T1553.002 – Code Signing Evasion (CrowdStrike Detection)

CrowdStrike Alert Details Alert ID: CS-CODE-SIGN-EVASION-1553-7842 Alert Time: 2024-03-10 16:30:45 EST Severity: HIGH (85/100) Source: CrowdStrike Falcon EDR Rule: “Unsigned or Maliciously Signed Driver Loaded” MITRE ATT&CK: T1553.002 – Subvert Trust Controls: Code Signing Alert Details: Detection: Driver loaded with invalid/forged digital signature Host: DC-01 (Domain Controller) User: SYSTEM File: C:\Windows\System32\drivers\legit.sys SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4 Time: 16:25 …

T1654 – Log Enumeration (CloudTrail Detection)

CloudTrail Alert Details Alert ID: CLOUDTRAIL-LOG-ENUM-1654-7842 Alert Time: 2024-03-14 16:30:45 EST Severity: MEDIUM (68/100) Source: AWS CloudTrail + GuardDuty Rule: “Anomalous CloudTrail Log Access” MITRE ATT&CK: T1654 – Log Enumeration Alert Details: Detection: IAM user enumerating CloudTrail trails and logs IAM User: dev_user (developer account) Source IP: 185.143.221[.]89 (Bulgaria) Time: 16:15-16:30 EST API Calls (CloudTrail): …

T1648 – Serverless Execution (AWS GuardDuty Detection)

AWS GuardDuty Alert Details Alert ID: GUARDDUTY-SERVERLESS-1648-7842 Alert Time: 2024-03-14 14:15:33 EST Severity: HIGH (85/100) Source: AWS GuardDuty + CloudTrail Rule: “Unauthorized Lambda Function Creation and Invocation” MITRE ATT&CK: T1648 – Serverless Execution Alert Details: Detection: Unauthorized creation and invocation of AWS Lambda function AWS Account: 123456789012 (Development) IAM User: dev_user (compromised developer account) Source …

T1651 – Cloud Administration Command (Azure AD Detection)

Azure AD Alert Details Alert ID: AAD-CLOUD-ADMIN-1651-7842 Alert Time: 2024-03-14 11:30:22 EST Severity: HIGH (88/100) Source: Azure AD Identity Protection + Audit Logs Rule: “Suspicious Cloud Administration Commands from Unusual Location” MITRE ATT&CK: T1651 – Cloud Administration Command Alert Details: Detection: Global administrator running high-impact commands from unusual location User: jwilson@company.com (Global Administrator) Source IP: …

T1614 – System Location Discovery (CrowdStrike Detection)

CrowdStrike Alert Details Alert ID: CS-LOC-DISCOVERY-1614-7842 Alert Time: 2024-03-13 10:30:22 EST Severity: MEDIUM (72/100) Source: CrowdStrike Falcon EDR Rule: “System Location Discovery – Geolocation API Calls” MITRE ATT&CK: T1614 – System Location Discovery Alert Details: Detection: Process making external API calls to determine system geolocation Host: DEV-WS-089 (Development Workstation) User: alexchen@company.com (Alex Chen, Engineer) Time: …

T1619 – Cloud Storage Object Discovery (AWS GuardDuty Detection)

AWS GuardDuty Alert Details Alert ID: GUARDDUTY-STORAGE-DISCOVERY-1619-7842 Alert Time: 2024-03-14 09:30:15 EST Severity: MEDIUM (72/100) Source: AWS GuardDuty Rule: “Anomalous S3 Bucket Enumeration” MITRE ATT&CK: T1619 – Cloud Storage Object Discovery Alert Details: Detection: IAM user enumerated multiple S3 buckets and objects AWS Account: 123456789012 (Production) IAM User: svc_monitoring (Service Account) Source IP: 185.143.221[.]89 (Bulgaria) …

T1657 – Financial Theft (Application Logs Detection)

Application Log Alert Details Alert ID: ERP-FRAUD-1657-7842 Alert Time: 2024-03-13 11:30:22 EST Severity: CRITICAL (99/100) Source: SAP ERP Application Logs + Splunk SIEM Rule: “Unauthorized Wire Transfer Initiated” MITRE ATT&CK: T1657 – Financial Theft (custom technique) Alert Details: Detection: Wire transfer request from unauthorized IP with compromised credentials Application: SAP ERP (Financial Module) User: jwilson@company.com …

T1531 – Account Access Removal (Azure AD Detection)

Azure AD Alert Details Alert ID: AAD-ACCT-REMOVAL-1531-7842 Alert Time: 2024-03-13 16:30:45 EST Severity: CRITICAL (98/100) Source: Azure AD Identity Protection + Audit Logs Rule: “Mass Account Deletion Detected” MITRE ATT&CK: T1531 – Account Access Removal Alert Details: Detection: Bulk deletion of user accounts in Azure AD Time: 16:15-16:30 EST Action Performed By: bjones@company.com (Global Administrator) …

T1021.002 – SMB/Windows Admin Shares (Zeek Detection)

Zeek Alert Details Alert ID: ZEEK-SMB-LATERAL-1021-7842 Alert Time: 2024-03-11 10:30:22 EST Severity: HIGH (85/100) Source: Zeek Network Security Monitor Rule: “SMB Admin Share Access – Potential Lateral Movement” MITRE ATT&CK: T1021.002 – Remote Services: SMB/Windows Admin Shares Alert Details: Detection: Access to ADMIN$ or C$ shares from non-admin workstation Connection Details: Source: 192.168.45.78 (ENG-WS-045 – …

T1486 – Data Encrypted for Impact (CrowdStrike Detection)

CrowdStrike Alert Details Alert ID: CS-RANSOMWARE-1486-7842 Alert Time: 2024-03-13 14:15:33 EST Severity: CRITICAL (99/100) Source: CrowdStrike Falcon EDR Rule: “Ransomware Behavior Detected – Mass File Encryption” MITRE ATT&CK: T1486 – Data Encrypted for Impact Alert Details: Detection: Process encrypting multiple files and appending .encrypted extension Host: FILESRV-02 (File Server) User: SYSTEM (via compromised admin account) …