T1025 – Data from Removable Media (Microsoft Defender Detection)

Microsoft Defender Alert Details Alert ID: MD-USB-DATA-1025-7842 Alert Time: 2024-02-27 09:30:15 EST Severity: HIGH (85/100) Source: Microsoft Defender for Endpoint Rule: “Mass File Copy to Removable Media – Potential Data Theft” MITRE ATT&CK: T1025 – Data from Removable Media Alert Details: Detection: Large number of files copied to USB device Host: RND-WS-078 (Research & Development) …

T1570 – Lateral Tool Transfer (ExtraHop Detection)

ExtraHop Alert Details Alert ID: EXTRAHOP-TOOL-TRANSFER-1570-7842 Alert Time: 2024-02-26 14:15:33 EST Severity: HIGH (85/100) Source: ExtraHop Reveal(x) Rule: “Large File Transfer over SMB – Potential Tool Transfer” MITRE ATT&CK: T1570 – Lateral Tool Transfer Alert Details: Detection: Large executable file transferred over SMB between internal hosts Source: 192.168.45.78 (ENG-WS-045 – Engineering) Destination: 192.168.45.112 (SALES-WS-023 – …

T1563 – Remote Service Session Hijacking (Microsoft Defender Detection)

Microsoft Defender Alert Details Alert ID: MD-RDP-HIJACK-1563-7842 Alert Time: 2024-02-26 11:30:22 EST Severity: HIGH (88/100) Source: Microsoft Defender for Endpoint Rule: “RDP Session Hijacking Attempt Detected” MITRE ATT&CK: T1563.002 – Remote Service Session Hijacking: RDP Hijacking Alert Details: Detection: Attempt to hijack existing RDP session via tscon.exe Host: IT-WS-034 (IT Workstation) User: bjones (Brian Jones, …

T1550 – Use Alternate Authentication Material (Microsoft Defender for Identity Detection)

Microsoft Defender for Identity Alert Details Alert ID: MDI-ALTERNATE-AUTH-1550-7842 Alert Time: 2024-02-26 09:30:15 EST Severity: CRITICAL (98/100) Source: Microsoft Defender for Identity Rule: “Pass-the-Hash Attack Detected” MITRE ATT&CK: T1550.002 – Use Alternate Authentication Material: Pass the Hash Alert Details: Detection: NTLM authentication using hash instead of password (Pass-the-Hash) Source Host: 192.168.45.78 (ENG-WS-045 – Engineering) Destination: …

T1210 – Exploitation of Remote Services (Palo Alto Detection)

Palo Alto Alert Details Alert ID: PAN-EXPLOIT-1210-7842 Alert Time: 2024-02-25 16:30:45 EST Severity: CRITICAL (95/100) Source: Palo Alto Networks Threat Prevention Rule: “EternalBlue Exploit Attempt (MS17-010) Detected” MITRE ATT&CK: T1210 – Exploitation of Remote Services Alert Details: Detection: EternalBlue (MS17-010) exploit attempt against internal host Threat ID: 38852 (EternalBlue SMB Exploit) Source IP: 192.168.45.78 (ENG-WS-045 …

T1534 – Internal Spearphishing (Proofpoint Detection)

Proofpoint Alert Details Alert ID: PROOFPOINT-INTERNAL-PHISH-1534-7842 Alert Time: 2024-02-25 10:30:22 EST Severity: CRITICAL (98/100) Source: Proofpoint Email Security Rule: “Internal Spearphishing – Compromised Account Sending Malicious Emails” MITRE ATT&CK: T1534 – Internal Spearphishing Alert Details: Detection: Compromised internal account sending phishing emails to other employees Compromised Account: jwilson@company.com (John Wilson, IT Administrator) Recipients: 47 employees …

T1021 – Remote Services (Cisco ISE Detection)

Cisco ISE Alert Details Alert ID: ISE-REMOTE-SERVICES-1021-7842 Alert Time: 2024-02-25 14:15:33 EST Severity: HIGH (85/100) Source: Cisco Identity Services Engine (ISE) Rule: “Unusual RDP Connection to Critical Server” MITRE ATT&CK: T1021.001 – Remote Services: Remote Desktop Protocol Alert Details: Detection: RDP connection from unusual endpoint to domain controller Connection Details: Source: 192.168.45.78 (ENG-WS-045 – Engineering …

T1012 – Query Registry (Sysmon Detection)

Sysmon Alert Details Alert ID: SYSMON-REGQUERY-1012-7842 Alert Time: 2024-02-25 11:30:22 EST Severity: MEDIUM (68/100) Source: Sysmon (Event ID 1 – Process Creation, Event ID 12-13 – Registry Events) Rule: “Suspicious Registry Queries – Potential Reconnaissance” MITRE ATT&CK: T1012 – Query Registry Alert Details: Detection: Multiple registry queries of sensitive keys from suspicious process Host: FIN-WS-078 …

T1187 – Forced Authentication (Microsoft Defender for Identity Detection)

Microsoft Defender for Identity Alert Details Alert ID: MDI-FORCED-AUTH-1187-7842 Alert Time: 2024-02-22 11:30:22 EST Severity: HIGH (85/100) Source: Microsoft Defender for Identity Rule: “Suspicious Network Connection – Potentially Forced Authentication” MITRE ATT&CK: T1187 – Forced Authentication Alert Details: Detection: Outbound SMB connection to attacker-controlled server (potentially for NTLM relay) Host: ENG-WS-078 (Engineering Workstation) User: alexchen …

T1556 – Modify Authentication Process (CrowdStrike Detection)

CrowdStrike Alert Details Alert ID: CS-AUTH-MOD-1556-7842 Alert Time: 2024-02-22 16:30:45 EST Severity: CRITICAL (98/100) Source: CrowdStrike Falcon EDR Rule: “Authentication DLL Injection – Potential Credential Theft” MITRE ATT&CK: T1556.003 – Modify Authentication Process: Pluggable Authentication Modules Alert Details: Detection: Suspicious DLL injected into LSASS process Host: DC-01 (Primary Domain Controller) User: SYSTEM Time: 16:25 EST …