Analysis - SOCJournal

T1036 – Masquerading (CrowdStrike Detection)

May 31, 2026 by lowqe

CrowdStrike Alert Details Alert ID: CS-MASQUERADE-1036-7842 Alert Time: 2024-02-20 09:30:22 EST Severity: HIGH (85/100) Source: CrowdStrike Falcon EDR Rule: “Process Masquerading – Suspicious Path for System Binary” MITRE ATT&CK: T1036.005 – Masquerading: Match Legitimate Name or Location Alert Details: Detection: Process with system binary name running from non-standard path Host: FIN-WS-045 (Finance Department) User: bturner … Read more

T1564 – Hide Artifacts (Sysmon Detection)

May 31, 2026 by lowqe

Sysmon Alert Details Alert ID: SYSMON-HIDE-ARTIFACTS-1564-7842 Alert Time: 2024-02-20 14:15:33 EST Severity: HIGH (82/100) Source: Sysmon (Event ID 15 – Alternate Data Stream Created) Rule: “NTFS Alternate Data Stream Created – Potential Hidden Data” MITRE ATT&CK: T1564.004 – Hide Artifacts: NTFS File Attributes Alert Details: Event ID: 15 (Alternate Data Stream Created) Time: 14:10 EST … Read more

T1552 – Unsecured Credentials (Varonis Detection)

May 31, 2026 by lowqe

Varonis Alert Details Alert ID: VARONIS-CREDS-1552-7842 Alert Time: 2024-02-22 09:30:15 EST Severity: HIGH (88/100) Source: Varonis Data Security Platform Rule: “Sensitive Keywords Found in File – Potential Password Exposure” MITRE ATT&CK: T1552.001 – Unsecured Credentials: Credentials in Files Alert Details: Detection: File containing plaintext credentials discovered on file share File Details: Path: \filesrv\shared\IT\backup_scripts\sql_backup.ps1Owner: jsmith (IT … Read more

T1606 – Forge Web Credentials (Azure AD Detection)

May 31, 2026 by lowqe

Azure AD Alert Details Alert ID: AAD-TOKEN-FORGE-1606-7842 Alert Time: 2024-02-22 14:15:33 EST Severity: CRITICAL (98/100) Source: Azure AD Identity Protection Rule: “Suspicious Token Usage – Anomaly Detected” MITRE ATT&CK: T1606.002 – Forge Web Credentials: SAML Tokens Alert Details: Detection: Suspicious SAML token usage from untrusted location User: kwilson@company.com (Karen Wilson – Finance Manager) Time: 14:10 … Read more

T1557 – Adversary-in-the-Middle (Darktrace Detection)

May 31, 2026 by lowqe

Darktrace Alert Details Alert ID: DARKTRACE-AITM-1557-7842 Alert Time: 2024-02-21 16:30:45 EST Severity: CRITICAL (95/100) Source: Darktrace Enterprise Immune System Rule: “ARP Spoofing Detected – Potential Man-in-the-Middle Attack” MITRE ATT&CK: T1557.002 – Adversary-in-the-Middle: ARP Cache Poisoning Alert Details: Detection: ARP cache poisoning activity on internal network Time: 16:25-16:30 EST Network Segment: VLAN 45 (Finance Department) ARP … Read more

T1539 – Steal Web Session Cookie (Zscaler Detection)

May 31, 2026 by lowqe

Zscaler Alert Details Alert ID: ZSCALER-COOKIE-STEAL-1539-7842 Alert Time: 2024-02-21 10:30:22 EST Severity: HIGH (88/100) Source: Zscaler Internet Access (ZIA) Rule: “Suspicious Outbound Traffic – Session Cookie Exfiltration” MITRE ATT&CK: T1539 – Steal Web Session Cookie Alert Details: Detection: Outbound traffic containing session cookies to suspicious destination User: rpatel@company.com (Raj Patel, Engineer) Source IP: 192.168.78.45 (Internal) … Read more

T1003 – OS Credential Dumping (CrowdStrike Detection)

May 31, 2026 by lowqe

CrowdStrike Alert Details Alert ID: CS-LSASS-DUMP-1003-7842 Alert Time: 2024-02-20 10:30:45 EST Severity: CRITICAL (98/100) Source: CrowdStrike Falcon EDR Rule: “LSASS Process Access – Potential Credential Dumping” MITRE ATT&CK: T1003.001 – OS Credential Dumping: LSASS Memory Alert Details: Detection: Suspicious process attempting to access LSASS memory Host: IT-WS-034 (IT Department) User: msmith (Mike Smith – IT … Read more

T1558 – Steal or Forge Kerberos Tickets (Microsoft Defender for Identity Detection)

May 31, 2026 by lowqe

Microsoft Defender for Identity Alert Details Alert ID: MDI-KERBEROS-1558-7842 Alert Time: 2024-02-21 09:30:22 EST Severity: CRITICAL (98/100) Source: Microsoft Defender for Identity Rule: “Suspected Golden Ticket Attack – Anomalous Kerberos Ticket” MITRE ATT&CK: T1558.001 – Steal or Forge Kerberos Tickets: Golden Ticket Alert Details: Detection: Kerberos ticket with anomalous characteristics detected Domain Controller: DC-01 Time: … Read more

T1110 – Brute Force (Azure AD Detection)

May 31, 2026 by lowqe

Azure AD Alert Details Alert ID: AAD-BRUTEFORCE-1110-7842 Alert Time: 2024-02-21 14:15:33 EST Severity: HIGH (88/100) Source: Azure AD Identity Protection Rule: “Password Spray Attack Detected” MITRE ATT&CK: T1110.003 – Brute Force: Password Spraying Alert Details: Detection: Multiple failed login attempts followed by success – password spray pattern Time Window: 14:00 – 14:15 EST Source IP: … Read more

T1218 – System Binary Proxy Execution (CrowdStrike Detection)

May 31, 2026 by lowqe

CrowdStrike Alert Details Alert ID: CS-RUNDLL32-1218-7842 Alert Time: 2024-02-20 11:30:22 EST Severity: HIGH (88/100) Source: CrowdStrike Falcon EDR Rule: “Suspicious Rundll32 Execution – No Command Line Arguments” MITRE ATT&CK: T1218.011 – System Binary Proxy Execution: Rundll32 Alert Details: Detection: Rundll32.exe executed with suspicious parameters Host: MKT-WS-078 (Marketing Department) User: sjones (Sarah Jones, Marketing Manager) Time: … Read more