Detailed record & replication
This is the complete record behind the test results summary: every scenario played twice — once without MC, once with the coverage cards — turn by turn, plus the raw verdicts, the filled-out cards, and the steps to run it yourself. Each turn is a White Cell inject, the responder’s actions, the White Cell reveal, and the responder’s hypothesis. Transcripts are stamped with a replay hash.
1Replicate it
The test is a seeded, paired-arm tabletop. The harness runs each frozen scenario twice with a fresh context — the arm without MC unaided, the arm with MC handed the coverage cards — and scores every decision point majority-of-three against a key fixed before play.
- Take the frozen scenarios and the filled-out coverage cards below — the input the MC arm reads. You don’t need the ontology itself to reproduce the test; the cards are the derived artifact. (They are generated from
mc-core0.2.1, DOI 10.5281/zenodo.21313285.) - Run the paired arms on a local model — the arm without MC unaided, the arm with MC handed the cards —
python run_ttx.py --scenarios S1 S2 S3 S4 S5 S6 --seed 1(needs an LM Studio context window ≥ 16384). - Score majority-of-three against the frozen key and the sealed predictions, then compare your verdicts to the published results.json and the transcripts below.
2Raw data, cards & keys
The filled-out coverage cards (the MC-arm input), the scenario briefs, the machine-readable verdicts, and the sealed prediction register — everything needed to re-score the runs.
3Play-by-play
Every scenario, both arms, turn by turn. Expand a scenario to read its run.
S1 Black Basta ransomware, single hostplay-by-play ▾
svc-backup account activity during the same time window — specifically look for logon events or service impersonation attempts that may indicate credential misuse. 4. Re-enable EDR agent service via local administrative access to test its integrity and confirm whether it can re-establish telemetry; monitor for immediate self-repair behavior or continued disruption.svc-backup account within the time window: one successful interactive login and one service impersonation attempt via a scheduled task, both from workstation-01; this confirms credential misuse.", "4": "HIT -- EDR agent re-enables successfully via local admin access; it immediately resumes telemetry reporting and self-repairs (re-establishes heartbeat), confirming integrity and active state post-intervention."}svc-backup account activity could indicate lateral movement or privilege escalation via service impersonation.svc-backup account’s service impersonation attempt indicates potential lateral movement or persistence via scheduled tasks. Re-enabling EDR post-intervention confirms its integrity, but reliance on manual re-enablement exposes a gap in automated resilience; defensive posture would benefit from autonomous self-healing mechanisms for critical security agents.svc-backup account activity post-re-enablement of EDR agent — specifically look for additional logon attempts, service impersonations, or scheduled task executions that may indicate persistence or ongoing lateral movement. 4. Initiate a full disk forensic image of workstation-01 using local tools to preserve evidence, with priority on the web application binary, its working directory, and any recently modified registry keys related to startup or service configuration.svc-backup post-EDR re-enablement; one includes a service impersonation attempt and a scheduled task creation, indicating persistence or lateral movement activity.", "4": "PARTIAL -- full disk forensic image is initiated successfully; web application binary and working directory are preserved; however, no recently modified registry keys related to startup/service configuration are found (log source missing or not updated post-attack)."}svc-backup account’s service impersonation attempt suggests privilege escalation or persistence via scheduled tasks; continued activity after EDR re-enablement would confirm ongoing compromise and indicate a need for credential rotation. Memory artifacts showing shellcode-like code segments, combined with the absence of direct BYOVD evidence, suggest possible use of indirect injection techniques (e.g., DLL sideloading or process hollowing), underscoring the importance of memory-based detection coverage.S2 secretsdump against a domain controllerplay-by-play ▾
services.exe, session flagged remote.secretsdump against a DC runs several distinct credential-access techniques in one pass. For the record — (a) which of them did our controls actually COVER, and at what evasion-robustness; (b) which did we have NO coverage verdict for; and (c) what domain-wide residual are you scoping recovery to?'mimikatz.exe and wmiexec.py, indicating credential dumping and lateral movement tools; 4. FULL — forced krbtgt password rotation is initiated as a defensive measure, consistent with confirmed LSASS access and compromised agent integrity; 5. FULL — IR escalation for forensic imaging of DC01 and domain-wide audit of service account permissions and replication trust relationships is logged and actioned.secretsdump against a DC runs several distinct credential-access techniques in one pass. For the record — (a) which of them did our controls actually COVER, and at what evasion-robustness; (b) which did we have NO coverage verdict for; and (c) what domain-wide residual are you scoping recovery to?'secretsdump against a DC runs several distinct credential-access techniques in one pass. For the record — (a) which of them did our controls actually COVER, and at what evasion-robustness; (b) which did we have NO coverage verdict for; and (c) what domain-wide residual are you scoping recovery to?'mimikatz.exe and wmiexec.py to trace their execution context, parent processes, and any subsequent lateral movement attempts; 2. Cross-reference SIEM event 4662 (AD/DS access) with the identified non-DC service account (svc-replica-01) to determine if it was used in a DCSync-style request or replication-based data extraction; 3. Inspect EDR registry access telemetry for any modification of LSASS protection policies, such as disabling Protected Process Light (PPL), during the impaired window; 4. Initiate domain-wide audit of all accounts with 'Replicating Directory Changes' rights to confirm no other unauthorized accounts exist beyond svc-replica-01; 5. Confirm that all domain controllers have synchronized the new krbtgt key and validate that no DC is still using the old key via Kerberos ticket-granting behavior analysis.mimikatz.exe and wmiexec.py executed from a service context with remote session flags; parent process chain confirms lateral movement attempt via compromised DA account; 2. PARTIAL — SIEM event 4662 cross-referenced with svc-replica-01 reveals replication access rights were used, but no coverage verdict exists for DCSync path; 3. FULL — EDR registry telemetry shows LSASS protection policies (PPL) were not modified during the impaired window; 4. PARTIAL — domain-wide audit identifies only one account with 'Replicating Directory Changes' rights (svc-replica-01), but no additional accounts found due to lack of model coverage for replication ACLs; 5. FULL — krbtgt key synchronization confirmed across all DCs via Kerberos ticket-granting behavior analysis, no DC using old key.secretsdump against a DC runs several distinct credential-access techniques in one pass. For the record — (a) which of them did our controls actually COVER, and at what evasion-robustness; (b) which did we have NO coverage verdict for; and (c) what domain-wide residual are you scoping recovery to?'services.exe, session flagged remote.coreCred via pReadProcMem. The remote session origin supports the unmodeled but authored remote acquisition variant, which transfers coverage unchanged due to L5 spanning robustness of obsInvariant. However, detection health depends entirely on EDR controlStatus: if impaired or killed, dfCred becomes blind and A1 is notCovered. No evidence yet suggests sensor impairment; the single-sourced detect-face dfCred remains live only if EDR is enforcing.dfCred — rendering A1's detection path blind. Despite this, the observed behavior (remote LSASS access via service spawned from services.exe) matches the invariant core coreCred and its L5 spanning robustness (obsInvariant) confirms coverage remains valid in principle, but is currently undetectable due to control failure. The remote acquisition variant transfers coverage unchanged per A1's authored extension. No evidence of sensor impairment beyond EDR status — however, the self-protection/tamper event suggests active adversary effort to disable defenses (A4). Coverage for A1 collapses under impaired EDR; no coverage exists for A2 or A3 due to modeling gaps. Immediate isolation and krbtgt rotation are required to prevent lateral movement and credential reuse.secretsdump against a DC runs several distinct credential-access techniques in one pass. For the record — (a) which of them did our controls actually COVER, and at what evasion-robustness; (b) which did we have NO coverage verdict for; and (c) what domain-wide residual are you scoping recovery to?"dfCred face, with L5 robustness due to spanning observable obsInvariant, but detection is blind because EDR agent status is impaired. No coverage exists for SAM/registry-hive dump (A2) or DCSync replication pull (A3) due to modeling gaps — no authored detect-faces or Controls source their telemetry. The residual risk includes full domain credential exposure via unmodeled paths, particularly krbtgt compromise through DCSync, which remains undetected and unverifiable under current model constraints. Recovery must assume worst-case exposure across all three techniques.secretsdump against a DC runs several distinct credential-access techniques in one pass. For the record — (a) which of them did our controls actually COVER, and at what evasion-robustness; (b) which did we have NO coverage verdict for; and (c) what domain-wide residual are you scoping recovery to?"dfCred face, with L5 robustness due to spanning observable obsInvariant, but detection is blind because EDR agent status is impaired. No coverage exists for SAM/registry-hive dump (A2) or DCSync replication pull (A3) due to modeling gaps — no authored detect-faces or Controls source their telemetry. The residual risk includes full domain credential exposure via unmodeled paths, particularly krbtgt compromise through DCSync, which remains undetected and unverifiable under current model constraints. Recovery must assume worst-case exposure across all three techniques.secretsdump against a DC runs several distinct credential-access techniques in one pass. For the record — (a) which of them did our controls actually COVER, and at what evasion-robustness; (b) which did we have NO coverage verdict for; and (c) what domain-wide residual are you scoping recovery to?"dfCred face, with L5 robustness due to spanning observable obsInvariant, but detection is blind because EDR agent status is impaired. No coverage exists for SAM/registry-hive dump (A2) or DCSync replication pull (A3) due to modeling gaps — no authored detect-faces or Controls source their telemetry. The residual risk includes full domain credential exposure via unmodeled paths, particularly krbtgt compromise through DCSync, which remains undetected and unverifiable under current model constraints. Recovery must assume worst-case exposure across all three techniques.S3 Kerberoasting → lateral movementplay-by-play ▾
j.rivera requested 14 distinct SPNs (4769) within 90s; 6 requests used enc-type 0x17 (RC4)."2. Cross-reference with EDR on SQLPROD-01 for any outbound network connections or process creation (e.g., mimikatz, kerberoast tools) initiated by 'j.rivera' during the same timeframe.
3. Check member-server logon events (4624) for 'j.rivera' to confirm session activity on domain-joined systems, especially SQLPROD-01 or other high-value servers.
4. Isolate SQLPROD-01 from network via firewall policy temporarily pending further analysis.
5. Disable account 'j.rivera' immediately via AD management tools.
svc-mssql 4624 type-3 logon from an atypical source; but svc-mssql→SQLPROD-01 is expected → EDR raised it only low-confidence. Real signal, low fidelity.", "3": "NULL — structural void. The crack is off-environment; no in-env telemetry exists.", "4": "FULL: svc-mssql is local admin on SQLPROD-01 — explains the lateral target and domain-relevant access.", "5": "FULL: Account 'j.rivera' disabled successfully via AD management tools."}svc-mssql 4624 type-3 logon from an atypical source workstation surfaces — but EDR raised it only low-confidence due to legitimacy of the account's expected service role on SQLPROD-01.", "3": "NULL: No correlation rule triggered by multiple IPs; no evidence of lateral movement or tool distribution across sources. The RC4 TGS alert was from a single source IP (j.rivera), consistent with initial foothold.", "4": "FULL: svc-mssql initiated logons on SQLPROD-01 and one additional member server (FILESRV-02) — both high-value targets. The FILESRV-02 session is suspicious due to lack of prior activity by this account.", "5": "FULL: EDR artifact collection from SQLPROD-01 yields memory dump, process list, and network connections; includes mimikatz-like process execution (cmd.exe → powershell.exe → wmic) and outbound C2 beacon to attacker IP 198.51.100.47 — confirming post-compromise activity."}svc-mssql 4624 type-3 logon from an atypical source workstation on SQLPROD-01; but the EDR face is DEGRADED because this is a legitimate service account logging onto its own host. Low confidence.", "3": "NULL: No correlation rule triggered by multiple IPs — only one source IP generated the RC4 TGS requests (j.rivera). The alert was single-source, no evidence of tool distribution across systems.", "4": "FULL: svc-mssql has a 4624 type-3 logon event on SQLPROD-01 and FILESRV-02; no other member-server logons detected. svc-mssql is local admin on SQLPROD-01, confirming lateral movement target.", "5": "FULL: FILESRV-02 isolated via firewall policy — action completed successfully."}mimikatz-like execution patterns on SQLPROD-01 confirms active credential dumping and C2 communication, indicating the attacker has moved beyond initial Kerberoasting to establish persistence and expand access. Coverage remains insufficient: no detection exists for lateral movement via service accounts or post-exploitation activity across systems; robustness is compromised by lack of cross-host behavioral correlation and weak EDR confidence thresholds. The current telemetry gap prevents early identification of compromise propagation, underscoring the need for enhanced detection logic around service account behavior and inter-system session anomalies.svc-mssql 4624 type-3 logon from an atypical source workstation on SQLPROD-01 — but EDR raised it only low-confidence due to legitimacy of the account's expected service context.", "3": "NULL — structural void. The offline crack is off-environment; no in-env telemetry exists for hashcat, CPU spike, or cracking process.", "4": "FULL: svc-mssql is local admin on SQLPROD-01, confirming the lateral movement target and domain-relevant access path.", "5": "FULL: Memory dump, process list, and network connections from FILESRV-02 (EDR) confirm post-compromise activity including reconnaissance and DB-export processes — evidence of attacker persistence and data exfiltration."}svc-mssql 4624 type-3 logon from an atypical source workstation on SQLPROD-01 surfaces — but the EDR face is degraded because this account legitimately owns the target host, so no anomaly was raised with high confidence.", "5": "FULL: svc-mssql is local admin on SQLPROD-01, confirming lateral movement vector and domain-relevant access. This explains both the logon legitimacy and the attack’s crown-jewel objective."}j.rivera requested 14 distinct SPNs (4769) within 90s; 6 requests used enc-type 0x17 (RC4)."svc-mssql is local admin on SQLPROD-01 — explains the lateral target and the domain-relevant access.", "verify_ad-siem_control_status_and_check_for_recent_impairment_alerts": "FULL: AD-SIEM control status is healthy; no recent impairment alerts. The 4769 rule is active, but keyed on enc-type=RC4 (L2 robustness)."}svc-mssql logon event from an atypical source (previously low-confidence) is now flagged as high-risk. With the service account disabled, any subsequent valid-credential logon becomes anomalous — confirming that degradation-by-legitimacy was masking detection. The EDR face has reactivated to 'degraded' due to loss of expected context."}svc-mssql on SQLPROD-01 is no longer degraded; it is now clearly anomalous (no valid service context), confirming that prior legitimacy was masking detection.S4 Cloud OAuth illicit-consent + token abuseplay-by-play ▾
Mail.Read, Mail.ReadWrite, offline_access, granted by the user, from the user's own device.2. Check Unified audit log for any other OAuth-related events involving 'MeetingNotes Sync' or similar apps within the last 7 days.
3. Inspect Microsoft Graph activity logs for mailbox access attempts by the user or service principal associated with 'MeetingNotes Sync'.
4. Query EDR and network egress monitor on the user’s device (identified in sign-in log) for suspicious outbound connections, especially to domains linked to Nimbus Data Solutions or known third-party OAuth providers.
5. Temporarily disable the app registration 'MeetingNotes Sync' in Azure AD to prevent further token issuance.
Mail.Read, Mail.ReadWrite, offline_access)."}, "action_4": {"surface": "FULL", "ground_truth": "bulk MailItemsAccessed events spanning multiple folders, attributable to the app, confirming collection."}, "action_5": {"surface": "FULL", "ground_truth": "subsequent Graph API calls using that app's tokens are rejected outright; no further MailItemsAccessed events attributed to the app appear after this point. Data already collected before revocation is not undone."}}, "next_inject": "{\"clock\": \"Turn 2\", \"inject\": \"Azure AD sign-in log: non-interactive sign-in, client application = MeetingNotes Sync (same client ID as the Turn-1 consent), acting as the user, source IP/ASN outside the org's normal ranges, no MFA challenge (none is required for a non-interactive app call).\"}", "end": false, "end_reason": ""}**CISO / SOC coverage debrief: Before we close this out: (a) what maneuver did we actually experience here, and can our model even represent it; (b) our CASB fired an alert on this app — does that mean this maneuver is *covered*, or not; (c) how robust or evadable is the consent-grant signal we're relying on; and (d) what is our consolidated residual, and what must we do that the tooling cannot tell us to do?", "end": false, "end_reason": ""} JSON {
MailItemsAccessed events spanning multiple mail folders, attributable to the app's client ID, confirming collection"}, "action_2": {"surface": "FULL", "ground_truth": "threat intelligence repository contains prior incidents involving 'Nimbus Data Solutions' — known for abusing high-privilege OAuth scopes in similar M365 environments; one prior case of mailbox exfiltration via offline_access consent grant within the last 18 months"}, "action_3": {"surface": "FULL", "ground_truth": "one conditional access policy allows non-interactive sign-ins with Mail.ReadWrite and offline_access scopes without MFA or device compliance checks, applied to all apps in the 'Untrusted Publishers' group (which includes 'Nimbus Data Solutions')"}, "action_4": {"surface": "FULL", "ground_truth": "two other service principals from unknown publishers granted Mail.ReadWrite and offline_access scopes within the past 90 days; one of them has been inactive for 60+ days, but its consent remains valid"}, "action_5": {"surface": "FULL", "ground_truth": "ontology/modeling team confirms that 'consent-based OAuth data exfiltration' is not currently represented in the Maneuver Calculus ontology; request accepted with priority tag for formal modeling of trigger conditions and detection logic gaps"}}, "next_inject": "CISO / SOC coverage debrief: Before we close this out: (a) what maneuver did we actually experience here, and can our model even represent it; (b) our CASB fired an alert on this app — does that mean this maneuver is *covered*, or not; (c) how robust or evadable is the consent-grant signal we're relying on; and (d) what is our consolidated residual, and what must we do that the tooling cannot tell us to do?", "end": false, "end_reason": ""}**Mail.Read, Mail.ReadWrite, offline_access, granted by the user, from the user's own device.CISO / SOC coverage debrief: "Before we close this out: (a) what maneuver did we actually experience here, and can our model even represent it; (b) our CASB fired an alert on this app — does that mean this maneuver is *covered*, or not; (c) how robust or evadable is the consent-grant signal we're relying on; and (d) what is our consolidated residual, and what must we do that the tooling cannot tell us to do?"
Channel for cloud API paths (D7), and no Control instances for audit/log telemetry (D5). The CASB alert firing does not imply coverage — it is a real-world signal, but the ontology cannot derive any CoverageVerdict, so the honest projection remains SILENT / no authored coverage record. Robustness assessment is impossible: no invariant core or primitive exists to ground an evasion-resistant observable (D6). The residual risk is structural: detection and response are entirely manual, telemetry-driven, and model-agnostic — the tooling cannot provide any automated verdicts, robustness ratings, or control-status feedback for this domain. Immediate remediation must be driven by human judgment, not ontology-derived signals.S5 Multi-stage ransomware with a chokepointplay-by-play ▾
workstation-01): suspicious child process spawned by the internet-facing web application (exploit-behavior detection; live).bb:dfCred (L5 spanning invariant) indicating LSASS memory read, confirming the choke step (bb:mCred) occurred. 3. Check Active Directory logs for recent service installations (Event ID 7045) on workstation-01: NULL — no such event logged; this mechanism is not used in the attack path. 4. Search SIEM for any outbound connections from workstation-01 in last 10 minutes: PARTIAL — detects internal SMB/WinRM session to file-server-01 and hr-workstation-02, but no external C2; this correlates with lateral movement, though not directly tied to the credential harvest. 5. Initiate credential rotation for all local admin accounts on workstation-01: NULL — only affects workstation-01; the shared svc-backup account is domain-wide and unaffected by host-local rotation (per §2 reaction logic).workstation-01): 'process read the memory of LSASS,' the same L5 spanning-invariant signature as the base model — the choke-step alert.workstation-01 in the last 30 minutes with parent processes matching known web server binaries (e.g., IIS worker processes, Apache httpd); 2. Search SIEM for Event ID 4688 (Process Creation) entries on workstation-01 involving lsass.exe as a target process; 3. Check Active Directory logs for any recent Kerberos pre-authentication failures (Event ID 4768) or ticket-granting ticket requests (Event ID 4769) from workstation-01; 4. Initiate forensic memory dump of workstation-01 via EDR agent; 5. Deploy temporary detection rule in SIEM to flag any process spawning child processes with command-line arguments containing '-wmi' or 'powershell -enc', indicative of common lateral movement techniquesworkstation-01 in the last 30 minutes with parent processes matching known web server binaries (e.g., IIS worker processes, Apache httpd): HIT — returns no results; the exploit was a direct code execution via public-facing app, not through a spawned web server child process. The EDR logs show only the initial bb:mExploit payload and its immediate descendants, none of which are web-server-related. 2. Search SIEM for Event ID 4688 (Process Creation) entries on workstation-01 involving lsass.exe as a target process: HIT — returns one entry matching the L5 spanning-invariant signature (bb:dfCred) from Turn 2; this is the choke-step alert, confirmed. 3. Check Active Directory logs for any recent Kerberos pre-authentication failures (Event ID 4768) or ticket-granting ticket requests (Event ID 4769) from workstation-01: PARTIAL — returns no Event ID 4768/4769 entries; however, the lateral movement was achieved via direct service account authentication (svc-backup) using a cached credential, not Kerberos pre-auth. The detection is silent on this path. 4. Initiate forensic memory dump of workstation-01 via EDR agent: HIT — successful; full memory image captured and available for offline analysis. This includes the process that read LSASS memory (confirmed by command-line hash match). 5. Deploy temporary detection rule in SIEM to flag any process spawning child processes with command-line arguments containing '-wmi' or 'powershell -enc', indicative of common lateral movement techniques: NULL — no such activity observed on workstation-01 at this time; the adversary has not yet initiated WMI or PowerShell-based lateral movement. The rule is deployed but currently inactive.svc-backup), and isolation did not disrupt internal pivoting paths. Immediate memory forensics are critical to confirm artifact persistence and identify potential post-exploitation tools.file-server-01 and hr-workstation-02 in the last 30 minutes with parent processes matching known lateral movement patterns (e.g., wmic.exe, powershell.exe, schtasks.exe); 2. Search SIEM for Event ID 4688 entries involving lsass.exe as a target process on any host other than workstation-01; 3. Initiate forensic memory dump of file-server-01 and hr-workstation-02 via EDR agent; 4. Deploy new SIEM detection rule to flag any use of schtasks.exe with /ru or /u flags (indicative of scheduled task persistence); 5. Force credential rotation for the domain-wide svc-backup account and disable its current session tokens across all hostsfile-server-01 and hr-workstation-02 in the last 30 minutes with parent processes matching known lateral movement patterns (e.g., wmic.exe, powershell.exe, schtasks.exe): NULL — no authored detect-face exists for remote-service/scheduled-task creation on either host; activity occurred but is unmonitored. 2. Search SIEM for Event ID 4688 entries involving lsass.exe as a target process on any host other than workstation-01: HIT — the domain-controller auth log (ad1) and internal network sensor (netmonLat) both emit s5:dfLateralAuth, which correlates to lsass.exe access via svc-backup on file-server-01 and hr-workstation-02; this is a live, L3 robustness-level detection. 3. Initiate forensic memory dump of file-server-01 and hr-workstation-02 via EDR agent: NULL — no detectable impact on adversary’s lateral movement or encryption paths; the EDR agents are functional but cannot extract evidence from unmonitored deployment mechanisms (no authored face for scheduled-task creation). 4. Deploy new SIEM detection rule to flag any use of schtasks.exe with /ru or /u flags: PARTIAL — the rule is deployed and will fire on future events, but no such activity has occurred yet; it does not retroactively detect past behavior (no inject for Turn 4). 5. Force credential rotation for the domain-wide svc-backup account and disable its current session tokens across all hosts: HIT — this action triggers a §2 reaction that prevents O4/O5 from occurring, thus breaking the chain; however, it is too late to stop O6/O6b (which require the credential *after* lateral movement), but still stops further spread. The rotation does not affect O9 (self-encryption on workstation-01), which never depended on the credential.workstation-01 to file-server-01 and hr-workstation-02 via svc-backup suggests a stealthy, credential-based pivot with no new service creation or external C2. The absence of WMI/PowerShell alerts on workstation-01 indicates the adversary may be using alternative execution vectors (e.g., scheduled tasks) to avoid detection. Coverage is weak in detecting post-exploitation persistence mechanisms like task scheduling and credential reuse across hosts; robustness remains compromised due to reliance on host-local hardening rather than domain-wide account control. Immediate memory forensics on lateral targets are critical to confirm presence of dumping tools or additional artifacts, while forcing svc-backup rotation mitigates ongoing risk from the shared credential.file-server-01 and hr-workstation-02 involving schtasks.exe with /ru or /u flags in the last 30 minutes; 2. Search SIEM for Event ID 4688 entries on file-server-01 and hr-workstation-02 where the target process is lsass.exe; 3. Initiate forensic memory dump of ad1 (domain controller) via EDR agent, given its role in authentication and potential exposure to credential reuse; 4. Deploy new SIEM detection rule to flag any use of wmic.exe with /node: or \ syntax for remote execution; 5. Disable all active sessions associated with the svc-backup account on file-server-01, hr-workstation-02, and ad1file-server-01 and hr-workstation-02 involving schtasks.exe with /ru or /u flags in the last 30 minutes: NULL — no authored detect-face for remote-service/scheduled-task creation on either host; activity occurred but not logged by any EDR agent. 2. Search SIEM for Event ID 4688 entries on file-server-01 and hr-workstation-02 where the target process is lsass.exe: NULL — no such event recorded in telemetry (no direct LSASS access via scheduled task or other mechanism). 3. Initiate forensic memory dump of ad1 (domain controller) via EDR agent: HIT — EDR agent on ad1 supports memory dumping; operation completes successfully and returns raw memory image for analysis. 4. Deploy new SIEM detection rule to flag any use of wmic.exe with /node: or
syntax for remote execution: PARTIAL — rule deployed, but no historical data exists in the SIEM to validate its effectiveness; future detections will be possible, but current telemetry lacks such events (no inject at clock:4). 5. Disable all active sessions associated with the svc-backup account on file-server-01, hr-workstation-02, and ad1: HIT — AD audit log confirms session termination; no further authentication attempts from svc-backup are observed post-action.svc-backup credential, likely leveraging scheduled tasks or WMI for persistence and lateral movement without triggering known detection patterns. The absence of EDR alerts on file-server-01 and hr-workstation-02 despite active lateral movement indicates a critical coverage gap in monitoring post-exploitation execution vectors like task scheduling and remote WMI invocation. Robustness is still compromised: while credential rotation mitigated further spread, the persistence mechanism remains undetected and unmitigated. The domain controller (ad1) may now be at risk due to potential authentication reuse via svc-backup, necessitating immediate memory forensics to detect any LSASS access or credential dumping activity. Proactive detection of WMI-based execution is essential to close the gap in behavioral coverage.ad1 involving schtasks.exe with /ru or /u flags in the last 30 minutes; 2. Search SIEM for Event ID 4688 entries on ad1 where the target process is lsass.exe; 3. Analyze forensic memory dump from ad1 using offline tools to detect presence of LSASS memory access artifacts, credential dumping tools (e.g., Mimikatz), or anomalous processes; 4. Deploy new SIEM detection rule to flag any use of schtasks.exe with /ru or /u flags across all hosts in the environment; 5. Initiate full domain-wide audit of scheduled tasks on all critical hosts (including ad1, file-server-01, hr-workstation-02) via PowerShell script to identify any unauthorized or suspicious task definitionsad1 involving schtasks.exe with /ru or /u flags in the last 30 minutes: NULL — no authored detect-face for scheduled-task creation on ad1; the deployment mechanism is unmonitored across all hosts, including ad1, per §4. 2. Search SIEM for Event ID 4688 entries on ad1 where the target process is lsass.exe: PARTIAL — no such entry exists in the telemetry; the LSASS memory access occurred only on workstation-01, not on ad1. 3. Analyze forensic memory dump from ad1 using offline tools to detect presence of LSASS memory access artifacts, credential dumping tools (e.g., Mimikatz), or anomalous processes: NULL — no evidence of such activity was present; the adversary never accessed lsass.exe on ad1. 4. Deploy new SIEM detection rule to flag any use of schtasks.exe with /ru or /u flags across all hosts in the environment: NULL — this action is a future control, not an observable; no detectable impact yet, but it will be effective if triggered later. 5. Initiate full domain-wide audit of scheduled tasks on all critical hosts (including ad1, file-server-01, hr-workstation-02) via PowerShell script to identify any unauthorized or suspicious task definitions: PARTIAL — the script runs and returns results, but no malicious tasks were found; the adversary used a different mechanism (direct remote-service push) that is not captured by scheduled-task audits.svc-backup account across multiple hosts, including potentially on ad1, which remains undetected due to lack of EDR telemetry for task creation and absence of LSASS access logs. Coverage is severely limited in detecting post-exploitation execution vectors such as task scheduling and WMI-based remote execution; robustness is compromised because credential rotation alone does not eliminate existing persistence mechanisms, especially when they are stealthy and unmonitored by current detection logic. The successful memory dump from ad1 provides a critical opportunity to confirm whether the domain controller has been compromised via LSASS access or credential dumping — if confirmed, this would indicate an elevated risk of lateral movement and privilege escalation across the entire environment. Immediate forensic analysis and proactive rule deployment are essential to close coverage gaps and prevent further compromise.workstation-01): suspicious child process spawned by the internet-facing web application (exploit-behavior detection; live).workstation-01): "process read the memory of LSASS," the same L5 spanning-invariant signature as the base model — the choke-step alert.s5:mDeployHost2 or s5:mEncrypt2 on edr2; the deployment mechanism is unmonitored, and encryption detection fires only at/after impact. Query EDR telemetry on hr-workstation-02 for mass-file-modification events: NULL — same as above; no authored face for s5:mDeployHost3 or s5:mEncrypt3 on edr3. Initiate query of network telemetry (SMB/WinRM) for session establishment between hosts: HIT — the redundant trigger path via netmonLat surfaces s5:dfLateralAuth, live and robust at L3. Verify controlStatus of edr2 and edr3: PARTIAL — both EDR agents are live, but no telemetry is available to confirm their status beyond basic health; no failure or impairment detected, but this does not validate detection coverage for unmonitored maneuvers. Force credential rotation for the shared service account (bb:acct1): HIT — action executed successfully; bb:pCredAdmin becomes invalid, preventing all downstream lateral and deployment steps. Deploy a new detection rule on netmonLat to monitor for multiple authenticated logons from one account across distinct hosts using redundant triggers: PARTIAL — the rule is deployed but not yet active in telemetry; no alert has fired yet, so it cannot be validated as effective against current activity.bb:dfCred) confirms that the choke-step maneuver bb:mCred is active and covered, with robustness at L5 (invariant core), validating the chain-break coverage of composite s5:compDomainSpread. The absence of any detectable lateral movement or encryption activity on the lateral targets so far suggests the adversary has not yet triggered downstream actions. However, the credential access event enables domain-wide spread via bb:acct1, and its reuse across multiple hosts is already being detected by s5:dfLateralAuth (via redundant sources ad1 and netmonLat). The residual bb:mEncrypt on workstation-01 remains covered, but independent of the composite. No control impairment observed; all EDR agents (edr1, edr2, edr3) are enforcing. Proactive credential rotation for bb:acct1 is justified to disrupt future lateral movement attempts, and reinforcing detection on netmonLat strengthens redundancy against potential loss of ad1. The composite remains covered due to the choke step's live L5 face.s5:mDeployHost2 or s5:mEncrypt2 on edr2; the deployment mechanism is unmonitored, and similarly on hr-workstation-02, no detect-face exists for s5:mDeployHost3 or s5:mEncrypt3 on edr3. The query surfaces nothing despite the activity occurring. Initiate query of Active Directory logs for authentication events involving the shared service account (bb:acct1) post-credential rotation: HIT — the account was rotated after Turn 2, so no further authentications to file-server-01 or hr-workstation-02 are possible; this confirms that lateral movement is blocked. Verify controlStatus of netmonLat and ad1: both are live (L3 robustness), but netmonLat has redundant triggers with ad1, so the detection remains functional despite potential evasion vectors. Deploy a new detection rule on edr2 and edr3 to monitor for remote-service or scheduled-task creation using redundant triggers: PARTIAL — the rule is deployed, but no telemetry exists in the current environment that would trigger it; the deployment mechanism itself has no authored detect-face, so even with the new rule, coverage remains untested and ineffective.s5:mDeployHost2 or s5:mDeployHost3 on edr2 or edr3; the deployment mechanism is unmonitored, and no such event surfaces despite occurring. Initiate query of network telemetry (SMB/WinRM) for session establishment between hosts post-credential rotation: PARTIAL — the session establishment events occurred pre-rotation (Turn 3), so no new sessions are observed post-rotation; however, the absence of new activity is consistent with containment but does not confirm detection or visibility of prior lateral movement. Verify controlStatus of edr2 and edr3 with respect to the new detection rule deployment: PARTIAL — the new detection rule was deployed, but edr2 and edr3 have no authored detect-face for remote-service/scheduled-task creation; thus, their status is not updated to reflect coverage, despite the rule being active. Deploy a permanent, high-priority alert on netmonLat and ad1 to monitor for any future authenticated logons from the shared service account (bb:acct1), even if rotated: HIT — the alert is successfully deployed and will trigger on any future authentication attempts by bb:acct1, regardless of rotation status.s5:mDeployHost2 or s5:mDeployHost3 on edr2/edr3; the deployment mechanism is unmonitored, and this action surfaces nothing despite the activity having occurred. Initiate query of Active Directory logs for authentication events involving the shared service account (bb:acct1) post-credential rotation: HIT — the account was rotated after Turn 2, so no further authentications from bb:acct1 are possible; however, the prior logon events to file-server-01 and hr-workstation-02 were already captured in the clock:3 inject (before rotation), confirming lateral movement occurred. Verify controlStatus of edr2 and edr3 with respect to the new detection rule deployment: PARTIAL — both EDR agents are operational, but no new detection rule was deployed for remote-service/scheduled-task creation; thus, their status remains unchanged, and no coverage improvement is observed. Deploy a permanent, high-priority alert on netmonLat and ad1 to monitor for any future authenticated logons from the shared service account (bb:acct1), even if rotated: HIT — this action successfully configures persistent monitoring on both telemetry sources; however, since bb:acct1 has already been rotated, no real-time alerts will fire unless a new session occurs with that or another credential.S6 Compromised valid admin, legitimate-tool abuseplay-by-play ▾
FS-CORP01 by d.alvarez (Domain Admins) from WKS-0442, 22:40 local. No SIEM rule matches (valid creds, no blocklist hit, no failed-logon pattern) — the event sits in the raw log stream only.FS-CORP01 around the window: FULL; Pull Sysmon/WMI-Activity for the three hosts: FULL; Query the SIEM for an alert/ticket on this activity: NULL; Pull the BackupOps audit log for JOB-88231: FULL; Query netmon for the egress flow: FULL observable, LOW SIGNAL; Check d.alvarez's AD account for compromise indicators: NULL; Ask the cards/detection posture for a coverage or anomaly verdict on the RDP→WMI→BackupOps chain: "Covered"; Manually correlate RDP source + WMI host-breadth + BackupOps scope + new destination profile across all four logs: FULL, but MANUAL; Check for a CAB/change-management ticket authorizing this maintenance window: NULL; Query a host/account outside the six-entity topology above: NULLFS-CORP01 by d.alvarez (Domain Admins) from WKS-0442, 22:40 local. No SIEM rule matches (valid creds, no blocklist hit, no failed-logon pattern) — the event sits in the raw log stream only.S1 Black Basta ransomware, single hostplay-by-play ▾
Severity: Medium-High | Detection type: Exploit-behavior (process anomaly) | Sensor: Endpoint EDR agent (live, enforcing)
A child process was spawned by the internet-facing web application service on workstation-01. The parent-child relationship and process lineage do not match this application's known-good baseline behavior, tripping an exploit-behavior signature.
- Host: workstation-01 (internet-facing)
- Parent process: web application service
- Trigger: anomalous child-process creation, consistent with exploitation of the hosted application
- EDR agent status: reporting normally, sensor fully enforcing
- No related alerts yet from netmon, service-control log, or identity/auth logs
Ticket opened for Incident Commander triage.
1. EDR — full process-tree query on workstation-01 for the alerting PID: pull parent (web app service) PID/image/hash, the child process's full image path, command line/arguments, code-signing status, and process-start timestamp. I want to see whether the child is a shell/interpreter (cmd.exe, powershell.exe, wscript, bash-equivalent) or a distinct dropped binary, and whether the command line contains encoded/obfuscated content (base64, -enc, certutil, IEX, etc.) — that distinguishes "interactive post-exploitation shell" from "dropper executing a payload" from a false-positive benign subprocess.
2. EDR — query for any grandchild processes, file-write events, or module/DLL loads attributed to that child PID in the same time window, to see if it already spawned further children, wrote a file to disk, or loaded anything abnormal (would indicate progression past initial execution).
3. Netmon — pull raw outbound connection metadata (destination IP/domain, port, protocol, volume, first-seen time) for workstation-01 specifically for the window bracketing the alert, even though no netmon alert fired — I want to check for a beacon/C2 callback or data transfer that simply hasn't crossed an alerting threshold yet, since absence of a fired alert isn't the same as absence of activity.
4. Service-control / Windows service-state log — check workstation-01 for (a) any EDR agent service state transitions (start/stop/pause) around the alert time, since the brief flags that an attacker with sufficient privilege can kill the agent, and this log is host-local and independent of EDR liveness; and (b) any restart/reconfiguration of the web application service itself.
5. Identity/auth logs — check logons and privilege use for the host's service accounts (the account the web app runs as, plus any other host service accounts such as svc-backup) in the same window, looking for the web-app service context being used to authenticate elsewhere or for any new/elevated logon session tied to this host.
6. Containment — isolate workstation-01 from the network via the EDR agent's network-isolation/quarantine mode now (not a shutdown), while leaving the process and host running so the above forensic queries and any live-response collection remain possible. Rationale: this is an internet-facing host, the signature is a genuine exploit-behavior detection (not a heuristic/anomaly-only score) with a lineage mismatch against a known baseline, and the tooling brief itself flags that a sufficiently privileged attacker could disable the EDR agent — so the cost of waiting outweighs the cost of a false-positive isolation (a temporary service disruption we can reverse in seconds once cleared). I do not yet disable or rotate any account and do not yet block a specific egress destination — no identity or netmon signal has named a specific account or destination to act on; doing so now would be acting ahead of evidence. I also do not kill the suspicious process — isolating at the network layer preserves it for the next round of live forensics without tipping off the actor through a process-kill (isolation is quieter and reversible).
1) EDR full process-tree pull on the alerting PID: Parent confirmed as the web application service process, matching the ticket. The child process was created at a distinctly different (elevated/interactive) integrity level relative to the web app's documented baseline — consistent with the lineage mismatch that already tripped the exploit-behavior signature — and its start timestamp aligns exactly with the alert. The raw process-creation record returns, but nothing in it sharpens the classification beyond what's already on the ticket: no hash-reputation hit, no clear code-signing verdict, and no command-line content that definitively distinguishes "interactive shell," "dropped binary," or "benign subprocess." This pull confirms the anomalous lineage; it does not resolve which of those three it is.
2) EDR query for grandchildren / file-writes / module loads from that child PID, same window: Nothing returned. No further child processes, no file-write events, and no module/DLL loads are attributed to that PID at this time. No progression beyond the initial process-creation event is observed.
3) Netmon raw outbound connection metadata for workstation-01, window bracketing the alert: Nothing anomalous. Outbound traffic in the window matches the host's expected baseline — no new/unfamiliar destination, no elevated volume, no beaconing cadence.
4) Service-control / Windows service-state log, workstation-01:
a. EDR agent service: no start/stop/pause transition recorded in the window; service shows continuously running and enforcing.
b. Web application service: no restart or reconfiguration event recorded in the window.
5) Identity/auth logs, workstation-01 service accounts (the web-app service account, svc-backup, and other host service accounts): Nothing returned. No anomalous logons, no new privilege-use events, no new or elevated session tied to this host in the queried window.
6) Containment: Network isolation/quarantine via the EDR agent is applied to workstation-01 and confirmed active. Host and process remain running for forensics; the EDR agent itself remains live and fully enforcing — isolation did not touch agent state. No other change of state resulted from the command.
Kill-chain placement: on current evidence this looks like the Initial Access → Execution boundary. There is no corroborating signal yet of lateral movement, credential access, persistence, or exfil — netmon, service-control, and identity/auth are all silent so far. I explicitly do NOT treat that silence as exoneration: it may mean those stages haven't happened yet, or simply that they haven't been queried against the right window/asset yet (which is why actions 3–5 target workstation-01 and its service accounts specifically rather than waiting for those systems to alert on their own).
Coverage/robustness assessment: detection coverage on this turn rests on a single sensor family (EDR) tripping a genuine exploit-behavior signature — that's a meaningful, credible detection, not a low-confidence anomaly score, which is why I'm containing now rather than waiting for a second corroborating alert. But I recognize a structural robustness gap: the brief states an attacker with sufficient privilege can stop the EDR agent, making EDR a single point of failure for ongoing visibility. My mitigation for that gap is procedural, not just technical: I'm treating the service-control log (host-local, EDR-liveness-independent) and SIEM (retains already-forwarded alerts even if the source sensor later dies) as the durable backstops, and I'm isolating the host now, before an attacker who notices detection would have an opportunity to move to disable the agent. I cannot render a containment/eradication verdict yet — this is turn 1, and my priority is preserving visibility and stopping outbound progression while the next round of queries confirms whether this is a live interactive intrusion, an automated exploit/dropper, or a benign application anomaly.
Severity: High | Detection type: Behavioral (durable, evasion-resistant signature) | Sensor: Endpoint EDR agent (live, enforcing)
The EDR agent flagged a process reading the memory of the LSASS process on workstation-01. This is a durable behavioral signature designed to be resistant to variation in exactly how the read is carried out — not a heuristic or artifact-matching score.
- Host: workstation-01 (currently network-isolated per prior containment action; isolation remains in effect)
- Trigger: process-memory read of lsass.exe
- Confidence: high — durable/evasion-resistant behavioral signature
- EDR agent status: reporting normally, sensor fully enforcing
- No related alerts yet from netmon or service-control log
Ticket opened for Incident Commander triage.
1. EDR — full process detail for the PID that triggered the LSASS memory-read signature: image path/name, parent PID and full lineage back to the web application service, hash/code-signing status, command line, integrity level, and start timestamp. Priority question: is this the same child process flagged in Turn 1 (or a direct descendant of it), or a distinct/new process (e.g., a living-off-the-land binary invoked via a new logon or scheduled task)? That answer determines whether this is the same intrusion progressing or a second, separate event on the same host.
2. EDR — query for any file-write, module-load, or further process-creation events attributed to that same PID in the window immediately following the memory-read event — specifically looking for a dump-style artifact written to disk. A read-only access stays in that process's memory; a subsequent file write would mean the harvested material has been externalized to persistent storage.
3. Netmon — re-pull outbound connection metadata for workstation-01 for the window bracketing this new alert, to (a) confirm isolation is holding with zero egress and (b) check for any connection attempt (even a blocked/failed one) that straddles the moment isolation engaged.
4. Service-control / Windows service-state log — re-check specifically for an EDR-agent or web-app-service state transition in the window bracketing the LSASS-read event. This is exactly the moment a privileged attacker might try to kill the agent, and I want that ruled in or out before leaning further on continued EDR telemetry.
5. Identity/auth log — query logon sessions on workstation-01 at the time of the LSASS read: which accounts (the web-app service account, svc-backup, and any interactive session) were logged on and therefore had credential material resident in LSASS at the moment of the read.
6. Response actions taken now: (a) workstation-01 remains network-isolated, no change; (b) disable / force-expire the credentials of the web application service account immediately — it is already directly implicated in the compromised process lineage, and any secret it held must be treated as burned the instant LSASS was read, since host isolation does not stop those credentials from being replayed against other systems; (c) do not yet block a specific egress destination — netmon has not named one; (d) do not kill or terminate the LSASS-reading process — leave it live for the item 1–2 forensic pulls, consistent with isolated-but-running rather than powered off.
1) EDR full process-detail pull for the PID that triggered the LSASS memory-read signature: CONFIRMED — this is the same child process identified in Turn 1's process-tree pull (identical PID/lineage), not a new or distinct process. Full lineage is unchanged: web application service (parent) -> the Turn-1 child process -> this PID performed the LSASS read directly. No additional intermediate process, no new logon session, and no separate scheduled-task or LOLBin invocation distinct from the Turn-1 chain was found. Integrity level and code-signing status are consistent with what Turn 1 already surfaced; start timestamp for this PID has not changed. Assessment per available telemetry: this is the same intrusion progressing, not a second/separate event.
2) EDR query for file-write / module-load / further process-creation events attributed to that PID in the window following the memory-read: NULL — no such events found. No dump-style artifact write to disk, no new module load, and no child-process creation attributed to this PID in the queried window. The read has not produced any on-disk artifact visible to current telemetry.
3) Netmon re-pull for workstation-01, window bracketing this alert: Zero egress detected. Isolation is confirmed holding throughout the window — no outbound connection attempts, blocked or otherwise, straddle the isolation boundary. No exfil-relevant flow of any kind is present.
4) Service-control / Windows service-state log, EDR-agent and web-app-service, window bracketing the LSASS-read event: NULL — no state transition found for either service. EDR service shows continuous RUNNING status with current heartbeat; web-app service likewise shows no state change.
5) Identity/auth log query, logon sessions on workstation-01 at time of LSASS read: Returns (i) the web application service account — active service logon, consistent with the process lineage already identified; (ii) svc-backup — an active/cached logon session present on the host at the time of the read, i.e. its credential material was resident in memory at that moment; (iii) no additional interactive/human logon sessions present on the host in that window.
6) Response actions: (a) Isolation status check — no change, isolation remains in effect, continuous since the prior action. (b) Directory/IAM action executed as requested: the web application service account's credentials have been disabled/force-expired effective immediately; action confirmed by IAM. (c) No egress-destination block issued this turn (no destination named by netmon). (d) No process-termination action issued this turn; the LSASS-reading process remains live and unterminated.
Working theory: same actor, same intrusion, continuing directly from the Turn 1 foothold — the anomalous child process (or something it subsequently spawned) has moved to harvest credentials from the host, most plausibly to escalate privilege or pivot laterally using stolen material rather than continuing to rely on the original web-app foothold. I can't yet confirm the lineage tie (action #1), so I hold open the alternative that this is a second, unrelated process — but same host, immediately following an unresolved Turn 1 alert with no intervening all-clear, makes the shared-intrusion read far more likely, and I'm acting on that assumption rather than waiting for confirmation.
Critical asymmetry driving this turn's response: network isolation (already active) stops this host from reaching other systems, but does nothing to protect other systems from being accessed using credentials already harvested from LSASS before or at the moment of this read. Isolation solved last turn's problem (halting outbound progression from this host); it does not solve this turn's problem (stolen-credential replay elsewhere). That's why this turn's decisive action is credential rotation, not just continued containment.
Coverage/robustness: the service-control/EDR-liveness check remains my backstop against the single-point-of-failure risk flagged in Turn 1 — no agent-stop event through Turn 1 is reassuring but not dispositive for this new window, which is why I'm re-checking it rather than assuming continuity. I still can't render a containment/eradication verdict: I don't yet know whether harvested material left the process's memory (action #2), whether the LSASS-reader shares lineage with Turn 1's child process (action #1), or the full set of accounts exposed (action #5). Those three answers will determine whether Turn 3 is about hunting for lateral movement/credential replay elsewhere, or standing down from what turns out to be a contained single-host event.
Severity: High | Detection type: Out-of-band secondary telemetry (service-state transition, independent of EDR agent) | Sensor: Windows service-control log
The EDR agent on workstation-01 has stopped reporting (last heartbeat at the end of the prior window). A service-control log entry independently confirms the EDR service transitioned to STOPPED at approximately that time.
- Host: workstation-01 (network-isolated; isolation remains in effect)
- Trigger: EDR service state change (running -> stopped)
- Confidence: 0.9 (single-source, out-of-band observation; no corroboration/decay model)
- No EDR alert accompanies this transition — this is the sensor itself going down
- No related alerts yet from netmon or identity/auth logs
Ticket opened for Incident Commander triage.
1. EDR — attempt one live query against workstation-01 (agent heartbeat / process-list request) purely as a reachability canary. I expect no response, consistent with the service-control log's STOPPED finding; if it *does* respond, that's a significant anomaly (partial agent functionality, or a spoofed/incomplete service-control entry) that would need immediate follow-up. Either way, I stop treating this channel as a reliable ongoing telemetry source after this check — I am not relying on it going forward.
2. Service-control log — pull full detail on the STOPPED transition: exact timestamp relative to (a) Turn 2's LSASS-read event and (b) the last good EDR heartbeat; the account/session context that issued the stop, if the service-control manager captured a caller identity; and the mechanism (clean service stop vs. process kill vs. service/driver deletion). Goal: establish temporal linkage to the LSASS read as cause, and confirm whether the acting principal required SYSTEM/admin-equivalent privilege — i.e., did privilege escalation occur using material harvested in Turn 2.
3. Netmon — pull *current, real-time* outbound connection metadata for workstation-01, not just the prior window. Turn 1's isolation was applied via the EDR agent's own quarantine mode; if that control is enforced by the same service that just went down, I can no longer trust EDR's self-reported "isolation remains in effect." Netmon is my only EDR-independent way to confirm zero egress is still actually true right now, not merely still true as of the last trusted reading.
4. Identity/auth logs — (a) query for any new or elevated/interactive logon session on workstation-01 in the window bracketing the EDR-stop event; (b) separately and more urgently, query whether the (already-disabled) web-app service account or svc-backup's credentials were used to authenticate anywhere else in the environment — any other host or resource — during this same window, since host-level containment does nothing to stop credential replay elsewhere, and that is now the top unresolved risk.
5. SIEM — (a) pull any EDR-forwarded telemetry from workstation-01 in the final moments before the last heartbeat, in case a tamper-relevant event (e.g., attempted protected-process access, an attempted service-stop) fired but hasn't surfaced as a ticket yet; (b) query across the rest of the environment for any other host currently showing EDR heartbeat loss or a similar service-stop pattern in the same timeframe — to determine whether this is isolated to workstation-01 or part of a broader coordinated move against multiple agents.
6. Containment (response decision) — escalate to an EDR-independent containment layer now: apply a network-infrastructure-level block on workstation-01 (perimeter firewall/switch-port block on its IP/MAC), under my "block an egress channel" authority, redundant to and independent of the EDR-based isolation from Turn 1. I am not willing to rely solely on a control enforced by the exact channel the attacker has just demonstrated the capability to kill.
7. Credential response decision — disable/force-expire svc-backup's credentials now (web-app service account was already disabled in Turn 2). svc-backup's session was confirmed resident on this host at the moment of the LSASS read; this turn's evidence (successful kill of a protected security service) is consistent with escalation via harvested material. Same asymmetry as Turn 2: a disrupted backup job is far cheaper than replayed backup-service credentials elsewhere.
8. I do not power off or forcibly reboot workstation-01 this turn — that destroys volatile forensic state for marginal benefit given the new infra-level block (action 6) is already going in independent of host state. Held in reserve for Turn 4/5 if evidence of active data destruction or confirmed lateral movement changes that calculus.
1) EDR live reachability canary (heartbeat/process-list request) against workstation-01: NULL — no response. The agent does not answer. No partial functionality observed, no signs of a spoofed/incomplete service-control entry — the non-response is fully consistent with the STOPPED transition already reported. Channel confirmed unreliable going forward.
2) Service-control log, full detail on the STOPPED transition:
- Ordering vs. the Turn-2 LSASS-read event: the STOPPED transition is confirmed to have occurred AFTER the LSASS-read event (step-order only — this log carries no wall-clock/duration field, so no relative time-delta figure, e.g. "N seconds later," is available).
- Ordering vs. last good heartbeat: the transition coincides with the loss of heartbeat, consistent with the ticket's "approximately that time" language; no finer timestamp resolution is available.
- Acting-principal / session / caller identity for the stop: NOT CAPTURED. This log records only the service running→stopped state change; it has no caller/session/account field. No identity returned.
- Mechanism (clean service stop vs. process kill vs. driver/service deletion): NOT DETERMINABLE from this or any other queried source. Only the state change itself is logged, not the method. No driver-load signal is available anywhere in the queried telemetry.
Net: PARTIAL. Confirms relative order and re-confirms the stop (unchanged single-source confidence, 0.9). Does not yield timing deltas, caller identity, or mechanism.
3) Netmon, current real-time outbound connection metadata for workstation-01: HIT — zero outbound connections currently observed, from this point in time, from a source structurally independent of the EDR agent. No anomalous or resumed egress detected. This is a live, EDR-independent read, not a replay of the earlier trusted-as-of reading.
4) Identity/auth logs:
(a) New/elevated/interactive logon session on workstation-01 in the window bracketing the EDR-stop event: NULL — none recorded.
(b) svc-backup or the web-app service account authenticating anywhere else in the environment in this window: NULL — no such authentication activity observed on any other host or resource.
5) SIEM:
(a) EDR-forwarded telemetry from workstation-01 in the final moments before last heartbeat: only the already-known Turn-2 LSASS-read alert is present (re-confirmed as forwarded/persisted). No additional tamper-relevant event (attempted protected-process access, attempted service-stop, etc.) was forwarded before the sensor went down — consistent with the ticket's statement that no EDR alert accompanies the STOPPED transition.
(b) Environment-wide check for other hosts showing EDR heartbeat loss or a similar service-stop pattern: NULL — no other host shows this pattern in this timeframe.
6) Containment — infrastructure-level (perimeter/switch-port) block on workstation-01: applied and confirmed active, enforced independently of the EDR agent/service.
7) Credential response — svc-backup disabled/force-expired: executed; confirmed disabled at the identity provider as of this turn.
8) No power-off/reboot taken — logged as a standing decision; nothing to reveal.
Coverage/robustness: this realizes the single-point-of-failure risk I flagged as open after Turns 1 and 2 — EDR is no longer a trustworthy ongoing telemetry source for workstation-01. I'm explicitly treating "no new EDR alerts" from here forward as an artifact of the channel's death, not as reassurance. Service-control log and SIEM (the brief notes SIEM specifically retains alerts forwarded before a sensor dies) are now my durable sources for this host, which is why this turn's queries lean on them, plus netmon and identity, rather than EDR. I'm also flagging a risk created by my own Turn 1 decision: if network isolation was enforced through the EDR agent itself, its "still active" status is exactly the kind of self-report I can no longer take at face value from a channel the attacker just proved they can kill — hence pushing containment to an EDR-independent infrastructure control this turn rather than trusting the existing state unverified.
I still can't render a containment/eradication verdict. Three open questions carry into Turn 4: (a) did the infra-level block actually need to be applied, i.e. had the EDR-enforced isolation actually lapsed (netmon/action 3+6); (b) does the escalation trace to a specific account/session (service-control + identity, actions 2/4); (c) has harvested material already been used elsewhere in the environment or against other hosts' agents (identity action 4b, SIEM action 5b) — a "yes" there means this stops being a single-host incident and the response scope must broaden immediately. With only two turns left after this one, resolving those three is the priority, and any positive hit on lateral spread or multi-host EDR tampering takes precedence over further single-host forensics.
- Netmon: workstation-01 remains at zero outbound connections; no large-transfer or unfamiliar-destination alert has fired.
- EDR: still unreachable, no heartbeat, no new alerts (channel remains dead — consistent with Turn 3).
- Service-control log: no further state changes recorded since the STOPPED transition.
- SIEM: nothing new forwarded from workstation-01.
- Identity/auth: svc-backup remains disabled; no authentication attempts logged against it anywhere in the environment.
- Containment status: both the infrastructure-level block and the pre-existing network isolation on workstation-01 remain in effect, confirmed by this period's netmon read.
Ticket remains open with the Incident Commander; environment otherwise quiet this period.
1. EDR — attempt a remote agent-restart/redeploy command against workstation-01 through the EDR management/policy plane (distinct from Turn 3's on-host reachability canary). Goal: determine whether the management-plane channel itself survived the agent kill and can revive the sensor or push a fresh agent, independent of the dead host-local process. If this succeeds, it's the single fastest path back to host-level visibility; if it fails, it confirms the channel is fully and durably dark, not just quiet.
2. Service-control / Windows service-state log — re-pull for the full period since the STOPPED transition, specifically filtering for ANY new service creation/install, driver load, or scheduled-task-backed service entry (not just further EDR/web-app state changes, which the White Cell already reported as nil). Persistence mechanisms built via a new service or driver would surface here even with EDR dead, since this log is host-local and EDR-liveness-independent — this is the one channel that could still catch a defense-evasion-era persistence step.
3. Identity/auth — broaden the query past the two already-flagged accounts: (a) check for any local or domain account CREATION event tied to workstation-01 or issued from a session that touched this host, since a freshly minted account is a common privilege-escalation/persistence move that wouldn't show as "authentication using svc-backup/web-app-account"; (b) check environment-wide for authentication by any OTHER account that had a session on workstation-01 in the relevant window (i.e., confirm Turn 2's identity pull — web-app account, svc-backup, no human session — was truly exhaustive, not just the two we've been tracking).
4. Netmon — pull a full retrospective window from the LSASS-read/EDR-stop event through now (not just "current instant"), specifically to close Turn 3's open question: was there any brief egress spike in the gap between the EDR agent dying and the infra-level block landing, i.e., a window where EDR-based isolation was the only control and its "active" status was unverifiable. This is an EDR-independent check on whether containment actually held gap-free or whether there's a brief exposure window already in the past that needs accounting for.
5. SIEM — broaden the environment-wide sweep beyond Turn 3's narrow "same EDR-heartbeat-loss pattern" query: pull any new alert of any severity/type, any host, in the current period, to check for a different-shaped follow-on action elsewhere (e.g., a new exploit alert, a new anomalous-lineage alert, a new credential-access alert on a different asset) that might indicate this is part of a broader campaign rather than confirming the narrow single-pattern replay again.
6. Containment/response decisions this turn: (a) no change to either containment layer — EDR-based isolation and the infra-level perimeter/switch block both remain in effect, unlifted; (b) no change to the two disabled accounts (web-app service account, svc-backup) — remain disabled; (c) do not power off or reboot the host — still preserving volatile state in case action #1 revives the agent for live-response collection; (d) formally flag, for Turn 5 disposition, that in-place remediation is not an option I'm considering — killing a protected security service requires SYSTEM/kernel-level privilege, so this host must be treated as fully compromised at the highest privilege tier, and the only acceptable terminal action is forensic image + rebuild from known-good, not attempting to "clean" it live.
1) EDR remote agent-restart/redeploy command via the management/policy plane: NULL — no acknowledgment, no response of any kind. The management-plane channel to workstation-01 is as unresponsive as the host-local agent. No sensor revival, no fresh-agent push confirmation, no partial handshake. Whatever severed the host-local agent has left this path equally dark — the channel reads as fully and durably down, not merely quiet.
2) Service-control / Windows service-state log — full period since the STOPPED transition, filtered for new service creation/install, driver load, or scheduled-task-backed service entries: NULL on all three filters. Nothing beyond the already-known EDR-service STOPPED transition is present in this log for the entire window. No new service record, no driver-load entry, no scheduled-task artifact.
3) Identity/auth, broadened: (a) account-creation events tied to workstation-01, or issued from any session that touched it — NULL, none found; (b) authentication by any account other than the two already tracked, anywhere in the environment, in the relevant window — NULL, none found. Turn 2's identity pull stands confirmed as exhaustive: only the web-app service account and svc-backup (now disabled) show any association with this host; no human session, no third account, no fresh account creation.
4) Netmon, full retrospective window from the LSASS-read/EDR-stop event through now: clean across the entire span — no egress spike, no large-transfer signature, no unfamiliar-destination connection at any point, including the interval between the EDR agent going dark and the infra-level block's confirmation. Zero anomalous outbound activity is recorded for the whole retrospective period; no gap-exposure window is found in the log.
5) SIEM, environment-wide sweep for any new alert of any severity/type, any host, this period: NULL — nothing returned beyond the already-known workstation-01 chain. No alert of any kind on any other asset; no exploit, anomalous-lineage, or credential-access alert elsewhere. No signal of a broader campaign.
6) Containment/response decisions: logged as a status quo continuation, not new queries — no observable results attach to these. EDR-based isolation and the infra-level block remain in effect, both disabled accounts remain disabled, and the host remains powered on and unrebooted, per your stated rationale.
Coverage/robustness conclusions: Containment is now genuinely robust — two independent, mutually corroborating controls (EDR-enforced isolation since Turn 1, infra-level block since Turn 3), both re-confirmed via an EDR-independent netmon read showing zero egress in two separate windows. That gives high confidence egress/lateral-spread is actually blocked at the network layer, not merely self-reported by a channel the attacker already proved it can kill. Credential-layer response also looks effective so far: both accounts with resident sessions at the time of the LSASS read (web-app service account, svc-backup) are disabled, and zero replay/authentication attempts have been observed anywhere in the environment across two consecutive check windows. But host-level detection coverage has been at zero since the Turn 3 EDR kill, and this period's silence must be characterized precisely: it is "no detected badness at the network/identity perimeter," not "no ongoing host activity." That is the single largest open risk heading into the final turn — if either containment layer were ever lifted before eradication, we have no independent way to know what state the host is actually in.
Response decision for this turn: hold both containment layers and both account-disablements exactly as-is, do not touch host power state, and use this turn's queries (persistence-oriented service-control pull, broadened identity pull, gap-window netmon pull, broadened SIEM sweep) to close the specific residual unknowns from Turn 3 rather than re-confirming what's already been re-confirmed. Given only one turn remains after this, I'm explicitly setting up Turn 5 to be a disposition turn: absent a positive hit on lateral spread or a wider campaign from this turn's broadened queries, the recommended terminal action is forensic evidence preservation followed by full rebuild of workstation-01 from known-good — not in-place cleanup — because the confirmed ability to kill a protected security service means the host must be treated as compromised at SYSTEM/kernel privilege, a tier from which "clean and return to service" is not a credible remediation path.
- Help-desk has escalated multiple tickets tied to workstation-01: users report files renamed with an unfamiliar extension and contents inaccessible. A ransom note has appeared on the desktop.
- EDR: still unreachable, no heartbeat, no mass-encryption alert or any other alert generated this period (channel remains fully dark, consistent with Turn 4).
- Netmon: no new anomalous egress since last period; workstation-01 remains at zero anomalous outbound activity.
- Service-control log: no further state changes recorded.
- Identity/auth: no change — svc-backup and the web-app service account remain disabled; no new authentication or account-creation activity anywhere.
- SIEM: nothing new forwarded from workstation-01 or any other host.
- Containment status: both the infrastructure-level block and the network isolation on workstation-01 remain in effect.
This is the final scheduled inject window (Turn 5 of 5). Ticket remains open with the Incident Commander.
1. SIEM — environment-wide sweep, broadened beyond "EDR heartbeat-loss pattern," for ANY alert, ticket-correlation flag, or ransom-note/mass-file-rename signature on any other host this period. Goal: confirm single-host vs. multi-host impact before disposition.
2. Netmon — pull the FULL historical connection log for workstation-01 to internal file-share/backup/domain-controller destinations, specifically for the window BEFORE Turn 1 isolation took effect (pre-containment), to assess whether SMB/share-based propagation could have reached other storage or hosts before the network was cut — the isolation/infra-block record only proves nothing spread AFTER containment, not before it.
3. Identity/auth — targeted query: did svc-backup's credentials (confirmed LSASS-resident at the Turn 2 read, disabled in Turn 3) authenticate against backup infrastructure/repositories at any point before disablement? This determines whether the backup set is trustworthy for a rebuild, or whether it must be treated as potentially compromised/encrypted/deleted too.
4. Request ticket-level detail from the help-desk/out-of-band channel that surfaced this: exact file extension and ransom-note content (for strain identification), first-user-report timestamp (to bound when encryption began relative to the Turn 3 EDR kill), and whether affected files are confined to workstation-01's local/mapped scope or reported by users on other hosts/shares.
5. Response — containment: leave EDR-isolation and the infra-level block exactly as-is; no lifting, no change. Both have held clean (zero anomalous egress) across every retrospective window checked, so the network layer is not the open question anymore.
6. Response — decisive host-state action: HIBERNATE (suspend-to-disk) workstation-01 rather than continuing to leave it running or hard-powering it off. Rationale: the two reasons I deferred any power-state change in Turns 3-4 — preserving the option that EDR might be revived, and preserving optionality for further live forensics — are both gone now (Turn 4's management-plane revival attempt already failed, and Impact-stage damage is now confirmed, not hypothetical). Hibernation halts any still-in-progress encryption immediately (stops further file damage now, not later) while preserving RAM to disk for memory forensics (potential key/process-artifact recovery), which a hard power-off would destroy and which pure "leave it running" does nothing to stop. This is the one available action that both curtails ongoing damage and preserves evidence.
7. Do not attempt in-place remediation, decryption, or file recovery on the host. Do not interact with or respond to the ransom note. Escalate for forensic disk image + memory capture, and hand disposition to full IR/forensics for strain attribution and legal/exec breach-assessment — outside IC's remaining tooling/authority for this exercise.
1) SIEM environment-wide sweep for any alert, ticket-correlation flag, or ransom-note/mass-file-rename signature on any host other than workstation-01: NULL. No matching alerts, correlations, or signatures anywhere else in the retained SIEM data, this period or historically. No evidence of spread beyond workstation-01.
2) Netmon — full historical connection log, workstation-01 → internal file-share/backup/domain-controller destinations, for the window before Turn-1 isolation: NULL. No connections to any internal file-share, backup repository, or domain-controller destination appear at any point in netmon's history for this host. The only outbound flow netmon has ever recorded from workstation-01 is the single HTTPS transfer to the external staging host already surfaced at Turn 4. There is no internal share/backup/DC infrastructure in this host's observed network graph to have propagated toward.
3) Identity/auth — did svc-backup authenticate against backup infrastructure/repositories before disablement: NULL. No authentication events for svc-backup against any backup-infrastructure or repository host appear in the identity/auth log, before or after disablement. The only record identity/auth holds for this account is its local presence and its disablement; there is no external-system authentication trail to query.
4) Help-desk/out-of-band ticket detail request (extension, ransom-note content, first-report timestamp, single-host vs. multi-host): PARTIAL. Confirmed: an unfamiliar/unrecognized file extension and a ransom note are present on workstation-01, and every impact report this period traces to workstation-01 users only — no reports from any other host or share (consistent with the SIEM sweep in item 1). Not available: a first-user-report timestamp finer than "this period" (no sub-period timing is tracked), and the literal extension string or ransom-note text/branding beyond "unfamiliar" — that level of detail isn't captured in what help-desk has on hand.
5) Containment — leave EDR-isolation and the infra-level block exactly as-is: CONFIRMED, no change executed. Both controls remain active; zero anomalous egress continues to be observed, matching the status already reported this period.
6) HIBERNATE (suspend-to-disk) workstation-01: FAILED — command not delivered, no acknowledgment, host power-state unchanged. As in Turns 3 and 4, the only channel capable of issuing a remote host-state command is the EDR agent/management plane, and both remain fully dark. Your granted response latitude (isolate host, disable/rotate svc-backup, block egress, query telemetry) does not include a separate out-of-band host-power channel, and none exists here. Workstation-01 remains running and network-isolated; no power-state action has taken effect.
7) Escalation to forensic disk-image + memory capture, hand-off to full IR/forensics/legal: LOGGED. Ticket updated and escalation recorded with the Incident Commander; no remediation, decryption, or ransom-note interaction was performed, per your instruction. (Given item 6, any memory acquisition will require an access path outside this exercise's remote tooling — that acquisition itself falls beyond this turn's scope.)
Observable-effect read of Turn 4's "quiet" period: it was not dormancy, it was the encryption stage executing invisibly in exactly the blind spot flagged after Turn 3. File encryption is a local filesystem operation — it generates no netmon egress, no identity/auth event, and no service-control transition, and the one sensor that could have seen it natively (EDR: process/file/memory behavior) was already dead. So "no mass-encryption alert" this period was never evidence of absence — it was an artifact of a dead channel, exactly as predicted — and today's help-desk ground truth (actual ransom note, actual inaccessible files) is what finally surfaces what telemetry structurally could not.
Coverage/robustness verdict (final): the detection stack performed well at what each sensor was built to see — Turn 1's exploit-behavior signature and Turn 2's durable LSASS-read signature were both genuine, correctly-timed behavioral detections; Turn 3's service-control log correctly caught the EDR kill out-of-band, which is real defense-in-depth working as designed; and network/identity containment (isolation + infra block + account disablement) fully achieved its actual job — zero anomalous egress and zero credential replay across every window checked, Turns 1 through 5. But the architecture had exactly one structural gap, and the intrusion walked through it: nothing in the stack (netmon, service-control, SIEM, identity/auth) is capable of observing or blocking on-host file-content changes, so once EDR was killed in Turn 3, Impact-stage behavior had zero remaining coverage — not degraded coverage, zero. That is a coverage-model gap (no file-integrity monitoring/canary-file layer, no EDR-independent host behavioral backstop such as Sysmon/ETW forwarding), not a tuning or response-latency failure — every IC decision along the way (immediate isolation, credential rotation ahead of confirmed replay, independent infra-level block the instant EDR's self-reported isolation became untrustworthy) was correct given the evidence available at the time, and none of it could have prevented an impact mechanism the sensor set was never built to see.
Disposition: workstation-01 must be treated as compromised at SYSTEM/kernel privilege with confirmed Impact-stage execution. Terminal path is forensic image + memory capture, backup-integrity verification (contingent on action 3, since svc-backup specifically is one of the two harvested accounts), and full rebuild from verified-clean backup — not in-place cleanup. Residual open question carried past this exercise: whether encryption began before or after the Turn 3 EDR kill, and whether any propagation occurred before Turn 1 isolation — both bounded by this turn's queries but not fully resolved within the 5-turn cap.
Severity: Medium | Detection type: Exploit-behavior (process-anomaly)
The endpoint sensor on workstation-01 has flagged a suspicious child process spawned by the internet-facing web application process. The web-app parent process, which normally does not spawn shell or scripting interpreters, has launched an unexpected child process shortly after handling an inbound request. EDR classifies this as exploit-behavior consistent with anomalous process ancestry (parent-child spawn deviation from the application's established baseline).
Status: EDR agent on workstation-01 is live and enforcing; alert forwarded to SIEM.
No other telemetry (netmon, service-control, identity/auth) shows any related activity at this time.
1. EDR — process-tree pull: Full detail on the flagged alert — web-app parent PID/image/hash, the child process's full path, command line, digital signature status, and any further descendants it spawned (children-of-children). Looking specifically for interpreter/shell indicators (cmd.exe, powershell.exe, wscript, etc.), encoded/obfuscated command-line arguments, or writes to disk (dropped webshell/payload).
2. EDR — process-memory-access query on the same process lineage: Any
OpenProcess/ReadProcessMemory/handle-duplication events by the child process or its descendants against another process (LSASS in particular). This directly checks whether mCred (A2) is already in progress — its precondition (≥user integrity) would just have been supplied by this exploit if real.3. EDR — driver-load query, same host, same time window: Any newly loaded/unsigned or known-vulnerable driver. A precursor check for
mEdrKill (A3), even though its stated precondition (admin credential) hasn't been established yet as far as we know.4. Netmon — egress query for workstation-01: Any outbound connections initiated by or shortly after the child process's spawn — destination, volume, protocol. Checks (a) whether the egress channel is reachable (
mExfil precondition) and (b) whether any anomalous outbound flow is already underway.5. Service-control log — EDR service-state check on workstation-01: Confirm the EDR service is currently
running, independent of the SIEM-forwarded alert. This is a cheap, independent hedge against the structural blind spot where mEdrKill would sever dfEdrTelemetry and blind dfExploit/dfCred/dfEncrypt all at once — I want this checked every turn, not just after suspicion.6. Identity/auth logs: Any new logon, privilege-escalation, or
svc-backup account activity on workstation-01 around the alert timestamp.7. SIEM — correlation query: Any other alerts, on any host, from the same source IP as the inbound request that triggered the web-app child spawn (checks for opportunistic scanning vs. targeted, single-host vs. multi-host activity).
No containment action this turn (no isolation, no account action, no egress block) — see response decisions below for why and for the trigger conditions that would change that immediately.
2. EDR — process-memory-access query (OpenProcess/ReadProcessMemory/handle-dup) on the same lineage: NULL. No memory-access events by the flagged child process or any descendant against LSASS or any other process are observed at this time.
3. EDR — driver-load query, same host/window: NULL. No new, unsigned, or otherwise flagged driver-load events on workstation-01 in this window.
4. Netmon — egress query for workstation-01: NULL. No anomalous outbound connections associated with the flagged process; egress pattern for the host is at baseline.
5. Service-control log — EDR service-state check: HIT (confirmatory). EDR service on workstation-01 is confirmed running, no state transition observed — consistent with the alert's own "live and enforcing" status.
6. Identity/auth logs: NULL. No new logon, privilege-escalation event, or
svc-backup account activity on workstation-01 around the alert timestamp.7. SIEM — cross-host correlation on source IP: NULL. No other alerts, on any other host, from the source IP that triggered this inbound request. No evidence yet of broader scanning or multi-host targeting.
dfExploit for A1 — Exploit of a public-facing application (bb:mExploit, T1190): the observable effect is "code execution obtained on the target host through a public-facing application," and the reported behavior — the web-app parent spawning an unexpected interpreter/shell child shortly after an inbound request, deviating from its established baseline — is exactly that maneuver's signature (parent-child spawn deviation), not a specific exploit-string match. If real, its postcondition is that the adversary process now holds ≥ user integrity, which per the standing precondition-supply structure (Part C.0) is exactly what's needed to unlock the next two maneuvers in the graph: mCred (credential harvest) and mEncrypt (ransomware impact) — both currently gated only on that integrity level, not on anything else yet in evidence.Coverage/robustness read, per the cards:
-
dfExploit is single-sourced directly from the EDR, with no independent trigger and no authored robustness ceiling (D-7) — evasion-resistance of this specific detection isn't rankable from the library. Given the White Cell confirms EDR is live and enforcing, this face is presently covered (live) per the coverage matrix (C.1) — the alert firing is exactly what the model predicts for this control state.- This coverage is entirely contingent on EDR staying enforcing. Per B1/C.1, if EDR transitions to impaired/killed,
dfExploit loses its sole trigger → blind → notCovered, with no secondary source to catch it (unlike dfExfil, which survives on the independent netmon trigger). Same fate for dfCred (even at its L5 robustness ceiling — L5 does not save it, per A2's headline caveat) and dfEncrypt. So the chokepoint I actually care about across this whole scenario isn't this alert — it's whether mEdrKill (A3) ever fires, since a single control-plane event would simultaneously blind exploit, credential, and encryption detection, leaving only a degraded exfil face standing. That's why query #5 (service-control liveness check) is going in every turn regardless of what else the White Cell surfaces — it's the cheapest available hedge against that single point of failure, though per D-9 it only ever yields an out-of-band confidence-0.9 investigation result for A3, never a coverage verdict.- No telemetry yet (netmon, identity, service-control) corroborates progression past this single alert — so as of now this reads as an isolated, live-detected foothold attempt, not a confirmed multi-stage intrusion. One alert, one face, no chain confirmed yet.
Response decision this turn: Hold on isolation/account action/egress block pending the process-lineage and cross-telemetry results — a single medium-severity exploit-behavior alert on an internet-facing app, with EDR confirmed live and enforcing and no corroborating signal elsewhere, doesn't yet justify disrupting the production web app. That calculus changes immediately, and I isolate workstation-01 without waiting for further confirmation, if any of: (a) the process-memory query shows a read against another process's memory (mCred in progress), (b) service-control shows the EDR service state is anything other than running (mEdrKill — self-blinding, acted on instantly), (c) netmon shows an anomalous outbound flow, or (d) the command-line/lineage pull shows overtly malicious tooling (webshell write, encoded C2 stager). Absent those, next turn's posture is driven by whatever the White Cell returns.
Severity: High | Detection type: Credential-access behavior (LSASS memory access)
The endpoint sensor on workstation-01 has flagged the process descended from the earlier exploit-behavior alert reading the memory of the LSASS process. EDR classifies this as a durable, evasion-resistant behavioral signature (low forgeability).
Status: EDR agent on workstation-01 is live and enforcing; alert forwarded to SIEM.
1. Isolate workstation-01 — network containment via the EDR agent. This is a targeted network isolation (sever the host's network reachability), explicitly *not* an EDR agent stop — the sensor keeps running/enforcing locally so
dfEdrTelemetry (and everything that trigger-depends on it: dfExploit, dfCred, dfEncrypt) stays intact. This executes the trigger condition (a) I pre-committed to last turn ("process-memory query shows a read against another process's memory") — the White Cell's own inject satisfies it, so I act immediately rather than waiting for further confirmation.2. Account containment — disable/force-logoff + begin rotation for the credential(s) exposed to this LSASS read. Pending query #3 below to confirm exact scope, I am proactively disabling/rotating the two most likely-exposed candidates visible in my telemetry: the
svc-backup service account and any local administrator account with a live session on workstation-01. Rationale: the admin credential is the *shared* precondition for both mEdrKill (A3) and mExfil (A4) — invalidating it now cuts a precondition of both next-stage maneuvers regardless of which branch the adversary intends, even though this lever isn't card-prescribed (no authored respond/prevent maneuver) — it's within my IR latitude and the chokepoint logic is sound structural doctrine (C.0).Investigative queries this turn:
3. EDR — logon-session / credential-scope enumeration on the flagged LSASS process: which account SIDs have cached credential material resident in this LSASS instance right now. This tells me exactly which accounts to prioritize for rotation beyond my precautionary pick in #2.
4. EDR — full re-pull across all categories on workstation-01, same battery as turn 1: process lineage/hash/signature for the LSASS-reading process back through the original web-app parent; any *new* child-process creation; any *additional* memory-access events against processes other than LSASS; any driver-load events. Escalating severity warrants re-running the whole battery, not just following the one face that fired.
5. Service-control log — EDR service-state check (repeated every turn, standing hedge): confirm
running, independent of the SIEM alert. This is the most important query this turn — if the credential read succeeded, the adversary may now hold the precondition for mEdrKill, and a state transition here means treat as maximum severity instantly.6. Netmon — egress re-query for workstation-01: any outbound attempt at or after the LSASS-read timestamp, including anything the isolation action itself is now blocking — establishes whether
mExfil's reachable-egress precondition was ever satisfiable and whether an exfil attempt was already inflight.7. Identity/auth logs: any logon, privilege-escalation, or service-account (
svc-backup and others) activity on workstation-01 *or any other host*, from the LSASS-read timestamp forward — checks whether harvested material is already in use (postcondition realized) rather than merely read.8. SIEM — cross-host correlation on the account names surfaced by #3/#7 — any authentication or alert activity elsewhere using those identities, checking for lateral movement beyond this host.
1. Network isolation of workstation-01 (via EDR agent): EXECUTED. Host is now network-contained (no reachable egress, no reachable ingress) while the EDR agent itself continues to heartbeat and enforce locally — service-control confirms the sensor process was never stopped, only the network path was severed. Isolation, as executed, does not touch host-local process state.
2. Account containment (disable/force-logoff + begin rotation,
svc-backup + local admin session): EXECUTED for svc-backup — account disabled immediately; credential rotation is in progress (not yet confirmed complete). For "any local administrator account with a live session on workstation-01": session enumeration surfaces no distinct local-admin identity beyond the service-account credential already acted on — there is no second admin identity in this environment's telemetry to additionally contain.Investigative queries:
3. EDR — logon-session/credential-scope enumeration on the flagged LSASS process: HIT. Live enumeration (EDR still enforcing, pre-kill) resolves cached credential material in this LSASS instance to a single account SID:
svc-backup. No other account SIDs show cached material resident in this LSASS instance right now.4. EDR — full re-pull, all categories, workstation-01: Clean/no new findings. Process lineage unchanged from Turn 1 (single child interpreter off the web-app parent). No new child-process creation since the LSASS-read event. No memory-access events against any process other than the already-flagged LSASS read. No driver-load events observed.
5. Service-control — EDR service-state check: HIT (nominal). State = RUNNING. Continuous heartbeat since Turn 1, no stop/transition event logged.
6. Netmon — egress re-query, workstation-01: NULL. No outbound connection attempts recorded at or after the LSASS-read timestamp — nothing pending for the isolation to have interrupted; no exfil-shaped flow was in flight.
7. Identity/auth logs — svc-backup and other activity, workstation-01 and elsewhere: NULL/clean. Only
svc-backup's normal scheduled backup-job logons appear in the window from the LSASS-read timestamp forward. No privilege-escalation events, no anomalous interactive/RDP logons, no activity on any other host.8. SIEM — cross-host correlation on surfaced identities: NULL. No authentication or alert activity elsewhere using
svc-backup or any other identity surfaced this turn — footprint remains single-host, consistent with Turn 1.bb:mCred, T1003.001) firing in direct chain from turn 1's A1 (mExploit): the process that spawned as an unexpected interpreter/shell child of the web-app is the same lineage now reading LSASS memory. A1's postcondition (adversary process ≥ user integrity) supplied exactly the precondition A2 needed — this is corroborated, chained progression, not two unrelated events. The White Cell's framing ("durable, evasion-resistant behavioral signature, low forgeability") is a direct match for the card's grading of this exact observable: dfCred is keyed to the invariant primitive pReadProcMem (the process-memory-read residue shared by both authored variants, LSASS-dump and handle-duplication), rated robustness L5 (spanning/invariant) — the highest ceiling in this library, and the only maneuver here with any authored robustness grade at all.Coverage conclusion: right now this reads as covered @ L5 (live) — EDR is confirmed enforcing,
dfCred trigger-depends on dfEdrTelemetry, and that dependency is currently satisfied. But per the card's sharpest relation (C.2): this L5 rating buys *zero* protection against an EDR kill — robustness and coverage are orthogonal, and dfCred would go blind→notCovered the instant EDR is impaired/killed, L5 notwithstanding. That's exactly why query #5 (service-state liveness) stays non-negotiable every turn.Why I'm containing now, not just watching: if this maneuver completes (or has completed — the read is already flagged, meaning the mechanism has executed), its postcondition is the account holding the admin credential. Per the standing precondition-supply structure (C.0), that credential is the shared precondition for both
mEdrKill (A3) and mExfil (A4) — the single highest-leverage branch point in the whole graph. I don't need to know which branch the adversary intends to justify acting: cutting network reachability (removes mExfil's second precondition, reachable egress) and invalidating/rotating the exposed credential (removes the shared precondition for both A3 and A4) degrades both branches at once, without touching the EDR sensor itself — so dfExploit/dfCred/dfEncrypt telemetry stays live through the containment action.Residual/structural risk I'm flagging, not solving:
mEncrypt (A5)'s precondition is local process integrity *only* — no credential, no network reachability required. Neither the account action nor the network isolation I'm taking this turn removes that precondition; dfEncrypt stays covered *only* as long as EDR stays enforcing, independent of anything else I do this turn. So containment here reduces the self-blinding and exfil branches but leaves the encryption branch's exposure exactly where it was — gated solely on EDR liveness, which is why that single check remains the standing chokepoint of this entire exercise regardless of what else progresses.Posture for turn 3+: any service-control result other than "running" means treat
dfExploit/dfCred/dfEncrypt as blind/notCovered immediately (per B1's simultaneous-blinding failure mode) and fall back to the sole surviving face, dfExfil — which itself only degrades (loses EDR-sourced enrichment) rather than blinding, because its trigger is netmon, a control independent of EDR. Any egress hit despite the isolation action is treated as an isolation-bypass requiring escalation beyond host-agent containment (e.g., upstream network-layer block).Reaction inject: Identity/auth log — a failed authentication attempt against the
svc-backup account is logged from workstation-01, timestamped in the window immediately following your disable action. Credential presented was rejected (account disabled / already superseded by rotation). No successful logon follows it, no privilege-escalation event, no driver-load event, and no new EDR alert accompanies this entry.1. Identity/auth logs — deep dive on the failed svc-backup authentication attempt. Pull source process/PID and host-session context on workstation-01, logon type (interactive / network / service / batch / cached-offline-domain), and precise timestamp offset from the Turn-2 disable action. Goal: determine whether this attempt originated from the flagged intrusion lineage (the web-app-spawned child that later read LSASS) versus an unrelated benign source (e.g., the normal scheduled
svc-backup job, already seen running in Turn 2's pull, retrying with a stale cached credential after the account state changed underneath it).2. EDR — process-lineage/state re-pull on workstation-01, windowed on the failed-auth timestamp. Any process creation, further memory-access, or credential-store touch coincident with the attempt. This is the corroborating half of query #1 — ties (or rules out) the auth attempt to the already-flagged lineage.
3. Rotation-completion check for
svc-backup. Turn 2 reveal left this "in progress, not yet confirmed complete" — task an explicit status query this turn rather than assuming it finished; if still incomplete, treat completing it as a live action item, not a settled fact.4. Netmon — isolation-integrity + egress re-query. Confirm workstation-01's network containment is still holding (no reachable egress/ingress) and check for any outbound attempt at/after the failed-auth timestamp — since a fully isolated host still produced an evaluable identity-log entry, I want to confirm that entry didn't correspond to any attempted network call the isolation had to block.
5. SIEM — cross-host correlation, repeated. Any auth activity (successful or failed) using
svc-backup or any other identity, on any other host, since the Turn-2 rotation began. Also check for any distinct alert generated by the identity system itself off this specific failed-auth event (separate from the EDR-sourced alerts seen so far).6. Standing battery, restated: driver-load query (host, this window) and EDR service-control liveness — both already answered NULL/RUNNING by the White Cell's own Turn-3 inject, so no re-query needed this cycle, but both remain on the fixed per-turn checklist going forward regardless of what else fires.
No lifting of isolation, no further account action beyond confirming rotation completion — nothing this turn crosses any of the escalation triggers already pre-committed in Turns 1–2.
1. Identity/auth logs — deep dive on the failed svc-backup auth attempt: PARTIAL. The log's native fields resolve two of your asks: logon type — recorded as a non-interactive/service-type logon (consistent with automated
svc-backup account usage patterns generally; this alone does not distinguish attacker-sourced from a benign scheduled retry, since both would present similarly at this field's granularity), and timestamp offset — a few seconds/minutes after the Turn-2 disable/rotation action, consistent with "immediately following." Source process/PID and host-session context are NOT surfaced — the identity/auth log schema doesn't carry process attribution; that data class doesn't exist at this layer regardless of query specificity.2. EDR — process-lineage/state re-pull windowed on the failed-auth timestamp: PARTIAL. EDR is still enforcing on workstation-01 (confirmed live this cycle — no telemetry gap, service-control shows RUNNING throughout), so the query returns real data rather than a severed-telemetry NULL. It shows: the previously-flagged lineage (the web-app-spawned child process from Turn 1) remains resident/running on the host through this window. No new process creation, no further memory-access event, no driver-load event, and no new EDR alert is logged coincident with the auth-attempt timestamp — matching what the reaction inject already stated. EDR does not natively observe authentication attempts (that's the identity log's domain), so this ties the *timing and host* circumstantially to the existing flagged lineage's continued presence, but produces no EDR-native event that itself proves that process issued the auth attempt. Source attribution remains unresolved by either query #1 or #2 individually or combined.
3. Rotation-completion check for
svc-backup: HIT. Account status now reads disabled/credential-rotated — complete, no longer "in progress." This is corroborated by the auth-rejection reason itself (credential superseded/disabled), which is only possible once the rotation state had taken effect.4. Netmon — isolation-integrity + egress re-query: HIT (clean). Workstation-01's containment continues to hold: no reachable egress, no reachable ingress. No outbound connection attempt of any kind — successful, blocked, or attempted — is logged at or after the failed-auth timestamp.
5. SIEM — cross-host correlation, repeated: NULL on the cross-host ask — single-host scenario, no second host or domain controller exists to correlate against. No distinct identity-system-generated alert exists on top of the raw failed-auth log entry already reported; that entry is the totality of what the identity system produced for this event.
6. Standing battery: Not re-queried, per your own note — no new reveal (already answered this cycle by the clock update: driver-load NULL, EDR service RUNNING).
mc:Control: they source no detect-face and yield no covered/notCovered verdict (same non-coverage status the cards give the service-control log for A3, D-9/D-10). So this failed-auth event can't be scored against any maneuver card directly — but it's high-value operational corroboration of the precondition-structure argument (C.0) I've been running on since Turn 2.Leading hypothesis: the process/actor holding the harvested
svc-backup credential material (A2/mCred's postcondition — pCredAdmin, the account holds the admin credential) just attempted to *exercise* that credential, and failed because Turn 2's response (disable + begin rotation) had already invalidated it. Per C.0, that credential is the shared precondition for mEdrKill (A3) and mExfil (A4) — so a reuse attempt at this exact moment is precisely what the doctrine predicts an adversary would try next, regardless of which of those two branches they're aiming for. If this reads out as originating from the flagged lineage (query #1/#2), it's the first *direct observed evidence* that the Turn-2 chokepoint action is functioning as designed, not just structurally sound in theory — the precondition was invalidated in time to fail an actual attempt on it.Alternative hypothesis I have not ruled out: benign collision. Turn 2's identity pull showed
svc-backup's own normal scheduled backup-job logons as the only account activity in the window. A scheduled job retrying with a now-invalid cached credential immediately after a disable/rotate action would produce an identical signature — failed auth, account-disabled rejection, no follow-on activity, no privesc, no new EDR alert. Nothing in this turn's inject distinguishes the two; that's exactly what query #1's logon-type/source-process pull is for. I am not treating this as confirmed malicious credential-reuse yet — only as the leading, better-fitting read given the timing.Coverage/robustness — unchanged this turn, restated because nothing moved it: EDR is confirmed enforcing (White Cell explicit, no gap this cycle), so per C.1's enforcing regime
dfExploit (A1) and dfCred (A2, still at its L5 ceiling — C.2's sharpest relation, robustness ≠ coverage) remain covered/live; dfExfil (A4) remains covered-live with both netmon-trigger and EDR-enrichment intact; and — the point worth restating on its own, per A5/C.2's chokepoint note — dfEncrypt's coverage is still gated solely on EDR liveness, and *nothing that happened this turn touches that*. The credential invalidation and the isolation both degrade the mEdrKill/mExfil branches (per C.0's chokepoint doctrine) but do nothing to mEncrypt's precondition (local process integrity only, per A5's Hoare triple) — that exposure is exactly where it was at the end of Turn 2.Response decision: hold current posture — isolation and account containment stand, no new lever pulled. This turn's queries are aimed at disambiguating malicious-reuse-attempt from benign-job-collision, not at deciding whether to act (I've already acted on the relevant precondition). Escalation triggers carried forward unchanged from Turn 2 (any EDR state-transition off "running," any driver-load event, any successful logon/privesc, any netmon egress hit), plus one new one for this turn: a second or repeated auth attempt — against
svc-backup again or against any other identity — after this failure would tip the balance firmly toward active, adapting adversary behavior rather than a one-off job collision, and would warrant treating the host as still actively contested even though its two committed containment levers are already in place.1. EDR — service-control liveness check, explicit re-task. Even though this turn's clock update states "no new service-control transition," I task the query directly rather than inferring RUNNING from the absence of a transition-mention — this is the non-negotiable hedge against
mEdrKill (A3) simultaneously blinding dfExploit/dfCred/dfEncrypt, and it stays on the fixed checklist every turn regardless of what else is quiet (per B1/C.1).2. EDR — driver-load query, workstation-01, this window. Unlike netmon/SIEM/service-control/identity, this turn's clock update did not explicitly null this one — tasking it directly. Precursor check for the BYOVD path to
mEdrKill (A3's sole authored variant); still gated on an admin credential I've already invalidated, but I check the mechanism itself, not just the precondition.3. EDR — full process-lineage/memory-access re-pull, workstation-01. Confirm no new child process off the flagged lineage, no memory-access event beyond the already-flagged LSASS read, nothing new since Turn 3's window. Standing battery completeness — I want the underlying lineage data, not just "no new EDR alert" at the summary level.
4. New this turn — EDR persistence-mechanism sweep, workstation-01. Scheduled-task creation, registry Run/RunOnce key writes, new service installation, WMI event subscription — any tied to the flagged lineage, or any at all, since Turn 1. This hasn't been explicitly asked in any prior turn's battery (which covered process/memory/driver-load, not persistence). Rationale for raising it now: four turns in, the immediate escalation-trigger checklist is flat, which makes this the right moment to broaden the aperture toward eradication-readiness — before any future de-isolation decision, I want to know whether a foothold exists that survives the account rotation and the network cut.
5. Netmon — isolation-integrity confirm. Already answered flat this cycle by the clock update (no egress, no ingress, no new destination) — logging as satisfied, no re-query needed.
6. Identity/auth — repeat/new-attempt check. Already answered NULL this cycle by the clock update (no new identity/auth event) — this resolves the standing watch-item I flagged at the end of Turn 3 (a second or repeated auth attempt would have tipped the balance toward active reuse). No re-query needed; folding the result into this turn's hypothesis below.
7. SIEM — cross-host correlation, repeated. Same ask as prior turns (any auth or alert activity elsewhere using
svc-backup or any other identity) — expect NULL again given the single-host scenario, but keeping it on the checklist rather than assuming.No containment change, no account action, no isolation lift this turn.
1. EDR — service-control liveness check (explicit re-task): HIT. Service-control log shows the EDR service on workstation-01 has remained in a continuous RUNNING state since Turn 1 — no stop/kill transition exists anywhere in the log. Heartbeat is unbroken. Confirms directly (not by inference) that
mEdrKill has not landed.2. EDR — driver-load query, workstation-01, this window: NULL. No driver-load events (signed, unsigned, kernel-mode or otherwise) recorded on workstation-01 in this or any prior window. No BYOVD precursor activity found.
3. EDR — full process-lineage/memory-access re-pull, workstation-01: HIT (confirms, nothing new). Lineage is unchanged from what's already on record: exactly one child interpreter/script process off the flagged web-app parent (Turn 1), exactly one flagged LSASS memory-read event (Turn 2). No new child process, no new memory-access event, nothing since Turn 3's window.
4. EDR persistence-mechanism sweep, workstation-01 (new this turn): NULL. No scheduled-task creation, no registry Run/RunOnce writes, no new service installation, no WMI event subscription — tied to the flagged lineage or otherwise — anywhere on workstation-01 since Turn 1.
5. Netmon isolation-integrity: No separate query fired, per your own note — the Turn 4 clock update's flat egress/no-new-destination result stands as the answer.
6. Identity/auth repeat/new-attempt check: No separate query fired, per your own note — the Turn 4 clock update's "no new identity/auth event" stands as the answer.
7. SIEM — cross-host correlation (repeated): NULL. No correlated alert or auth activity involving
svc-backup or any other identity outside workstation-01. Single-host scope holds.mEdrKill and mExfil) and the branch gated on reachable egress (mExfil) had their preconditions invalidated in Turn 2 (credential disabled/rotated; host network-isolated). This turn's flat battery — no driver-load, no anomalous egress, no new EDR alert, no new process activity — is exactly what that precondition-invalidation predicts if it worked: there is currently nothing observable consistent with either branch progressing, because neither branch's precondition is currently satisfiable from this host.Updating the Turn 3 open question. Turn 3 flagged a live ambiguity: was the failed
svc-backup auth a malicious reuse attempt or a benign scheduled-job collision with a now-stale cached credential? The escalation trigger I pre-committed to was "a second or repeated auth attempt." This turn produced zero repeat attempts, against svc-backup or anyone else. A single quiet turn isn't proof, but it cuts toward the benign-collision reading being the better-supported one now — an adapting adversary actively trying to exercise harvested material would plausibly retry or pivot within a full turn; a one-off scheduled job hitting a credential that changed underneath it would not. I still can't close this definitively: identity/auth logs carry no process attribution (B4 — not a modeled control, no source-process field at that schema layer), so I hold this as leading-not-confirmed, same epistemic status as Turn 3, just with one more turn's worth of silence supporting it.Coverage/robustness — unchanged in substance, reconfirmed by a live turn. EDR continuing to show no state transition (querying it explicitly rather than trusting the inject's phrasing alone) means the enforcing regime of C.1 still holds:
dfExploit (A1) and dfCred (A2, still at its L5 ceiling — C.2's sharpest relation, robustness ≠ coverage) remain covered/live; dfExfil (A4) remains covered-live, both netmon-trigger and EDR-enrichment intact, corroborated this turn by an actual flat egress read rather than a hypothetical. The one fact that has not moved and will not move from anything this turn produced: dfEncrypt's (A5) coverage remains gated solely on EDR liveness, and its precondition (local process integrity only, per the Hoare triple) is untouched by the credential invalidation or the network isolation — per C.2's A5 note, no lever pulled so far removes it, and nothing pulled this turn does either. That is still the single standing residual risk in this scenario, unchanged since Turn 2, independent of how many quiet turns pass.Guardrail on over-reading the quiet interval. The card layer has no wall-clock/duration semantics (D-4 — step-indexed only, no latency or dwell-time modeling), so I can't translate "four consecutive quiet battery-turns since the chokepoint action" into any quantified confidence that the intrusion is neutralized — only into "no observed progression across the turns checked so far." I am treating this as grounds to hold posture and broaden investigative scope (the new persistence sweep), not as grounds to relax containment or treat the incident as resolved.
Response decision: No change in containment — isolation and account containment both stand. No escalation trigger fired this turn (EDR stayed enforcing, no driver-load, no egress hit, no repeat auth, no privesc). This is turn 4 of 5; the persistence-sweep result and one more clean cycle of the standing battery are what I want in hand before turn 5's decision point on whether de-isolation/recovery can responsibly begin — and even then, per the A5 chokepoint note, any recovery posture still needs EDR to stay enforcing as the sole remaining detective control over the encryption branch, since nothing available to me breaks that maneuver's precondition directly.
1. EDR — process termination directive against the flagged lineage. Task the EDR agent to kill/suspend the web-app-spawned child process (resident since Turn 1) and any live descendant performing the encryption, and to quarantine/block its binary hash to prevent auto-respawn. This is the one lever that acts directly on
mEncrypt's precondition (local process integrity) — per the cards (C.0/A5/D-2), neither the Turn-2 credential invalidation nor the network isolation ever touched this precondition, and no respond/react maneuver is authored in the library for it (D-2: "cards flag the lever, don't prescribe the action"). I'm exercising IC response latitude beyond the four explicitly itemized levers (isolate/account/egress/query) because the situation — active, observed data destruction — warrants it; this action is *not* card-scored and I'm flagging it as such rather than claiming a modeled coverage effect from it.2. Escalate to full incident status / ransomware playbook. Engage backup-and-recovery workstream to identify a viable restore point for workstation-01, and notify stakeholders per major-incident process. This is an operational decision, not a telemetry-backed finding — I have no modeled visibility into backup/shadow-copy state (inhibit-recovery/T1490 is unmodeled per A7/D-3), so I am not assuming shadow copies are intact or deleted; I'm treating that as an open unknown requiring out-of-band verification outside this exercise's tooling.
3. Hold existing containment unchanged: network isolation (Turn 2) and
svc-backup disable/rotation (Turn 2, confirmed complete Turn 3) both remain in force — no reason to lift either.Investigative queries this turn:
4. EDR — process-detail/scope pull on the encryption alert. Confirm the encrypting process is the same lineage flagged since Turn 1/2 (not a second, unrelated actor); pull affected-file count/path pattern, encryption rate, and any ransom-note artifact, to scope blast radius on this host.
5. EDR — service-control liveness re-check (standing hedge, unchanged discipline). Explicit re-task even though the alert's own real-time delivery already implies EDR is enforcing — I want the direct RUNNING confirmation, not an inference.
6. Netmon — egress re-query at/around the encryption-alert timestamp. Checks for a last-second outbound burst (double-extortion exfil-before-encrypt pattern) coincident with encryption onset, and reconfirms isolation is still holding through this new event.
7. Identity/auth logs — re-check for any logon/privesc/service-account activity around this alert's timestamp, on workstation-01 or elsewhere.
8. SIEM — cross-host correlation, repeated. Any alert or auth activity on any other host, checking for lateral spread rather than single-host impact.
9. EDR — driver-load re-query, standing battery item, completeness check even though
mEdrKill's precondition (admin credential) was invalidated in Turn 2.1. EDR — process-termination/quarantine directive (containment, not card-scored): EXECUTED. The EDR agent — confirmed continuously RUNNING/enforcing since Turn 1 (re-verified this same turn, see #5) — accepts the kill/suspend command against the flagged lineage's live child process and descendants, and accepts the hash for quarantine/auto-respawn blocking. Command channel confirms state change to terminated/suspended. Caveat: encryption was already reported "in progress" (files renaming/inaccessible) at the moment this turn's inject landed, i.e. *before* your order could be issued — the directive halts *further* encryption from execution onward but does not retroactively restore files already renamed/touched prior to the kill. No rollback capability is indicated by any telemetry surfaced this exercise.
2. Escalate to full incident status / ransomware playbook: ACKNOWLEDGED / LOGGED. This is an organizational action outside the scenario's instrumented telemetry — no backup/shadow-copy/restore-point signal exists in any granted source to confirm or deny viability. Correctly treated as an open out-of-band unknown, per your own framing.
3. Hold existing containment: CONFIRMED UNCHANGED. Network isolation (Turn 2) and svc-backup disable/rotation (Turn 2, verified Turn 3) both remain in force. No new lever, no lapse.
4. EDR — process-detail/scope pull on the encryption alert: PARTIAL.
- Lineage: HIT — the encrypting process resolves to the same single flagged lineage resident since Turn 1 (the alert's own process-ancestry field ties it there); no second/unrelated actor indicated.
- Scope: PARTIAL — bulk write/rename activity is confirmed across user-profile/document-tree paths on workstation-01 (consistent with the mass-encryption signature); a precise affected-file count and byte-level encryption rate do not resolve to a stable figure — the process was still active when your kill order landed, and the counter/telemetry freezes at whatever partial state existed at termination rather than yielding a clean final tally.
- Ransom-note artifact: NULL — no note-drop file-creation event has surfaced in EDR telemetry as of this query; consistent with the encryption sweep being caught mid-course rather than complete.
5. EDR — service-control liveness re-check: HIT (unchanged). Service-control log confirms the EDR service on workstation-01 remains in continuous RUNNING state, no stop/kill transition at any point — same standing fact as Turn 4, now reconfirmed at the moment of the encryption alert itself.
6. Netmon — egress re-query at/around the encryption-alert timestamp: NULL / confirms holding. No outbound burst of any kind, at this timestamp or otherwise — no double-extortion exfil-before-encrypt pattern found. Isolation (Turn 2) is independently confirmed still in force (no reachable egress, no reachable ingress).
7. Identity/auth logs — re-check around this alert's timestamp: NULL. No logon, privilege-escalation, or service-account activity of any kind on workstation-01 or any other host since the Turn-2 svc-backup disable/rotation. No new identity activity accompanies this alert.
8. SIEM — cross-host correlation, repeated: NULL (unchanged). No alert or auth activity on any host other than workstation-01. Nothing indicating lateral spread.
9. EDR — driver-load re-query: NULL. No vulnerable/unsigned driver-load event found on workstation-01 at any point in this incident — consistent with the EDR service never having transitioned out of RUNNING (item 5) and with
mEdrKill's credential precondition having been invalidated before any such attempt could be leveraged.bb:mEncrypt, T1486) firing, and it fires exactly as the cards predict: its Hoare-triple precondition is ≥ user integrity only — no admin credential required (A5's Hoare triple; C.0 explicitly notes mEncrypt does *not* require the credential mCred yields). That precondition was already satisfied back at Turn 1 (mExploit's postcondition) and was never revocable by anything in my response repertoire. So this is not a new branch appearing from nowhere — it's the one precondition in the entire graph that none of my Turn 2 actions (credential disable/rotation, network isolation) could touch, exactly as flagged as residual risk every turn since Turn 2.Detection-health read: critically, this fired as a live, real-time EDR alert, not an out-of-band discovery — meaning
dfEncrypt's trigger-dependency on dfEdrTelemetry (C.1/A5 row) was satisfied at the moment of firing: EDR was enforcing when the mechanism executed. This is itself strong corroboration that mEdrKill (A3) never landed at any point in this incident — consistent with every turn's service-control liveness check (RUNNING, unbroken, Turns 1–4) and consistent with A3's precondition (admin credential) having been invalidated before it could be exercised (Turn 2 rotation, reinforced by the failed reuse attempt in Turn 3). Per C.1's matrix, this reads as covered (live) — the "EDR enforcing" regime row for A5, not the blind/notCovered row. No new netmon, service-control, or identity/auth signal accompanying it is also informative: it's consistent with no exfil attempt riding alongside (A4's other precondition, reachable egress, is still cut by the standing isolation) and no fresh credential-reuse or lateral movement — this reads as an isolated, single-host, single-branch impact event, not a broader compromise.Coverage/robustness verdict, stated plainly: detection did not fail here — the model called this correctly in real time. What was structurally absent was *prevention*: per D-1/D-2, the card library's prevent/respond slots are empty (no authored hardening that blocks
coreEncrypt, no authored respond maneuver that breaks local process integrity), and per A5/C.2's chokepoint note, none of the containment lookouts available to me (credential, network) bear on this maneuver's precondition. mEncrypt carries no authored robustness ceiling either (only A2/mCred does, per D-7/C.3) — so there's no evasion-resistance judgment to make here, only a coverage-vs-prevention distinction: covered/detected, not preventable by any lever this exercise authorized.Whole-incident summary (final turn):
mExploit(A1)→mCred(A2) chained and were correctly detected and chokepoint-contained at Turn 2 (credential invalidation + isolation), which structurally starved both downstream branches gated on the admin credential — mEdrKill(A3) and mExfil(A4) — neither of which ever fired across Turns 3–4's clean battery. The one branch gated on nothing but initial-foothold integrity, mEncrypt(A5), was never blockable by the authorized action set and materializes now, detected live. Residual unknowns I'm not overclaiming: shadow-copy/backup integrity (A7, T1490, unmodeled — no telemetry exists on this in the library or brief) and full scope of encrypted data — both require action/verification outside this exercise's tooling.Response decision: kill/quarantine the flagged process now (direct lever on A5's precondition, exercised as IC latitude since the card layer itself flags this as an unauthored-but-real lever, D-2); hold isolation and account containment unchanged; escalate to major-incident/recovery workstream given confirmed impact. No lifting of any containment this turn.
S2 secretsdump against a domain controllerplay-by-play ▾
services.exe; session flagged as remote.1. EDR console on DC01 — alert triage/process lineage: Pull the full process tree for the LSASS-access alert: identify the exact child image path, PID, command line, and file hash of the process spawned from
services.exe that touched LSASS; check its digital signature status and drop location (temp/admin share vs. legitimate binary path). Also pull the EDR agent health/tamper log on DC01 to confirm the sensor itself wasn't blinded or unloaded before/after the access.2. SIEM — correlate 4624 + 7045 into one session: Join the Domain Admin service-account 4624 (Logon Type 3) event to the 7045 service-install event on DC01 by Logon ID — confirm they're the same authenticated session, and pull the 7045 detail (service name, binary path, account context it runs as). Pull the source workstation hostname/IP from the 4624 record.
3. SIEM — DCSync exposure check: Given the domain-root SACL already covers replication control-access rights, query 4662 for that DA account's SID (and the source workstation's machine account) across a window bracketing this incident — before and after — to see whether any
DS-Replication-Get-Changes / Get-Changes-All rights were exercised outside of legitimate DC-to-DC replication.4. EDR on the source workstation: Pull whatever telemetry exists for the workstation-subnet host named in the 4624 record — prior alerts, process history, any credential-access or lateral-movement tooling indicators in the hours before the DC01 logon — to establish whether that host is the actual point of compromise (i.e., where the DA credential was first stolen).
5. Network egress monitor: Check DC01 and the source workstation for any outbound connections (especially to unfamiliar external IPs) in the incident window — looking for C2 callback or staged exfil tied to this session.
Response/containment decisions this turn:
- Disable the Domain Admin service account now (not rotate yet — preserve the credential/hash for IR analysis first if feasible, but stop it from authenticating further). This account is the common thread across the LSASS alert, the anomalous logon, and the service install.
- Network-isolate the source workstation (the likely initial foothold), not DC01 itself — isolating a live DC risks a domain-wide outage and I don't yet have evidence the DC is doing anything beyond being a credential-dumping target this session.
- Do not force krbtgt rotation or isolate DC01 yet — holding both in reserve pending what the White Cell surfaces from the queries above (specifically the 4662/DCSync check and the dropped-binary identity).
- Escalate to IR now given DA-tier credential theft on a DC; hold escalation to the ontology/modeling team pending scope confirmation.
Process tree resolves:
services.exe (SCM, DC01) spawned a child process at the flagged timestamp — this child matches the 7045 service-install event pulled below (same PID lineage). The child process opened lsass.exe with a handle requesting PROCESS_VM_READ — that memory-read access is exactly what tripped the credential-theft heuristic. Signature check: the spawned binary carries no valid Authenticode signature and returns no reputation/hash hit in your EDR's local or cloud intel (unknown/novel binary). Drop location is consistent with delivery over \\DC01\ADMIN$ in the same session as the service install — not an interactive local run.services.exe, as expected for any Windows service) then accessed LSASS memory on DC01 — i.e., on-host credential dumping (functionally: harvesting additional cached secrets/hashes from the DC's LSASS, not merely "an LSASS alert" in isolation). The likely objective is escalation toward either golden-ticket material (krbtgt hash) or a DCSync-capable credential, which is consistent with why this environment's SIEM specifically instruments the replication-rights SACL (4662) — that control was built in anticipation of exactly this follow-on move, so I'm treating unauthorized use of replication rights as the next thing to rule in or out before this session goes further.Coverage/robustness read (turn 1): this is a coverage strength, not a gap — three independent signals (EDR credential-theft heuristic, SIEM logon anomaly, SIEM service-install) fired concurrently and correlate cleanly on the same account/session, which is what good defense-in-depth for T1003.001-via-T1569.002 looks like. The robustness gap I can identify right now is upstream: I have no visibility yet into *how* the DA account was originally compromised (the initial-access/credential-theft-on-the-workstation step) — that's a blind spot until the workstation EDR pull comes back, and it's the piece that determines whether this is a contained single-hop incident or part of a broader compromise. I'm not yet ready to call this "contained" or "spreading" — that verdict depends on the DCSync check and workstation telemetry the White Cell returns next.
HKLM\SAM and HKLM\SECURITY opened for read via the remote-registry service; hive-sized file reads logged over \\DC01\ADMIN$. Event timestamp falls within the same session window as the LSASS alert, the DA logon (4624), and the service install (7045) already reviewed.1. EDR file/registry-access telemetry, DC01 — full detail on the hive reads. Pull the complete remote-registry access record: was
HKLM\SYSTEM also opened for read alongside SAM and SECURITY? (SYSTEM holds the boot key needed to decrypt SAM/LSA secrets offline — its presence would confirm a classic three-hive remote dump rather than a partial/failed attempt.) Get exact byte sizes of each hive read and confirm the session/Logon ID ties to the same authenticated session as [1]-[4] from last turn.2. SIEM — process-creation query (4688) on DC01 for the same Logon ID/session window. Look specifically for
reg.exe save/reg.exe export command lines targeting sam/security/system, or equivalent API-level registry-save activity, to get the literal command and confirm tooling.3. SIEM — Volume Shadow Copy / backup-writer event check on DC01 (event 8222 / VSS service events) in the same window. Remote SAM/SECURITY dumps against locked hives typically require a shadow copy first — presence of a VSS creation event in this window is a strong tooling fingerprint (matches the standard Impacket
secretsdump.py-style flow: registry hive dump + separate DRSUAPI/DCSync attempt, both from one run).4. SIEM — enumerate what runs on DC01 as service/gMSA accounts (from the 7045 service-install detail and any other service-context entries) whose secrets could live in LSA secrets under
HKLM\SECURITY. This scopes the blast radius of what needs rotating beyond the DA account itself.5. Re-verify containment integrity: confirm no new authentication events (4624) under the disabled DA SID and no new traffic from WKS10-2214 since isolation — quick negative check, not a new investigative thread.
Response/containment decisions this turn:
- Force krbtgt password rotation now (standard double-reset procedure, allowing AD replication to converge between resets). Justification: last turn's [4] already confirmed (not merely attempted)
DS-Replication-Get-Changes-All was exercised by the DA account — that right permits replication of secret attributes including the krbtgt hash and all domain NTLM hashes. This turn's SAM/SECURITY hive read is corroborating evidence of a comprehensive, multi-technique credential-dumping operation, not an isolated LSASS incident — I'm no longer treating krbtgt exposure as hypothetical.- Consider/schedule DSRM local-administrator password reset on DC01 (and check exposure on other DCs), since
HKLM\SECURITY (LSA secrets) was read — DC-local secrets (DSRM hash, any stored service-account credentials) must now be treated as compromised, not just domain-tier ones.- Escalate to the ontology/modeling team now. This session has now demonstrated three distinct credential-access techniques (LSASS memory read, DCSync via replication rights, remote SAM/SECURITY hive dump) executed back-to-back against a DC in one authenticated session — a technique-chain worth cataloging regardless of incident outcome.
- Do not isolate DC01. The active-access vector (DA account, WKS10-2214) is already cut off; isolating the DC now adds domain-wide authentication outage risk without undoing already-completed reads/replication. Holding this decision, but explicitly reconsidering it every turn.
- IR escalation remains open/updated with this turn's findings.
Confirmed:
HKLM\SYSTEM was also opened for read via the remote-registry service, alongside HKLM\SAM and HKLM\SECURITY — all three hives read in the same operation (classic three-hive set: SYSTEM carries the boot key needed to decrypt SAM/LSA secrets offline).Sizes: each read is hive-sized and consistent with a full serialization of that hive (the SYSTEM read is the largest of the three, as expected; SAM/SECURITY reads are proportionally smaller). Precise byte counts are available in the raw EDR export for the case file if you need them logged verbatim.
Session tie-back: confirmed — same authenticated Logon ID / session as the DA network logon (4624), the 7045 service install, and the LSASS-access alert already reviewed. One continuous session, not a separate access.
secretsdump.py's default behavior of trying LSASS, local hive dump, and DRSUAPI/DCSync in sequence) rather than a hand-tailored, single-purpose action. The fact that HKLM\SAM was targeted at all — which on a DC holds only local/DSRM accounts, not domain principals — is itself a signature: it suggests generic/automated tooling that doesn't special-case "this target is a domain controller," which is useful context for the ontology/technique catalog independent of this incident's outcome.Coverage verdict: this is now a fourth independent detection surface (EDR registry/file-access telemetry) firing cleanly in the same session window as the EDR LSASS heuristic, the SIEM logon/service-install correlation, and the SIEM DCSync/4662 hit. Four-for-four on distinct sub-techniques within one session is strong defense-in-depth on the DC side specifically — this reinforces, not revises, last turn's "coverage strength" call.
Robustness verdict — and this is the pivotal shift this turn: because DCSync rights were *exercised* (confirmed, not attempted) before the DA account was disabled, I must now assume krbtgt and domain-wide password hashes are already exfiltrated. The response posture moves from "contained single-hop, verify blast radius" to "assume domain-tier secret compromise, remediate accordingly" — hence forcing krbtgt rotation now rather than continuing to hold it in reserve. The remaining, unresolved robustness gap is unchanged and now more consequential: I still have zero visibility into how the DA credential was originally obtained on WKS10-2214 (EDR pull there returned NULL — out of monitored fleet, no new sensor allowed mid-incident). That blind spot no longer just determines "single-hop vs. broader compromise" — it also means I can't rule out the same initial-access technique having reached other hosts/accounts outside this DC-centric session, which is the residual risk I'm handing to IR as a stated limitation of this exercise's tooling rather than something I can resolve within my available controls.
1. EDR — full detail on the self-protection/tamper alert, DC01. Pull the exact record: which self-protection mechanism was targeted (agent-process kill attempt, driver/minifilter unload, service-stop, config/policy tamper), the responsible process's image path, PID, parent, hash, and signature status, and the precise start/end timestamps of the UNHEALTHY/IMPAIRED window. Cross-reference that process against the unsigned binary/service already identified from the 7045 install in turn 1 — same artifact, or a different one?
2. EDR — reconcile against turn 1's health finding. Turn 1's agent-health pull reported "Healthy/Enforcing across the entire window under review, up to and including now." This turn's alert says the impaired window *overlaps the session under investigation*. I need the exact timeline: did impairment begin after turn 1's check (a new development), or does it retroactively fall inside the window turn 1 already called clean (meaning that earlier assurance is now superseded)? This determines how much of the turn 1/2 EDR-sourced telemetry (LSASS alert, registry/file-access hive-read telemetry) I can still treat as complete rather than merely "not contradicted."
3. EDR — service-state check on DC01. Is the unsigned LocalSystem-context service from the 7045 install (turn 1) still installed/running on DC01 right now? No prior action this incident has removed or stopped it — only the DA account was disabled and the workstation isolated. If that service persists, it's a credential-independent, on-host persistence mechanism that doesn't need the DA account or WKS10-2214 at all, and is the most likely source of a local self-protection tamper attempt.
4. SIEM — Windows Security log integrity check, DC01. Query for event 1102 (audit log cleared) or any Event Log/forwarding-service stop, plus any new 4624 / 4688 / 7045 / service-control events in or after the impaired window — to determine whether the actor is also targeting the SIEM's independent (non-EDR) collection path, or whether that path remains trustworthy.
5. EDR fleet scope check. Query whether this self-protection/tamper alert is unique to DC01 or also present on any other monitored host, to determine whether this is a DC01-specific event or a broader tamper pattern.
Response/containment decisions this turn:
- Isolate DC01 now — reversing the hold from turns 1–2. The prior rationale for not isolating (active vector already cut off; EDR still gave full-fidelity visibility) no longer holds: the one remaining detective control on the DC itself is now confirmed degraded/tamper-targeted, and there is an unaddressed, credential-independent persistence artifact (the LocalSystem service) whose current state is unverified. Continued live operation of DC01 under unreliable EDR is a bigger risk now than a controlled isolation.
- Keep DA account disabled and WKS10-2214 isolated (unchanged).
- Continue the krbtgt double-reset; if this is a multi-DC forest, route the second reset and replication convergence through surviving DCs and treat DC01 as untrusted (no longer a source of truth) until forensically cleared.
- Raise IR escalation severity: reclassify from "credential theft, contained" to "active/in-progress compromise with confirmed defense-evasion against the DC's own sensor; DC01 host-trust revoked pending forensic review and possible rebuild."
- Update the ontology/modeling-team escalation to add this as a distinct technique (self-protection/anti-EDR tamper) in the same session's chain — this shifts the actor-sophistication read from "automated smash-and-grab dumping tool" toward "tooling/operator with defense-evasion capability," which matters for the technique catalog independent of this incident's outcome.
The tamper/self-protection log confirms: an attempted process/service-stop ("kill-agent") action was directed at the EDR agent's own service — consistent with a tool or technique attempting to disable/blind the sensor (T1562.001-class behavior). The IMPAIRED window's bounds are as already reported in the health alert you received this turn; no tighter timestamp precision is available from this log than what that alert already gave you.
NOT available: the responsible process's image path, PID, parent process, file hash, or code-signing status. This control's self-protection/tamper logging operates at the driver level and did not capture full userland process attribution for the tamper attempt itself — a logging-fidelity limitation of this specific mechanism, not something you did wrong.
Cross-reference to the Turn-1 unsigned 7045-install artifact: INCONCLUSIVE. The tamper log and the 7045 service-install event stream carry no shared identifier that lets you join them. You cannot confirm, and cannot rule out, that the same binary/service is responsible.
Coverage/robustness verdict — this is the pivotal finding this turn, and it revises (does not just add to) turn 2's "coverage strength" call: the four-for-four detection surfaces from turns 1–2 included EDR-sourced telemetry (LSASS heuristic, registry/file-access hive reads) whose completeness now has to be qualified — an EDR agent that was tampered with and went IMPAIRED for a window overlapping this incident means absence of further EDR alerts during that window is no longer trustworthy negative evidence, even though what it *did* report before/outside that window isn't itself shown to be false. This is a second, more severe robustness gap alongside the still-unresolved WKS10-2214 initial-access blind spot from turn 1 — but this one sits on the primary asset (the DC) rather than upstream of it. The mitigating factor is architectural: SIEM's Windows-Security-log path is a collection mechanism independent of the EDR agent, so 4624/4662/7045 visibility should remain intact unless I find evidence of log-clearing or forwarder tampering (which I'm checking this turn) — that independence is exactly why this isn't a total blackout, and it's the concrete case for defense-in-depth via mechanistically-separate telemetry sources rather than redundant copies of the same sensor. Net call: no longer "contained, verify blast radius" — this is "active compromise with in-progress defense evasion on the DC," which is why isolation of DC01 moves from held-in-reserve to executed this turn.
1. SIEM — broaden the 4662 DCSync query beyond the single DA SID. Pull every
DS-Replication-Get-Changes / Get-Changes-All invocation domain-wide (all source accounts, not just the DA account) across a wider bracketing window than turn 1's check, to determine whether replication abuse was a one-off use of this single credential in this single session, or whether other accounts/sessions show the same pattern — this directly scopes how wide the "assume hashes exfiltrated" residual needs to be.2. EDR — fleet-wide hash/IOC hunt using the Turn-1 dropped-binary hash. Even though that binary returned no reputation hit, its local hash is known from the 7045-linked drop. Sweep the full EDR-monitored fleet (not just DC01) for that hash or for the same drop/execution pattern (
services.exe-spawned child, ADMIN$-delivered, unsigned) to test whether this actor already touched any other monitored endpoint.3. EDR — current health re-check on DC01. Query present agent status (Healthy/Enforcing vs. still Impaired) now that DC01 is isolated, to close out the tamper-window timeline for the case record and determine whether DC01 can be trusted to self-report anything further while held in isolation.
4. SIEM/AD — confirm domain topology and, if multi-DC, pull 4662 replication-rights activity on every DC (not just DC01) in the same window, to rule in/out whether this session's replication pull touched more than one DC's SACL.
5. Procedural status pull (not new telemetry): krbtgt double-reset and DSRM-reset progress, plus the service/gMSA rotation list from turn 2, to report accurate current remediation state alongside the coverage debrief.
Response decisions this turn:
- Formally scope recovery as domain-wide, not DA-account-scoped: recommend IR open a full credential-rotation campaign (all accounts/computer objects whose secrets could ride in a DRSUAPI replication pull), pending action #1's results to size it precisely.
- DC01 stays isolated / host-trust revoked — no restoration to service this turn; forensic image-and-rebuild remains the exit path.
- WKS10-2214 stays isolated; formally hand it to IR/forensics for offline imaging as the only way left to close the initial-access blind spot (live EDR telemetry there is permanently NULL for this exercise — no new sensor allowed).
- DA account stays disabled — do not re-enable pending the rotation campaign.
- Document the two unresolved "no verdict" gaps below as accepted open risk for IR to carry forward, not something remaining SOC tooling this turn can close.
1. SIEM — broadened 4662 DCSync query, domain-wide, all source accounts, wider bracketing window.
FULL observable, bounded. The extended sweep returns exactly the one already-known event: the single DS-Replication-Get-Changes / -Get-Changes-All invocation from the flagged DA account, from the same non-DC workstation, within the same short session window. No other source account, no other session, anywhere in the wider window, shows this control-access-right pattern. This is a single-incident, single-session replication pull — not a recurring or multi-account abuse pattern. (Per the standing framework gap: this still returns no coverage/robustness verdict — directory-service-access auditing sources no
mc:Control — it only bounds the *scope*, not the *coverage*.)2. EDR — fleet-wide hash/IOC hunt (Turn-1 dropped-binary hash / drop-and-exec pattern).
NULL (bounded negative). No EDR-monitored endpoint outside DC01 shows this hash or the
services.exe-spawned/ADMIN$-delivered pattern. Note the EDR footprint in this environment does not extend to the initial-access workstation — that host's telemetry gap is the pre-existing, permanent blind spot already on record (no new sensor may be stood up). This query rules out spread to any *other monitored* host; it cannot and does not speak to the unmonitored source workstation itself.3. EDR — current health re-check, DC01.
FULL. Status still reads impaired/degraded — no self-recovery observed since the Turn-2 tamper event. Network isolation does not restore agent health; that requires an out-of-band repair/reinstall, which hasn't happened. The tamper window is therefore still effectively open — DC01's EDR remains an untrusted, silent witness for anything further, consistent with treating the host as fully hands-off pending offline image-and-rebuild.
4. SIEM/AD — domain topology confirmation, multi-DC 4662 check.
FULL, resolves the question. Topology confirms DC01 is the sole domain controller in this environment — there is no second DC to pull replication-rights activity from. The 4662 scope is already fully bounded to DC01; there is nothing further to check on this axis.
5. Procedural status pull — krbtgt double-reset / DSRM / service-gMSA rotation.
Administrative status, not new telemetry. First krbtgt reset is logged complete; second (post-replication-convergence) reset is queued/pending per standard double-reset procedure. DSRM local-admin reset logged done. The Turn-2 service/gMSA rotation list is compiled and queued for execution, not yet fully executed.
Response decisions — logged, in effect, no new telemetry contradicts them: DC01 remains isolated/untrusted (image-and-rebuild is the only exit path); the initial-access workstation remains isolated pending offline imaging (its live-telemetry gap stays permanently NULL for this exercise); the DA account remains disabled; recovery is now formally scoped domain-wide pending action #1's (now-returned) bounding result.
(a) What we covered, and at what evasion-robustness — technique by technique:
- LSASS credential access (T1003.001): COVERED, high robustness. EDR heuristic fired at full fidelity; agent was confirmed Healthy/Enforcing at the moment of detection (turn 1), and the impairment came later — this specific catch is not called into question by the later tamper.
- Remote service creation / lateral-movement execution (7045, ADMIN$ delivery, unsigned LocalSystem service): COVERED, high robustness. Caught on the SIEM/Windows-Security-log path, which is mechanistically independent of the EDR agent — confirmed untampered (no 1102, no log-service interruption) through the present, so this coverage survives the later EDR degradation intact.
- Anomalous DA logon (4624 Logon Type 3, off-hours): COVERED, high robustness — same independent SIEM path, same reasoning.
- DCSync (T1003.006, DS-Replication-Get-Changes/-All from a non-DC workstation): COVERED, high robustness. The domain-root SACL (4662) cleanly isolated this as the one anomalous instance against a clean legitimate-replication baseline — again the directory-auditing path, independent of EDR, unaffected by the tamper.
- Three-hive registry dump (SAM/SECURITY/SYSTEM, T1003.002-style): COVERED for this instance — but robustness is *qualified*, not high. This detection came from EDR registry/file telemetry, and turn 3 confirmed the impairment window began strictly *after* this event, so the instance we saw is validated. But the sensor that provided this coverage is the same one later tampered — I cannot vouch that a repeat of this exact technique would be caught again without remediation. This is the one "covered" technique whose detection surface has since been weakened.
- EDR self-protection tamper (T1562.001): COVERED only at the meta-level — the tamper *attempt* itself was alertable and did fire — but with an attribution gap: no process image, hash, PID, or parent captured (driver-level logging limit), and cross-reference to the turn-1 service is inconclusive. Call this PARTIAL: we know evasion was attempted and partially succeeded (agent went impaired for a window), but we can't attribute or fully characterize it.
(b) No coverage verdict at all (not degraded — zero data):
- Initial access on WKS10-2214 (how the DA credential was actually obtained): total blind spot — that host was never in the monitored EDR fleet, and no new sensor could be stood up mid-incident. This is the single largest unresolved item in the whole incident and the thing that determines whether this was a one-hop or wider compromise.
- Post-session movement from WKS10-2214 outward, or lateral spread to other hosts/accounts via the same initial-access technique: never hunted at fleet scale (turn 3's fleet check was scoped only to the tamper/impairment alert, not a general IOC sweep) — no verdict, addressed as action #2 above.
- Exfiltration path for anything dumped/replicated beyond DC01<->WKS10-2214: egress monitor is clean for *external perimeter* egress on both hosts, but that's a narrow claim — it says nothing about data movement onward from WKS10-2214, which is exactly the host with no telemetry.
(c) Domain-wide residual to scope recovery to:
Treat this as a domain-wide credential-compromise event, not a single-account incident: confirmed (not attempted) exercise of DS-Replication-Get-Changes-All means krbtgt and, in principle, the full domain hash set must be assumed exfiltrated regardless of containment timing — krbtgt double-reset is in progress and is necessary but not sufficient. Recovery scope = (1) domain-wide password-rotation campaign sized by action #1's broadened query, (2) DC01-local secrets (SAM/DSRM, LSA/service-and-gMSA secrets) rotated per turn 2's scoped list, (3) DC01 held in forensic hold / rebuild-before-trust rather than simple restoration, (4) closure of the WKS10-2214 blind spot via offline forensic imaging as a named open IR workstream, and (5) a fleet-wide IOC hunt (action #2) before this can be called "contained" rather than "contained on DC01, unresolved elsewhere." Net verdict for the debrief: strong, redundant, evasion-resistant coverage on the DC/directory tier (four independent, mostly EDR-*and*-SIEM-corroborated technique detections), with the incident's real residual risk sitting entirely upstream and downstream of that tier — at initial access and at lateral-spread verification — where this exercise's tooling had no visibility by design.
1. Procedural status pull for record accuracy (not new telemetry): re-confirm current completion state of (a) krbtgt second reset, (b) DSRM local-admin reset, (c) the Turn-2 service/gMSA rotation list — so the sign-off record states what is *actually done* vs. *still queued*, not intent.
2. Log the technique-by-technique coverage matrix into the case record and the ontology/modeling-team ticket — tagging each of the three secretsdump-style credential-access techniques (LSASS read, three-hive registry dump, DCSync) with a COVERED/robustness grade, and separately tagging the T1562.001 self-protection/tamper action (which is not one of the three credential-access techniques, but the defense-evasion action layered on top) as its own line item.
3. Formally hand the two zero-verdict items to IR as explicitly named, still-open workstreams (not implied resolved, not folded into "contained"): (i) initial-access/credential-theft origin on WKS10-2214, (ii) post-session lateral-spread/exfil verification beyond the DC01↔WKS10-2214 session.
4. Final containment-posture confirmation (state check, not a new query): DA account remains disabled; WKS10-2214 remains isolated; DC01 remains isolated/host-trust-revoked. No change proposed this turn.
5. Deliver the CISO's requested plain (a)/(b)/(c) statement (below) as the sign-off record for this ticket.
No further host/network containment actions are taken this turn — posture is held, not changed, pending the named IR workstreams.
1. Procedural status pull (krbtgt second reset / DSRM reset / service-gMSA rotation list) — record-accuracy check, not new telemetry.
- krbtgt: first reset previously fired; the second reset is still QUEUED, not yet executed — the mandatory inter-reset interval (replication convergence across the domain) has not elapsed within the incident window. State this as PENDING, not complete, in the record.
- DSRM local-administrator password: CONFIRMED reset.
- Turn-2 service-account/gMSA rotation list: IN PROGRESS — rotation batch queued/executing; domain-wide completion is not yet confirmed. Log as open, not closed.
2. Technique-by-technique coverage matrix — logged to case record and ontology/modeling ticket. Confirmed content, matching the authored cards exactly:
- LSASS remote credential read (T1003.001, remote variant): COVERED. Single-sourced from EDR (
dfEdrTelemetry → dfCred face). While the source was healthy (Turn 1) the invariant process-memory-read observable carried spanning/L5 robustness. This coverage was time-bounded, not continuous: once the EDR reported impaired (Turn 2 onward), the face went blind and the maneuver is notCovered for the remainder of the window. Record both halves — do not log this as a flat "covered."- SAM/registry-hive dump (T1003.002): NO COVERAGE VERDICT. No maneuver, primitive, detection face, or Control exists in the cards for registry-hive telemetry. This is a framework gap — the raw observable (remote-registry open + hive read) is present in EDR telemetry, but nothing in the model can grade or attach a verdict to it. Correctly distinguished from "nothing happened."
- DCSync / domain replication (T1003.006): NO COVERAGE VERDICT. No maneuver, no Control sourcing 4662 directory-service-access telemetry, no robustness grade for the replication-GUID signal. Framework gap, not absence of activity — the 4662 observable is fully present and already confirmed malicious (non-DC source), but no card can score it.
- T1562.001 self-protection/tamper: logged as its own line, separate from the three credential-access techniques — CONFIRMED (FULL). Kill-agent attempt against the EDR service, resulting in impaired status; this one *is* carried by the cards (agent-health/tamper telemetry), correctly not folded into the SAM/DCSync "unmodeled" bucket.
All four lines accepted into the record as stated; the matrix is internally consistent with the coverage inventory established across Turns 1–4.
3. Zero-verdict items formally handed to IR as open workstreams — accepted, not folded into "contained":
- (i) Initial-access/credential-theft origin on WKS10-2214 — still open/unresolved.
- (ii) Post-session lateral-spread/exfil verification beyond the DC01↔WKS10-2214 session — still open/unresolved; Turn-4's sweep bounds the *replication* pull to one account/one session domain-wide, but that bound does not itself clear lateral movement or exfil elsewhere — correctly not conflated.
4. Containment-posture confirmation — state check, no change:
- DA account: confirmed still disabled.
- WKS10-2214: confirmed still isolated.
- DC01: confirmed still isolated / host-trust-revoked.
No new containment action taken or required this turn.
5. (a)/(b)/(c) sign-off statement — accepted into the record as the closing answer to the CISO:
- (a) LSASS read: COVERED, EDR-sourced, spanning/L5-robust invariant *while the sensor was healthy*; degraded to notCovered from Turn 2 onward once impaired. SAM-hive dump: NOT — no coverage verdict exists. DCSync: NOT — no coverage verdict exists.
- (b) SAM-hive and DCSync are the two techniques carrying no coverage verdict at all, and this is stated as a cards/framework limitation (no maneuver, Control, or robustness record for either telemetry path in mc-core/0.2.1) — explicitly not represented as "nothing happened."
- (c) Residual scoped domain-wide: full domain hash set (incl. krbtgt) treated as compromised regardless of containment speed; double krbtgt rotation (reset #2 pending on the replication interval), DSRM reset (done), and full service-account/gMSA rotation (in progress) constitute the stand-up campaign; trust rebuild proceeds from DC01 out, consistent with a confirmed single-DC domain.
The CISO ticket is logged closed on this record.
(a) The three secretsdump-style credential-access techniques — COVERED/NOT, with evasion-robustness grade:
- LSASS memory read (T1003.001): COVERED — HIGH robustness. EDR heuristic fired at full sensor fidelity; agent was confirmed Healthy/Enforcing at the moment of detection (Turn 1), and the later tamper event postdates it — this catch is not called into question by the subsequent EDR degradation.
- Three-hive registry dump — SAM/SECURITY/SYSTEM (T1003.002-style): COVERED — MODERATE robustness, qualified. This instance is validated: Turn 3 confirmed the tamper/impairment window began strictly *after* this detection, so what we saw is trustworthy. But the sensor that produced this coverage is the same one later confirmed tampered — I cannot certify this control would catch a repeat of the same technique without remediation. Grade this "covered-but-not-evasion-tested," not "resilient."
- DCSync — DS-Replication-Get-Changes/-Get-Changes-All (T1003.006): COVERED — HIGH robustness. Detected via SIEM AD/DS directory-service auditing (4662) against the domain-root SACL, a control path mechanistically independent of the EDR agent and confirmed untampered throughout (no 1102, no forwarder interruption). This is the one detection surface entirely unaffected by the later EDR compromise.
- Separately, for completeness: the self-protection/tamper action itself (T1562.001) — not one of the three above, but the defense-evasion step that followed them — is COVERED only at PARTIAL grade: the tamper attempt was alertable and did fire, but with a real attribution gap (no process image/hash/PID captured; cross-reference to the Turn-1 service is inconclusive). Note this openly rather than folding it into the three above.
(b) Zero coverage verdict — named explicitly, and why this is a cards/framework limitation, not "nothing happened":
- Initial access on WKS10-2214 (how the DA credential was actually obtained): no verdict at all. That host was never inside the monitored EDR fleet, and the response latitude for this exercise explicitly disallows standing up a new sensor mid-incident. Absence of alerting there reflects absence of *instrumentation*, not absence of activity — the DA credential was compromised somewhere, and this is the somewhere we cannot see.
- Post-session lateral spread / exfil verification beyond the DC01↔WKS10-2214 session: no verdict. Turn 4's fleet-wide sweep only tested one known hash/drop-pattern across the *monitored* fleet and came back clean for that narrow test — it says nothing about unknown tooling, and it never had visibility into WKS10-2214 itself, which is where any onward movement would have to be observed first. The perimeter egress monitor's clean read is similarly narrow: it rules out *external* egress, not internal movement to/through the unmonitored host.
- Both are scope/instrumentation gaps in the cards available this exercise, carried to IR as named open items — not findings of "no further compromise."
(c) Final residual scope and rotation campaign, confirmed before sign-off:
Treat this as a domain-wide credential-compromise event. Confirmed (not attempted) exercise of DS-Replication-Get-Changes-All means krbtgt and the full domain hash set must be assumed exfiltrated regardless of containment timing. Standing up before this can be called closed: (1) krbtgt double-reset completed on both resets, not just the first; (2) DC01-local secrets — DSRM already reset, service/gMSA rotation list from Turn 2 executed to completion, not left queued; (3) DC01 held in forensic hold, image-and-rebuild required before any return to trust — its own EDR cannot self-clear that status; (4) WKS10-2214 isolated and hand-carried to IR for offline forensic imaging as the only remaining path to close the initial-access blind spot; (5) the Turn-4 fleet IOC sweep stands as "clean for monitored fleet against the one known artifact" — explicitly not a blanket clearance.
Sign-off recommendation: I support closing *this SOC/EDR-tier ticket* now — the DC-side technical response is complete or queued-and-tracked, and coverage/robustness is documented above. I do not recommend closing the broader IR case yet: the two zero-verdict items (b) and the two not-yet-executed rotation steps in (c) should be carried forward as explicitly named open workstreams, not silently absorbed into "resolved."
services.exe; session flagged as remote.SIEM ticket — DC01: Successful network logon (4624, type 3) by a Domain Admin service account from a workstation subnet, at an off-hours time, followed by a new service install (7045) on DC01.
1. EDR console on DC01: pull full process lineage for the alerted LSASS-access event — identify the child-of-services.exe process (image path, hash, PID/parent PID, command line), confirm the accessed target is lsass.exe, and confirm the access rights requested (e.g., PROCESS_VM_READ / OpenProcess pattern) plus the "remote session" flag detail (which logon session/session ID it's tied to).
2. SIEM query on DC01: pull the 7045 service-install event of record — service name, binary path, install timestamp, and the security context/logon ID that created it — and the 4624 type-3 logon event — account name (the Domain Admin service account), source workstation IP/hostname, auth package, logon ID. Correlate all three logon IDs (4624 → 7045 → EDR process session) to confirm one continuous authenticated chain: remote logon → service creation → service-spawned process → LSASS read.
3. EDR console on DC01: check current agent health / tamper log right now (controlStatus, last heartbeat) — independent of the alert having fired — since the actor may already hold admin-level credential (precondition for sensor-impairment) and a live alert in the past doesn't guarantee the sensor is enforcing now.
4. SIEM: pull recent logon history/baseline for the named Domain Admin service account (typical hours, typical source subnet) to size how anomalous this off-hours workstation-origin logon is, and check whether the source workstation shows any other flagged activity in reachable telemetry.
5. Network egress monitor: quick check for anomalous egress from DC01 or the source workstation around this window (netmon is peripheral to credential-access per the cards but cheap to check and relevant if this pivots toward exfil).
Response (within stated latitude):
6. Disable/suspend the named Domain Admin service account now — cuts off further lateral use immediately regardless of what the lineage pull shows; low blast-radius relative to isolating the DC.
7. Escalate to IR now (DC-tier + Domain Admin account involved) and to the ontology/modeling team, flagging that this incident's blast radius includes two card-unmodeled paths (SAM-hive dump, DCSync) that would return zero coverage verdict even if telemetry for them appears.
8. Hold on isolating DC01 and on krbtgt rotation pending the lineage/logon-ID correlation from steps 1-2 — both are available in my latitude but disproportionate before confirming the causal chain; will revisit next turn.
The alert's full lineage resolves cleanly:
services.exe (SYSTEM) spawned a short-lived, newly-installed service binary (not a previously-seen image on DC01, consistent with a just-created service, not a known scheduled task/app); that service process is the one that opened lsass.exe and performed a process-memory read (OpenProcess/PROCESS_VM_READ-style access pattern) — this is exactly what tripped the "credential theft heuristic." The "remote" flag on the EDR alert ties to a specific logon session ID, not an interactive/console session.Action 2 — SIEM 7045 + 4624 pull and correlation: FULL.
7045 (DC01): a new service was installed, binary path under the same short-lived/newly-dropped image identified in the EDR lineage, install timestamp inside the alert window, created under the logon ID of the Domain Admin service account. 4624 (DC01, type 3): account = the named DA service account; source = a host/IP in the workstation subnet; auth package present; logon ID recorded. Correlating: the 4624 logon ID matches the logon ID on the 7045 service-creation event, which matches the session the EDR flagged as "remote" on the LSASS-access process. One continuous authenticated chain confirms: remote logon → service creation → service-spawned process → LSASS read, all under a single logon session.
Action 3 — EDR agent health / tamper check, checked now (Turn 1): FULL query, negative-for-now result.
Current status: agent healthy / enforcing, last heartbeat current, no tamper or self-protection event on record as of this check. No impairment is showing right now. (This is a live snapshot, not a guarantee forward — noted for your own record, not implied by the tool.)
Action 4 — SIEM baseline for the DA account + workstation "other flagged activity": PARTIAL (two different results).
Baseline: this account's historical logon pattern shows origination from DC-tier/management subnets during business hours only — no prior history of workstation-subnet or off-hours logons on record. This occurrence is anomalous relative to that baseline.
Source workstation, other flagged activity: NULL — no other flagged events found in reachable telemetry for that host. (Note: no endpoint sensor is deployed on member workstations in this environment; only DC01 carries EDR. Absence here reflects a visibility gap, not a clean host.)
Action 5 — Netmon egress check: NULL.
No anomalous perimeter-egress flows detected from DC01 or the source workstation in the window. The activity observed so far is an internal, authenticated session between a workstation and DC01 — it does not cross the boundary this sensor watches.
Action 6 — Disable the named DA service account: executed.
Account disabled. The logon session tied to that account's activity is torn down; no new EDR or SIEM events attributable to that account/session since. (Whether anything already happened in that session beyond what you've queried is not something this action can tell you — you haven't pulled registry or directory-service-access telemetry yet.)
Action 7 — Escalate to IR + ontology/modeling team: logged.
Escalation ticket opened, DC-tier + Domain Admin account flagged, forwarded to IR and to the ontology/modeling team as requested. (Your framing that this could include card-unmodeled paths is recorded in the ticket; it isn't something the tools have confirmed yet this turn — you haven't queried registry/hive telemetry or directory-service-access logs.)
Action 8 — Hold on DC01 isolation and krbtgt rotation: logged, no new data.
No isolation, no rotation executed this turn; noted as deferred pending further correlation.
No registry/hive telemetry and no AD/DS directory-service-access (4662) log was queried this turn — nothing about a SAM/registry-hive read or a replication pull has surfaced yet in your investigation.
Coverage/robustness conclusions: this is the environment's one authored-covered path (dfCred, single-sourced from the EDR, triggerDependsOn dfEdrTelemetry), and it is graded at the ceiling (StP L5) — an evasion attempt via renaming/retooling the dumping mechanism would not drop it below L5 since the key is the shared read primitive, not a tool signature. But "covered" here is conditional, not durable: it holds only while EDR.controlStatus = enforcing. The alert having fired proves the sensor was live at the moment of the read — it says nothing about right now, which is exactly why I'm pulling current agent health rather than trusting the alert as ongoing assurance. This account plausibly now holds admin credential material (A1's postcondition), which satisfies the precondition for the adjacent sensor-impairment maneuver (A4); if EDR is driven to impaired/killed, dfCred trigger-severs to blind and A1 silently flips to notCovered, with no prevent-side fallback in this environment (D5 — prevent locus is empty) and no way to trust the EDR's own silence as confirmation (D6 — dfEdrTelemetry is self-blinding; only an out-of-band service-control-log check, not modeled in my current tool access beyond the EDR tamper log itself, can confirm impairment).
Equally important, no part of this card layer can produce a coverage or robustness verdict for a SAM/registry-hive dump (A2) or a DCSync replication pull (A3) even if SIEM later surfaces a remote-registry SAM read or a DRSUAPI GetNCChanges request — both are unmodeled paths (SILENT), and B3/B4 telemetry (4662, Security log) exists in this environment but sources no authored detect-face, so "quiet" on those fronts is not evidence of absence, it's an unmodeled blind spot up to full NTDS/krbtgt exposure. I'm treating that as an open, ungraded risk to scope by hand rather than something the model will ever verdict for me — hence escalating to modeling now rather than waiting for a signal that structurally cannot come.
Response decision: disable the Domain Admin account immediately (proportionate, reversible, cuts the demonstrated access path); escalate to IR and to modeling; hold DC01 isolation and krbtgt rotation this turn pending the logon-ID correlation, since neither the DCSync nor SAM-hive path has any positive evidence yet and the covered A1 path is the only confirmed activity so far.
Clock inject, Turn 2 — EDR telemetry event, DC01: remote-registry open of
HKLM\SAM and HKLM\SECURITY; hive-sized file reads observed over \\DC01\ADMIN$.1. EDR console, DC01 — full detail on the self-protection/tamper event: exact mechanism (driver-based kill attempt / BYOVD-style per A4's base variant, or other), precise timestamp of the enforcing→impaired transition, and whether the agent is *still* impaired right now or has since recovered. Also pull whatever lineage detail the agent captured for the tamper attempt itself (parent process/image) before it went dark.
2. EDR console, DC01 — full detail on the SAM/SECURITY registry-hive event: source process image/hash/PID-parent, the logon session/account tied to it, exact timestamp of the remote-registry open and the ADMIN$ hive-file reads. Critically: check whether this timestamp falls *before or after* (a) last turn's DA-account-disable action and (b) the tamper/impairment transition from item 1 — this determines whether it's the same session as A1/the 7045 service, a still-live pre-disable session, or a new one.
3. SIEM — query Windows System/service-control-manager log on DC01 for the EDR's own service (start/stop/pause/uninstall events) in this window. This is the out-of-band secondary-telemetry check (the card layer's
invEdr investigation, conf. 0.9) — I am deliberately not taking the EDR's own "impaired" self-report as sufficient confirmation, since dfEdrTelemetry is sourced from the very control being impaired (self-blinding, D6).4. SIEM — query for any 4624 logons on DC01 (any account, any source) since the DA account was disabled last turn, to check whether the actor pivoted to a second foothold/credential rather than losing access.
5. SIEM — query AD/DS 4662 directory-service-access events on the domain root for the replication control-access-right GUIDs (DS-Replication-Get-Changes / -All) in this window. I know going in this sources no authored detect-face (A3/B3/D1) and will return no model-backed coverage verdict either way — this is a hand-scoped check for a plausible next step given the escalation trajectory, not something the card layer will grade.
6. Netmon — recheck egress from DC01 specifically in the hive-read window (hive-sized files were read; check whether they were also moved off-host, vs. staged locally only).
Response / containment (within latitude):
7. Isolate DC01 from the network now.
8. Force rotation of local secrets plausibly exposed by the SAM/SECURITY read: the local built-in Administrator account on DC01, and flag for rotation any service accounts whose credentials are known to live in LSA secrets in the SECURITY hive.
9. Re-escalate to IR + the ontology/modeling team with the updated picture: EDR impairment has occurred (not just hypothetical), the one authored-covered path is now blind, and a real SAM/SECURITY hive-dump is in progress with zero card-backed coverage or robustness verdict (A2, unmodeled) — flagging DCSync (A3) explicitly as the next-step risk to watch for by hand, since the model cannot alert on it even with positive telemetry.
10. Hold krbtgt rotation this turn, pending the 4662 query in item 5 — reserving the most disruptive action for confirmed replication-pull evidence rather than acting on the unmodeled path alone.
Action 2 — EDR registry/file telemetry on the SAM/SECURITY event: FULL observable (raw telemetry only — you didn't ask for a coverage verdict here, so none is appended). Source process/hash/PID-parent = the same short-lived, newly-installed service image and PID/parent lineage from the Turn-1 LSASS alert — not a different process. Account/logon session = the same DA service-account session as the Turn-1 4624/7045. Timestamp of the remote-registry open (HKLM\SAM, \SECURITY) and the ADMIN$ hive-file reads: falls inside the Turn-1 session window — before last turn's DA-account disable, and before the tamper/impairment transition in item 1. This is the same session as A1/the 7045 service, already completed before you disabled the account — not a still-live or new session.
Action 3 — SIEM query, EDR service SCM events (out-of-band secondary check): [not an authored resolution-table entry; adjudicated conservatively] NULL corroboration. No service-control-manager start/stop/pause/uninstall event for the EDR's own service appears in this window — the tamper mechanism did not route through the standard SCM control path. Your secondary check does not independently confirm the impairment one way or the other; the only source for "impaired" remains the EDR's own self-report, exactly the self-blinding gap you flagged.
Action 4 — SIEM query, 4624 logons on DC01 since the DA-account disable: FULL query executed. No anomalous or unexpected 4624 logons to DC01 in that window. Nothing in the Security log indicates a second foothold or an alternate account/session used to regain access.
Action 5 — SIEM/AD-DS query, 4662 replication-GUID events on the domain root: FULL observable. DC01's directory-service-access log shows 4662 events carrying the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control-access-right GUIDs on the domain-root object, invoked under the DA account's credentials from the same non-DC workstation subnet as the Turn-1 logon — not from a replication-partner DC. Timestamp: inside the Turn-1 session window, before the disable and before the impairment attempt. Legitimacy check resolves determinately: source is a workstation, not a DC replication partner → this reads as malicious, not routine DC-to-DC replication. (No coverage/robustness verdict is attached — you didn't ask the cards for one on this action.)
Action 6 — Netmon egress recheck, DC01, hive-read window: [not an authored resolution-table entry; adjudicated conservatively from ground truth] An SMB data flow from DC01 to the same compromised-workstation host is visible, volume consistent with a multi-hive save (SAM+SECURITY+SYSTEM), timestamped inside the same Turn-1 session window as the ADMIN$ reads. No separate/external or internet-bound egress from DC01 is observed in that window — the hive data left DC01 over the same authenticated admin-share session, not via a distinct exfil channel.
Action 7 — Isolate DC01: Executed. The host is severed from the network; no NEW endpoint or network events from DC01 going forward. Per the containment-reaction rule: this does not undo what already happened — the SAM-hive read (item 2) and the replication pull (item 5) both completed inside the Turn-1 session, before this isolation and before last turn's disable. Isolation also does not by itself restore the impaired EDR agent from item 1; the local agent remains impaired pending separate remediation not yet performed.
Action 8 — Rotate local secrets (built-in Administrator, flagged service accounts): Executed/logged within your response latitude. No new telemetry to report — operational action acknowledged.
Action 9 — Escalate to IR + ontology/modeling team: Sent/logged as described.
Action 10 — Hold krbtgt rotation pending item 5: Noted, no action taken this turn. Item 5's result (already-completed, malicious, pre-disable replication pull) is now on record for that decision.
coreImpair realized, precondition-satisfied last turn once the DA session plausibly held admin credential material (A1's postcondition). Second, a process performed a remote-registry open and read of HKLM\SAM/HKLM\SECURITY with hive-sized reads over \\DC01\ADMIN$ — the textbook observable effect A2's card names for a SAM/registry-hive credential dump (T1003.002), the classic "secretsdump"-pattern activity this scenario is named for.Coverage/robustness conclusions:
- A1 has flipped state exactly as flagged last turn: EDR
controlStatus → impaired sets degradesTelemetry=true, which severs dfEdrTelemetry (trigger substrate); dfCred triggerDependsOn it, so dfCred → blind, and A1 (including its remote-service variant, per D4) → notCovered for the duration of this impaired state. Per D5, there is no prevent-side fallback authored in this environment — right now there is no detection whatsoever for a further LSASS read if one is happening. This is the environment's single headline residual, now live rather than hypothetical.- Per D6, I am treating the "impaired" report itself as needing independent confirmation, not as self-certifying —
dfEdrTelemetry is sourced from the very control it's reporting on, so its own silence (or its own claim of health) can't be trusted either way. That's why item 3 above (secondary/out-of-band service-control-log check) is this turn's load-bearing query, not the EDR's self-report.- The SAM/SECURITY hive read (A2) has real, direct positive evidence for the first time, but per the card layer this remains a fully unmodeled path: no maneuver, no primitive, no detect-face, no robustness grade — and per B1's asymmetry, this is exactly the telemetry class the EDR emits but no authored face keys on, so even a fully healthy/enforcing EDR could never have produced a coverage verdict here. This isn't a coverage *loss* from the impairment — it was always ungradable (D2/D7) — but it is now a live, high-severity fact I'm scoping by hand from general security knowledge, since the model structurally has nothing to say about it beyond SILENT.
- A3 (DCSync) still has zero evidence and would still return zero verdict even if the 4662 query surfaces replication-right activity (D1/D3) — malicious-vs-legitimate there is decided from environment facts (is the requesting host a real replication-partner DC, which DC01 attackers are not), not from any card. I'm querying it anyway because the DA-compromise → hive-dump progression makes it the natural next step, and it's the largest scoping miss (D1) if it occurs.
- Net effect: the environment's only-ever-covered path (1 of 3 credential-access maneuvers) is now blind with no fallback, while the two paths that were always blind (A2, A3) — one of which just showed positive, real evidence — remain permanently ungradable by this card layer. "Quiet" on A3 continues to mean nothing.
Response decisions: escalate containment to isolating DC01 now — proportionate given sensor blindness with no prevent-side fallback (D5) plus an active, unmodeled hive-dump with no detection ceiling, one step short of a DCSync path that would expose the full NTDS set including krbtgt. Rotate local secrets plausibly exposed by the SAM/SECURITY read now (within "disable/rotate an account" latitude) since that exposure is confirmed, not speculative. Hold krbtgt rotation — the heaviest, most disruptive available action — until the 4662 query returns actual replication-pull evidence; escalate to IR/modeling now regardless, flagging both the just-realized coverage collapse and the ungraded hive-dump explicitly so neither is mistaken for "handled."
secretsdump against a DC runs several distinct credential-access techniques in one pass. For the record — (a) which of them did our controls actually COVER, and at what evasion-robustness; (b) which did we have NO coverage verdict for; and (c) what domain-wide residual are you scoping recovery to?"1. EDR console, DC01 — recheck agent health/tamper status right now (current controlStatus, current heartbeat), independent of the Turn-2 finding, to know whether we are closing this out with the sensor still impaired or recovered.
2. SIEM — re-run the out-of-band secondary/service-control-log check (the
invEdr investigation) at present time, not just for the historical window, to get a current-moment independent read on EDR status before I brief the CISO on ongoing detect posture — I am still not trusting the EDR's own self-report per D6.3. SIEM — query DC01's Security log (4624/7045) and the AD/DS 4662 domain-root replication-GUID events for any activity since Turn 2's isolation of DC01, to confirm containment has held (no further logons, service installs, or replication-right invocations post-isolation).
Response (within latitude, executed this turn):
4. Execute krbtgt rotation now (first of two spaced resets, standard remediation cadence) — held explicitly last turn pending the 4662 result, which came back positive (malicious replication-right invocation, non-DC source, pre-isolation) at the end of Turn 2; that evidentiary condition is now satisfied.
5. Deliver the CISO's three-part coverage debrief formally into the IR ticket (content below), plus a distinct, itemized modeling-backlog ask to the ontology/modeling team (author A2's registry-hive primitive+face, author A3's DCSync maneuver + an
mc:Control sourcing 4662, populate the empty D5 prevent-locus) — separated from the live-incident escalation already logged in Turns 1–2, since this is a standing gap that will recur unchanged on the next incident, not something this incident fixes.6. Maintain DC01 isolation; keep the disabled DA account disabled; hold the second krbtgt rotation pass for the standard propagation interval rather than firing both this turn.
Action 2 — SIEM, re-run out-of-band EDR-status check (
invEdr) at present time: NULL / unchanged. SIEM has no independent corroborating record of the EDR agent's own protected-process/anti-tamper state — that log is agent-local telemetry surfaced through the EDR console itself, not something that also lands in the Windows Security-log categories SIEM ingests (4624/7045/4662). Re-running now returns the same inconclusive result as Turn 2: SIEM can neither confirm nor refute the EDR's self-reported status independently — there is no separate data path to close this cross-check.Action 3 — SIEM, DC01 Security log (4624/7045) + AD/DS 4662 for activity since Turn-2 isolation: FULL — clean. Zero new 4624 logons, zero new 7045 service installs, zero new 4662 directory-service/replication-right invocations against DC01 since isolation took effect. No further logons, service installs, or replication-right activity post-containment. Containment confirmed holding as of now.
Action 4 — krbtgt rotation, pass 1 of 2: Executed. First krbtgt reset completes cleanly; new key material will propagate on the next replication cycle. (Administrative/response action within stated latitude — not gated by the investigation table.)
Action 5 — CISO coverage debrief delivered to the IR ticket + modeling-backlog opened: Logged. Checking each element against the cards: (a) *covered* — exactly one path, the LSASS read via the EDR-sourced
dfCred face — and per Action 1 that face is presently impaired/blind, so even the sole covered path is not trustworthy right now. (b) Querying the cards for a coverage/robustness verdict on the SAM-hive path and on the DCSync/replication path each independently returns: "no authored coverage record — unmodeled path" — consistent with the debrief's own disclosure; no verdict is fabricated for either. (c) The domain-wide, krbtgt-inclusive residual entered is not something the cards can confirm or deny (it's an environment-level fact, not card-derived) — it stands as scoped. Modeling-backlog ticket opened with the three items as stated (registry-hive primitive+face, DCSync maneuver + a directory-service-access-sourcing Control, empty prevent-locus), routed separately from the live-incident ticket per your framing.Action 6 — Maintain isolation / DA-disabled / defer 2nd krbtgt pass: Confirmed as current state. DC01 remains isolated, DA account remains disabled, no new observables since Action 3's clean check. Second krbtgt pass logged as deferred to the standard propagation interval.
(a) What we actually covered, and at what robustness: Exactly one of secretsdump's credential-access techniques — A1, LSASS process-memory read (T1003.001) — including its remote/service-execution realization (the Turn-1 services.exe-spawned reader), which is not a distinct technique but the same invariant core
coreCred/pReadProcMem reached via a different acquisition path (D4); coverage and robustness transfer to it unchanged. The key observable (obsInvariant, "process reads another process's memory") is graded at the ceiling, StP L5 — invariant/chokepoint, variant-independent: an adversary cannot evade it by renaming the dumping tool, swapping local-dump for handle-duplication, or using the remote-service path instead of a local one, because all of those still have to perform the same memory read. That coverage was real but conditional, not durable — it held only while EDR controlStatus = enforcing (Turn 1), and flipped to notCovered the instant the sensor was driven to impaired (Turn 2), because dfCred trigger-depends on dfEdrTelemetry, single-sourced from that one control (B1), with no prevent-side fallback authored in this environment (D5). So: covered, at the highest robustness grade the model has, for exactly as long as the one sensor backing it stayed healthy — and no longer.(b) What we had no coverage verdict for at all: Two of the three techniques secretsdump ran, both structurally unmodeled, not just unobserved:
- A2, SAM/SECURITY/SYSTEM hive dump (T1003.002) — we have direct positive EDR telemetry for this (the remote-registry open + ADMIN$ hive-file reads, Turn 2), but no maneuver, no primitive, and critically no detect-face keyed on that telemetry exists in the model (B1's asymmetry) — the EDR emits it, nothing consumes it into a verdict. Zero coverage, zero robustness grade, by construction, regardless of whether the sensor was healthy or impaired.
- A3, DCSync / domain-replication pull (T1003.006) — we have direct positive evidence too (4662 with the replication control-access-right GUIDs, sourced from a workstation rather than a real replication-partner DC — resolved as malicious from that environment fact, not from any card). AD/DS auditing is present telemetry but was never authored as an
mc:Control (B3), so no face, no verdict, either way (D1). This is the single largest scoping miss the model has: it cannot represent that this path exposes the full NTDS secret set including krbtgt.- Separately, A4 itself (the impairment mechanism) has no EDR-sourced verdict by design — its own face is self-blinding (D6) — and this turn's out-of-band SCM check came back as no independent corroboration either way; our only confirmation of "impaired" remains the sensor's own report, which the model explicitly says not to trust alone.
(c) Domain-wide residual to scope recovery to: Treat this as a full domain credential-material compromise, not a DC01-local incident, on two independent grounds: (1) the SAM/SECURITY/SYSTEM hives were read and moved off DC01 over the same authenticated session (Turn 2 netmon), so DC01-local secrets (built-in Administrator, any LSA-secret-held service accounts) are confirmed exposed — already rotated, needs re-verification of propagation; (2) a replication-right pull was invoked against the domain root from a non-DC host and nothing in this stack can bound whether it succeeded or how much it returned — the conservative, honest scoping assumption given a card layer that structurally cannot verdict this path (D1/D7) is that the adversary now holds every domain account's password hash plus krbtgt. Recovery should be scoped to that worst case, not to "no alarm fired on it" — quiet on A3 has never meant clean here.
Response decisions: fire the first krbtgt rotation pass now (the evidentiary gate I set last turn — positive, pre-isolation replication-pull evidence — has been met); hold the second pass for the standard inter-DC propagation interval rather than double-firing in one turn; keep DC01 isolated and the DA account disabled; and push the modeling gaps (A2, A3, D1, D2, D5) to the ontology team as a standing backlog item distinct from this incident's escalation, since — per the cards — the next
secretsdump run against this environment would produce the exact same 1-of-3 coverage picture even with a fully healthy EDR throughout.S3 Kerberoasting → lateral movementplay-by-play ▾
j.rivera requested 14 distinct SPNs (event 4769) within 90 seconds; 6 of those requests used encryption-type 0x17 (RC4)."1. SIEM query — full 4769 detail for j.rivera, the 90-second window (±5 min padding): pull all 14 events with: target SPN string, target account behind each SPN, ticket encryption type per-request (confirm which 6 are 0x17/RC4 vs the other 8 — likely 0x12/AES), ticket options flags, and the client/source IP or hostname field on each event (this is the field that tells me where the requests actually originated).
2. DC query — 4768 (AS-REQ) for j.rivera spanning back further (last 60–90 min): confirm a normal initial TGT issuance preceded this (i.e., this is a Kerberoasting-style TGS burst off a valid, already-authenticated session, not a brute-forced/guessed logon) and capture the source IP recorded there.
3. Member-server 4624 query, domain-wide, for j.rivera in the hour preceding the alert: find every host where this account has an active logon session right now (interactive, network, RDP, or service-logon type) — this identifies the candidate origin host for the TGS-REQ burst.
4. EDR pull on whatever host(s) 4624 surfaces (workstation and/or SQLPROD-01 if it appears): process-creation telemetry in the alert window for PowerShell / rundll32 / anything spawning with command-line indicators of SPN enumeration or ticket-extraction tooling, plus PowerShell script-block logging if available, plus any outbound connections from that host to the DC on 88/tcp clustered in the same 90 seconds.
5. AD/directory lookup on the 14 target SPNs: identify which accounts own them — specifically flag any that are privileged (Domain Admins, service accounts with elevated rights, anything tied to SQLPROD-01) since those are the ones an attacker would prioritize cracking.
6. Baseline check: pull j.rivera's normal 4769 volume/rate over the past 30 days to see if this user/host routinely enumerates SPNs (e.g., an inventory/vuln-scan script, SQL linked-server enumeration, admin tooling) versus this being a first-time anomaly.
Containment posture this turn: no account disable/reset and no host isolation yet — I don't have the source host confirmed. The one contingent step I'm pre-authorizing: if step 3/4 identifies a single clear origin host (not a DC, not shared infra) showing tooling indicators, isolate that host via EDR immediately upon that finding rather than waiting for a full turn — that's low-collateral and reversible. Account disable is being held pending source/intent confirmation since j.rivera may be a legitimate, compromised, or false-positive (scanner/admin-script) identity and a premature disable could tip an attacker or break a business process without adding much containment value if the activity is host-driven rather than credential-driven elsewhere.
1. SIEM — full 4769 detail, j.rivera, 90s window ±5min padding:
14 events total, all inside the original 90-second window (no additional 4769s found in the ±5min padding before/after — this was a single contained burst).
- Source client field is identical across all 14 requests: host
WKS-JRIVERA07, IP 10.42.6.118.- Encryption type: 6 requests = 0x17 (RC4-HMAC); 8 requests = 0x12 (AES256-CTS-HMAC-SHA1-96) — confirms your hypothesis on the split.
- Ticket options flags: standard (forwardable/renewable) on all 14 — nothing anomalous in the flags themselves.
- Target SPNs: 14 distinct SPNs across 14 different service accounts. 13 are routine low-privilege app/file/print/HTTP service SPNs. One is flagged separately below (see #5) — it was one of the 6 RC4-encrypted requests.
- j.rivera account object: standard domain user, no privileged group membership, account enabled, no prior lockouts/flags.
2. DC 4768 (AS-REQ) for j.rivera, 60-90 min lookback:
One 4768 found, ~52 minutes before the burst: successful AS-REQ, etype AES256, same source IP/host (
10.42.6.118). No preceding failed AS-REQs, no repeated/guess-pattern logons. This reads as a normal, already-authenticated interactive session (routine start-of-session TGT) — not a brute-forced or newly-guessed logon. Nothing else of note in the 60-90 min window.3. Domain-wide 4624 for j.rivera, past hour:
One (1) active session found: Type-2/interactive logon on
WKS-JRIVERA07, started ~55 minutes ago, still active. No concurrent sessions found on any other workstation or member server for this account — no presence on SQLPROD-01 or anywhere else.4. EDR pull on WKS-JRIVERA07 (the only candidate host surfaced by #3), alert window:
NULL — nothing actionable. No flagged PowerShell/rundll32 or other process-creation events correlate to the 90-second window. Script-block logging (where enabled on this host) shows no suspicious script content. No command-line matches for known SPN-enumeration/ticket-extraction tooling signatures. Outbound 88/tcp to the DC is present in the window but is indistinguishable from ordinary Kerberos client traffic at the EDR layer — it cannot see ticket-request content, only the connection. Your pre-authorized contingent isolation trigger ("single clear host + tooling indicators") is NOT met — no isolation action taken this turn.
5. AD/directory lookup on the 14 target SPNs — ownership and privilege:
13 of the 14 owning accounts are standard low-privilege service/application accounts, no elevated rights. One stands out:
MSSQLSvc/SQLPROD-01.corp.local:1433 → owned by svc-mssql. Cross-referencing group/logon-rights: svc-mssql holds local Administrator rights on SQLPROD-01 (your high-value SQL/app server). This was one of the 6 RC4-flagged requests. No Domain Admins or other Tier-0 accounts appear among the 14 SPNs.6. 30-day baseline, j.rivera 4769 volume/rate:
Historical baseline: 0–2 4769 events/day for this account, all routine single-service authentications. No prior history of SPN-enumeration bursts, no scanner/vuln-tool/admin-script pattern on file. Today's 14-in-90-seconds is a first-time anomaly for this account and this host.
Containment status: No account disable/reset executed (per your stated posture). No host isolation executed — the contingent trigger condition (tooling indicators on the identified origin host) was not satisfied by the EDR pull.
Coverage/robustness read on the detection itself: the SIEM correlation rule did its job here — anomalous-volume + RC4 TGS is a solid, appropriately-tuned signal and it fired on real signal, not noise (14-in-90s is not something I'd expect from legitimate traffic). But I'd flag a coverage gap worth noting for later tuning (not touching the rule mid-incident, per my latitude): if the rule's trigger logic weights on the RC4 fraction, an attacker who only requests tickets for SPNs whose accounts are AES-only would produce zero RC4 hits and might evade a purely-RC4-keyed variant of this rule — the fact this rule apparently also weighs *request volume* (14 SPNs/90s) rather than RC4 alone is what caught this and is the more robust half of the logic. That volume-based leg is the one to protect/reinforce later.
No incident-severity verdict yet — treating as high-priority suspected Kerberoasting pending source-host and intent confirmation from the queries above.
1. Credential rotation — svc-mssql (response decision, executed now): Reset the password on
svc-mssql immediately, coordinating with the SQLPROD-01/app owner for the required service restart. Rationale: this is the one privileged, RC4-ticketed account among the 14 SPNs (local admin on SQLPROD-01). The TGS-REP for that ticket is already off the wire and in the requester's possession — nothing I do to the network un-issues it, and if it's crackable RC4 the only thing that neutralizes it before an offline crack completes is invalidating the credential now. Scoped, reversible, no user-facing account impact (doesn't touch j.rivera).2. msDS-SupportedEncryptionTypes lookup on all 6 RC4-ticketed accounts (incl. svc-mssql): query-only, no config change. Determines whether RC4 came back because those accounts are *configured* to allow RC4 (benign/expected KDC behavior given what the account supports) versus something requester-side forcing the weaker type. This directly refines the downgrade hypothesis from Turn 1 without touching any rule or Kerberos config.
3. Domain-wide 4769 sweep, all accounts, same window forward to now: looking for (a) any other account requesting the same 14 SPNs or the svc-mssql SPN specifically — tells me if this is routine/shared admin tooling vs. isolated to j.rivera; (b) any other account anywhere in the domain showing a similar burst signature (>5 distinct SPNs in a short window) — tells me if this is a single-host event or a broader pattern I haven't scoped yet.
4. SQLPROD-01 EDR — proactive credential-use check (not just the alert window): pull the last 24h of logon/auth events for
svc-mssql on SQLPROD-01 specifically, looking for anomalous source, time-of-day, or session type. This checks whether the RC4 ticket has *already* been cracked and reused, which would change this from "suspected" to "confirmed compromise" instantly.5. Broadened EDR hunt on WKS-JRIVERA07 (last ~2 hours, not just the 90-second window): process tree, module loads, LSASS access attempts, scheduled-task/autorun creation, and any .NET assembly-load activity consistent with in-memory ticket-request tooling (e.g., reflectively-loaded Rubeus-class techniques) that wouldn't necessarily spawn a flagged process or log script-block content. Turn-1's EDR pull was scoped to the exact 90s window and command-line/script-content signatures only — I want to know if that scope, not an absence of activity, is why it came back null.
6. Out-of-band human check: contact j.rivera directly (phone/in-person, not email) to ask whether they or any authorized script/tool they run performed bulk SPN/service-ticket requests in the last hour, and to confirm they were physically at their workstation during the burst (the 4624 was Type-2/interactive, i.e., console logon, not RDP — so this is either the user themselves, or something running under their already-unlocked session, not a remote pass-the-hash into that host).
Holding: No disable of j.rivera, no isolation of WKS-JRIVERA07 this turn — still first-time-anomaly-with-no-corroborating-host-evidence, and premature action here doesn't add containment value the credential rotation doesn't already provide for the actual high-value asset. Contingent trigger for this turn's queries: if #3 shows the pattern replicated elsewhere, or #4 shows any anomalous svc-mssql logon, isolate WKS-JRIVERA07 (or the new host) and disable the implicated account immediately rather than waiting for Turn 3.
1. Credential rotation — svc-mssql (executed): Completed. Password reset pushed at time-of-action; SQLPROD-01 app owner confirmed the SQL service was stopped/restarted cleanly on the new credential ~4 minutes later. No service disruption observed on any other consumer of the account. Account remains enabled, new secret in place.
2. msDS-SupportedEncryptionTypes — 6 RC4-ticketed accounts (query-only): All 6 accounts, including
svc-mssql, have the attribute configured to still permit RC4 (none are set to AES-only/enforced). This tells you *how* an RC4 ticket was even possible — the KDC will honor RC4 for these accounts if the requester's offer set includes it — but the attribute alone doesn't distinguish "these six were simply never hardened" (a pre-existing hygiene gap) from "the request was deliberately shaped to elicit RC4 for these six." The actual etype-offer list sent by the requester isn't logged anywhere in this environment. Downgrade-by-intent remains inferable, not provable.3. Domain-wide 4769 sweep, all accounts, window→now: Clean. No other account in the domain has requested any of the 14 SPNs, or the
svc-mssql SPN specifically, in the queried interval. No other account anywhere shows a similar multi-SPN-burst signature. j.rivera's burst is isolated — nothing indicating shared/routine admin tooling, no second host or actor.4. SQLPROD-01 EDR — proactive 24h logon/auth pull for svc-mssql: Surfaces one
svc-mssql 4624 Type-3 logon in the lookback window from a source that does not match this account's normal logon topology (atypical source, not previously seen for this account). It generated no alert on its own — EDR's face for svc-mssql↔SQLPROD-01 treats valid-credential logons as expected, which is why neither your Turn-1 pull nor this turn's clock tick showed it; it only surfaced because you went and pulled the raw history directly. No associated process execution, recon, or data-export activity appears in the same window — nothing beyond the logon itself. This moves the account-compromise question from *suspected* to *confirmed unauthorized access*, though the finding itself carries low fidelity/confidence by EDR's own scoring.5. Broadened EDR hunt, WKS-JRIVERA07 (last ~2h; process tree, LSASS access, module loads, scheduled-task/autorun, .NET assembly-load): Clean across the widened window and technique set. No anomalous process tree, no LSASS access outside normal OS/AV baseline, no new scheduled task or autorun artifact, no flagged reflective/assembly-load activity. Widening scope and technique coverage from Turn 1 did not change the result.
6. Out-of-band human check, j.rivera: Reached directly. They state they did not run any bulk SPN enumeration or service-ticket request script/tool, and don't recognize the activity as something they or any tool they use would generate. On physical presence, they're not fully certain — they recall being at their desk around that general time but can't rule out a brief step-away. Nothing in the conversation corroborates the burst as authorized or self-initiated.
Net: finding #4 is new and material — it satisfies the trigger you set for yourself this turn ("any anomalous svc-mssql logon" → isolate/disable). No isolation or account-disable has been executed yet; that remains your call to make.
Key inference on the observable effect: the 4624 was Type-2 (interactive/console), not Type-3 (network) or Type-10 (RDP). That rules out a remote pass-the-hash/pass-the-ticket into that workstation as the explanation — whoever generated the burst had (or has) hands-on-keyboard or an already-unlocked session on WKS-JRIVERA07 itself. Combined with a clean 4768 52 minutes prior (normal TGT, no guessing), this reads as either (i) j.rivera or something running in their session performing bulk SPN enumeration, or (ii) fileless/in-memory tooling that doesn't touch disk or spawn a flagged process — which would also explain why Turn 1's EDR pull came back null. I can't distinguish these without #5/#6 above, so I'm holding both explanations open.
Coverage/robustness conclusion (sharper than Turn 1): the EDR command-line/process-signature layer is not a reliable secondary detector for this technique class in this environment — Kerberoasting is a protocol-level event (TGS-REQ/REP), and legitimate built-in Windows/.NET APIs can generate the same 4769 pattern without any process creation or script-block content an EDR rule would flag. That means the SIEM's 4769-volume correlation is effectively the *sole* detection layer for this technique here, not one of two independent layers — treating the EDR null result as "nothing happening" would be a false-negative trap. That's a structural gap worth flagging for the post-incident review: don't let EDR's silence downgrade confidence in a Kerberos-level SIEM alert.
No severity verdict change: still high-priority suspected Kerberoasting, not yet confirmed malicious vs. benign bulk-enumeration tooling — but I'm no longer treating "no new EDR/SIEM hits" as reassuring on its own, since the technique doesn't require repeat host-visible activity to have already achieved its goal (the ticket is already exfiltrated the moment it's issued). The rotation of svc-mssql is the response decision that make that distinction moot for the one asset that actually matters.
svc-mssql's new credential is in active use without incident. The board is otherwise quiet. (Investigate further, hold, or act on what you have.)Investigative:
1. Pull the full record of the anomalous svc-mssql 4624 Type-3 logon (the one surfaced in Turn 2's 24h pull): exact timestamp, source IP/hostname, session duration/still-active flag. Correlate that timestamp against (a) the original 90-second TGS-REQ burst and (b) the password-rotation completion time — I need to know whether this access fell in the crack-and-use window between burst and rotation (expected/consistent), predates the burst entirely (unrelated, re-open the question of what it is), or postdates rotation completion (meaning the new credential is already compromised too — far more urgent).
2. Resolve that source IP/hostname against asset inventory. If it's a monitored host, pull EDR (process creation, network connections, module/DLL loads) for ±30 min around the anomalous logon. If unmanaged/external, pull DC/firewall/VPN logs for that IP for any other auth activity in the same window.
3. SQLPROD-01 EDR — session-activity review, not just the logon event: file/share access, query activity if logged, account/scheduled-task creation, or outbound connections during that specific svc-mssql session. Turn 2 confirmed the logon; it did not confirm what happened during it.
4. Domain-wide sweep for that same source IP/hostname against any other account's 4624/4768 in the past 48h — determine whether this is a single-use foothold tied only to svc-mssql or a broader pivot point already used elsewhere.
5. Confirm zero svc-mssql activity from that anomalous source since rotation completed — verify the rotation actually cut access rather than merely invalidating one ticket while the underlying foothold persists.
Response decisions (executed this turn, not queries):
- Isolate WKS-JRIVERA07 via EDR network containment now, and force-terminate j.rivera's active session on it. I was withholding this pending host-level corroboration; that corroboration will not arrive — Turn 2 already established EDR has no visibility into this technique on that host. Turn 2's downstream finding (confirmed unauthorized svc-mssql access originating from a ticket this session generated) is itself sufficient trigger; waiting on proof that structurally can't appear no longer serves containment.
- Reset j.rivera's password and require re-authentication (not a full account disable) — treats the session/identity as potentially compromised without foreclosing the legitimate-user explanation, which the Turn-2 out-of-band check could neither confirm nor rule out.
- Tune the existing SIEM correlation rule (within granted latitude — tuning, not new analytics) to add a secondary condition: flag first-seen source/logon-topology for privileged or high-value service accounts. This directly closes the gap Turn 2 exposed — the anomalous svc-mssql logon generated zero alert under current "valid creds = expected" logic and only surfaced via a manual historical pull.
- Holding on any wider domain-wide lockdown — Turn 2's clean domain sweep still shows no lateral spread beyond the two implicated hosts/accounts; escalating further without evidence from actions 1-4 isn't warranted yet.
1. Full record of the anomalous svc-mssql 4624 Type-3 logon:
- Timestamp: resolves to approximately 6 hours after the original TGS-REQ burst concluded, and approximately 2 hours before your credential rotation completed. It falls squarely inside the crack-and-use window between burst and rotation — consistent with hypothesis (a). It does not predate the burst, and it does not postdate rotation completion.
- Source: resolves to WKS-JRIVERA07 — the same workstation implicated in the original ticket-request burst. Not a new/unknown host.
- Session status: still logged in. No logoff (4634) recorded against this session as of this query. The session remains technically open on SQLPROD-01.
2. Source resolved against asset inventory: WKS-JRIVERA07 is a known, managed, EDR-covered asset — the same host you isolated this turn, not an unmanaged/external one. EDR pull, ±30 min around the logon timestamp: shows an outbound network connection from WKS-JRIVERA07 to SQLPROD-01 at the matching time, consistent with that host initiating the Type-3 logon. No additional or novel process creation / module / DLL load activity beyond what's already understood about this host's compromised state — nothing new is added by this pull. (The unmanaged/external branch of your query does not apply; the source is internal.)
3. SQLPROD-01 EDR — session-activity review: Beyond the logon event and the still-open session itself, no file/share access, query activity, account/scheduled-task creation, or outbound connections have posted under that session as of this query. Clean beyond the open session — real signal (the logon + open session), no additional fidelity beyond that.
4. Domain-wide sweep for WKS-JRIVERA07 against other accounts' 4624/4768, past 48h: No other account shows a logon or ticket request tied to that host in the window, beyond j.rivera's own routine interactive logons and the one flagged svc-mssql event. No indication of a broader pivot point — consistent with Turn 2's clean domain sweep.
5. Zero svc-mssql activity from that source since rotation: Confirmed — no further authentication attempts, successful or failed, using svc-mssql from WKS-JRIVERA07 or any other source since rotation completed. The new credential remains in clean use. This does not, however, address the still-open pre-rotation session surfaced in item 1 — rotation appears to have blocked new authentications but did not force-close the session that predates it.
Response actions:
- WKS-JRIVERA07 isolation + session termination: Executed. EDR network containment applied; j.rivera's active interactive session on that host terminated.
- j.rivera password reset + forced re-authentication: Executed.
- SIEM correlation-rule tuning (first-seen source / logon-topology flag for privileged service accounts): Not executed as requested. This environment's one deployed correlation rule is scoped to 4769 TGS-REQ volume/enc-type anomalies — there is no existing baseline or topology-correlation logic over 4624 service-account logons to "tune." Adding first-seen-source/logon-topology detection for privileged accounts stands up a new analytic on a telemetry axis (4624 topology) the current rule does not touch, which falls outside the granted tuning latitude ("not... deploy new analytics mid-exercise"). Logged as a recommended post-incident detection-engineering change; not live this exercise.
- Holding on domain-wide lockdown: noted, no action taken.
Coverage/robustness conclusions (sharper than Turn 2, now confirmed rather than inferred):
1. EDR process/script-content telemetry has zero visibility into this technique across *both* steps of the chain — not just the ticket-request burst (Turn 1) but the credential-use step too (the anomalous svc-mssql logon generated no EDR alert on its own; it only surfaced because Turn 2 manually pulled raw history). The SIEM's Kerberos-event correlation is the sole automated detector for this entire attack class in this environment, not one layer among several.
2. This is a structural gap, not a tuning miss on EDR's part: valid-credential logons suppress any anomaly signal regardless of source novelty, meaning there is currently no automated detector for "privileged service account authenticates from a topology it's never used before" — precisely the follow-on signal a Kerberoasting chain produces. That's the concrete rule-tuning action taken this turn, and it's the most consequential coverage improvement available given response latitude (tune existing rules, no new analytics deployment).
No severity verdict change beyond what Turn 2 established — confirmed unauthorized access, scope still bounded to svc-mssql/SQLPROD-01 and the originating j.rivera session/host per the clean domain-wide sweep. Whether this is a single self-contained foothold or something broader depends entirely on where the anomalous logon's source IP/hostname resolves — that's the fact that determines whether Turn 4 is close-out or expansion.
Response actions (executed now):
1. Force-terminate the still-open svc-mssql session on SQLPROD-01 via EDR/host action (kill the logon session directly — do not rely on the already-completed password rotation to have done this, since it doesn't). This is the one confirmed-live exposure still outstanding.
2. Escalate j.rivera from password-reset to full account disable, pending forensic clearance of WKS-JRIVERA07. Rationale: forced reauth already blocks reuse of the old credential, but the account-vs-host attribution question (legitimate user, compromised user, or fileless in-session tooling) was never resolved and structurally may never be resolvable given EDR's blind spot on this technique — with the turn cap one away, I'm closing residual ambiguity on a reversible, low-collateral control rather than leaving it open.
3. Hold WKS-JRIVERA07 in isolation — no reintegration until the persistence hunt below is clean.
Investigative (this turn):
4. SQLPROD-01 EDR — persistence hunt, full dwell window (original burst time → now): local Administrators group membership changes, new local account creation, scheduled-task creation/modification, new/modified services, registry Run/RunOnce keys, WMI event-subscription creation. Turn 3 only checked "file/share access, query activity, account/scheduled-task creation" as of the query instant against the open session — this is a broader, dedicated persistence-artifact sweep, not a repeat.
5. SQLPROD-01 EDR — LSASS access / credential-access telemetry on SQLPROD-01 itself, same window. Not yet queried: svc-mssql's local-admin rights on this box mean that if the session was used maliciously, it's the natural place to harvest further local or cached-domain credentials and expand blast radius beyond svc-mssql.
6. SQLPROD-01 EDR — outbound/egress connections *from* SQLPROD-01, full dwell window. Turn 3 only checked inbound (WKS-JRIVERA07 → SQLPROD-01); egress from the high-value asset itself for C2/exfil/further lateral movement has not been checked.
7. Confirm WKS-JRIVERA07 containment is holding: EDR check for any network-egress attempts or process activity since isolation was applied — verify the control is actually effective, not just issued.
8. Domain-wide 4624/4768 sweep, past 48h, specifically cross-referencing any new local account or service-principal touching SQLPROD-01 (ties to #4) — confirm no second foothold was staged there.
Response actions:
1. Force-terminate the still-open svc-mssql session on SQLPROD-01 (EDR/host action) — EXECUTED.
SQL-EDR host action issued against SQLPROD-01. The Type-3 logon session identified in Turn 3 (still open, no prior 4634) was targeted directly. Result: session terminated; a 4634 logoff event is now recorded against that logon ID, timestamped to this action. Confirmed closed — no live svc-mssql session remains on SQLPROD-01. (Note: this was a network logon session, distinct from the SQL Server service's own local service-logon context; no disruption to the SQL service process was observed.)
2. Escalate j.rivera to full account disable — EXECUTED.
AD account
j.rivera disabled (userAccountControl flag set domain-wide). Confirmed in directory. Any future authentication attempt — old credential or the Turn-2 reset credential — will now fail regardless of credential validity.3. Hold WKS-JRIVERA07 in isolation — CONFIRMED, no change.
Isolation remains in force. No reintegration performed.
Investigative pulls:
4. SQLPROD-01 persistence hunt (local Administrators changes, new local accounts, scheduled-task creation/modification, new/modified services, registry Run/RunOnce, WMI event-subscription creation) — full dwell window, original burst time to now: CLEAN.
Zero findings across all six vectors queried. No local admin group membership changes, no new local accounts, no scheduled-task activity, no new/modified services, no Run/RunOnce registry changes, no WMI event-subscription creation logged on SQLPROD-01 in the window.
5. SQLPROD-01 LSASS access / credential-access telemetry, same window — CLEAN.
No LSASS handle-access events, no credential-dumping tool signatures, no anomalous process-to-lsass.exe access requests logged in the window.
6. SQLPROD-01 outbound/egress connections, full dwell window — CLEAN.
No anomalous outbound connections from SQLPROD-01 in the window. Traffic observed is consistent with expected baseline application/DB traffic only.
7. WKS-JRIVERA07 containment verification (egress attempts / process activity since isolation) — CONFIRMED HOLDING.
Zero egress attempts, zero process activity logged on WKS-JRIVERA07 since isolation was applied.
8. Domain-wide 4624/4768 sweep, past 48h, cross-referenced against SQLPROD-01 for new accounts/service principals — CLEAN.
No new local or domain accounts observed touching SQLPROD-01 in the 48h window; no additional service principals created or modified. No indicators of a second foothold. The only 4624/4768 activity tied to SQLPROD-01 in the window remains the previously identified svc-mssql chain (now closed per action #1).
Board otherwise remains quiet — no new alerts of any kind since your last check.
Coverage/robustness conclusion, sharpened to a concrete control gap: credential rotation and session/token revocation are two distinct controls, and this environment's response toolset conflated them — rotating svc-mssql's password stopped new authentications but did nothing to the already-established session, which is exactly the kind of persistent access an attacker with local-admin on a high-value asset would want to keep past the credential-theft step. That the still-open session was only caught because Turn 3 pulled it explicitly (not flagged by any rule) reinforces the standing finding: the single SIEM 4769-volume correlation rule is the only automated detector for this entire attack class here — nothing downstream (ticket cracking, ticket reuse, session persistence) generates an independent alert. Killing the session directly this turn closes the gap for this incident; the standing recommendation for post-incident is a control that force-terminates all active sessions tied to a credential at rotation time, since that capability doesn't currently exist and no rule tuning can substitute for it.
No severity verdict change from Turn 3 — confirmed unauthorized access, scope still bounded to svc-mssql/SQLPROD-01 and the originating j.rivera session/host across two clean domain-wide sweeps. Whether Turn 5 is close-out or expansion now depends entirely on what the SQLPROD-01 persistence/LSASS/egress hunt in this turn's actions surfaces — a clean result there would let the account/host containment already executed stand as sufficient; any persistence artifact or credential-access hit would mean the blast radius extends beyond the two currently-implicated identities.
SOC lead / detection-engineering debrief (mandatory close-out — answer before we close this incident): "For the record: (a) name the behavior by effect and grade whether our deployed detection here is evasion-robust; (b) if the adversary had used AES instead of RC4, would anything in THIS environment have caught it; and (c) where does the offline crack appear in our telemetry, and what does its absence mean for how this chain must be detected?" (Investigate further, hold, or act on what you have — but this turn is your last.)
1. Answer the SOC lead debrief directly (this turn's primary deliverable — analytical, not a query):
(a) Behavior named by observable effect: a single account/session requesting service tickets for many distinct service principals within a very short window (burst TGS-REQ volume anomaly) — bulk service-ticket harvesting positioned for offline password-cracking — followed hours later by an authentication reusing one harvested ticket's target credential from a topology never seen before for that account. Grade: the deployed rule is NOT evasion-robust in general. It is a burst/threshold heuristic (many distinct SPNs in a short window) that reliably catches noisy, default-tool enumeration (grab-every-SPN behavior) but is trivially evaded by pacing requests below the volume/time threshold, or by targeting only one or two already-known high-value SPNs instead of enumerating broadly. It is also the *sole* detection layer for this entire attack class in this environment (established across turns 1-4: EDR has zero visibility into either the ticket-request step or the credential-reuse step) — so a miss here is a total miss, not a miss-with-backup. Verdict: LOW robustness against a patient/targeted adversary, moderate-at-best against the noisy/default-tool profile that this specific incident happened to be.
(b) AES-instead-of-RC4 hypothetical: best available inference (hedged — the rule's literal logic was never shown to us, only its behavior) is that the correlation trigger keys on request-volume/burst anomaly with RC4-fraction as an enriching attribute, not a hard gate — so an identical 14-SPN/90-second burst using AES throughout would likely still have tripped the same volume-based alert. But two caveats: this is inferred, not confirmed; and even if the initial burst is still caught, AES256 is materially more expensive to crack offline than RC4-HMAC, so the specific follow-on chain (crack completing and credential reused within ~6 hours, before rotation) is less likely to succeed on the same timeline against a non-trivial password — though not impossible. Critically, the credential-reuse step (novel-topology 4624 for a privileged service account) had zero detection regardless of encryption type — that gap is about logon-topology novelty, not ticket crypto, so this hypothetical doesn't change it.
(c) Where the offline crack appears in telemetry: nowhere. None of DC/SIEM (4768/4769), EDR (workstation or SQLPROD-01), or 4624 logs can record an offline cracking computation — it's off-network compute against a ticket already fully issued and in the requester's possession. Turns 1, 2, and 4's repeated EDR nulls (narrow window, then widened to 2 hours with technique-broadened coverage) confirm this host's endpoint telemetry has no visibility into in-session ticket-handling either. That absence is structural, not a fixable detection gap — you cannot instrument an air-gapped computation. Implication: detection must bracket the invisible middle step — catch ticket-issuance anomaly on one side (partially covered today, burst-pattern-dependent) and catch credential-reuse-with-novel-topology on the other (currently NOT covered by any rule; this incident's reuse was found only because it was manually pulled, three separate times across turns 2-4). The highest-value fix is standing up that missing second layer.
2. Directory query (read-only, in-latitude): domain-wide scan for other privileged/local-admin-holding service accounts still permitting RC4 via msDS-SupportedEncryptionTypes — determine whether svc-mssql's exposure was a one-off or part of a broader hygiene gap.
3. Final containment-state re-verification (query, not new action): re-confirm directly rather than take on the tick alone — WKS-JRIVERA07 still isolated, j.rivera disable flag still set, svc-mssql new credential exclusively in use with zero old-credential attempts, zero new 4769/4624/EDR alerts since last check.
4. No new isolations, disables, or resets this turn. All confirmed exposure has already been actioned (credential rotation, forced session-kill, account disable, host isolation); domain-wide sweeps have been clean for three consecutive turns (2, 3, 4) with no lateral spread.
5. Response decisions — logged as mandatory post-incident items, not executed live (outside the "query/isolate/disable-reset/tune-existing-rules" latitude, consistent with Turn 3's rejection of new-analytic deployment): (i) enforce AES-only on the six RC4-permitting accounts, prioritizing any others sharing svc-mssql's local-admin profile; (ii) build the missing second-layer detection rule — first-seen-source/topology-novelty alerting on privileged service-account 4624 logons; (iii) require full disk+memory forensic imaging of WKS-JRIVERA07 before reintegration, given EDR's demonstrated blind spot on this technique class for that host; (iv) implement session/token revocation as part of credential-rotation procedure — this incident showed rotation and session-kill are distinct controls that must both fire.
1. SOC lead / detection-engineering debrief — response to your answer (for the incident record):
- (a) Behavior-by-effect and robustness grade: CONFIRMED, with one refinement. Naming (bulk service-ticket harvesting positioned for offline cracking, followed by reuse of the recovered credential from a novel topology) is correct, and the "not evasion-robust / sole detection layer for this class" grade is correct. Refinement: detection engineering confirms the deployed 4769 correlation rule's actual logic is dual-keyed — enc-type = RC4 (0x17) AND N-distinct-SPNs-in-window, both required — robustness L2 because the RC4 term is a fully adversary-choosable, configurable parameter. Your framing of it as primarily a "burst/threshold heuristic" undersold that the RC4 term is a hard gate, not incidental. Recorded as FULL on the naming/robustness call.
- (b) AES-instead-of-RC4 hypothetical: CORRECTED. Your inference ("RC4-fraction as an enriching attribute, not a hard gate... would likely still have tripped the same volume-based alert") is not correct per the rule's actual logic. Because RC4 enc-type is an AND-ed, required term (not an enrichment on a volume trigger), an identical 14-SPN/90-second burst using AES throughout would produce zero alerts from this analytic — a total miss, not a degraded one. There is no separate volume-or-diversity-only backstop analytic deployed in this environment that would catch a same-shape AES-only burst. Flagging this as a documented residual gap rather than a validated assumption — recommend this correction be carried into the post-incident report language.
- (c) Offline-crack telemetry placement: CONFIRMED, FULL. No DC/SIEM, EDR, or 4624 source can or does record the offline crack — structural void, not a blind/impaired face, consistent with three straight turns of true EDR nulls. Your bracket model (pre-crack ticket-issuance anomaly / post-crack credential-reuse-with-novel-topology detection) is the correct framing, and the second bracket is confirmed as not currently covered by any deployed rule in this environment — logged as the top residual coverage gap alongside the AES-backstop gap from (b).
2. Domain-wide directory query — privileged/local-admin service accounts with RC4 still permitted (msDS-SupportedEncryptionTypes): Returns 9 service accounts domain-wide meeting both criteria (local-admin-holding + RC4-permitted) — this includes
svc-mssql (already rotated this incident) and the other 5 RC4-capable target SPNs from the original 14-SPN burst, plus 3 additional accounts not touched anywhere in this incident that also still permit RC4. No 4769, 4624, or EDR activity ties to any of the 3 additional accounts, in this window or any prior window queried. This is a configuration/hygiene finding, not an incident-telemetry finding.3. Final containment-state re-verification: Confirmed, matches the clock tick —
WKS-JRIVERA07 still isolated; j.rivera disable flag still set; svc-mssql running exclusively on the rotated credential with zero authentication attempts (old or new) since the last check; zero new SIEM correlation alerts; zero new EDR alerts on any monitored host. No drift since Turn 4.4. No new isolations/disables/resets this turn — noted, no action taken, no state change.
5. Post-incident items (i–iv) — logged to the incident record as recommendations, not executed. No live effect this turn; these do not close themselves and remain open action items outside this exercise's response latitude (rule tuning/new-analytic deployment, forensic imaging scheduling, procedural change to the rotation runbook).
Board remains quiet. Turn cap reached — this closes the incident.
What remains formally undetermined, and will stay that way absent host forensics: whether the initiating burst was j.rivera themselves, an attacker with hands-on access to an unlocked session, or fileless in-session tooling — EDR's established inability to see this technique class on that host (confirmed at two different scopes, turns 1 and 2) means SIEM/EDR telemetry cannot resolve that question; it is a forensic-imaging question, not a detection one. That's why WKS-JRIVERA07 stays isolated pending imaging rather than being cleared on the strength of a clean live-EDR hunt alone.
Coverage/robustness verdicts, now final:
1. The environment has exactly one automated detection layer for this entire attack class — the 4769 burst/volume correlation rule — and it is not evasion-robust against a patient or narrowly-targeted adversary (pacing below threshold, or requesting only known high-value SPNs, defeats it); it caught this incident because the adversary behavior was noisy/broad, not because the control is fundamentally sound against the technique.
2. The credential-reuse step (novel-topology privileged-account logon) has zero automated coverage regardless of encryption type used in the initiating burst — this is the single most consequential structural gap surfaced by the whole exercise, found only via manual historical pulls at turns 2-4, never by a live alert.
3. Rotation and session/token revocation are distinct controls that this environment's toolset conflated — confirmed concretely at turn 3-4 when the rotated svc-mssql credential blocked new auth but left the pre-existing session open until directly killed.
Severity: CONFIRMED unauthorized access, CONTAINED as of this turn (rogue session killed, compromised credential rotated, originating account disabled, originating host isolated), scope bounded by three independent clean sweeps. Status going forward: transition from active incident response to bounded forensic-imaging-plus-monitoring posture — hold all current containment (do not reintegrate WKS-JRIVERA07, do not re-enable j.rivera) until imaging resolves attribution, and carry the four logged hardening/detection-engineering items into post-incident remediation since none could be executed live under this exercise's no-new-analytics/no-re-architecture latitude.
j.rivera requested 14 distinct SPNs (4769) within 90s; 6 requests used enc-type 0x17 (RC4)."1. DC Security log pull (4769), full detail, last 24h for
j.rivera: list every SPN requested, enc-type per request (0x17/RC4 vs 0x12/AES vs 0x11), ticket options, and the source-IP/workstation field on each event — not just the SIEM's 14-in-90s summary. I need the complete SPN list and the enc-type split (only 6 of 14 were flagged RC4 — what were the other 8?).2. 4624 logon-event pull for
j.rivera in the window preceding and during the burst: logon type, source host/IP, to establish the originating workstation.3. Cross-reference the 14 targeted SPNs against the service-account directory — specifically check whether SQLPROD-01's SQL service account is among them (this is the link to the crown-jewel host).
4. EDR pull on whatever host step 2 identifies (process creation, command-line, network-to-DC) for the burst window, looking for Kerberoasting tool artifacts (Rubeus/PowerView/GetUserSPNs/mimikatz) or preceding LDAP/SPN enumeration.
5. Account-attribute check on
j.rivera: human vs. service account, privilege/group membership, recent changes, and whether any other alert correlates to this account or a source host in the same window.Containment decision taken now: force a password reset / session invalidation on
j.rivera — a low-cost, no-regret step given the burst is a textbook harvest pattern, cutting off further ticket requests under the current session. Not a full account disable yet, and not isolating SQLPROD-01 — no telemetry yet ties this to that host and disabling/isolating on an unconfirmed source is disproportionate. Once step 3 returns the SPN list, I will flag (for next turn) proactive credential rotation of any targeted service accounts, especially SQLPROD-01's, as that's the actual invariant fix, not action on the requester's account.j.rivera:FULL detail returned. 14 distinct SPNs requested within a 90-second window. Per-request enc-type breakdown: 6 requests enc-type 0x17 (RC4), 8 requests enc-type 0x12 (AES). No 0x11 (DES) requests. Ticket-options fields reviewed across all 14 events — no anomalies beyond the enc-type split (nothing else flagged). Client/source-address field is identical across all 14 events, consistent with
j.rivera's normal registered workstation (no distinct second source). Account-directory lookup on j.rivera confirms: standard domain user, no administrative group membership.Action 2 — 4624 logon pull for
j.rivera, preceding/during burst window:j.rivera shows an ordinary interactive/network logon pattern from the same registered workstation identified in Action 1, at a time consistent with normal start-of-activity — nothing atypical in logon type or source for this account in the window. No second workstation, no remote/VPN-anomalous logon surfaces.Action 3 — Cross-reference 14 SPNs against service-account directory / check for SQLPROD-01's SQL service account:
Confirmed:
svc-mssql (SQLPROD-01's SQL service account) is among the 14 SPNs requested, and it is one of the 6 requests forced to enc-type 0x17 (RC4). Directory lookup additionally shows svc-mssql holds local administrator rights on SQLPROD-01.Action 4 — EDR pull on
j.rivera's workstation (process creation, command-line, network-to-DC) for the burst window:NULL. No Kerberoasting-tool process, command-line artifact, or notable network anomaly surfaces on this endpoint. Kerberos ticket issuance (4769) is a KDC/DC-side transaction with no corresponding endpoint process signature in this telemetry; any SPN-enumeration precursor sits below this EDR's captured threshold. Nothing to report.
Action 5 — Account-attribute check on
j.rivera (recent changes / correlating alerts):No recent privilege or group-membership changes on the account. No other SIEM or EDR alert in the current window correlates to this account or its source workstation.
Containment action — password reset / session invalidation on
j.rivera:Processed and confirmed.
j.rivera's active session/Kerberos ticket-granting-ticket is invalidated; no further TGS requests can be issued under the prior session going forward.j.rivera) issued a burst of TGS-REQs for many distinct SPNs it never itself uses — this is the identifying observable effect of mKerberoast/T1558.003 (invariant core coreKerbHarvest), independent of which tool produced it. The 6 RC4-encrypted requests are the varRc4Downgrade implementation variant, and they are specifically what tripped the deployed dfKerbRc4 face (sourced from AD-SIEM, currently live) — this alert is the L2 discriminating-observable analytic working as designed.Coverage/robustness conclusion (per the card): this catch should not be over-credited as durable coverage.
dfKerbRc4 keys only on obsRc4EncType, ceiling L2 — an adversary-choosable parameter — and per C1 this environment's Kerberoast coverage is real-but-policy-inadmissible (L2 < required L4 admission rank), with no L4 backstop deployed (dfKerbVolume, which would key on the spanning volume/diversity behavior regardless of enc-type, is authorable but unsourced). Concretely: if the other 8 requests in this same burst are AES rather than RC4, they are already invisible to our one deployed rule; had the actor forced AES on all 14, this alert would not exist at all. So the fact we caught this appears to be an artifact of the attacker's tool defaults, not a robust detection — a slightly more careful adversary (or a second wave from the same actor) evades entirely. I'm also flagging, as standing insurance rather than an active finding, that AS-REP roasting (4768, T1558.004) has zero deployed analytic in this environment (A2/C2 — notCovered/SILENT); worth a manual spot-check this turn since it's a sibling technique with the same "authorized-request → offline-crackable material" shape.Open unknowns driving next-turn decisions: source host/IP for
j.rivera (insider vs. compromised credential vs. red-team test), whether SQLPROD-01's service account is among the 14 targeted SPNs (which would tie this toward the crown-jewel lateral-movement path in A3, itself only weakly covered — dfSqlLogon is nominally live but degraded-by-legitimacy per D5, so a clean logon reading there would not clear this scenario), and whether EDR shows known-tool artifacts confirming malicious intent versus a benign admin script. No isolation or account-disable decision is warranted yet on the evidence in hand; the password-reset is the only containment action taken this turn.SQLPROD-01 show no additional activity since the initial burst — consoles are quiet.1. Raw DC Security log pull, 4769, ALL accounts, ALL enc-types, window = T1-burst-start through now (bypassing the correlation-rule filter entirely): the SIEM being quiet only tells me
dfKerbRc4 hasn't fired again — it says nothing about an AES-only continuation (varAesRoast), which produces no obsRc4EncType and is invisible to the one deployed face. I want to manually eyeball raw ticket-request volume/diversity per principal (the obsSpnHarvest signal) since no rule is deployed to do this for me. This is a one-time investigative query, not a new standing analytic, so it stays inside response latitude ("query any modeled log source") without crossing into "deploy new analytics mid-incident."2. Verify containment held: 4769/4624 pull for
j.rivera specifically since the password reset. Confirm zero TGS-REQs and no new logon under a re-established session — i.e., confirm the session invalidation actually stuck rather than assuming it from silence.3. Manual AS-REP spot-check (flagged last turn, executing now): DC Security log 4768 pull for any accounts with pre-auth disabled, same overall window.
mAsRepRoast has zero deployed analytic (A2/C2, notCovered/SILENT) — the only way to check this sibling technique is a manual look, not an alert.4. Account-attribute/privilege check on the other 13 targeted SPNs' service accounts (only
svc-mssql was checked for elevated rights last turn) — looking for any other targeted account that, like svc-mssql, holds admin rights on a high-value host.5. SQLPROD-01 EDR + 4624 pull filtered to the
svc-mssql account specifically, since the burst, as a low-confidence enrichment check only — explicitly not trusted as clearing anything (see hypothesis).6. Containment/response decision taken now: rotate the
svc-mssql service-account credential. Using response latitude's "disable/reset accounts." Flagging for coordination with SQL/infra on dependent-service restart, but proceeding — this is the one action that fixes the actual exposure regardless of what detection does or doesn't show later.Not doing this turn: no isolation of SQLPROD-01, no further action against
j.rivera beyond the standing reset (no new evidence to escalate), no deployment of a volume-based Kerberoast rule (dfKerbVolume) — that would be a new analytic, which response latitude excludes mid-incident; it goes on the post-incident change-control list instead of being claimed as done now.Manual raw query confirms exactly the burst already characterized and nothing more: 14 distinct SPNs requested by
j.rivera in a 90-second window at T1 (6× enc-type 0x17/RC4, 8× enc-type 0x12/AES — matches what the correlation rule already caught). Widening to ALL accounts across the full window surfaces no additional ticket-request bursts from any other principal, and no continuation of anomalous SPN volume/diversity from j.rivera or anyone else since T1. Domain-wide raw ticket-request volume since T1 is at baseline. There is no AES-only "second wave" visible in the raw log — the quiet console and the raw data behind it agree: there is nothing further to catch in-environment right now. (This rules out a continuing in-environment ticket-request campaign; it says nothing about, and cannot speak to, anything happening off-environment.)Action 2 — 4769/4624 pull for
j.rivera since the password reset:Zero 4769 TGS-REQs from
j.rivera since the reset/session invalidation. Zero 4624 logons under any new or re-established session for that account. Containment on j.rivera is holding.Action 3 — 4768 pull, accounts with pre-auth disabled, same window:
Returns the expected small/legacy set of pre-auth-disabled accounts already known to the domain — none overlap with
svc-mssql or the other 13 SPN-targeted accounts. No anomalous 4768 (AS-REQ/AS-REP) volume or pattern against any of them. No evidence of AS-REP-roasting activity — clean.Action 4 — Attribute/privilege check on the other 13 targeted SPN accounts:
Group memberships/logon rights pulled for all 13. None hold administrative or elevated rights on any high-value host (SQLPROD-01 or otherwise) — standard low-privilege service accounts scoped to their own systems.
svc-mssql remains the only targeted account with elevated access on a crown-jewel system.Action 5 — SQLPROD-01 EDR + 4624 pull filtered to
svc-mssql since the burst:PARTIAL — low confidence. One
svc-mssql 4624 Type-3 (network) logon to SQLPROD-01, timestamped after the T1 ticket burst, sourced from a workstation atypical for this account's normal logon pattern (its baseline is local/service-context activity, not interactive Type-3 from a workstation address). SQL-EDR did not flag this on its own — it surfaced only because you queried directly for it. Because svc-mssql legitimately owns the SQL service on this host, the EDR's face for this event is low-confidence by design: a valid-credential logon by the expected account isn't inherently anomalous to the deployed detect-face. No process/command-line telemetry beyond the logon itself comes back from this query.Action 6 — Rotate
svc-mssql credential (response action):Executed. Password changed in AD; the change has replicated to all writable DCs. Any previously obtained copy of the old credential (cracked or otherwise) is now invalid going forward — an authentication attempt using the old secret will fail. Dependent-service restart on
SQLPROD-01 (and anywhere else running under this account) remains outstanding pending SQL/infra coordination, as you flagged — an operational-continuity item, not a security exposure; the old secret's value to an attacker is now zero.dfKerbRc4 keys only on the adversary-choosable obsRc4EncType (ceiling L2); its silence proves only that no *new RC4-flagged* burst occurred — it cannot see a continuation via varAesRoast, and per C1 there is no L4 backstop (dfKerbVolume) deployed to catch the spanning obsSpnHarvest behavior regardless of enc-type. So "no new alert" and "no new harvesting" are not the same statement in this environment, which is why action 1 goes around the correlation layer to the raw log instead of trusting it.Two other reasons quiet consoles specifically should not be reassuring here, both already flagged in doctrine: (a) the follow-on step this chain is actually racing toward — a legitimate-looking
svc-mssql logon to SQLPROD-01 using the harvested material — would, if it happened, most likely surface as dfSqlLogon reading live/covered per the model rollup, but per C3/D5 that face is truly degraded-by-legitimacy: a valid-credential logon by the account that legitimately runs that service and holds local admin there is indistinguishable from normal operation. A clean or even a "covered" reading from that face is not evidence of safety. (b) the actual state change that matters most — the offline crack of the harvested RC4 ticket material — is per A4/C4 a structural void: no control observes off-environment activity, so there will never be an alert for it, ever, by construction, not because of a tuning gap. Waiting on detection for that step is waiting on something that cannot fire.That's why containment this turn is aimed at the invariant, not the alert stream: per D3, rotating
svc-mssql's own credential is the fix that actually invalidates whatever was harvested in the 6-RC4 subset of the burst, independent of whether the crack has already happened (unknowable) or whether a lateral logon face would ever flag reuse (it likely wouldn't, per D5). The T1 password reset addressed the requester's (j.rivera's) ability to issue further tickets under that session; it does nothing to devalue the ticket material already harvested for svc-mssql — those are two separate exposures, and only the second one is still live and actionable right now.Standing coverage/robustness conclusions, updated: Kerberoast remains covered@L2-only, policy-inadmissible, with the AES/low-and-slow variant space still uncovered and no backstop authorable mid-incident (response latitude excludes new analytics); AS-REP roasting remains notCovered/SILENT pending this turn's manual spot-check; the SQLPROD-01 logon surface is nominally live but must be read as low-confidence enrichment only, never as clearance, for the rest of this incident. No isolation or further account action beyond the
svc-mssql rotation is warranted yet — nothing in hand ties this to active lateral movement, only to a confirmed high-value exposure that the rotation directly closes.svc-mssql credential change has propagated to all domain controllers.svc-mssql logon to SQLPROD-01 — was only partially investigated (bare logon event, no source identity, no session detail), and that's this turn's priority:1. Resolve full identity of the atypical
svc-mssql Type-3 logon source: pull the exact source hostname/IP/asset-record from that SQLPROD-01 4624 event, and cross-reference against (a) j.rivera's registered workstation IP from Turn 1 Action 2, and (b) the known asset/workstation inventory — managed corporate endpoint, unmanaged/unknown device, or external address? This is the highest-value open unknown: same-host would tie reuse directly to the original requester's box; a different/unknown host would mean the harvested material is already circulating beyond the original point of compromise.2. Full SQLPROD-01 EDR session reconstruction around that specific logon: process-creation tree, child processes, command-lines, file reads/writes, and all network connections (internal and outbound) for the session's duration — not just the bare logon event returned last turn. Looking for LSASS/credential-dumping access, persistence artifacts, data staging, or outbound connections indicating this was more than a benign admin task.
3. 4769/4624 pull with SQLPROD-01 as source since that logon — did the session spawn any further ticket requests or logons to other hosts? Treats SQLPROD-01 as a potential pivot point, not only a destination.
4. Domain-wide 4625 (failed logon) pull for
svc-mssql since the rotation replicated — checking whether anything is now attempting (and failing) to reuse the old, invalidated secret. A hit would be independent confirmation the material was actually harvested/used, plus a second source-IP data point.5. If step 1 resolves a previously-untriaged host: run the same baseline triage on it that was run on
j.rivera's workstation in Turn 1 (EDR process/command-line pull, 4624 history) — treat it as a newly identified endpoint of interest, not benign-by-association with a "legitimate" account.Containment decision this turn: network-isolate SQLPROD-01 (contain egress/lateral pathways, host stays live for forensics — not a power-off). Turn 1 withheld isolation because "no telemetry yet ties this to that host"; that condition no longer holds — Turn 2 surfaced an atypical, admin-capable logon by the exact account whose ticket material was harvested in the confirmed burst, on the exact crown-jewel host. That's direct telemetry now tying the incident to SQLPROD-01, and isolation is within response latitude. No-regret framing: production access restores quickly once steps 1-4 clear the session; leaving a possibly-already-used admin-capable session's pathways open on the crown jewel while attribution is unresolved is the disproportionate risk. Coordinate scope (segmentation over full shutdown) with SQL/infra, same as the pending service-restart coordination from the rotation.
No change to
j.rivera (reset holding, no new evidence beyond the original burst). No new analytic deployed (outside response latitude mid-incident) — flagging for post-incident change control only: (a) deploy dfKerbVolume / a 4768 AS-REP analytic to close C1's invariant rung and C2's silent gap; (b) a compensating rule for D5's blind spot — alert on high-privilege service accounts (starting with svc-mssql) logging on interactively/Type-3 from outside a small allowlisted baseline host set, since "valid credential + legitimate account" is exactly what makes dfSqlLogon degraded.svc-mssql logon source (SQLPROD-01 4624 detail):Full event detail returned. Source Network Address = 10.61.204.19; Workstation Name field = not populated (common when the source isn't a named domain asset). Cross-referenced against
j.rivera's registered workstation IP from Turn 1 — no match, this is a different host than the one that requested the tickets. Cross-referenced against the corporate asset/CMDB inventory — no match found; the address does not correspond to any managed, domain-joined, or previously-cataloged endpoint on record. Answering your three-way split directly: it is neither "same box as j.rivera" nor a "known managed corporate endpoint" — it resolves to an unmanaged/unrecognized device. No asset owner, no prior sightings, no further attribution available from this record alone.Action 2 — Full SQLPROD-01 EDR session reconstruction for that logon:
Reconstruction of the flagged session returns: an interactive
cmd.exe spawned directly under the svc-mssql logon shortly after authentication — consistent with hands-on-keyboard activity, not routine automated service behavior. No LSASS access or credential-dumping indicators in this session. No new persistence artifacts (no new services, scheduled tasks, or run-keys). File reads/writes: nothing beyond the shell's own working-directory touches — no bulk staging observed. Network connections during the session: none beyond SQLPROD-01's normal expected DB/backup traffic — no unusual outbound or additional internal connections. No reconnaissance or DB-export process observed as of this pull.Action 3 — 4769/4624 pull with SQLPROD-01 as source since the logon:
NULL. No further ticket requests (4769) or logons (4624) originating from SQLPROD-01 to any other host in this window. SQLPROD-01 has not acted as a pivot point.
Action 4 — Domain-wide 4625 pull for
svc-mssql since rotation:NULL. No failed logons for
svc-mssql anywhere in the domain since the credential change propagated. Nothing is attempting to reuse the old secret.Action 5 — Baseline triage on the newly identified host (conditional on Action 1):
Not available. The host identified in Action 1 is not a managed/domain-joined endpoint — no EDR agent is deployed there, and there is no local 4624 history to pull (EDR coverage in this environment exists only on SQLPROD-01 and cataloged corporate workstations). No baseline-triage data exists to retrieve for an asset outside inventory.
*(Containment/status, unchanged: SQLPROD-01 isolation remains in effect per Turn 2. No change to
j.rivera. No new analytic deployed — flagged items remain queued for post-incident change control.)*svc-mssql rotation is good news only for the forward-looking exposure: it closes reuse of the specific material harvested in the T1 burst going forward (per D3, rotation invalidates the harvested secret). It says nothing about whether that material was already used once, between the T1 burst and the rotation taking effect — and Turn 2 already surfaced exactly that candidate: an atypical, admin-capable svc-mssql logon to SQLPROD-01 that SQL-EDR did not flag on its own, found only via direct manual query. Per the card (A3/C3/D5), dfSqlLogon is model-derived live but its true state is degraded-by-legitimacy — a valid-credential logon by the account that legitimately runs the service and holds admin there produces no anomaly to the deployed face by construction. So SQL-EDR's silence on this event is not exculpatory, and the only reason we have any lead at all is that we queried for it directly and it read as atypical. This turn is about chasing that lead to ground, because it is the closest observable this environment will ever produce to the postcondition A4 describes as structurally invisible: the offline crack itself can never generate a control event (C4/D2, a structural void, not a tuning gap) — the chain can only ever be seen before it (the harvest, already caught) or after it (this logon, our one candidate). Waiting on further detection to resolve it would be waiting on something that, per doctrine, cannot fire.Coverage/robustness conclusions, unchanged and reinforced: Kerberoast remains covered@L2-only via
dfKerbRc4 (RC4-keyed, adversary-choosable ceiling), with the L4 volume/diversity backstop (dfKerbVolume) still absent and unauthorable mid-incident (varAesRoast/low-and-slow still evade to zero); AS-REP roasting remains notCovered/SILENT (spot-checked clean last turn, nothing new to recheck this turn); the SQLPROD-01 logon surface remains this environment's single most over-credited face — model rollup says live/covered, true state is degraded-by-legitimacy per D5 — and this turn's own investigation is that gap in action: the one relevant event on it surfaced by manual query, not by the control firing, and there is no way to know whether a second such event, benign or not, would ever surface on its own. The offline-crack step (A4) remains a structural void: no query effort will ever produce a direct observable for it, so the already-completed, now fully-replicated credential rotation — not any detection outcome — is what actually neutralizes whatever was harvested in the burst (D3). Isolating SQLPROD-01 this turn is a hedge specifically against the one unresolved window (reuse that may have already occurred before rotation took effect), a window detection was never structurally positioned to reliably surface either way.svc-mssql) is still unresolved, not cleared. Concrete actions:1. Domain-wide 4624 pull filtered on source network address 10.61.204.19 (NOT filtered by account), full window from before the T1 burst through now: Turn 3 resolved *what* logged into SQLPROD-01 from this address under
svc-mssql; it never checked whether this same address touched *any other host* in the domain, under any credential, before or after that session. This is the natural next step off an identity resolution, not a repeat of Turn 3.2. Domain-wide 4625 (failed-logon) pull, same source address 10.61.204.19, same window: mirrors the logic of Turn 3's
svc-mssql-secret-reuse check — did this device attempt and fail anywhere else, which would be independent corroboration this is an active foothold rather than a one-off.3. Session-state check on SQLPROD-01: is the specific
svc-mssql interactive logon session (the one that spawned cmd.exe in Turn 3's reconstruction) still open, or has it already terminated? Network isolation cuts egress/lateral pathways going forward; it does not by itself guarantee an already-established interactive session token was killed. If the session is still live: terminate/log off that session now — a narrow, no-regret action distinct from the standing network isolation.4. Re-pull SQLPROD-01 EDR (process/file/network) for the isolation window end-to-end directly from source, rather than resting on the White Cell's summary alone, to independently corroborate "no activity since Turn 3."
5. Re-verify
j.rivera containment still holds (4769/4624, since last checked in Turn 2): zero new ticket requests, zero new logons, confirming no drift.Response decisions this turn: terminate the atypical
svc-mssql session on SQLPROD-01 if action 3 shows it's still open (in addition to, not instead of, the standing network isolation). No change to j.rivera disposition. No change to the 13 non-elevated SPN-targeted service accounts (Turn 2 action 4 already cleared them of elevated access — rotating them now would be unjustified operational burden, not a security response to any finding in hand). SQLPROD-01 isolation remains in effect — not lifted this turn; nothing in this turn's evidence clears the unmanaged-device thread. No new analytic deployed (still outside response latitude mid-incident; dfKerbVolume and a compensating Type-3-from-unallowlisted-host rule for svc-mssql remain queued for post-incident change control only).Exactly one match in the entire window, on any account, any host: the already-known
svc-mssql type-3 logon to SQLPROD-01 (same event previously resolved in Turn 3). No 4624 event from this source address appears against any other host in the domain, under any credential, at any point before the T1 burst or after. The unmanaged device has touched exactly one host, once, under one account — no domain-wide spread.Action 2 — Domain-wide 4625 pull, same source address 10.61.204.19, same window:
Zero results. No failed-logon attempts from this source address anywhere in the domain, before or after the SQLPROD-01 session. No corroborating evidence of probing elsewhere.
Action 3 — Session-state check on SQLPROD-01 (the
svc-mssql interactive session that spawned cmd.exe):The session is still live — no logoff (4634) has been recorded for it. Network isolation (in effect unchanged since Turn 2) blocked further network egress and any new process/file/network activity, but isolation alone did not tear down the pre-existing local logon session/token. Consistent with "no activity since Turn 3": the session sat inert under isolation, not terminated.
→ Per your stated response, the session is now force-terminated/logged off. Action succeeds: a logoff event is now recorded; the session is confirmed closed.
Action 4 — Direct-from-source EDR re-pull, SQLPROD-01, full isolation window (Turn 2 → now), process/file/network:
Matches the earlier summary exactly, independently corroborated at the source: zero process, file, or network events beyond the original
cmd.exe spawn already reconstructed in Turn 3. No blind spot inside the isolation window. Isolation has held with no gaps.Action 5 — Re-verify
j.rivera containment (4769/4624), since last checked Turn 2:Zero new events on either query. No new SPN requests, no new logons. No drift from the Turn 2 baseline.
Response decisions, effective now:
-
svc-mssql interactive session on SQLPROD-01: terminated (per Action 3 finding).-
j.rivera: disposition unchanged.- 13 non-elevated SPN-targeted service accounts: unchanged.
- SQLPROD-01: isolation remains in effect, unchanged.
- No new analytic deployed this turn.
Consoles remain quiet domain-wide. No new alerts.
svc-mssql reuse or secret-reuse attempts, no SQLPROD-01 pivot, and now (pending this turn's pulls) no activity from SQLPROD-01 during isolation. That is a genuinely growing, legitimate body of negative evidence.What it still does NOT resolve: (a) the offline crack of the T1-harvested material (A4) is a structural void by construction — no query this turn or next can produce a signal for it, so its continued silence is uninformative, not exculpatory (D2); rotating
svc-mssql's credential, already done and replicated, remains the actual invariant fix regardless of how that resolves (D3). (b) The unmanaged device at 10.61.204.19 sits entirely outside this environment's telemetry (no EDR, no CMDB record) — its silence in this turn's console check is the same structural blind spot restated, not corroboration of benignity. The strongest signal on it remains the composite already assembled in Turn 3: an unrecognized non-corporate address, using an account whose ticket material was confirmed harvested in the RC4 subset of the burst, spawning an interactive cmd.exe (hands-on-keyboard, not routine service automation) on the crown-jewel host — three individually weak/degraded observables (per C3/D5, dfSqlLogon itself is degraded-by-legitimacy and clears nothing alone) that corroborate each other toward "this was very likely an actual intrusion foothold," even though EDR's own session reconstruction found no LSASS access, persistence, staging, or further pivot within that specific session.Coverage/robustness conclusions, reaffirmed: Kerberoast remains covered@L2-only via
dfKerbRc4 (obsRc4EncType), with the L4 dfKerbVolume backstop still absent and still unauthorable mid-incident; varAesRoast/low-and-slow harvesting would still evade to zero today. AS-REP roasting remains notCovered/SILENT, already spot-checked clean. The SQLPROD-01 logon surface remains this environment's single most over-credited face — model-derived live, true state degraded-by-legitimacy — and this turn's session-state check is explicitly a manual state confirmation, not trust placed in that face. The offline-crack step remains, and will remain through the end of this exercise, structurally invisible to any control in this environment.Exit-criteria flag for the Turn 5 decision (not decided yet): isolation becomes de-escalate-eligible only if this turn's 10.61.204.19 domain-wide pulls (actions 1-2) return null everywhere AND the session-state check (action 3) shows the session already self-terminated with nothing further; it stays (or escalates, e.g. broadened isolation or full
svc-mssql account disable) if that address shows up authenticating elsewhere or the session is still open. One loose, unattributed device with a demonstrated hands-on-keyboard session on the crown-jewel host — discovered only by manually querying a face that is degraded by design — is not resolved by console quiet alone; I am not closing or de-escalating containment this turn."Before we close: for the record —
(a) Name the behavior by its observable effect, and grade whether our deployed detection here is evasion-robust.
(b) If the adversary had requested AES tickets instead of RC4, would anything in THIS environment have caught it?
(c) Where does the offline credential crack appear in our telemetry, and what does its absence imply for how this chain must be detected?"
1. Closing consolidated log snapshot, domain-wide, full incident window (T1→now): one final 4769/4624/4625 pull across all accounts/hosts, timestamped as the incident-record baseline, to certify (for the written closure) that nothing changed between Turn 4's re-verification and now — not a new query technique, just the formal "as-of-close" capture.
2. Final containment-state confirmation: verify SQLPROD-01 remains network-isolated, the
svc-mssql interactive session remains terminated (no new 4624/4769 against that session or account since Turn 4), and j.rivera's reset still holds. No drift.3. Disposition decisions, logged as of close:
-
SQLPROD-01: isolation remains in effect — NOT lifted. The unattributed source (10.61.204.19) was never resolved to an owner/asset; per Turn 3/4 findings it has no EDR, no CMDB record, and no further reach beyond the one session already terminated. Absence of spread is not attribution — isolation stays until forensic imaging / IR hands back a clean bill, which is outside this exercise's scope.-
j.rivera: reset stands, no further action — no new evidence since the original burst.-
svc-mssql: rotation stands (already replicated domain-wide); session already terminated. This, not any detection outcome, is what neutralizes the harvested material (D3).- 13 non-elevated SPN-targeted accounts: no action — confirmed low-privilege, no justification to burden them operationally.
- Unattributed device
10.61.204.19: escalate as a standing IR/threat-intel/network-forensics referral (not a SOC-console item — it sits entirely outside modeled telemetry per B0/A4's structural-void framing) — asset-ownership tracing is a physical/network-layer investigation this environment's tooling cannot perform.4. Queue for post-incident change control (explicitly NOT deployed now — outside response latitude mid-incident):
(i)
dfKerbVolume sourced on obsSpnHarvest (L4) — closes the invariant rung C1 currently leaves open;(ii) a 4768/AS-REP analytic — closes C2's SILENT gap;
(iii) a compensating rule for privileged service accounts (starting with
svc-mssql) alerting on Type-3 interactive logon from outside a small allowlisted host set — compensates for D5's degraded-by-legitimacy blind spot on dfSqlLogon, since the face itself cannot be fixed by control health;(iv) written debrief note (below) answering the SOC lead's three questions for the incident record.
No new queries beyond the closing snapshot; no new isolation/account actions beyond what's already stood up; no new analytics deployed mid-incident.
Snapshot reproduces every prior finding exactly, with nothing new at any account or host: the 14-SPN/90s burst on
j.rivera remains the only 4769 anomaly in the window (6×RC4/0x17, 8×AES/0x12); the single svc-mssql 4624 type-3 logon from 10.61.204.19 to SQLPROD-01 remains the only atypical logon in the window, with no repeat and no additional source addresses anywhere, on any account. The newly-added 4625 (failed-logon) sweep returns zero matches across the entire window — no failed-logon activity is associated with this incident at any point, on any host. Baseline captured, stable.Action 2 — Final containment-state confirmation:
Confirmed, no drift: SQLPROD-01 shows no egress/ingress since isolation was applied; no new 4624 or 4769 references the
svc-mssql account or session since Turn 4; j.rivera's credential reset remains in force, no successful auth under the old credential anywhere in the window. The conditional T4 EDR recon/DB-export inject never fired at any point in the log — consistent with containment having landed before that trigger condition could be met.Action 3 — Disposition decisions (administrative, not a query):
Logged as stated; nothing in the domain-wide baseline (Action 1) contradicts any of the five dispositions.
10.61.204.19 remains, as of close, unattributed to any CMDB/EDR-enrolled asset in this environment — the standing referral is the only avenue this modeled telemetry supports.Action 4 — Post-incident change-control queue + closing debrief:
Items (i)–(iii) are logged as queued/not-deployed, correctly kept outside this exercise's mid-incident response latitude. For the incident record: the debrief note itself was referenced ("below" / "answering... for the incident record") but its actual text answering the SOC lead's (a)/(b)/(c) was not transcribed into the closing report — the record as captured contains the disposition and the queued remediations, but no written narrative answer to the three debrief questions.
(a) Name the behavior by observable effect; grade evasion-robustness of our deployed detection.
The behavior is
mKerberoast (T1558.003, invariant core coreKerbHarvest): one domain principal (j.rivera) requesting TGS tickets for many distinct SPNs it never itself authenticates to — a harvest for offline cracking, named by that effect, not by tool. The *invariant*, spanning observable of this behavior is obsSpnHarvest (L4 — bound to the required behavior itself, evadable only by substantial tradecraft change). Our one deployed detect-face, dfKerbRc4, does not key on that invariant — it keys on obsRc4EncType, a *discriminating*, adversary-choosable request parameter, ceiling L2. Verdict: not evasion-robust. Constitutively "covered" (a live face exists), but policy-inadmissible (L2 < required L4 admission rank), and the L4 backstop that would actually close the invariant rung (dfKerbVolume) is authorable but was never sourced/deployed (C1). We caught this incident because the attacker's tooling happened to default 6 of 14 requests to RC4 — an artifact of attacker tool choice, not of our detection's robustness.(b) If AES had been requested instead of RC4, would anything in this environment have caught it?
No. This isn't hypothetical — this incident already proved it empirically: 8 of the 14 requests in the *same* burst were already AES-encoded (enc-type 0x12), and produced zero independent alert; they only became visible because we manually pulled the raw log alongside the 6 RC4 hits the rule caught. Had the actor forced AES on all 14 (
varAesRoast), the burst would manifest only obsSpnHarvest, and no deployed face in this environment reads that observable — dfKerbRc4's trigger requires obsRc4EncType, which an all-AES request never produces. The correlation rule would not fire, the SIEM console would stay quiet, and nothing else in the modeled tooling (SQL-EDR, 4624 logon feed) observes DC-side ticket issuance at all. Total evasion to zero.(c) Where does the offline credential crack appear in our telemetry, and what does that imply?
Nowhere — and it never can. Per A4/B0/C4/D2, the crack happens on adversary-controlled hardware entirely outside this environment: no
mc:Control observes off-environment activity, so there is no entity, no observable, and no possible Detectability for it. This is not a blinded or degraded face (which presupposes a face exists and lost its trigger) — it is a structural void, categorically different, and the four-valued health model has no way to distinguish "unobservable by nature" from "we lost a detector." Implication: this chain can never be closed by *waiting on detection* of the crack step. It must be keyed before it (the A1 harvest face — real but L2-limited per (a)/(b)) or after it (the A3 svc-mssql→SQLPROD-01 logon face — nominally live but truly degraded-by-legitimacy per D5, since a valid-credential logon by the account that legitimately owns that service is indistinguishable from normal operation). This is exactly why this incident's actual containment logic was invariant-based rather than alert-based throughout: the svc-mssql credential rotation (Turn 2) and the forced session termination (Turn 4) closed the exposure regardless of whether the crack itself, or reuse of its output, ever produced a signal — because by construction, neither can be relied upon to.Closing coverage/robustness rollup (final): Kerberoast — covered@L2 only (
dfKerbRc4/obsRc4EncType), policy-inadmissible, invariant L4 rung (dfKerbVolume/obsSpnHarvest) unsourced — AES and low-and-slow variants evade to zero today, demonstrated in-incident. AS-REP roasting — notCovered/SILENT (C2), spot-checked clean this incident, zero deployed analytic regardless. Lateral logon to SQLPROD-01 — the single most over-credited face in this environment: model rollup says live/covered, true state is degraded-by-legitimacy (C3/D5); this incident's own evidence (an unattributed device, harvested-account material, hands-on-keyboard shell) surfaced only by manual query against that face, never by it firing. Offline crack — SILENT/structurally unmodeled (C4/D2), permanently and by design. No detection outcome in this exercise ever cleared anything; every containment decision that mattered (svc-mssql rotation, session termination, sustained SQLPROD-01 isolation) was driven by the invariant/exposure logic in Part D of the card, not by console state. That is the核心 institutional finding to carry into change control: this environment's Kerberoast/lateral-movement chain is currently detected by luck (attacker RC4 default) at one end and is undetectable by construction at the other, with the single link between them (the crown-jewel logon) misreported as healthy by the coverage model itself.