2025-11-19T02:04:11Z EventID=4625 Logon Failure
  Workstation: wf-41.corp.example
  Target Server: fs-fin.corp.example
  LogonType=3 (Network)
  Account Used: CORP\svc-backup
  FailureReason: Unknown user name or bad password
  AuthPackage: NTLM

2025-11-19T02:04:17Z EventID=4648 A logon was attempted using explicit credentials
  CallerProcess: C:\Tools\psexec64.exe
  CallerProcessHash: SHA256: 9a...ff (synthetic)
  Target Server: fs-fin.corp.example
  Account: CORP\svc-backup
  Authentication Package: NTLM

2025-11-19T02:04:17Z EventID=4624 An account was successfully logged on
  SubjectLogonId: 0x5a2f13
  LogonType=3 (Network)
  User: CORP\svc-backup
  AuthPackage: NTLM
  Computer: wf-41.corp.example
      

2025-11-19T02:04:16Z EDR NOTICE
  Parent: C:\Windows\System32\cmd.exe (PID 1788)
  Child:  C:\Tools\psexec64.exe (PID 1842)
  Network: wf-41 -> fs-fin.corp.example:445 (SMB) / 5985 (WinRM)
  CredUsage: NTLM, account=CORP\svc-backup
      

2025-11-19T02:04:17Z SMB AUTH SUCCESS
  Client=10.24.7.41 (wf-41) User=CORP\svc-backup Auth=NTLM LogonType=3
2025-11-19T02:05:02Z SMB FILE ACCESS
  Share=\\fs-fin\Finance Path=\Q4\payroll.xlsx Operation=READ Bytes=185632
2025-11-19T02:05:06Z SMB FILE ACCESS
  Share=\\fs-fin\Finance Path=\Q4\payroll.xlsx Operation=COPY Dest=\Temp\payroll.xlsx
      

2025-11-19T02:06:30Z WinRM AUTH ATTEMPT
  Client=10.24.7.41 User=CORP\svc-backup Protocol=HTTP (5985)
  Kerberos=FAIL Fallback=NTLM SUCCESS
  Action=Invoke-Command { Get-ChildItem \\fs-fin\Finance\Q4 }
      

2025-11-19T02:04:11Z DC AUTH
  NTLM authentication failure for CORP\svc-backup
  Source=wf-41 Target=fs-fin
2025-11-19T02:04:17Z DC AUTH
  NTLM authentication success for CORP\svc-backup
  Source=wf-41 Target=fs-fin LogonType=3
  Note=No interactive logon events on wf-41 for CORP\svc-backup
      

2025-11-19T02:07:12Z PROXY ALLOW
  src=10.24.12.20 (fs-fin) suser=CORP\svc-backup method=POST
  host=finance-drop.nimbus.example dst=203.0.113.90:443 uri=/u bytes_out=2100 bytes_in=204
  ua="PowerShell/7.2" tls=TLS1.2
      

2025-11-19T02:07:12Z FW ALLOW
  policy=egress-web src=10.24.12.20 dst=203.0.113.90:443 app=HTTPS bytes=2304
      

2025-11-19T02:07:13Z ALERT [1:9201101:1] Small POST from file server – possible data sample
  flow=10.24.12.20:49182 -> 203.0.113.90:443 proto=TCP
  note="low entropy payload; markers 'Q4','payroll' observed"
      

Attack Timeline & Correlated Summary

Timeline (UTC)

1. 02:04:11 — WinSec: NTLM failures (4625) from wf‑41 to fs‑fin using CORP\svc-backup.
2. 02:04:17 — WinSec: 4648 explicit credentials by psexec64.exe, then 4624 success LogonType=3 via NTLM.
3. 02:04:17 — SMB: Auth success (NTLM) to fs‑fin.
4. 02:05:02 — SMB: READ/COPY Finance\Q4\payroll.xlsx.
5. 02:06:30 — WinRM: Kerberos fail, fallback NTLM success.
6. 02:07:12 — Proxy/FW: HTTPS POST (~2KB) to finance-drop.nimbus.example.
7. 02:07:13 — IDS: markers 'Q4','payroll' observed (sanitized).

Correlation — Why each artifact is malicious

• Pass‑the‑Hash pattern: non‑interactive LogonType=3 success via NTLM following 4648 explicit creds by tool (psexec‑like).
• Lateral movement: SMB/WinRM connections from workstation to the file server using a service account (over‑privileged).
• Data touch: SMB telemetry shows Finance\Q4\payroll.xlsx read & copy.
• Exfil attempt: coordinated DNS/proxy/firewall/IDS footprint of small HTTPS POST to external domain with contextual markers.

ATT&CK Mapping

Kill Chain Phases

Immediate Defensive Actions

• Containment: isolate wf‑41; lock/rotate CORP\svc-backup; disable NTLM where possible.
• Eradication: remove local admin for service accounts; enforce Kerberos‑only admin paths; enable LSA protection; require SMB signing.
• Detection hardening: rules for 4648+4624(LogonType 3)+Kerberos fail → NTLM success; EDR detection for psexec‑like tools; alert on unusual SMB reads by service accounts.

All artifacts are original and synthetic for training; not published elsewhere.