T1497 – Virtualization/Sandbox Evasion (FortiSandbox Detection)

FortiSandbox Alert Details Alert ID: FORTI-SANDBOX-EVASION-1497-7842 Alert Time: 2024-02-20 15:30:15 EST Severity: HIGH (85/100) Source: Fortinet FortiSandbox Rule: “Sandbox Evasion Techniques Detected – Malware Refuses to Run” MITRE ATT&CK: T1497.001 – Virtualization/Sandbox Evasion: System Checks Alert Details: File Analysis Report: File Name: invoice_7842.exe File Size: 2.4 MB SHA256: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4 Source: Email attachment to user in Finance Submission Time: 15:15 …

T1055 – Process Injection (CrowdStrike Detection)

CrowdStrike Alert Details Alert ID: CS-PROC-INJECT-1055-7842 Alert Time: 2024-03-06 09:30:15 EST Severity: CRITICAL (95/100) Source: CrowdStrike Falcon EDR Rule: “Process Injection Detected – Remote Thread Creation” MITRE ATT&CK: T1055 – Process Injection Alert Details: Detection: Process created remote thread in another process (code injection) Source Host: FIN-WS-078 (Finance Workstation) User: bturner@company.com (Brian Turner, Accountant) Target …

T1568 – Dynamic Resolution (Cisco Umbrella Detection)

Cisco Umbrella Alert Details Alert ID: UMBRELLA-DGA-1568-7842 Alert Time: 2024-02-17 08:30:22 EST Severity: HIGH (82/100) Source: Cisco Umbrella Investigate + Security Graph Rule: “DGA Domain Query – Potential Malware Beaconing” MITRE ATT&CK: T1568.002 – Dynamic Resolution: Domain Generation Algorithms Alert Details: DNS Query Details: – Client IP: 192.168.45.78 (Internal – MKT-WS-023) – User: sjones (Sarah …

T1499 – Endpoint Denial of Service (Microsoft Defender Detection)

Microsoft Defender Alert Details Alert ID: MD-ENDPOINT-DOS-1499-7842 Alert Time: 2024-03-04 16:30:45 EST Severity: HIGH (82/100) Source: Microsoft Defender for Endpoint Rule: “Fork Bomb Detected – Potential DoS” MITRE ATT&CK: T1499.001 – Endpoint Denial of Service: OS Exhaustion Flood Alert Details: Detection: Process creating excessive number of child processes (fork bomb) Host: DEV-WS-078 (Development Workstation) User: …

T1565 – Data Manipulation (Varonis Detection)

Varonis Alert Details Alert ID: VARONIS-DATA-MANIP-1565-7842 Alert Time: 2024-03-04 10:30:22 EST Severity: CRITICAL (95/100) Source: Varonis Data Security Platform Rule: “Mass File Modification – Potential Data Manipulation” MITRE ATT&CK: T1565.001 – Data Manipulation: Stored Data Manipulation Alert Details: Detection: Large number of files modified with data changes (not metadata) User: kwilson@company.com (Karen Wilson, Finance Manager) …

T1496 – Resource Hijacking (AWS GuardDuty Detection)

AWS GuardDuty Alert Details Alert ID: GUARDDUTY-RESOURCE-HIJACK-1496-7842 Alert Time: 2024-03-04 14:15:33 EST Severity: HIGH (88/100) Source: AWS GuardDuty Rule: “Unauthorized Cryptocurrency Mining Activity Detected” MITRE ATT&CK: T1496 – Resource Hijacking Alert Details: Detection: EC2 instance exhibiting cryptocurrency mining behavior Instance: i-0a1b2c3d4e5f67890 (Development EC2) Instance Type: c5.4xlarge (16 vCPU, 32 GB RAM) Region: us-east-1 Account: 123456789012 …

T1498 – Network Denial of Service (Cloudflare Detection)

Cloudflare Alert Details Alert ID: CLOUDFLARE-DDOS-1498-7842 Alert Time: 2024-03-04 11:30:22 EST Severity: HIGH (85/100) Source: Cloudflare DDoS Protection Rule: “Layer 7 DDoS Attack Detected – HTTP Flood” MITRE ATT&CK: T1498.001 – Network Denial of Service: Direct Network Flood Alert Details: Detection: HTTP flood DDoS attack against company website Target: www.company.com Time: 11:15-11:30 EST Attack Type: …

T1490 – Inhibit System Recovery (Microsoft Defender Detection)

Microsoft Defender Alert Details Alert ID: MD-INHIBIT-RECOVERY-1490-7842 Alert Time: 2024-03-04 09:30:15 EST Severity: CRITICAL (98/100) Source: Microsoft Defender for Endpoint Rule: “Shadow Copy Deletion Detected – Ransomware Precursor” MITRE ATT&CK: T1490 – Inhibit System Recovery Alert Details: Detection: Attempt to delete Volume Shadow Copies (system backups) on multiple hosts Hosts Affected: 12 workstations (Finance, Engineering, …

T1489 – Service Stop (Splunk Detection)

Splunk Alert Details Alert ID: SPLUNK-SERVICE-STOP-1489-7842 Alert Time: 2024-03-03 16:30:45 EST Severity: HIGH (85/100) Source: Splunk Enterprise Security Rule: “Critical Service Stopped – Potential Disruption” MITRE ATT&CK: T1489 – Service Stop Alert Details: Correlated Events: Windows Event ID 7036 (Service Status Change): Time: 16:15-16:30 EST Host: SQL-SRV-01 (Primary SQL Server) Service: MSSQLSERVER (SQL Server) Action: STOPPED Reason: “The service …

T1491 – Defacement (Tripwire Detection)

Tripwire Alert Details Alert ID: TRIPWIRE-DEFACE-1491-7842 Alert Time: 2024-03-03 10:30:22 EST Severity: HIGH (88/100) Source: Tripwire File Integrity Monitoring Rule: “Critical Web File Modified – Potential Defacement” MITRE ATT&CK: T1491.001 – Defacement: Internal Defacement Alert Details: File Integrity Alert: Host: WEB-SRV-01 (Public Web Server) Path: /var/www/html/index.html Expected Hash (baseline): 7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b Current Hash: a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4 Modification Time: …