T1027.005 – Indicator Removal from Tools (CrowdStrike Detection)

CrowdStrike Alert Details Alert ID: CS-INDICATOR-REMOVAL-1027-7842 Alert Time: 2024-03-09 09:30:15 EST Severity: HIGH (85/100) Source: CrowdStrike Falcon EDR Rule: “Known Malicious Tool with Altered Indicators Detected” MITRE ATT&CK: T1027.005 – Obfuscated Files or Information: Indicator Removal from Tools Alert Details: Detection: Mimikatz executable with modified PE characteristics (stripped of original indicators) Host: ENG-WS-045 (Engineering Workstation) …

T1036.003 – Rename System Utilities (Sysmon Detection)

Sysmon Alert Details Alert ID: SYSMON-RENAME-UTIL-1036-7842 Alert Time: 2024-03-09 14:15:33 EST Severity: HIGH (85/100) Source: Sysmon (Event ID 1 – Process Creation) Rule: “Suspicious Process Name – System Utility Renamed” MITRE ATT&CK: T1036.003 – Masquerading: Rename System Utilities Alert Details: Event ID: 1 (Process Creation) Time: 14:10 EST Host: FIN-WS-078 (Finance Workstation) User: bturner@company.com (Brian …

T1027.002 – Software Packing (CrowdStrike Detection)

CrowdStrike Alert Details Alert ID: CS-SOFTWARE-PACK-1027-7842 Alert Time: 2024-03-08 16:30:45 EST Severity: HIGH (85/100) Source: CrowdStrike Falcon EDR Rule: “Packed Process Detected – Obfuscated Code in Memory” MITRE ATT&CK: T1027.002 – Obfuscated Files or Information: Software Packing Alert Details: Detection: Process with packed/obfuscated code detected in memory Host: DEV-WS-089 (Development Workstation) User: rpatel@company.com (Raj Patel, …

T1027.003 – Steganography (FortiSandbox Detection)

FortiSandbox Alert Details Alert ID: FORTI-STEGO-1027-7842 Alert Time: 2024-03-08 10:30:22 EST Severity: HIGH (88/100) Source: Fortinet FortiSandbox Rule: “Steganography Detected – Hidden Payload in Image” MITRE ATT&CK: T1027.003 – Obfuscated Files or Information: Steganography Alert Details: File Analysis Report: File Name: conference_photo.jpg File Size: 2.3 MB SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4 Source: Email attachment to marketing@company.com Submission Time: 10:15 EST Steganography Analysis: …

T1562.004 – Disable or Modify System Firewall (Palo Alto Detection)

Palo Alto Alert Details Alert ID: PAN-DISABLE-FIREWALL-1562-7842 Alert Time: 2024-03-08 14:15:33 EST Severity: CRITICAL (96/100) Source: Palo Alto Networks Firewall + Cortex XDR Rule: “Windows Firewall Disabled – Potential Defense Evasion” MITRE ATT&CK: T1562.004 – Impair Defenses: Disable or Modify System Firewall Alert Details: Detection: Windows Firewall disabled on multiple critical servers Affected Hosts: SQL-SRV-01 …

T1027.001 – Binary Packing (FortiSandbox Detection)

FortiSandbox Alert Details Alert ID: FORTI-BINARY-PACK-1027-7842 Alert Time: 2024-03-08 11:30:22 EST Severity: HIGH (88/100) Source: Fortinet FortiSandbox Rule: “Packed Binary Detected – Multiple Packers Used” MITRE ATT&CK: T1027.001 – Obfuscated Files or Information: Binary Packing Alert Details: File Analysis Report: File Name: update_installer.exe File Size: 1.2 MB (unpacked size: 4.8 MB) SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4 Source: Email attachment to engineering@company.com Submission …

T1562.002 – Disable Windows Event Logging (Splunk Detection)

Splunk Alert Details Alert ID: SPLUNK-DISABLE-LOGGING-1562-7842 Alert Time: 2024-03-08 09:30:15 EST Severity: CRITICAL (95/100) Source: Splunk Enterprise Security Rule: “Windows Event Logging Disabled – Defense Evasion” MITRE ATT&CK: T1562.002 – Impair Defenses: Disable Windows Event Logging Alert Details: Correlated Events: Windows Event ID 1102 (Security Log Cleared) – Not present because logging disabled first Event …

T1558.003 – Kerberoasting (Microsoft Defender for Identity Detection)

Microsoft Defender for Identity Alert Details Alert ID: MDI-KERBEROAST-1558-7842 Alert Time: 2024-03-11 14:15:33 EST Severity: HIGH (85/100) Source: Microsoft Defender for Identity Rule: “Suspicious Kerberos Service Ticket Requests – Kerberoasting” MITRE ATT&CK: T1558.003 – Steal or Forge Kerberos Tickets: Kerberoasting Alert Details: Detection: Unusual number of Kerberos service ticket requests (TGS-REQ) from single host Source …

T1558.004 – AS-REP Roasting (Azure AD / On-Prem Detection)

Splunk Alert Details Alert ID: SPLUNK-ASREP-ROAST-1558-7842 Alert Time: 2024-03-11 11:30:22 EST Severity: HIGH (85/100) Source: Splunk Enterprise Security + AD Logs Rule: “AS-REP Roasting Attack Detected” MITRE ATT&CK: T1558.004 – Steal or Forge Kerberos Tickets: AS-REP Roasting Alert Details: Correlated Events: Windows Event ID 4768 (Kerberos Authentication Ticket Request): Time: 11:15-11:30 EST Source Host: 192.168.45.78 (Unknown …

T1021.001 – Remote Desktop Protocol (Cisco ISE Detection)

Cisco ISE Alert Details Alert ID: ISE-RDP-LATERAL-1021-7842 Alert Time: 2024-03-11 16:30:45 EST Severity: HIGH (85/100) Source: Cisco Identity Services Engine (ISE) Rule: “Unusual RDP Connection – Potential Lateral Movement” MITRE ATT&CK: T1021.001 – Remote Services: Remote Desktop Protocol Alert Details: Detection: RDP connection from non-admin workstation to critical server Connection Details: Source: 192.168.45.78 (ENG-WS-045 – …