execution (Microsoft Defender Detection)

Microsoft Defender Alert Details
Alert ID: MD-USER-EXEC-1204-7842
Alert Time: 2024-02-15 09:30:22 EST
Severity: HIGH (85/100)
Source: Microsoft Defender for Endpoint
Rule: “Suspicious File Execution from Temp Folder”
MITRE ATT&CK: T1204.002 – User Execution: Malicious File
Alert Details:
Detection: User executed malicious file from Temp folder
Host: MKT-WS-078 (Marketing Department)
User: sjohnson (Sarah Johnson, Marketing Manager) …