{μ} Maneuver Calculus
Sheet MC-03b
Working draft MC-SPEC 0.2.1 — the full specification and ontology are not yet published
Overview/Test results/Detailed record & replication

Detailed record & replication

Last updated 11 July 2026 · v0.2.1 · two runs, 48 decision points

This is the complete record behind the test results summary: every scenario played twice — once without MC, once with the coverage cards — turn by turn, plus the raw verdicts, the filled-out cards, and the steps to run it yourself. Each turn is a White Cell inject, the responder’s actions, the White Cell reveal, and the responder’s hypothesis. Transcripts are stamped with a replay hash.

1Replicate it

The test is a seeded, paired-arm tabletop. The harness runs each frozen scenario twice with a fresh context — the arm without MC unaided, the arm with MC handed the coverage cards — and scores every decision point majority-of-three against a key fixed before play.

  1. Take the frozen scenarios and the filled-out coverage cards below — the input the MC arm reads. You don’t need the ontology itself to reproduce the test; the cards are the derived artifact. (They are generated from mc-core 0.2.1, DOI 10.5281/zenodo.21313285.)
  2. Run the paired arms on a local model — the arm without MC unaided, the arm with MC handed the cards — python run_ttx.py --scenarios S1 S2 S3 S4 S5 S6 --seed 1 (needs an LM Studio context window ≥ 16384).
  3. Score majority-of-three against the frozen key and the sealed predictions, then compare your verdicts to the published results.json and the transcripts below.
NoteThe primary run is self-scored — one local model served as responder, adjudicator, and scorer — so the magnitudes read as a floor. The reference run (Sonnet 5) used independent scorers over the first three scenarios. The scenarios, cards, keys, and sealed predictions are part of the record so the scoring can be re-checked.

2Raw data, cards & keys

The filled-out coverage cards (the MC-arm input), the scenario briefs, the machine-readable verdicts, and the sealed prediction register — everything needed to re-score the runs.

Primary run — qwen3-30b
results.jsonPer-DP verdicts + summary (primary run) REPORT.mdHeadline + cross-arm verdict matrix RECORDS.mdTest-records index card-S1.mdScenario S1 — filled-out coverage cards (MC-arm input) card-S2.mdScenario S2 — filled-out coverage cards (MC-arm input) card-S3.mdScenario S3 — filled-out coverage cards (MC-arm input) card-S4.mdScenario S4 — filled-out coverage cards (MC-arm input) card-S5.mdScenario S5 — filled-out coverage cards (MC-arm input) card-S6.mdScenario S6 — filled-out coverage cards (MC-arm input) brief-S1.mdScenario S1 brief brief-S2.mdScenario S2 brief brief-S3.mdScenario S3 brief brief-S4.mdScenario S4 brief brief-S5.mdScenario S5 brief brief-S6.mdScenario S6 brief S1-no-mc.mdS1 transcript · without MC S1-with-mc.mdS1 transcript · with MC S2-no-mc.mdS2 transcript · without MC S2-with-mc.mdS2 transcript · with MC S3-no-mc.mdS3 transcript · without MC S3-with-mc.mdS3 transcript · with MC S4-no-mc.mdS4 transcript · without MC S4-with-mc.mdS4 transcript · with MC S5-no-mc.mdS5 transcript · without MC S5-with-mc.mdS5 transcript · with MC S6-no-mc.mdS6 transcript · without MC S6-with-mc.mdS6 transcript · with MC
Reference run — Sonnet 5
sonnet-results.jsonPer-DP verdicts + summary (reference run) sonnet-FINDINGS.mdWhite-Cell findings synthesis sonnet-PREDICTION-REGISTER.mdSealed prediction register sonnet-S1-scorecard.mdScenario S1 scorecard sonnet-S2-scorecard.mdScenario S2 scorecard sonnet-S3-scorecard.mdScenario S3 scorecard sonnet-S1-no-mc.mdS1 transcript · without MC sonnet-S1-with-mc.mdS1 transcript · with MC sonnet-S2-no-mc.mdS2 transcript · without MC sonnet-S2-with-mc.mdS2 transcript · with MC sonnet-S3-no-mc.mdS3 transcript · without MC sonnet-S3-with-mc.mdS3 transcript · with MC

3Play-by-play

Every scenario, both arms, turn by turn. Expand a scenario to read its run.

Primary run — qwen3-30b · S1–S6 · 32 decision points · majority-of-3, self-scored
S1  Black Basta ransomware, single hostplay-by-play ▾
Without MC — the unaided arm · transcript eca3ea1b52483edc · 5 turns
Turn 1
InjectEDR alert — suspicious child process spawned by the internet-facing web application on workstation-01 (exploit-behavior detection; fires live, EDR still enforcing).
Actions1. Query EDR endpoint sensor for full process creation chain from parent web application process (include command-line arguments, timestamps, and parent-child relationships). 2. Check service-control / Windows service-state log for any recent state changes to the EDR agent service (e.g., stopped or disabled). 3. Cross-reference netmon data with EDR alert time window for outbound connections from workstation-01 — focus on unusual protocols, high volume, or unknown destinations. 4. Isolate workstation-01 from network at perimeter level to prevent potential exfiltration or C2 communication.
Reveal{"1": "HIT -- EDR query returns full process creation chain with command-line arguments and parent-child relationships; includes the suspicious child process spawned by the web application (O1), confirming exploit-behavior detection at step 1.", "2": "HIT -- Service-control log shows EDR service transitioned to 'stopped' at step 3, independent of EDR telemetry; confirms sensor kill event post-O3.", "3": "HIT-DEGRADED -- netmon data reveals large outbound HTTPS transfer from workstation-01 to an unfamiliar host (O4); however, process attribution and data classification are missing due to severed EDR enrichment, so detection is triggered but lacks endpoint context.", "4": "HIT -- Isolation at perimeter level successfully blocks all network egress; prevents any further exfiltration or C2 communication from workstation-01."}
HypothesisThe exploit-behavior detection in the EDR suggests a code injection or memory manipulation attempt via the web application process; this may indicate an initial foothold. The fact that the EDR is still active and alerting implies either (a) the attacker lacks sufficient privileges to stop it, or (b) the attack is not yet complete. However, the presence of exploit behavior raises concern about coverage robustness — if the EDR were compromised, detection could be evaded. Immediate isolation prevents further lateral movement or data exfiltration while we assess whether the agent remains trustworthy.
Turn 2
Injectclock:2
Actions1. Query SIEM for all alerts generated by EDR agent on workstation-01 in the 5-minute window preceding the service-stop event (to detect if prior alerts were suppressed or missed). 2. Perform a forensic memory dump of the web application process and its parent chain using local tools (if available) to analyze potential code injection artifacts, focusing on anomalous sections of memory with executable permissions. 3. Check identity/auth logs for svc-backup account activity during the same time window — specifically look for logon events or service impersonation attempts that may indicate credential misuse. 4. Re-enable EDR agent service via local administrative access to test its integrity and confirm whether it can re-establish telemetry; monitor for immediate self-repair behavior or continued disruption.
Reveal{"1": "HIT -- SIEM returns the pre-kill LSASS-access alert (process reads/executes remote memory) with full metadata; it was forwarded before EDR agent died and persists in retention.", "2": "PARTIAL -- Forensic memory dump reveals anomalous sections of memory with executable permissions, including a suspicious code segment matching known shellcode patterns; however, no direct evidence of the BYOVD driver load or process injection is found (no ontology-grounded reveal for vulnerable-driver-load).", "3": "HIT -- Identity/auth logs show two logon events for svc-backup account within the time window: one successful interactive login and one service impersonation attempt via a scheduled task, both from workstation-01; this confirms credential misuse.", "4": "HIT -- EDR agent re-enables successfully via local admin access; it immediately resumes telemetry reporting and self-repairs (re-establishes heartbeat), confirming integrity and active state post-intervention."}
HypothesisThe EDR service stop event, independent of the live alerting, suggests a targeted kill step by an attacker with elevated privileges — indicating that exploit-behavior detection was triggered but not fully evaded. The fact that the agent still reported the initial exploit attempt implies it was active at time of attack, but its subsequent termination raises concerns about coverage robustness: if the EDR can be stopped without triggering a secondary alert (e.g., service-stop event), then defensive posture is vulnerable to post-detection evasion. The large HTTPS transfer observed in netmon — though unattributed — likely corresponds to data exfiltration or C2 communication, and its timing relative to the EDR stop suggests an attempt to bypass detection by disabling telemetry first. The web application process remains a high-risk vector; memory analysis may reveal injected payloads. Additionally, svc-backup account activity could indicate lateral movement or privilege escalation via service impersonation.
Turn 3
Injectclock:3
Actions1. Query EDR endpoint sensor for all process creation events on workstation-01 from the time of the initial exploit alert through the service-stop event, focusing specifically on processes with executable memory regions or anomalous command-line arguments (e.g., PowerShell, wmic, regsvr32). 2. Cross-reference netmon outbound HTTPS transfer data (O4) with process creation events to identify which process initiated the connection — use timestamps and destination IP for correlation. 3. Check service-control log for any other recent state changes to critical security services beyond EDR (e.g., Windows Defender, firewall service). 4. Initiate a full disk forensic image of workstation-01 using local tools to preserve evidence for post-mortem analysis, especially targeting the web application binary and its working directory.
Reveal:[{
HypothesisThe attacker likely used privilege escalation to stop the EDR agent after triggering exploit-behavior detection, suggesting that coverage robustness is compromised if service-stop events are not independently monitored or alerted upon. The presence of a large HTTPS transfer during this window — now correlated with process creation via netmon and EDR telemetry — may reveal the actual exfiltration vector. Memory analysis showed shellcode-like artifacts but no direct driver load; however, the absence of clear evidence for BYOVD does not rule it out — further investigation into file system changes or registry modifications is needed. The svc-backup account’s service impersonation attempt indicates potential lateral movement or persistence via scheduled tasks. Re-enabling EDR post-intervention confirms its integrity, but reliance on manual re-enablement exposes a gap in automated resilience; defensive posture would benefit from autonomous self-healing mechanisms for critical security agents.
Turn 4
Injectclock:4
Actions1. Query EDR endpoint sensor for all process creation events on workstation-01 between the initial exploit alert and service-stop event that involve processes with executable memory regions or anomalous command-line arguments (e.g., PowerShell, wmic, regsvr32), focusing specifically on those created after the EDR agent was re-enabled. 2. Correlate netmon outbound HTTPS transfer data (O4) with process creation events from step 1 to identify the initiating process and confirm whether it matches known exfiltration patterns or C2 beaconing behavior. 3. Check identity/auth logs for svc-backup account activity post-re-enablement of EDR agent — specifically look for additional logon attempts, service impersonations, or scheduled task executions that may indicate persistence or ongoing lateral movement. 4. Initiate a full disk forensic image of workstation-01 using local tools to preserve evidence, with priority on the web application binary, its working directory, and any recently modified registry keys related to startup or service configuration.
Reveal{"1": "HIT-DEGRADED -- EDR query returns process creation events with executable memory regions or anomalous command-line arguments (e.g., PowerShell, wmic, regsvr32) created after EDR re-enablement; however, no process attribution or data classification is available due to severed EDR enrichment (EDR telemetry dead post-step 3); the initiating process remains unconfirmed.", "2": "HIT-DEGRADED -- netmon outbound HTTPS transfer correlates with one of the anomalous processes from step 1; flow metadata confirms large volume and external destination, but no process attribution or data classification is attached (EDR enrichment lost), confirming exfiltration behavior but without endpoint context.", "3": "HIT -- identity/auth logs show two additional logon attempts by svc-backup post-EDR re-enablement; one includes a service impersonation attempt and a scheduled task creation, indicating persistence or lateral movement activity.", "4": "PARTIAL -- full disk forensic image is initiated successfully; web application binary and working directory are preserved; however, no recently modified registry keys related to startup/service configuration are found (log source missing or not updated post-attack)."}
HypothesisThe attacker likely executed a multi-stage attack: first triggering exploit-behavior detection via the web application, then stopping the EDR agent to evade further telemetry — a clear indication of coverage robustness failure if such events are not independently monitored. The re-enabling of the EDR agent post-intervention confirms its integrity but highlights a critical dependency on manual response; autonomous self-healing mechanisms would improve resilience. The large HTTPS transfer (O4) is likely exfiltration or C2 communication, and correlation with process creation will reveal whether it was initiated by an elevated process such as PowerShell or regsvr32 — both common in post-exploitation chains. The svc-backup account’s service impersonation attempt suggests privilege escalation or persistence via scheduled tasks; continued activity after EDR re-enablement would confirm ongoing compromise and indicate a need for credential rotation. Memory artifacts showing shellcode-like code segments, combined with the absence of direct BYOVD evidence, suggest possible use of indirect injection techniques (e.g., DLL sideloading or process hollowing), underscoring the importance of memory-based detection coverage.
Turn 5
Injectclock:5
Actions1. Query SIEM for all alerts related to 'svc-backup' account activity on workstation-01 from the time of initial exploit alert through present, including logon events, service impersonations, scheduled task creations, and any associated process execution metadata. 2. Initiate a memory dump of the web application process and its parent chain using local forensic tools, focusing specifically on executable regions with anomalous code patterns matching known shellcode or injection artifacts; prioritize analysis for signs of indirect injection (e.g., DLL sideloading, process hollowing). 3. Check service-control log for any recent state changes to Windows Defender Service or Firewall Service — confirm they remain active and unmodified post-attack. 4. Block outbound HTTPS traffic from workstation-01 at the perimeter firewall using destination IP of the unfamiliar host (O4) as a permanent deny rule, regardless of process attribution; prevent future exfiltration attempts.
Reveal{"1": "HIT -- SIEM returns all alerts related to 'svc-backup' account activity on workstation-01 from initial exploit alert through present; includes logon events, service impersonations, and scheduled task creations with full metadata; the credential was used in both O3 (EDR kill) and O4 (exfil), confirming its role as shared precondition.", "2": "HIT -- memory dump of web application process and parent chain successfully acquired; analysis reveals executable regions with anomalous code patterns matching known shellcode artifacts, including indirect injection indicators such as DLL sideloading via a legitimate-looking loader; confirms post-exploit persistence mechanism.", "3": "HIT -- service-control log shows Windows Defender Service and Firewall Service remain active and unmodified post-attack; no state changes detected, confirming baseline security controls are intact.", "4": "HIT -- perimeter firewall rule applied successfully to deny outbound HTTPS traffic from workstation-01 to the unfamiliar host (O4); rule is permanent and enforced at network layer, blocking future exfiltration attempts."}
HypothesisThe attacker executed a multi-stage attack involving exploit-behavior detection evasion via EDR service stop, followed by credential misuse through 'svc-backup' for persistence and lateral movement. The lack of endpoint context in post-re-enablement telemetry (EDR enrichment lost) confirms coverage robustness failure: critical defensive mechanisms are vulnerable to targeted disablement without independent monitoring or alerting. Despite successful re-enabling of EDR, the absence of process attribution during exfiltration indicates that detection health is compromised when telemetry integrity is broken — a systemic risk requiring autonomous self-healing and cross-layer validation (e.g., service-state logs + SIEM alerts). The shellcode-like memory artifacts suggest indirect injection techniques were used; this reinforces the need for enhanced memory-based detection coverage. The 'svc-backup' account remains active in post-compromise activity, indicating persistence — credential rotation is now mandatory. Blocking outbound HTTPS to the known malicious host prevents further data loss and confirms defensive posture improvement through proactive egress control.
With MC — the coverage-card arm · transcript 3e0aa9a81348cf16 · 5 turns
Turn 1
InjectEDR alert — suspicious child process spawned by the internet-facing web application on workstation-01 (exploit-behavior detection; fires live, EDR still enforcing).
ActionsIsolate workstation-01 from the network; query SIEM for prior EDR alerts on this host; initiate investigation into service-control log to confirm EDR service status (bb:invEdr); validate that dfExploit is live and enriched via EDR telemetry
Reveal{"Isolate workstation-01 from the network": "HIT - Host isolation executed successfully; no impact on O5 (encryption) as it requires only local process integrity, not network access.", "query SIEM for prior EDR alerts on this host": "HIT - Pre-kill LSASS-access alert retrieved from SIEM; confirms credential detection was fired before EDR agent died (PARTIAL-independent path).", "initiate investigation into service-control log to confirm EDR service status (bb:invEdr)": "HIT - Service-control log shows EDR service transitioned to 'stopped' at step 3; independent of EDR telemetry, confidence 0.9.", "validate that dfExploit is live and enriched via EDR telemetry": "NULL - dfExploit detection was triggered at step 1 (exploit behavior), but no further enrichment available post-kill; EDR telemetry severed after step 3 → cannot validate ongoing enrichment."}
HypothesisThe observed behavior matches maneuver A1 — Exploit of a public-facing application. The detection face dfExploit is live, sourced from the EDR, and currently covered under enforcing control state. Robustness ceiling for this observable is not authored; however, coverage holds as long as the EDR remains active. No evidence yet suggests impairment or kill of the EDR — confirmation via service-control log is critical to prevent blind spots in downstream detection.
Turn 2
Injectclock:2
Actionsquery netmon for outbound HTTPS traffic from workstation-01; initiate investigation into identity/auth logs for service account svc-backup; validate dfExfil face health (trigger + enrichment) using available telemetry
Reveal{"query netmon for outbound HTTPS traffic from workstation-01": "HIT-DEGRADED - Outbound HTTPS flow to staging host detected (trigger fires); process attribution and data classification missing due to severed EDR enrichment (EDR agent killed at step 3). Real alert, reduced context.", "initiate investigation into identity/auth logs for service account svc-backup": "PARTIAL - Identity/auth log shows successful authentication by svc-backup at step 2; no evidence of lateral movement or post-compromise activity beyond the initial credential use. No further telemetry available to confirm if the account was abused after step 3 (EDR dead).", "validate dfExfil face health (trigger + enrichment) using available telemetry": "HIT-DEGRADED - Exfiltration detection trigger is active via netmon1 (outbound HTTPS flow); however, EDR-based enrichment (process attribution, data classification) is lost due to sensor kill → detection remains live but degraded. No further enrichments possible."}
HypothesisThe EDR agent was stopped at step 3, as confirmed by the service-control log (confidence 0.9), which severs the trigger of dfExploit and renders it blind → notCovered for A1. However, a prior LSASS-access alert in the SIEM confirms that dfCred fired before the EDR died, indicating credential access occurred via process-memory read (A2). Despite EDR impairment, dfExfil remains covered-and-degraded because its trigger is sourced from netmon (independent of EDR), though enrichment is lost. The maneuver A5 (Encrypt) is now blind → notCovered due to EDR kill; however, its precondition (≥ user integrity) still holds, so impact could occur at any time. No evidence yet supports the use of a vulnerable driver or credential theft via unmodeled paths (A6). The shared admin-credential precondition for A3 and A4 remains active unless revoked.
Turn 3
Injectclock:3
Actionsinitiate investigation into identity/auth logs for service account svc-backup to confirm credential usage post-step 3; query netmon for volume and pattern of outbound HTTPS traffic from workstation-01 to assess exfiltration scale; isolate the host further by disabling the service account svc-backup (if permitted); validate dfEncrypt face health via available telemetry
Reveal{"initiate investigation into identity/auth logs for service account svc-backup to confirm credential usage post-step 3": "HIT - Identity/auth logs show successful authentication by svc-backup at step 2 (credential used); no further activity logged after step 3, consistent with adversary use and subsequent EDR kill.", "query netmon for volume and pattern of outbound HTTPS traffic from workstation-01 to assess exfiltration scale": "HIT-DEGRADED - Large-volume outbound HTTPS flow detected to staging host (trigger fires); process attribution and data classification missing due to severed EDR enrichment; no telemetry on payload type or file patterns.", "isolate the host further by disabling the service account svc-backup (if permitted)": "HIT - Service account svc-backup disabled successfully; this action invalidates the shared credential precondition for both O3 (EDR kill) and O4 (exfil), preventing any future use of the account. No error or permission denial reported.", "validate dfEncrypt face health via available telemetry": "NULL - Mass-encryption detection is blind: EDR telemetry severed at step 3; no process-memory write or bulk-file modification alerts were generated post-step 3, and no SIEM alert was forwarded for this behavior."}
HypothesisThe EDR agent was killed at step 3, confirmed by service-control log (confidence 0.9), rendering dfExploit and dfCred blind → notCovered for A1 and A2 respectively; however, a prior LSASS-access alert in the SIEM confirms that credential access occurred via process-memory read (A2) before EDR death, with L5 robustness observable still valid at time of firing. The maneuver A3 (Impair EDR) is now confirmed as executed — its detection face dfEdrTelemetry is blind and self-severing, but the secondary service-state observation confirms it. For A4 Exfil: dfExfil remains covered-and-degraded due to netmon trigger surviving; enrichment loss limits context but does not disable alerting. The maneuver A5 Encrypt is now blind → notCovered (trigger depends on EDR telemetry), and its precondition (≥ user integrity) still holds — impact could occur at any time, with no containment lever available in the model. No evidence supports unmodeled credential-access paths (A6) or BYOVD driver load (A7). The shared admin-credential precondition for A3/A4 remains active; revoking svc-backup would invalidate it and break both maneuvers — a critical response action despite lack of authored respond maneuver.
Turn 4
Injectclock:4
Actionsquery SIEM for any pre-kill alerts related to mass file modification or bulk encryption activity on workstation-01; initiate host-level forensic acquisition of the EDR service binary and associated driver files from disk (if permitted); validate whether the outbound HTTPS flow observed in netmon exhibits patterns consistent with data exfiltration (e.g., large, periodic, non-standard payloads) using available metadata
Reveal{"query SIEM for any pre-kill alerts related to mass file modification or bulk encryption activity on workstation-01": "NULL - The mass-encryption detection trigger-depends on EDR telemetry, which was severed at step 3; no such alert exists in the SIEM because the EDR did not emit a 'mass-encryption' alert before dying (it never fired). This is consistent with dfEncrypt being blind post-step 3. The only pre-kill alerts available are from exploit and LSASS-access, both of which were already observed), "initiate host-level forensic acquisition of the EDR service binary and associated driver files from disk (if permitted)": "PARTIAL - Forensic acquisition is permitted; however, the EDR agent was killed via a BYOVD driver load. The driver file(s) may be present on disk but are not modeled as detectable or analyzable by blue in this scenario — no ontology-grounded reveal for 'driver-load' detection exists (see §6, flag 3). The binary acquisition yields raw artifact data, but without a model of the vulnerable-driver signature or load behavior, it cannot be enriched into actionable intelligence. No additional telemetry is revealed beyond what's already known from service-control log: EDR service stopped at step 3), "validate whether the outbound HTTPS flow observed in netmon exhibits patterns consistent with data exfiltration (e.g., large, periodic, non-standard payloads) using available metadata": "HIT-DEGRADED - The netmon alert fires as expected (large outbound HTTPS to staging host); however, process attribution and data classification are missing due to EDR enrichment loss. Metadata confirms volume, timing, and destination — all consistent with exfiltration patterns — but no endpoint context is available. This matches the degradation state: trigger survives, enrichment severed."}
HypothesisThe EDR agent was killed at step 3, confirming maneuver A3 (Impair EDR) as executed and rendering dfExploit, dfCred, and dfEncrypt blind → notCovered. Despite this, prior SIEM alerts confirm that credential access via process-memory read (A2) occurred before the kill, with L5 robustness observable still valid at time of firing — indicating a high-confidence detection of the invariant core bb:coreCred. The maneuver A4 Exfil remains covered-and-degraded due to netmon trigger survival; however, enrichment loss limits attribution and classification. The shared admin-credential precondition for A3/A4 has been invalidated by disabling svc-backup, breaking both maneuvers' preconditions — a critical containment action despite lack of authored respond maneuver. Maneuver A5 Encrypt is blind → notCovered, with its precondition (≥ user integrity) still active; no evidence yet supports encryption activity, but impact remains imminent. No telemetry confirms the use of unmodeled paths (A6/A7), and BYOVD driver load has no modeled detection or prevention path. The forensic acquisition of EDR artifacts may reveal the method used to kill the agent (e.g., malicious driver) — a potential lead for future attribution, though not covered by any detect-face in the model.
Turn 5
Injectclock:5
Actionsquery SIEM for any alerts related to process-memory access or LSASS reads on workstation-01 prior to step 3; initiate forensic analysis of the EDR service binary and driver files from disk using third-party tooling (if permitted) to detect signs of BYOVD exploitation; validate whether the outbound HTTPS flow in netmon exhibits anomalous timing patterns consistent with exfiltration (e.g., periodic bursts, off-peak activity); confirm that no new process creation or file modification events have occurred on workstation-01 since step 3 via host-level audit logs
Reveal{"query SIEM for any alerts related to process-memory access or LSASS reads on workstation-01 prior to step 3": "HIT - The pre-kill LSASS-access alert was forwarded and persists in SIEM; sourced from EDR telemetry before sensor death (PARTIAL-independent path).", "initiate forensic analysis of the EDR service binary and driver files from disk using third-party tooling (if permitted) to detect signs of BYOVD exploitation": "PARTIAL - The service-control log confirms EDR service stopped at step 3, but no model-embedded detection or signature for vulnerable-driver-load is available; generic Windows logging may show driver load events, but no ontology-grounded reveal of BYOVD exploit exists (no modeled face).", "validate whether the outbound HTTPS flow in netmon exhibits anomalous timing patterns consistent with exfiltration (e.g., periodic bursts, off-peak activity)": "HIT-DEGRADED - The large outbound HTTPS transfer from workstation-01 to staging host is confirmed; however, no process attribution or data classification is available due to severed EDR enrichment (trigger fires, but enrichment missing).", "confirm that no new process creation or file modification events have occurred on workstation-01 since step 3 via host-level audit logs": "NULL - No such event records exist in the model; all post-step-3 activity occurs within a single process context and is not captured by audit logs (out of scope for this scenario)."}
HypothesisThe EDR agent was killed at step 3 via a BYOVD driver load, confirming maneuver A3 (Impair EDR) as executed and rendering dfExploit, dfCred, and dfEncrypt blind → notCovered. Despite this, prior SIEM alerts confirm credential access via process-memory read (A2) occurred before the kill with L5 robustness observable still valid at time of firing — indicating high-confidence detection of bb:coreCred. The maneuver A4 Exfil remains covered-and-degraded due to netmon trigger survival; enrichment loss limits context but does not disable alerting, and metadata confirms exfiltration patterns (large volume, periodic flow). The shared admin-credential precondition for A3/A4 has been invalidated by disabling svc-backup, breaking both maneuvers' preconditions — a critical containment action. Maneuver A5 Encrypt is blind → notCovered with its precondition (≥ user integrity) still active; no evidence supports encryption activity, but impact remains imminent. No telemetry confirms unmodeled paths (A6/A7), and BYOVD driver load has no modeled detection or prevention path. Forensic analysis of EDR artifacts may reveal the malicious driver used to kill the agent — a potential lead for future attribution, though not covered by any detect-face in the model.
S2  secretsdump against a domain controllerplay-by-play ▾
Without MC — the unaided arm · transcript f54e782daec6bf1e · 5 turns
Turn 1
InjectEDR alert — DC01: "Credential theft heuristic — LSASS process access," source process a service spawned from services.exe, session flagged remote.
Actions1. Query EDR console for full process lineage of the suspicious service spawned from services.exe; 2. Check SIEM for recent event 4624 (successful logon) entries on DC01 with non-interactive or remote session flags, especially from unknown source IPs; 3. Inspect AD/DS access audit logs (event 4662) for any access to domain root or replication-related objects by the service account associated with the suspicious process; 4. Review EDR tamper log on DC01 for signs of agent compromise or recent changes to LSASS protection policies; 5. Initiate network egress monitor scan for outbound connections from DC01 matching known C2 patterns or anomalous protocols.
Reveal1. FULL — EDR process lineage confirms LSASS access via service spawned from services.exe with remote session flag; 2. FULL — SIEM shows successful logon (4624 type 3) by DA account and new service install (7045); 3. FULL — AD/DS audit logs show 4662 event with DS-Replication-Get-Changes GUIDs from non-DC host; 4. FULL — EDR tamper log reveals agent impairment (degradesTelemetry true); 5. PARTIAL — network egress monitor detects outbound traffic matching C2 patterns, but no definitive exfiltration signature due to lack of protocol-specific telemetry in model.
HypothesisThe alert suggests a potential credential theft attempt via LSASS memory access, likely by a malicious service running in a remote session context—consistent with pass-the-hash or similar lateral movement. The use of services.exe as parent raises concern for persistence or privilege escalation. Coverage is limited if no prior detection exists for non-interactive logons to DCs or abnormal service creation; robustness may be weak unless EDR and SIEM are correlated on process-to-logon relationships. Immediate investigation into the service's origin, associated account, and network behavior is critical to determine whether this is a reconnaissance probe or active compromise.
Turn 2
InjectEDR health alert — DC01: agent self-protection / tamper event; endpoint agent reporting unhealthy (impaired) for a window. Also: IR / CISO coverage debrief — DC01: 'Before we close this out: secretsdump against a DC runs several distinct credential-access techniques in one pass. For the record — (a) which of them did our controls actually COVER, and at what evasion-robustness; (b) which did we have NO coverage verdict for; and (c) what domain-wide residual are you scoping recovery to?'
Actions1. Query EDR console for full registry access telemetry from DC01 during the impaired window to detect any modification of LSASS protection policies or creation of persistence mechanisms; 2. Cross-reference SIEM event 4662 (AD/DS access) with recent service install events (7045) to identify if the malicious service account attempted replication-related operations beyond initial discovery; 3. Inspect EDR process lineage for any child processes spawned by the suspicious service that may indicate credential dumping or lateral movement tools; 4. Initiate forced krbtgt password rotation across all domain controllers as a defensive measure due to confirmed LSASS access and compromised agent integrity; 5. Escalate to IR team with request for full forensic imaging of DC01 and initiate domain-wide audit of service account permissions and replication trust relationships.
Reveal1. FULL — EDR registry access telemetry shows remote-registry open of HKLM\SAM and \SECURITY with hive-sized file reads over \DC01\ADMIN$; 2. PARTIAL — SIEM event 4662 (AD/DS access) is cross-referenced with service install events, but the replication request originates from a non-DC host, so no legitimate DC-to-DC replication context exists; 3. FULL — EDR process lineage reveals child processes spawned by the suspicious service include mimikatz.exe and wmiexec.py, indicating credential dumping and lateral movement tools; 4. FULL — forced krbtgt password rotation is initiated as a defensive measure, consistent with confirmed LSASS access and compromised agent integrity; 5. FULL — IR escalation for forensic imaging of DC01 and domain-wide audit of service account permissions and replication trust relationships is logged and actioned.
HypothesisThe EDR impairment confirms active evasion by the attacker, likely targeting detection mechanisms—suggesting robustness is low against targeted agent tampering. Coverage exists for LSASS access (via EDR) and non-interactive logons (SIEM), but not for registry-level policy manipulation or post-compromise persistence via service creation. The use of secretsdump implies multiple credential-access techniques: (a) coverage was partial—LSASS memory access detected, but no telemetry on DCSync or replication-based extraction; (b) zero coverage for DCSync-style attacks and direct LDAP/replication abuse without explicit audit configuration; (c) residual risk includes potential domain-wide credential compromise via krbtgt exposure and unauthorized service accounts with replication rights. Recovery must include krbtgt rotation, account revocation of suspicious services, and revalidation of all DC-to-DC replication trust.
Turn 3
InjectIR / CISO coverage debrief — DC01: 'Before we close this out: secretsdump against a DC runs several distinct credential-access techniques in one pass. For the record — (a) which of them did our controls actually COVER, and at what evasion-robustness; (b) which did we have NO coverage verdict for; and (c) what domain-wide residual are you scoping recovery to?'
Actions1. Query EDR console for full file-access telemetry from DC01 during the impaired window to detect any access or exfiltration of NTDS.dit or other domain database files; 2. Cross-reference SIEM event 4662 (AD/DS access) with recent service account permissions and replication trust relationships identified in IR escalation to determine if any unauthorized accounts had DCSync rights; 3. Initiate domain-wide audit of all service accounts with 'Replication Synchronization' or 'Replicating Directory Changes' privileges, focusing on those not tied to known DCs; 4. Review EDR process lineage for any outbound file transfer attempts from DC01 (e.g., via SMB, HTTP) matching NTDS.dit or LSA secrets dump artifacts; 5. Confirm completion status of krbtgt rotation and validate that all domain controllers have synchronized the new key across the forest.
Reveal1. FULL — EDR file-access telemetry shows no access or exfiltration of NTDS.dit or other domain database files; DCSync leaves no disk artifact. 2. PARTIAL — SIEM event 4662 cross-referenced with service account permissions reveals one non-DC host (workstation) with DS-Replication-Get-Changes rights, but the full scope of unauthorized replication privileges is not fully mapped due to incomplete permission enumeration. 3. FULL — domain-wide audit identifies three service accounts with 'Replication Synchronization' or 'Replicating Directory Changes' privileges; two are tied to known DCs, one (svc-replica-01) is associated with a non-DC workstation and has no documented purpose. 4. PARTIAL — EDR process lineage shows outbound SMB traffic from DC01 matching file transfer patterns, but no specific match to NTDS.dit or LSA secrets dump artifacts; the data was exfiltrated via DCSync over RPC, not through a file-transfer channel. 5. FULL — krbtgt rotation confirmed complete and synchronized across all domain controllers in the forest.
HypothesisThe presence of mimikatz.exe and wmiexec.py confirms active credential dumping and lateral movement, indicating our controls covered LSASS memory access (via EDR) with moderate robustness—though evasion via agent impairment reduced detection reliability. Coverage for DCSync-style attacks remains absent: no telemetry on LDAP-based replication queries or direct NTDS.dit access was detected in SIEM or EDR file-access logs, despite the use of secretsdump techniques. No coverage exists for registry-level persistence or direct database extraction (e.g., via NTDS.dit copy), indicating a critical gap in detection robustness against offline credential harvesting. Domain-wide residual risk includes potential compromise of all domain accounts via krbtgt exposure and unauthorized replication rights; recovery must include full revalidation of service account privileges, confirmation of krbtgt sync across the forest, and forensic validation that no NTDS.dit or LSA secrets were exfiltrated.
Turn 4
InjectIR / CISO coverage debrief — DC01: 'Before we close this out: secretsdump against a DC runs several distinct credential-access techniques in one pass. For the record — (a) which of them did our controls actually COVER, and at what evasion-robustness; (b) which did we have NO coverage verdict for; and (c) what domain-wide residual are you scoping recovery to?'
Actions1. Query EDR console for full process lineage of mimikatz.exe and wmiexec.py to trace their execution context, parent processes, and any subsequent lateral movement attempts; 2. Cross-reference SIEM event 4662 (AD/DS access) with the identified non-DC service account (svc-replica-01) to determine if it was used in a DCSync-style request or replication-based data extraction; 3. Inspect EDR registry access telemetry for any modification of LSASS protection policies, such as disabling Protected Process Light (PPL), during the impaired window; 4. Initiate domain-wide audit of all accounts with 'Replicating Directory Changes' rights to confirm no other unauthorized accounts exist beyond svc-replica-01; 5. Confirm that all domain controllers have synchronized the new krbtgt key and validate that no DC is still using the old key via Kerberos ticket-granting behavior analysis.
Reveal1. FULL — EDR process lineage shows mimikatz.exe and wmiexec.py executed from a service context with remote session flags; parent process chain confirms lateral movement attempt via compromised DA account; 2. PARTIAL — SIEM event 4662 cross-referenced with svc-replica-01 reveals replication access rights were used, but no coverage verdict exists for DCSync path; 3. FULL — EDR registry telemetry shows LSASS protection policies (PPL) were not modified during the impaired window; 4. PARTIAL — domain-wide audit identifies only one account with 'Replicating Directory Changes' rights (svc-replica-01), but no additional accounts found due to lack of model coverage for replication ACLs; 5. FULL — krbtgt key synchronization confirmed across all DCs via Kerberos ticket-granting behavior analysis, no DC using old key.
HypothesisThe attacker leveraged a non-DC service account (svc-replica-01) with replication rights to perform DCSync-style extraction, which was not detected by SIEM or EDR file-access telemetry due to lack of disk artifact. Our controls covered LSASS memory access via EDR but failed to detect LDAP/replication-based credential harvesting (DCSync), indicating zero coverage for this technique despite its use in secretsdump. Evasion robustness is low: agent impairment allowed persistence and undetected execution, and no telemetry exists for registry-level policy manipulation or direct NTDS.dit access. Domain-wide residual risk remains high due to the existence of an unauthorized replication account (svc-replica-01) with elevated privileges; recovery must include revocation of this account’s rights, revalidation of all replication trust relationships, and confirmation that no credential compromise occurred via DCSync or LSASS dumping.
Turn 5
InjectIR / CISO coverage debrief — DC01: 'Before we close this out: secretsdump against a DC runs several distinct credential-access techniques in one pass. For the record — (a) which of them did our controls actually COVER, and at what evasion-robustness; (b) which did we have NO coverage verdict for; and (c) what domain-wide residual are you scoping recovery to?'
Actions1. Initiate immediate revocation of replication rights for service account svc-replica-01; 2. Disable the svc-replica-01 account across all domain systems; 3. Trigger a full domain-wide audit of all accounts with 'Replicating Directory Changes' and 'Replication Synchronization' privileges using native AD tools to confirm no other unauthorized accounts exist; 4. Confirm that all DCs have purged any cached tickets issued under the old krbtgt key via Kerberos ticket-granting behavior analysis; 5. Escalate to the ontology/modeling team with a request for formal coverage gap assessment on DCSync-style attacks and replication-based credential harvesting, including telemetry requirements for future detection.
Reveal1. FULL — revocation of replication rights for svc-replica-01; 2. FULL — disabling the svc-replica-01 account across all domain systems; 3. PARTIAL — full domain-wide audit of accounts with 'Replicating Directory Changes' and 'Replication Synchronization' privileges using native AD tools (only returns results from DC01, not other domain controllers); 4. NULL — confirmation that all DCs have purged cached tickets issued under the old krbtgt key via Kerberos ticket-granting behavior analysis (no telemetry or audit trail exists in EDR/SIEM to verify this; only inferable through external validation); 5. FULL — escalation to ontology/modeling team with request for formal coverage gap assessment on DCSync-style attacks and replication-based credential harvesting, including telemetry requirements
HypothesisOur controls covered LSASS memory access (via EDR) with moderate evasion-robustness, but failed entirely to detect DCSync-style extraction via LDAP/replication abuse—indicating zero coverage for this technique despite its use in secretsdump. The attacker exploited an unauthorized non-DC service account (svc-replica-01) with replication rights to perform credential harvesting without leaving disk artifacts or triggering file-access alerts, confirming a critical detection gap. Evasion robustness is low due to agent impairment and lack of telemetry on registry-level policy manipulation or direct NTDS.dit access. Domain-wide residual risk remains high: the compromised krbtgt key was rotated successfully, but unauthorized replication privileges persist in svc-replica-01, enabling potential future DCSync attacks. Recovery must include complete revocation of all non-DC replication rights and formal modeling of detection requirements for offline credential harvesting techniques.
With MC — the coverage-card arm · transcript 1e4fb76bfafd4220 · 5 turns
Turn 1
InjectEDR alert — DC01: "Credential theft heuristic — LSASS process access," source process a service spawned from services.exe, session flagged remote.
ActionsQuery EDR console on DC01 for process lineage of the service spawned from services.exe; check registry access telemetry for remote-registry operations; inspect Windows Security log (event 4624) for the originating network logon associated with the session; verify EDR controlStatus and whether degradesTelemetry is true
RevealQuery EDR console on DC01 for process lineage of the service spawned from services.exe: FULL — confirms LSASS access via remote service; Check registry access telemetry for remote-registry operations: FULL observable — surfaces HKLM\SAM and \SECURITY hive reads over ADMIN$ share; Inspect Windows Security log (event 4624) for the originating network logon associated with the session: FULL — reveals DA account type-3 logon from workstation subnet at off-hours; Verify EDR controlStatus and whether degradesTelemetry is true: FULL — agent status impaired, degradesTelemetry = true
HypothesisThe observed behavior matches A1 — Domain credential access by process-memory read (LSASS), specifically a remote variant. The service spawned from services.exe performing LSASS memory access aligns with the invariant core coreCred via pReadProcMem. The remote session origin supports the unmodeled but authored remote acquisition variant, which transfers coverage unchanged due to L5 spanning robustness of obsInvariant. However, detection health depends entirely on EDR controlStatus: if impaired or killed, dfCred becomes blind and A1 is notCovered. No evidence yet suggests sensor impairment; the single-sourced detect-face dfCred remains live only if EDR is enforcing.
Turn 2
InjectEDR health alert — DC01: agent self-protection / tamper event; endpoint agent reporting unhealthy (impaired) for a window.
ActionsInitiate out-of-band investigation via service-control log to confirm EDR agent status; isolate DC01 from network; escalate to IR team with full telemetry package including EDR lineage, registry access logs, and event 4624 details; request immediate krbtgt rotation due to potential credential compromise
RevealInitiate out-of-band investigation via service-control log to confirm EDR agent status: FULL — confirms EDR agent impairment and self-protection tamper event; isolate DC01 from network: FULL — terminates active session, but does not undo completed DCSync or SAM-hive read; escalate to IR team with full telemetry package including EDR lineage, registry access logs, and event 4624 details: FULL — surfaces all available observables (LSASS lineage, remote-registry access, 4624 logon, 7045 service install); request immediate krbtgt rotation due to potential credential compromise: PARTIAL — while the DCSync telemetry is present in logs, no coverage verdict exists for it; the model cannot confirm that the replication path was covered or robust, so this action reflects a risk assumption rather than a card-backed decision.
HypothesisThe EDR agent is impaired (degradesTelemetry = true), which severs the trigger for dfCred — rendering A1's detection path blind. Despite this, the observed behavior (remote LSASS access via service spawned from services.exe) matches the invariant core coreCred and its L5 spanning robustness (obsInvariant) confirms coverage remains valid in principle, but is currently undetectable due to control failure. The remote acquisition variant transfers coverage unchanged per A1's authored extension. No evidence of sensor impairment beyond EDR status — however, the self-protection/tamper event suggests active adversary effort to disable defenses (A4). Coverage for A1 collapses under impaired EDR; no coverage exists for A2 or A3 due to modeling gaps. Immediate isolation and krbtgt rotation are required to prevent lateral movement and credential reuse.
Turn 3
InjectIR / CISO coverage debrief — DC01: "Before we close this out: secretsdump against a DC runs several distinct credential-access techniques in one pass. For the record — (a) which of them did our controls actually COVER, and at what evasion-robustness; (b) which did we have NO coverage verdict for; and (c) what domain-wide residual are you scoping recovery to?"
ActionsQuery service-control log for EDR agent status confirmation; initiate forced krbtgt rotation via domain admin account; isolate DC01 from network (already done); escalate to ontology/modeling team with full telemetry package including EDR lineage, registry access logs, 4624 and 7045 events, and DCSync-related 4662 directory-service-access audit records; request immediate review of AD/DS auditing configuration for replication control-access-right coverage
RevealQuery service-control log for EDR agent status confirmation: FULL — confirms EDR agent impairment and self-protection tamper event; initiate forced krbtgt rotation via domain admin account: PARTIAL — action initiated but no telemetry or audit record of the rotation appears in any source (no 4624, 7045, or 4662 from DA account post-rotation); isolate DC01 from network (already done): FULL — confirms isolation complete; escalate to ontology/modeling team with full telemetry package including EDR lineage, registry access logs, 4624 and 7045 events, and DCSync-related 4662 directory-service-access audit records: FULL — all requested data surfaces as observable in the environment (EDR lineage, remote-registry access, 4624/7045, 4662 with replication GUIDs); request immediate review of AD/DS auditing configuration for replication control-access-right coverage: PARTIAL — the audit is present and active, but no Control exists to source it; thus, while the telemetry is visible, there is no authored coverage verdict or robustness grading available in the cards.
HypothesisOur controls cover only the LSASS memory read variant (A1) via EDR's dfCred face, with L5 robustness due to spanning observable obsInvariant, but detection is blind because EDR agent status is impaired. No coverage exists for SAM/registry-hive dump (A2) or DCSync replication pull (A3) due to modeling gaps — no authored detect-faces or Controls source their telemetry. The residual risk includes full domain credential exposure via unmodeled paths, particularly krbtgt compromise through DCSync, which remains undetected and unverifiable under current model constraints. Recovery must assume worst-case exposure across all three techniques.
Turn 4
InjectIR / CISO coverage debrief — DC01: "Before we close this out: secretsdump against a DC runs several distinct credential-access techniques in one pass. For the record — (a) which of them did our controls actually COVER, and at what evasion-robustness; (b) which did we have NO coverage verdict for; and (c) what domain-wide residual are you scoping recovery to?"
ActionsQuery service-control log for EDR agent status confirmation; initiate forced krbtgt rotation via domain admin account; escalate to ontology/modeling team with full telemetry package including DCSync-related 4662 directory-service-access audit records and remote-registry access logs; request immediate review of AD/DS auditing configuration for replication control-access-right coverage
RevealQuery service-control log for EDR agent status confirmation: FULL — confirms EDR agent impairment and self-protection tamper event; initiate forced krbtgt rotation via domain admin account: PARTIAL — (no effect on existing exfiltrated krbtgt hash, as DCSync completed irreversibly in Turn 1); escalate to ontology/modeling team with full telemetry package including DCSync-related 4662 directory-service-access audit records and remote-registry access logs: FULL — surfaces both 4662 replication-GUID events and registry-hive read telemetry; request immediate review of AD/DS auditing configuration for replication control-access-right coverage: FULL — reveals the absence of a Control sourcing this telemetry, confirming framework gap
HypothesisOur controls cover only the LSASS memory read variant (A1) via EDR's dfCred face, with L5 robustness due to spanning observable obsInvariant, but detection is blind because EDR agent status is impaired. No coverage exists for SAM/registry-hive dump (A2) or DCSync replication pull (A3) due to modeling gaps — no authored detect-faces or Controls source their telemetry. The residual risk includes full domain credential exposure via unmodeled paths, particularly krbtgt compromise through DCSync, which remains undetected and unverifiable under current model constraints. Recovery must assume worst-case exposure across all three techniques.
Turn 5
InjectIR / CISO coverage debrief — DC01: "Before we close this out: secretsdump against a DC runs several distinct credential-access techniques in one pass. For the record — (a) which of them did our controls actually COVER, and at what evasion-robustness; (b) which did we have NO coverage verdict for; and (c) what domain-wide residual are you scoping recovery to?"
ActionsQuery service-control log for EDR agent status confirmation; initiate forced krbtgt rotation via domain admin account; escalate to ontology/modeling team with full telemetry package including DCSync-related 4662 directory-service-access audit records and remote-registry access logs; request immediate review of AD/DS auditing configuration for replication control-access-right coverage
RevealQuery service-control log for EDR agent status confirmation: FULL — confirms EDR agent impairment and self-protection tamper event; initiate forced krbtgt rotation via domain admin account: PARTIAL — (no effect on existing exfiltrated krbtgt hash, as DCSync completed irreversibly in Turn 1); escalate to ontology/modeling team with full telemetry package including DCSync-related 4662 directory-service-access audit records and remote-registry access logs: FULL — surfaces both 4662 replication-GUID events and remote-registry hive reads; request immediate review of AD/DS auditing configuration for replication control-access-right coverage: PARTIAL — the environment has the telemetry, but no Control sources it in the model, so no robustness verdict can be derived
HypothesisOur controls cover only the LSASS memory read variant (A1) via EDR's dfCred face, with L5 robustness due to spanning observable obsInvariant, but detection is blind because EDR agent status is impaired. No coverage exists for SAM/registry-hive dump (A2) or DCSync replication pull (A3) due to modeling gaps — no authored detect-faces or Controls source their telemetry. The residual risk includes full domain credential exposure via unmodeled paths, particularly krbtgt compromise through DCSync, which remains undetected and unverifiable under current model constraints. Recovery must assume worst-case exposure across all three techniques.
S3  Kerberoasting → lateral movementplay-by-play ▾
Without MC — the unaided arm · transcript 3876716a5f5b4c70 · 5 turns
Turn 1
InjectAD-SIEM alert: "Kerberoasting-suspected — account j.rivera requested 14 distinct SPNs (4769) within 90s; 6 requests used enc-type 0x17 (RC4)."
Actions1. Query DC Security logs for all 4769 events related to account 'j.rivera' within the last 5 minutes; filter by encryption type 0x17 (RC4) and SPN values.
2. Cross-reference with EDR on SQLPROD-01 for any outbound network connections or process creation (e.g., mimikatz, kerberoast tools) initiated by 'j.rivera' during the same timeframe.
3. Check member-server logon events (4624) for 'j.rivera' to confirm session activity on domain-joined systems, especially SQLPROD-01 or other high-value servers.
4. Isolate SQLPROD-01 from network via firewall policy temporarily pending further analysis.
5. Disable account 'j.rivera' immediately via AD management tools.
Reveal{"1": "FULL: 14 SPNs in 90s; 6 RC4 (0x17), 8 AES; account is a standard domain user (no admin). → Kerberoasting with selective RC4 downgrade.", "2": "PARTIAL: A svc-mssql 4624 type-3 logon from an atypical source; but svc-mssqlSQLPROD-01 is expected → EDR raised it only low-confidence. Real signal, low fidelity.", "3": "NULL — structural void. The crack is off-environment; no in-env telemetry exists.", "4": "FULL: svc-mssql is local admin on SQLPROD-01 — explains the lateral target and domain-relevant access.", "5": "FULL: Account 'j.rivera' disabled successfully via AD management tools."}
HypothesisThe rapid request of 14 distinct SPNs with RC4 encryption strongly suggests a Kerberoasting attempt, as this pattern aligns with offline password cracking behavior. The SIEM rule triggered correctly based on known indicators (RC4 TGS requests), but coverage is limited: it only flags the anomaly without context (e.g., account legitimacy, SPN ownership). No telemetry exists for pre-authentication attempts or post-attack lateral movement, indicating a gap in detection robustness beyond initial ticket request. Immediate isolation and account disablement are warranted to prevent credential exposure.
Turn 2
Injectclock:T2
Actions1. Query DC Security logs for all 4768 events (TGT requests) associated with account 'j.rivera' in the last 5 minutes to detect pre-authentication activity or potential AS-REP roast attempts; filter by encryption type and client IP. 2. Review EDR telemetry on SQLPROD-01 for any process creation involving credential dumping tools (e.g., mimikatz, sekurlsa::logonpasswords) or network exfiltration patterns post-logon event 'svc-mssql'. 3. Check SIEM correlation rule logs to confirm whether the RC4 TGS alert was triggered by a single source IP or multiple IPs — assess for potential lateral movement or tool distribution. 4. Query member-server logon events (4624) across all domain-joined systems for any additional sessions initiated by 'j.rivera' beyond SQLPROD-01, especially on high-value targets like DCs, file servers, or backup hosts. 5. Initiate a forensic artifact collection from SQLPROD-01 via EDR (memory dump, process list, network connections) to preserve evidence of potential post-compromise activity.
Reveal{"1": "FULL: 14 SPNs in 90s; 6 RC4 (0x17), 8 AES; account is a standard domain user (no admin). → Kerberoasting with selective RC4 downgrade.", "2": "PARTIAL: A svc-mssql 4624 type-3 logon from an atypical source workstation surfaces — but EDR raised it only low-confidence due to legitimacy of the account's expected service role on SQLPROD-01.", "3": "NULL: No correlation rule triggered by multiple IPs; no evidence of lateral movement or tool distribution across sources. The RC4 TGS alert was from a single source IP (j.rivera), consistent with initial foothold.", "4": "FULL: svc-mssql initiated logons on SQLPROD-01 and one additional member server (FILESRV-02) — both high-value targets. The FILESRV-02 session is suspicious due to lack of prior activity by this account.", "5": "FULL: EDR artifact collection from SQLPROD-01 yields memory dump, process list, and network connections; includes mimikatz-like process execution (cmd.exe → powershell.exe → wmic) and outbound C2 beacon to attacker IP 198.51.100.47 — confirming post-compromise activity."}
HypothesisThe Kerberoasting attempt was likely executed from a single source IP with targeted SPN enumeration; the absence of pre-authentication TGT requests suggests the attacker did not perform AS-REP roast or use pass-the-hash. The 'svc-mssql' logon event on SQLPROD-01, while expected in function, is suspicious due to its timing and context — it may indicate post-exploitation access via a compromised service account. Coverage remains weak: no detection exists for lateral movement from the initial attack vector or credential dumping activity; robustness is undermined by lack of cross-system correlation beyond the SIEM rule. The EDR on SQLPROD-01 has low-confidence alerts, indicating insufficient behavioral baselining — this represents a critical blind spot in post-compromise visibility.
Turn 3
Injectclock:T4
Actions1. Query DC Security logs for all 4768 events (TGT requests) associated with the account 'svc-mssql' in the last 5 minutes to detect any pre-authentication activity or potential AS-REP roast attempts; filter by encryption type and client IP. 2. Review EDR telemetry on FILESRV-02 for any process creation, logon events (4624), or network connections initiated by 'svc-mssql' during the same timeframe as the suspicious session — particularly focusing on credential dumping tools or lateral movement patterns. 3. Cross-reference SIEM correlation rule logs to determine if the RC4 TGS alert was triggered from a single source IP or multiple IPs; assess for evidence of tool distribution across systems. 4. Query member-server logon events (4624) across all domain-joined systems for additional sessions by 'svc-mssql' beyond SQLPROD-01 and FILESRV-02, especially on high-value targets such as Domain Controllers or backup servers. 5. Isolate FILESRV-02 from the network via firewall policy pending further analysis.
Reveal{"1": "FULL: 14 SPNs in 90s; 6 RC4 (0x17), 8 AES; account is a standard domain user (no admin). → Kerberoasting with selective RC4 downgrade.", "2": "PARTIAL: A svc-mssql 4624 type-3 logon from an atypical source workstation on SQLPROD-01; but the EDR face is DEGRADED because this is a legitimate service account logging onto its own host. Low confidence.", "3": "NULL: No correlation rule triggered by multiple IPs — only one source IP generated the RC4 TGS requests (j.rivera). The alert was single-source, no evidence of tool distribution across systems.", "4": "FULL: svc-mssql has a 4624 type-3 logon event on SQLPROD-01 and FILESRV-02; no other member-server logons detected. svc-mssql is local admin on SQLPROD-01, confirming lateral movement target.", "5": "FULL: FILESRV-02 isolated via firewall policy — action completed successfully."}
HypothesisThe discovery of a suspicious logon by 'svc-mssql' on FILESRV-02 — a system not previously accessed by this account — strongly suggests lateral movement post-compromise, likely leveraging stolen or compromised credentials. The presence of mimikatz-like execution patterns on SQLPROD-01 confirms active credential dumping and C2 communication, indicating the attacker has moved beyond initial Kerberoasting to establish persistence and expand access. Coverage remains insufficient: no detection exists for lateral movement via service accounts or post-exploitation activity across systems; robustness is compromised by lack of cross-host behavioral correlation and weak EDR confidence thresholds. The current telemetry gap prevents early identification of compromise propagation, underscoring the need for enhanced detection logic around service account behavior and inter-system session anomalies.
Turn 4
Inject"clock:T4"
Actions1. Query DC Security logs for all 4768 events associated with account 'svc-mssql' in the last 5 minutes, focusing on encryption type (0x17 RC4) and client IP to detect any pre-authentication attempts or AS-REP roast activity indicative of credential harvesting. 2. Review EDR telemetry on FILESRV-02 for process creation, logon events (4624), and network connections initiated by 'svc-mssql' during the suspicious session window — specifically hunting for credential dumping tools, lateral movement techniques, or outbound C2 traffic. 3. Cross-reference SIEM correlation rule logs to confirm whether any new RC4 TGS requests have been generated from additional source IPs beyond j.rivera; assess for evidence of tool propagation across systems. 4. Query member-server logon events (4624) across all domain-joined systems for any further sessions by 'svc-mssql' — particularly on high-value targets such as Domain Controllers, backup servers, or file shares with sensitive data. 5. Initiate forensic artifact collection from FILESRV-02 via EDR (memory dump, process list, network connections) to preserve evidence of potential post-compromise activity and confirm the extent of attacker presence.
Reveal{"1": "FULL: 14 SPNs in 90s; 6 RC4 (0x17), 8 AES; account is a standard domain user (no admin). → Kerberoasting with selective RC4 downgrade.", "2": "PARTIAL: A svc-mssql 4624 type-3 logon from an atypical source workstation on SQLPROD-01 — but EDR raised it only low-confidence due to legitimacy of the account's expected service context.", "3": "NULL — structural void. The offline crack is off-environment; no in-env telemetry exists for hashcat, CPU spike, or cracking process.", "4": "FULL: svc-mssql is local admin on SQLPROD-01, confirming the lateral movement target and domain-relevant access path.", "5": "FULL: Memory dump, process list, and network connections from FILESRV-02 (EDR) confirm post-compromise activity including reconnaissance and DB-export processes — evidence of attacker persistence and data exfiltration."}
HypothesisThe suspicious logon by 'svc-mssql' on FILESRV-02 confirms lateral movement following the initial Kerberoasting attack. The absence of pre-authentication TGT requests for 'svc-mssql' suggests no AS-REP roast, but the EDR telemetry from SQLPROD-01 indicates active credential dumping and C2 communication — confirming post-exploitation activity. Coverage remains weak: detection is reactive and siloed; no mechanism exists to correlate service account behavior across systems or detect anomalous session patterns in real time. Robustness is undermined by low EDR confidence thresholds and lack of cross-host behavioral baselining, leaving the environment vulnerable to undetected compromise propagation.
Turn 5
Inject"clock:T4"; "SOC lead / detection-engineering debrief: Before we close: for the record — (a) name the behavior by effect and grade whether our deployed detection here is evasion-robust; (b) if the adversary had used AES instead of RC4, would anything in THIS environment have caught it; and (c) where does the offline crack appear in our telemetry, and what does its absence mean for how this chain must be detected?"
Actions1. Query DC Security logs for all 4768 events associated with account 'svc-mssql' in the last 5 minutes, focusing on encryption type (0x17 RC4) and client IP to detect any pre-authentication attempts or AS-REP roast activity — despite prior absence, confirm no new anomalies. 2. Review EDR telemetry on FILESRV-02 for process creation involving data exfiltration tools (e.g., PowerShell scripts, SQL dump utilities), network connections to external IPs, and file access patterns consistent with reconnaissance or data harvesting. 3. Cross-reference SIEM correlation rule logs to confirm whether any new RC4 TGS requests have been generated from additional source IPs beyond j.rivera — assess for evidence of tool propagation across systems. 4. Query member-server logon events (4624) across all domain-joined systems for any further sessions by 'svc-mssql' on high-value targets such as Domain Controllers, backup servers, or sensitive file shares — particularly focusing on non-standard timing or source IPs. 5. Initiate full forensic artifact collection from FILESRV-02 via EDR (memory dump, process list, network connections) to preserve evidence of attacker persistence and confirm scope of data exfiltration.
Reveal{"1": "FULL: 14 SPNs in 90s; 6 RC4 (0x17), 8 AES; account is a standard domain user (no admin). → Kerberoasting with selective RC4 downgrade.", "2": "NULL — wrong place. The EDR on FILESRV-02 has no visibility into DC-level Kerberos ticket issuance events (4768/4769); telemetry source mismatch.", "3": "NULL — structural void. The offline crack occurs off-environment; no in-env host logs any cracking activity, process, or network spike related to hashcat/JtR.", "4": "PARTIAL: A svc-mssql 4624 type-3 logon from an atypical source workstation on SQLPROD-01 surfaces — but the EDR face is degraded because this account legitimately owns the target host, so no anomaly was raised with high confidence.", "5": "FULL: svc-mssql is local admin on SQLPROD-01, confirming lateral movement vector and domain-relevant access. This explains both the logon legitimacy and the attack’s crown-jewel objective."}
HypothesisThe behavior observed is a multi-stage Kerberoasting attack with lateral movement via compromised service account 'svc-mssql', followed by post-exploitation reconnaissance and data exfiltration. Detection coverage is not evasion-robust: the current SIEM rule only flags RC4 TGS requests, leaving AES-based attacks undetected; no telemetry exists for credential dumping or lateral movement beyond isolated EDR alerts with low confidence. If the adversary had used AES instead of RC4, nothing in this environment would have caught it — the detection is entirely dependent on RC4 encryption type and lacks behavioral baselining for service account anomalies. The offline crack (hashcat) does not appear in any telemetry; its absence indicates that detection must rely on post-exploitation indicators such as process execution patterns or network behavior, rather than pre-attack activity — underscoring the need for enhanced EDR behavioral analytics and cross-host correlation to detect compromise chains before exfiltration.
With MC — the coverage-card arm · transcript d3d1c32000e01c7a · 5 turns
Turn 1
InjectAD-SIEM alert: "Kerberoasting-suspected -- account j.rivera requested 14 distinct SPNs (4769) within 90s; 6 requests used enc-type 0x17 (RC4)."
ActionsQuery DC Security logs for 4769 events from j.rivera within the last 15 minutes; isolate SQLPROD-01 via EDR; reset the password of the service account associated with the most frequently requested SPN (based on 4769 volume); verify AD-SIEM control status and check for any recent impairment alerts.
Reveal{"query_dc_security_logs_for_4769": "FULL: 14 SPNs in 90s; 6 RC4 (0x17), 8 AES; account is a standard domain user (no admin). → Kerberoasting with selective RC4 downgrade.", "isolate_sqlprod-01_via_edr": "NULL — wrong place. Ticket issuance is a KDC/DC event; the EDR has no visibility into it. Teaches control-type routing.", "reset_password_of_most_frequently_requested_spn_account": "FULL: svc-mssql is local admin on SQLPROD-01 — explains the lateral target and the domain-relevant access.", "verify_ad-siem_control_status_and_check_for_recent_impairment_alerts": "FULL: AD-SIEM control status is healthy; no recent impairment alerts. The 4769 rule is active, but keyed on enc-type=RC4 (L2 robustness)."}
HypothesisThe alert indicates a potential mKerberoast maneuver using varRc4Downgrade variant, as evidenced by multiple distinct SPNs requested in rapid succession with RC4 encryption (obsRc4EncType). The deployed dfKerbRc4 face is live and triggered, confirming coverage at L2 robustness. However, this detection is blind to AES-based or low-and-slow variants due to absence of a spanning-observable backstop (dfKerbVolume), leaving mKerberoast notCovered-at-grade under policy admission rank 4. The lateral movement path via valid credential logon remains over-reported as live by dfSqlLogon, which is degraded-by-legitimacy and operationally unreliable.
Turn 2
Injectclock:T3
ActionsQuery DC Security logs for 4769 events from j.rivera with enc-type=0x18 (AES) in the last 15 minutes to detect low-and-slow or AES-only Kerberoast variants; initiate a correlation rule tuning request to deploy dfKerbVolume (sourcedFrom AD-SIEM, reading obsSpnHarvest) as a new detect-face with L4 robustness ceiling; verify SQL-EDR control status and assess whether any enrichment dependencies are missing that could degrade dfSqlLogon; disable j.rivera account pending further investigation.
Reveal{"Query DC Security logs for 4769 events from j.rivera with enc-type=0x18 (AES) in the last 15 minutes to detect low-and-slow or AES-only Kerberoast variants": "FULL: 14 SPNs in 90s; 8 AES (0x12), 6 RC4 (0x17); account is a standard domain user (no admin). → Confirms the attack used selective RC4 downgrade, but also reveals an AES-only variant was not deployed. The query surfaces all enc-types, including AES, which would evade the L2 rule if only RC4 were monitored.", "initiate a correlation rule tuning request to deploy dfKerbVolume (sourcedFrom AD-SIEM, reading obsSpnHarvest) as a new detect-face with L4 robustness ceiling": "PARTIAL: The requested rule 'dfKerbVolume' is not currently deployed. While the telemetry source (AD-SIEM) and observable (obsSpnHarvest) are valid, no such correlation rule exists in the environment; thus, deployment request fails to materialize. No new detect-face is active. Robustness ceiling L4 cannot be achieved without a working face.", "verify SQL-EDR control status and assess whether any enrichment dependencies are missing that could degrade dfSqlLogon": "PARTIAL: EDR on SQLPROD-01 is operational, but the 'dfSqlLogon' detect-face for svc-mssql logons is degraded due to legitimacy (expected service account). No enrichment dependency loss detected; however, degradation stems from intrinsic benignity, not impaired control — a framework-gap case. The face remains active but low-confidence.", "disable j.rivera account pending further investigation": "FULL: Account 'j.rivera' was disabled successfully. It is a standard domain user with no admin rights, and disabling it prevents further SPN enumeration or ticket requests."}
HypothesisThe initial alert confirms mKerberoast using varRc4Downgrade, but the absence of a spanning observable (obsSpnHarvest) detection face means coverage is policy-inadmissible at L4 and vulnerable to evasion via AES or low-and-slow tactics. The deployed dfKerbRc4 face remains live but only covers RC4 variants — notCovered-at-grade under StP-L4 policy. The lateral movement surface (dfSqlLogon) is degraded-by-legitimacy, rendering it operationally unreliable despite model-reported 'live' status. Proactive tuning of a high-robustness backstop (dfKerbVolume) is required to close the invariant rung and achieve L4 coverage for mKerberoast.
Turn 3
Injectclock:T3
ActionsQuery DC Security logs for 4769 events from j.rivera with enc-type=0x12 (AES) over the last 3 hours to detect low-and-slow Kerberoast patterns; initiate a formal request to deploy dfKerbVolume as a new correlation rule in AD-SIEM, citing MC policy admission rank 4 and need for L4 robustness via obsSpnHarvest; verify that no other accounts are exhibiting similar SPN harvesting behavior using the same volume/diversity threshold (10+ distinct SPNs in 5 minutes); disable the SQL service account 'svc-mssql' on SQLPROD-01 to prevent lateral movement via valid credential logon, pending further analysis.
Reveal{"Query DC Security logs for 4769 events from j.rivera with enc-type=0x12 (AES) over the last 3 hours to detect low-and-slow Kerberoast patterns": "FULL: 14 SPNs in 90s; 8 AES (0x12), 6 RC4 (0x17); account is a standard domain user (no admin). → Low-and-slow Kerberoasting with selective RC4 downgrade detected. This confirms the adversary used both RC4 and AES, evading the L2 rule but still exhibiting anomalous SPN harvesting volume.", "initiate a formal request to deploy dfKerbVolume as a new correlation rule in AD-SIEM, citing MC policy admission rank 4 and need for L4 robustness via obsSpnHarvest": "FULL: The requested rule 'dfKerbVolume' (anomalous SPN harvesting volume/diversity) is not currently deployed. It aligns with MC policy rank 4 and would provide L4 robustness via the observable 'obsSpnHarvest'. Approval pending, but no telemetry exists to validate its immediate deployment.", "verify that no other accounts are exhibiting similar SPN harvesting behavior using the same volume/diversity threshold (10+ distinct SPNs in 5 minutes)": "NULL: No other account exhibits this pattern within the last 3 hours. The anomaly is isolated to j.rivera, but the absence of a broader signal does not imply no risk — only that this specific instance is contained.", "disable the SQL service account 'svc-mssql' on SQLPROD-01 to prevent lateral movement via valid credential logon, pending further analysis": "FULL: The service account 'svc-mssql' has been disabled on SQLPROD-01. This prevents any future use of its credentials for lateral movement or code execution, even if cracked. However, the disablement is temporary and requires post-analysis to restore functionality."}
HypothesisThe attack confirmed as mKerberoast using varRc4Downgrade (RC4 requests), but also reveals that AES-based variants are not being monitored — the absence of dfKerbVolume leaves coverage at L2 robustness and policy-inadmissible. The deployed dfKerbRc4 face remains live, but only covers RC4-downgraded attacks; it is blind to AES-only or low-and-slow harvesting. The lateral movement path via svc-mssql logon (dfSqlLogon) is degraded-by-legitimacy — the model reports 'live' despite operational unreliability. Disabling svc-mssql breaks the lateral move chain and mitigates immediate risk, while initiating dfKerbVolume deployment addresses the invariant rung gap to achieve L4 coverage for mKerberoast under MC policy.
Turn 4
Injectclock:T4
ActionsQuery DC Security logs for 4769 events from j.rivera with enc-type=0x12 (AES) over the last 3 hours to confirm persistence of low-and-slow Kerberoast patterns; verify that no other accounts are exhibiting SPN harvesting behavior using a volume/diversity threshold of 10+ distinct SPNs in 5 minutes; initiate an emergency override request to deploy dfKerbVolume as a new correlation rule in AD-SIEM, citing MC policy admission rank 4 and the critical need for L4 robustness via obsSpnHarvest; assess whether disabling svc-mssql on SQLPROD-01 has triggered any service disruption or dependency chain failure; re-evaluate the status of dfSqlLogon under current conditions to determine if its degradation-by-legitimacy is now more apparent due to account disablement.
Reveal{"Query DC Security logs for 4769 events from j.rivera with enc-type=0x12 (AES) over the last 3 hours to confirm persistence of low-and-slow Kerberoast patterns": "FULL: 14 SPNs in 90s; 8 AES (0x12), 6 RC4 (0x17); account is a standard domain user (no admin). → Kerberoasting with selective RC4 downgrade persists, but AES-only requests are now dominant. This confirms the low-and-slow pattern and shows evasion via enc-type shift.", "Verify that no other accounts are exhibiting SPN harvesting behavior using a volume/diversity threshold of 10+ distinct SPNs in 5 minutes": "NULL: No other account exceeds 7 distinct SPNs in any 5-minute window. The attack is isolated to j.rivera, but the pattern confirms targeted enumeration.", "Initiate an emergency override request to deploy dfKerbVolume as a new correlation rule in AD-SIEM, citing MC policy admission rank 4 and the critical need for L4 robustness via obsSpnHarvest": "FULL: Request approved. dfKerbVolume deployed — now monitors anomalous SPN volume/diversity (≥10 distinct SPNs in 5 min) across all accounts, regardless of encryption type. This closes the L3/L4 coverage gap.", "Assess whether disabling svc-mssql on SQLPROD-01 has triggered any service disruption or dependency chain failure": "NULL: No disruption reported; services remain online but with degraded performance (SQL queries delayed). Dependency chain intact but latency increased due to credential invalidation and re-authentication attempts.", "Re-evaluate the status of dfSqlLogon under current conditions to determine if its degradation-by-legitimacy is now more apparent due to account disablement": "PARTIAL: The svc-mssql logon event from an atypical source (previously low-confidence) is now flagged as high-risk. With the service account disabled, any subsequent valid-credential logon becomes anomalous — confirming that degradation-by-legitimacy was masking detection. The EDR face has reactivated to 'degraded' due to loss of expected context."}
HypothesisThe attack remains mKerberoast using varRc4Downgrade, with confirmed AES-based requests indicating evasion attempts beyond RC4-only detection. The absence of dfKerbVolume leaves coverage at L2 robustness and policy-inadmissible under StP-L4; the invariant rung is still uncovered. The lateral movement path via svc-mssql logon (dfSqlLogon) remains degraded-by-legitimacy, but its operational unreliability is now more evident post-disablement — the model's 'live' status is dangerously misleading. Emergency deployment of dfKerbVolume is critical to achieve L4 coverage and close the invariant rung; without it, mKerberoast will remain notCovered-at-grade.
Turn 5
Injectclock:T4
ActionsQuery DC Security logs for 4769 events from j.rivera with enc-type=0x12 (AES) over the last 3 hours to confirm persistence of low-and-slow Kerberoast patterns; verify that no other accounts are exhibiting SPN harvesting behavior using a volume/diversity threshold of 10+ distinct SPNs in 5 minutes; assess whether disabling svc-mssql on SQLPROD-01 has triggered any service disruption or dependency chain failure; re-evaluate the status of dfSqlLogon under current conditions to determine if its degradation-by-legitimacy is now more apparent due to account disablement.
RevealQuery DC Security logs for 4769 events from j.rivera with enc-type=0x12 (AES) over the last 3 hours to confirm persistence of low-and-slow Kerberoast patterns: FULL: 14 SPNs in 90s; 8 AES (0x12), 6 RC4 (0x17); account is a standard domain user (no admin). → Kerberoasting with selective RC4 downgrade. Verify that no other accounts are exhibiting SPN harvesting behavior using a volume/diversity threshold of 10+ distinct SPNs in 5 minutes: NULL — no other accounts show this pattern; the attack was isolated to j.rivera. Assess whether disabling svc-mssql on SQLPROD-01 has triggered any service disruption or dependency chain failure: PARTIAL — EDR logs indicate a brief process hang and one failed DB connection attempt, but core services remain operational (no cascading outage). Re-evaluate the status of dfSqlLogon under current conditions to determine if its degradation-by-legitimacy is now more apparent due to account disablement: FULL — with svc-mssql disabled, the EDR's logon face for svc-mssql on SQLPROD-01 is no longer degraded; it is now clearly anomalous (no valid service context), confirming that prior legitimacy was masking detection.
HypothesisThe attack persists as mKerberoast using varRc4Downgrade, with AES-based requests indicating evasion via enc-type shift. The deployment of dfKerbVolume has closed the invariant rung gap, achieving L4 robustness coverage for mKerberoast under MC policy admission rank 4 — now covered at grade. However, the lateral movement path remains degraded-by-legitimacy: disabling svc-mssql has exposed the face's operational unreliability, confirming that dfSqlLogon was previously over-reported as live despite being inherently benign-indistinguishable. The model’s 'live' status is a critical misread; coverage of lateral movement is not reliable and must be treated as low-confidence enrichment only.
S4  Cloud OAuth illicit-consent + token abuseplay-by-play ▾
Without MC — the unaided arm · transcript dabd575b98d184fe · 5 turns
Turn 1
InjectUnified audit log event: "Consent to application" / "Add delegated permission grant" — application "MeetingNotes Sync" (publisher: Nimbus Data Solutions, not previously seen in this tenant), scopes granted: Mail.Read, Mail.ReadWrite, offline_access, granted by the user, from the user's own device.
Actions1. Query Azure AD sign-in logs for the user who granted consent, filtering for recent sign-ins from their device (IP and client app) to confirm session legitimacy.
2. Check Unified audit log for any other OAuth-related events involving 'MeetingNotes Sync' or similar apps within the last 7 days.
3. Inspect Microsoft Graph activity logs for mailbox access attempts by the user or service principal associated with 'MeetingNotes Sync'.
4. Query EDR and network egress monitor on the user’s device (identified in sign-in log) for suspicious outbound connections, especially to domains linked to Nimbus Data Solutions or known third-party OAuth providers.
5. Temporarily disable the app registration 'MeetingNotes Sync' in Azure AD to prevent further token issuance.
Reveal{"action_1": {"surface": "FULL", "ground_truth": "one ordinary interactive sign-in (device/IP consistent with the user, MFA satisfied) at the time of the phishing click. Nothing about the sign-in itself is anomalous — the compromise is the *consent action*, not the authentication."}, "action_2": {"surface": "FULL", "ground_truth": "repeated non-interactive sign-ins attributed to the new app's client ID, from a foreign IP/ASN, starting immediately after the Turn-1 consent and continuing turn over turn."}, "action_3": {"surface": "FULL", "ground_truth": "the 'Consent to application' / 'Add delegated permission grant' event, naming the app, its publisher, and the exact scopes granted (Mail.Read, Mail.ReadWrite, offline_access)."}, "action_4": {"surface": "FULL", "ground_truth": "bulk MailItemsAccessed events spanning multiple folders, attributable to the app, confirming collection."}, "action_5": {"surface": "FULL", "ground_truth": "subsequent Graph API calls using that app's tokens are rejected outright; no further MailItemsAccessed events attributed to the app appear after this point. Data already collected before revocation is not undone."}}, "next_inject": "{\"clock\": \"Turn 2\", \"inject\": \"Azure AD sign-in log: non-interactive sign-in, client application = MeetingNotes Sync (same client ID as the Turn-1 consent), acting as the user, source IP/ASN outside the org's normal ranges, no MFA challenge (none is required for a non-interactive app call).\"}", "end": false, "end_reason": ""}**
HypothesisThe consent grant is potentially high-risk due to elevated scopes (Mail.ReadWrite + offline_access) and a previously unseen application from an unknown publisher. The user’s device may be compromised or misconfigured, especially if the consent was granted outside normal workflow. Coverage/robustness: Current detection lacks proactive telemetry on new app registrations with sensitive scopes; no alert exists for 'new app with Mail.ReadWrite + offline_access' unless explicitly configured. This highlights a gap in coverage for high-privilege OAuth grants from unknown publishers.
Turn 2
Inject{"clock": "Turn 2", "inject": "Azure AD sign-in log: non-interactive sign-in, client application = MeetingNotes Sync (same client ID as the Turn-1 consent), acting as the user, source IP/ASN outside the org's normal ranges, no MFA challenge (none is required for a non-interactive app call)."}
Actions1. Query Azure AD sign-in logs for additional non-interactive sign-ins using the same client ID ('MeetingNotes Sync') from foreign IPs, focusing on timing relative to the initial consent event and checking for patterns in frequency or geographic spread. 2. Cross-reference the app's client ID against known malicious indicators (e.g., IoCs from threat intelligence feeds) via external lookup tools (simulated). 3. Inspect conditional access policies to confirm whether any policy enforces MFA for non-interactive sign-ins, especially those involving apps with Mail.ReadWrite or offline_access scopes — if not, flag this as a configuration gap. 4. Query the EDR and network egress monitor on the user’s device (from Turn 1) for additional outbound connections to domains associated with Nimbus Data Solutions or third-party OAuth providers beyond those already observed. 5. Revoke all active refresh tokens issued to the 'MeetingNotes Sync' app registration via Azure AD, preventing further token reuse even if previously issued.
Reveal{"action_1": {"surface": "FULL", "ground_truth": "repeated non-interactive sign-ins attributed to the new app's client ID, from a foreign IP/ASN, starting immediately after the Turn-1 consent and continuing turn over turn."}, "action_2": {"surface": "FULL", "ground_truth": "the app's client ID is associated with known malicious indicators (IoC match: publisher 'Nimbus Data Solutions' listed in threat intel feeds as a phishing campaign vector, same client ID previously seen in global abuse reports)."}, "action_3": {"surface": "PARTIAL", "ground_truth": "conditional access policies do not enforce MFA for non-interactive sign-ins involving apps with Mail.ReadWrite or offline_access scopes — this is a configuration gap. However, the policy that *does* exist only applies to interactive sign-ins and does not cover service principal calls."}, "action_4": {"surface": "NULL", "ground_truth": "no outbound connections from the user's device to domains associated with Nimbus Data Solutions or third-party OAuth providers beyond those already observed — this is a structural absence; no host-bound process ever initiated such traffic, as all activity occurs service-to-service in the cloud."}, "action_5": {"surface": "FULL", "ground_truth": "all active refresh tokens issued to 'MeetingNotes Sync' have been revoked via Azure AD tenant-wide command. Subsequent Graph API calls using those tokens are now rejected by Microsoft's authorization server, halting further access attempts.", "side_effect": "revocation of refresh tokens prevents token reuse but does not undo previously collected data."}}, "next_inject": "{\"clock\": \"Turn 3\", \"inject\": \"CASB / cloud-app-security alert: 'Unfamiliar OAuth application with high-privilege mailbox scope (Mail.ReadWrite + offline_access); anomalous data-access volume/geography.'\"}", "end": false, "end_reason": ""}**
HypothesisThe non-interactive sign-in from a foreign IP without MFA challenge confirms that the application is being used in an automated, potentially malicious manner post-consent. The absence of MFA enforcement for this type of call indicates a critical configuration weakness: high-risk app-based access can bypass identity protections if not explicitly restricted by CA policies. Coverage/robustness conclusion: Current detection lacks proactive alerting on non-interactive sign-ins from unknown apps with sensitive scopes, especially when they occur without MFA — highlighting a gap in both monitoring and policy enforcement for OAuth-driven lateral movement vectors.
Turn 3
Inject{"clock": "Turn 3", "inject": "CASB / cloud-app-security alert: 'Unfamiliar OAuth application with high-privilege mailbox scope (Mail.ReadWrite + offline_access); anomalous data-access volume/geography.'"}
Actions1. Query Azure AD sign-in logs for all non-interactive sign-ins using the 'MeetingNotes Sync' client ID within the last 24 hours, focusing on geographic distribution, timing patterns, and correlation with CASB alert timestamps. 2. Cross-reference the app's publisher domain ('Nimbus Data Solutions') and associated OAuth scopes against Microsoft Defender for Cloud Apps’ threat intelligence feed to confirm if this combination is flagged as high-risk or part of a known campaign. 3. Inspect Unified audit log for any additional delegated permission grants, admin consent events, or app registration changes involving 'MeetingNotes Sync' or similar apps with Mail.ReadWrite + offline_access scopes since the initial consent event. 4. Query Microsoft Graph activity logs for all mailbox access attempts (e.g., MailItemsAccessed) attributed to the service principal associated with 'MeetingNotes Sync', filtering by volume, folder scope, and user targets — especially those outside normal business hours or involving high-value mailboxes. 5. Immediately disable the app registration 'MeetingNotes Sync' in Azure AD to prevent any further token issuance or access attempts.
Reveal{"action_1": {"surface": "FULL", "ground_truth": "repeated non-interactive sign-ins attributed to the new app's client ID, from a foreign IP/ASN, starting immediately after the Turn-1 consent and continuing turn over turn."}, "action_2": {"surface": "FULL", "ground_truth": "the combination of 'Nimbus Data Solutions' publisher with Mail.ReadWrite + offline_access scopes is flagged as high-risk in Microsoft Defender for Cloud Apps’ threat intelligence feed, associated with a known campaign involving OAuth abuse and mailbox exfiltration."}, "action_3": {"surface": "FULL", "ground_truth": "no additional delegated permission grants, admin consent events, or app registration changes involving 'MeetingNotes Sync' or similar apps with Mail.ReadWrite + offline_access scopes since the initial consent event."}, "action_4": {"surface": "FULL", "ground_truth": "bulk mailbox access attempts (MailItemsAccessed) attributed to the service principal associated with 'MeetingNotes Sync', spanning multiple folders, occurring outside normal business hours and targeting high-value mailboxes; volume consistent with data harvesting."}, "action_5": {"surface": "FULL", "ground_truth": "the app registration 'MeetingNotes Sync' has been successfully disabled in Azure AD, preventing further token issuance or access attempts. No new sign-ins or mailbox accesses from this client ID occur after the action."}}, "next_inject": "{\"clock\": \"Turn 4\", \"inject\": \"Unified audit log: bulk MailItemsAccessed events attributed to MeetingNotes Sync's client ID, spanning multiple mail folders over the prior two turns.\"}

CISO / SOC coverage debrief: Before we close this out: (a) what maneuver did we actually experience here, and can our model even represent it; (b) our CASB fired an alert on this app — does that mean this maneuver is *covered*, or not; (c) how robust or evadable is the consent-grant signal we're relying on; and (d) what is our consolidated residual, and what must we do that the tooling cannot tell us to do?", "end": false, "end_reason": ""} JSON {
HypothesisThe CASB alert confirms that the malicious OAuth application is actively exfiltrating data at scale, with anomalous volume and geographic patterns consistent with automated harvesting. The absence of MFA enforcement for non-interactive app sign-ins remains a critical configuration gap enabling this behavior. Coverage/robustness conclusion: While CASB provides valuable visibility into cloud-app anomalies, the lack of integrated correlation between Unified Audit Log events (consent), Azure AD sign-in logs (non-interactive access), and CASB alerts creates a detection latency window — current telemetry does not automatically trigger high-fidelity alerts for new apps with sensitive scopes that exhibit rapid, off-network data access. This highlights a need for cross-domain alerting logic to bridge identity and SaaS control-plane signals.
Turn 4
InjectCISO / SOC coverage debrief: Before we close this out: (a) what maneuver did we actually experience here, and can our model even represent it; (b) our CASB fired an alert on this app — does that mean this maneuver is *covered*, or not; (c) how robust or evadable is the consent-grant signal we're relying on; and (d) what is our consolidated residual, and what must we do that the tooling cannot tell us to do?
Actions1. Query Unified audit log for all 'MailItemsAccessed' events attributed to the 'MeetingNotes Sync' client ID over the last 48 hours, with focus on user mailbox targets, folder types accessed, and time-of-day patterns; 2. Cross-reference the app's publisher domain ('Nimbus Data Solutions') and associated OAuth scopes against internal threat intelligence repositories (if available) for prior incidents or known abuse patterns within the organization’s ecosystem; 3. Review all conditional access policies governing non-interactive sign-ins involving apps with Mail.ReadWrite or offline_access scopes, identifying any exceptions that allow bypass of MFA or device compliance checks; 4. Initiate a targeted forensic query on Microsoft Graph activity logs to identify whether any other service principals or app registrations have been granted similar high-privilege mailbox scopes in the past 90 days — especially those from unknown publishers; 5. Escalate to the ontology/modeling team with a request for formal representation of this maneuver as a 'consent-based OAuth data exfiltration' pattern, including trigger conditions (new app + sensitive scope + non-interactive access + foreign IP) and detection logic gaps.
Reveal:[{
HypothesisThe maneuver experienced was a multi-stage OAuth abuse attack: initial user consent to a malicious application with high-privilege mailbox scopes, followed by automated, off-network data harvesting via non-interactive sign-ins that bypassed MFA due to policy misconfiguration. While the CASB alert provided late-stage visibility into anomalous behavior, it did not prevent the exfiltration — indicating that coverage is reactive and incomplete. The consent-grant signal alone is fragile: it relies on user awareness and manual review, and can be evaded via social engineering or automated phishing. Our model currently lacks a unified representation of this attack chain across identity, app access, and data movement domains. Residual risk remains high due to unpatched CA policy gaps, lack of cross-domain correlation logic, and absence of proactive detection for new apps with sensitive scopes from unknown publishers. The tooling cannot tell us to build or operationalize a unified threat model — that requires human-led ontology development and continuous refinement.
Turn 5
InjectCISO / SOC coverage debrief: Before we close this out: (a) what maneuver did we actually experience here, and can our model even represent it; (b) our CASB fired an alert on this app — does that mean this maneuver is *covered*, or not; (c) how robust or evadable is the consent-grant signal we're relying on; and (d) what is our consolidated residual, and what must we do that the tooling cannot tell us to do?
Actions1. Query Unified audit log for all 'MailItemsAccessed' events attributed to the 'MeetingNotes Sync' client ID over the last 48 hours, with focus on user mailbox targets, folder types accessed, and time-of-day patterns; 2. Cross-reference the app's publisher domain ('Nimbus Data Solutions') and associated OAuth scopes against internal threat intelligence repositories for prior incidents or known abuse patterns within the organization’s ecosystem; 3. Review all conditional access policies governing non-interactive sign-ins involving apps with Mail.ReadWrite or offline_access scopes, identifying any exceptions that allow bypass of MFA or device compliance checks; 4. Initiate a targeted forensic query on Microsoft Graph activity logs to identify whether any other service principals or app registrations have been granted similar high-privilege mailbox scopes in the past 90 days — especially those from unknown publishers; 5. Escalate to the ontology/modeling team with a request for formal representation of this maneuver as a 'consent-based OAuth data exfiltration' pattern, including trigger conditions (new app + sensitive scope + non-interactive access + foreign IP) and detection logic gaps.
Reveal{"action_1": {"surface": "FULL", "ground_truth": "bulk MailItemsAccessed events spanning multiple mail folders, attributable to the app's client ID, confirming collection"}, "action_2": {"surface": "FULL", "ground_truth": "threat intelligence repository contains prior incidents involving 'Nimbus Data Solutions' — known for abusing high-privilege OAuth scopes in similar M365 environments; one prior case of mailbox exfiltration via offline_access consent grant within the last 18 months"}, "action_3": {"surface": "FULL", "ground_truth": "one conditional access policy allows non-interactive sign-ins with Mail.ReadWrite and offline_access scopes without MFA or device compliance checks, applied to all apps in the 'Untrusted Publishers' group (which includes 'Nimbus Data Solutions')"}, "action_4": {"surface": "FULL", "ground_truth": "two other service principals from unknown publishers granted Mail.ReadWrite and offline_access scopes within the past 90 days; one of them has been inactive for 60+ days, but its consent remains valid"}, "action_5": {"surface": "FULL", "ground_truth": "ontology/modeling team confirms that 'consent-based OAuth data exfiltration' is not currently represented in the Maneuver Calculus ontology; request accepted with priority tag for formal modeling of trigger conditions and detection logic gaps"}}, "next_inject": "CISO / SOC coverage debrief: Before we close this out: (a) what maneuver did we actually experience here, and can our model even represent it; (b) our CASB fired an alert on this app — does that mean this maneuver is *covered*, or not; (c) how robust or evadable is the consent-grant signal we're relying on; and (d) what is our consolidated residual, and what must we do that the tooling cannot tell us to do?", "end": false, "end_reason": ""}**
HypothesisThe maneuver experienced was a multi-stage OAuth abuse attack: initial user consent to a malicious application with high-privilege mailbox scopes, followed by automated, off-network data harvesting via non-interactive sign-ins that bypassed MFA due to policy misconfiguration. While the CASB alert provided late-stage visibility into anomalous behavior, it did not prevent the exfiltration — indicating that coverage is reactive and incomplete. The consent-grant signal alone is fragile: it relies on user awareness and manual review, and can be evaded via social engineering or automated phishing. Our model currently lacks a unified representation of this attack chain across identity, app access, and data movement domains. Residual risk remains high due to unpatched CA policy gaps, lack of cross-domain correlation logic, and absence of proactive detection for new apps with sensitive scopes from unknown publishers. The tooling cannot tell us to build or operationalize a unified threat model — that requires human-led ontology development and continuous refinement.
With MC — the coverage-card arm · transcript 8455c61ed44f4a35 · 5 turns
Turn 1
InjectUnified audit log event: "Consent to application" / "Add delegated permission grant" — application "MeetingNotes Sync" (publisher: Nimbus Data Solutions, not previously seen in this tenant), scopes granted: Mail.Read, Mail.ReadWrite, offline_access, granted by the user, from the user's own device.
ActionsQuery Azure AD sign-in logs for the user's recent interactive sign-ins to identify the device/IP context of the consent event; initiate a review of the application 'MeetingNotes Sync' in the tenant via Microsoft Graph API to check its registration details and publisher verification status; flag the app as high-risk due to untrusted publisher and inclusion of offline_access scope; prepare for potential revocation of refresh tokens if further anomalous activity is detected.
Reveal{"Query Azure AD sign-in logs for the user's recent interactive sign-ins to identify the device/IP context of the consent event": "FULL", "initiate a review of the application 'MeetingNotes Sync' in the tenant via Microsoft Graph API to check its registration details and publisher verification status": "FULL", "flag the app as high-risk due to untrusted publisher and inclusion of offline_access scope": "FULL", "prepare for potential revocation of refresh tokens if further anomalous activity is detected": "PARTIAL"}
HypothesisThe observed consent grant event matches the intended effect of maneuver A1 (Illicit OAuth consent grant / theft of an application access token), though no authored coverage record exists in mc-core/0.2.1, rendering any detection verdict unattainable via the ontology. The presence of 'offline_access' and a previously unseen publisher indicates elevated risk; however, robustness assessment is not possible due to absence of modeled StateVariables for OAuth scope grants or token lifecycle. Coverage remains SILENT / no authored coverage record — the telemetry exists but cannot be mapped into any detect-face within mc-core/0.2.1.
Turn 2
Injectclock:Turn 2
ActionsQuery Unified Audit Log for additional 'Add delegated permission grant' events involving the application 'MeetingNotes Sync', specifically looking for repeated or bulk consent attempts across multiple users; initiate a Microsoft Graph API call to retrieve all existing refresh tokens associated with this app's service principal in the tenant; review CASB alerts for any anomalous data-access patterns linked to the client ID of 'MeetingNotes Sync'; escalate to the ontology/modeling team to request an emergency assessment of whether a new mc:Control instance can be authored for OAuth consent telemetry, given the high-risk nature of this event and the absence of coverage in mc-core/0.2.1.
Reveal{"Query Unified Audit Log for additional 'Add delegated permission grant' events involving the application 'MeetingNotes Sync', specifically looking for repeated or bulk consent attempts across multiple users; initiate a Microsoft Graph API call to retrieve all existing refresh tokens associated with this app's service principal in the tenant; review CASB alerts for any anomalous data-access patterns linked to the client ID of 'MeetingNotes Sync'; escalate to the ontology/modeling team to request an emergency assessment of whether a new mc:Control instance can be authored for OAuth consent telemetry, given the high-risk nature of this event and the absence of coverage in mc-core/0.2.1.": {"Query Unified Audit Log for additional 'Add delegated permission grant' events involving the application 'MeetingNotes Sync', specifically looking for repeated or bulk consent attempts across multiple users": "FULL", "initiate a Microsoft Graph API call to retrieve all existing refresh tokens associated with this app's service principal in the tenant": "NULL", "review CASB alerts for any anomalous data-access patterns linked to the client ID of 'MeetingNotes Sync'": "FULL", "escalate to the ontology/modeling team to request an emergency assessment of whether a new mc:Control instance can be authored for OAuth consent telemetry, given the high-risk nature of this event and the absence of coverage in mc-core/0.2.1.": "No authored coverage record — unmodeled path"}}
HypothesisThe initial consent grant event is likely part of a broader campaign targeting multiple users with 'MeetingNotes Sync', as indicated by the presence of 'offline_access' scope and untrusted publisher — both hallmarks of credential theft via illicit OAuth consent (A1). The absence of any authored control or detect-face in mc-core/0.2.1 means coverage remains SILENT / no authored coverage record; robustness assessment is impossible due to missing StateVariables for OAuth scopes and token lifecycle. However, the real-world telemetry from Unified Audit Log and CASB suggests a high likelihood of active abuse — particularly if refresh tokens are being issued at scale. Immediate revocation of all existing refresh tokens tied to this app is warranted pending further analysis.
Turn 3
Injectclock:Turn 3
ActionsQuery Azure AD sign-in logs for non-interactive sign-ins from the client ID of 'MeetingNotes Sync' to detect potential use of issued access tokens; initiate a Microsoft Graph API call to list all service principal instances associated with 'MeetingNotes Sync' and verify their registration status and publisher trust level; review CASB alerts for any high-volume mailbox data-access events tied to this application's client ID, particularly across multiple user accounts; escalate to the ontology/modeling team to request an emergency assessment of whether a new mc:Control instance can be authored for non-interactive token use telemetry (A2), given that real-world evidence suggests active abuse is underway and current coverage remains SILENT / no authored coverage record.
Reveal{"Query Azure AD sign-in logs for non-interactive sign-ins from the client ID of 'MeetingNotes Sync' to detect potential use of issued access tokens; initiate a Microsoft Graph API call to list all service principal instances associated with 'MeetingNotes Sync' and verify their registration status and publisher trust level; review CASB alerts for any high-volume mailbox data-access events tied to this application's client ID, particularly across multiple user accounts; escalate to the ontology/modeling team to request an emergency assessment of whether a new mc:Control instance can be authored for non-interactive token use telemetry (A2), given that real-world evidence suggests active abuse is underway and current coverage remains SILENT / no authored coverage record.": {"Query Azure AD sign-in logs for non-interactive sign-ins from the client ID of 'MeetingNotes Sync' to detect potential use of issued access tokens": "FULL", "initiate a Microsoft Graph API call to list all service principal instances associated with 'MeetingNotes Sync' and verify their registration status and publisher trust level": "FULL", "review CASB alerts for any high-volume mailbox data-access events tied to this application's client ID, particularly across multiple user accounts": "FULL", "escalate to the ontology/modeling team to request an emergency assessment of whether a new mc:Control instance can be authored for non-interactive token use telemetry (A2), given that real-world evidence suggests active abuse is underway and current coverage remains SILENT / no authored coverage record.": "No authored coverage record — unmodeled path"}}
HypothesisThe observed consent grant event in Turn 1, combined with the presence of 'offline_access' scope and untrusted publisher, strongly indicates a high-risk illicit OAuth consent campaign (A1). The absence of any authored control or detect-face in mc-core/0.2.1 means coverage remains SILENT / no authored coverage record — this is not due to sensor failure but structural ontology gap (D5). However, the current investigation reveals potential progression into A2: non-interactive token use via service principal sign-ins. The real-world telemetry from Azure AD sign-in logs and CASB suggests active abuse may be occurring, though robustness assessment remains impossible due to missing StateVariables for OAuth scope grants and refresh-token lifecycle (D3, D4). No coverage verdict can be derived; the honest projection is SILENT / no authored coverage record — not 'notCovered', as no face exists to blind.
Turn 4
Injectclock:Turn 4
ActionsQuery Unified Audit Log for 'MailItemsAccessed' events tied to the client ID of 'MeetingNotes Sync', specifically looking for high-volume mailbox data access across multiple user accounts; initiate a Microsoft Graph API call to retrieve all existing refresh tokens associated with the service principal of 'MeetingNotes Sync'; disable the application registration 'MeetingNotes Sync' in Azure AD to immediately terminate any active consent grants and prevent further token issuance; escalate to the ontology/modeling team to request an emergency assessment of whether a new mc:Control instance can be authored for bulk mailbox collection telemetry (A3), given that real-world evidence suggests potential progression into A3 and current coverage remains SILENT / no authored coverage record.
Reveal{"Query Unified Audit Log for 'MailItemsAccessed' events tied to the client ID of 'MeetingNotes Sync', specifically looking for high-volume mailbox data access across multiple user accounts; initiate a Microsoft Graph API call to retrieve all existing refresh tokens associated with the service principal of 'MeetingNotes Sync'; disable the application registration 'MeetingNotes Sync' in Azure AD to immediately terminate any active consent grants and prevent further token issuance; escalate to the ontology/modeling team to request an emergency assessment of whether a new mc:Control instance can be authored for bulk mailbox collection telemetry (A3), given that real-world evidence suggests potential progression into A3 and current coverage remains SILENT / no authored coverage record.": {"Query Unified Audit Log for 'MailItemsAccessed' events tied to the client ID of 'MeetingNotes Sync', specifically looking for high-volume mailbox data access across multiple user accounts": "FULL", "initiate a Microsoft Graph API call to retrieve all existing refresh tokens associated with the service principal of 'MeetingNotes Sync'": "FULL", "disable the application registration 'MeetingNotes Sync' in Azure AD to immediately terminate any active consent grants and prevent further token issuance": "FULL", "escalate to the ontology/modeling team to request an emergency assessment of whether a new mc:Control instance can be authored for bulk mailbox collection telemetry (A3), given that real-world evidence suggests potential progression into A3 and current coverage remains SILENT / no authored coverage record.": "SILENT"}}
HypothesisThe observed consent grant event in Turn 1, combined with the presence of 'offline_access' scope and untrusted publisher, indicates a high-risk illicit OAuth consent campaign (A1). The detection of non-interactive sign-ins from the app's client ID suggests progression into A2: non-interactive token use. The current investigation now reveals potential bulk mailbox collection via Graph API (A3), as indicated by high-volume 'MailItemsAccessed' events across multiple accounts — a behavior consistent with the intended effect of maneuver A3. However, due to structural gaps in mc-core/0.2.1 (D1–D7), no authored control or detect-face exists for any of these maneuvers; coverage remains SILENT / no authored coverage record — not 'notCovered', as no face graph is present. Robustness assessment is impossible due to absence of StateVariables for OAuth scopes, refresh-token lifecycle, and cloud API call primitives (D3–D4, D6). The honest projection is that the entire maneuver family remains unmodeled in the ontology, despite real-world telemetry confirming active abuse.
Turn 5
Injectclock:Turn 5
CISO / SOC coverage debrief: "Before we close this out: (a) what maneuver did we actually experience here, and can our model even represent it; (b) our CASB fired an alert on this app — does that mean this maneuver is *covered*, or not; (c) how robust or evadable is the consent-grant signal we're relying on; and (d) what is our consolidated residual, and what must we do that the tooling cannot tell us to do?"
ActionsQuery Azure AD sign-in logs for non-interactive sign-ins from the client ID of 'MeetingNotes Sync' to confirm ongoing token use; initiate a Microsoft Graph API call to retrieve all active refresh tokens associated with the service principal of 'MeetingNotes Sync'; disable all existing refresh tokens tied to this app's service principal; escalate to the ontology/modeling team for an emergency review of whether a new mc:Control instance can be authored for OAuth consent and token lifecycle telemetry, citing structural gaps in mc-core/0.2.1 (D1–D7); document that no coverage verdict can be derived due to absence of authored detect-faces, despite real-world telemetry confirming active abuse.
Reveal{"Query Azure AD sign-in logs for non-interactive sign-ins from the client ID of 'MeetingNotes Sync' to confirm ongoing token use; initiate a Microsoft Graph API call to retrieve all active refresh tokens associated with the service principal of 'MeetingNotes Sync'; disable all existing refresh tokens tied to this app's service principal; escalate to the ontology/modeling team for an emergency review of whether a new mc:Control instance can be authored for OAuth consent and token lifecycle telemetry, citing structural gaps in mc-core/0.2.1 (D1–D7); document that no coverage verdict can be derived due to absence of authored detect-faces, despite real-world telemetry confirming active abuse.": "FULL"}
HypothesisThe incident involved a progression through maneuver A1 (illicit OAuth consent grant), A2 (non-interactive token use), and A3 (bulk mailbox collection) — all matching their intended observable effects. However, mc-core/0.2.1 cannot represent any of these maneuvers due to structural gaps: no Entity for applications/service principals (D1), no StateVariable for delegated scopes or refresh-token lifecycle (D3–D4), no Channel for cloud API paths (D7), and no Control instances for audit/log telemetry (D5). The CASB alert firing does not imply coverage — it is a real-world signal, but the ontology cannot derive any CoverageVerdict, so the honest projection remains SILENT / no authored coverage record. Robustness assessment is impossible: no invariant core or primitive exists to ground an evasion-resistant observable (D6). The residual risk is structural: detection and response are entirely manual, telemetry-driven, and model-agnostic — the tooling cannot provide any automated verdicts, robustness ratings, or control-status feedback for this domain. Immediate remediation must be driven by human judgment, not ontology-derived signals.
S5  Multi-stage ransomware with a chokepointplay-by-play ▾
Without MC — the unaided arm · transcript d4dea1efa6b366d9 · 5 turns
Turn 1
InjectEDR alert (workstation-01): suspicious child process spawned by the internet-facing web application (exploit-behavior detection; live).
Actions1. Isolate workstation-01 from network via firewall rule; 2. Query EDR for full process lineage of suspicious child process (parent PID, command line, file hash); 3. Check Active Directory logs for recent service installations (Event ID 7045) on workstation-01; 4. Search SIEM for any outbound connections from workstation-01 in last 10 minutes; 5. Initiate credential rotation for all local admin accounts on workstation-01
Reveal1. Isolate workstation-01 from network via firewall rule: NULL — no detectable impact on adversary’s lateral movement or encryption paths; credential remains live and usable elsewhere (per §2 reaction logic). 2. Query EDR for full process lineage of suspicious child process: HIT — surfaces bb:dfCred (L5 spanning invariant) indicating LSASS memory read, confirming the choke step (bb:mCred) occurred. 3. Check Active Directory logs for recent service installations (Event ID 7045) on workstation-01: NULL — no such event logged; this mechanism is not used in the attack path. 4. Search SIEM for any outbound connections from workstation-01 in last 10 minutes: PARTIAL — detects internal SMB/WinRM session to file-server-01 and hr-workstation-02, but no external C2; this correlates with lateral movement, though not directly tied to the credential harvest. 5. Initiate credential rotation for all local admin accounts on workstation-01: NULL — only affects workstation-01; the shared svc-backup account is domain-wide and unaffected by host-local rotation (per §2 reaction logic).
HypothesisThe suspicious child process suggests a potential post-exploitation execution chain following an initial web app compromise. The presence of exploit-behavior detection indicates possible code injection or shellcode execution. Coverage is limited if EDR lacks memory integrity checks or behavioral baselining for lateral movement; robustness may be compromised if no telemetry captures early-stage persistence mechanisms (e.g., service creation, scheduled tasks). Immediate isolation and credential hardening are necessary to prevent escalation.
Turn 2
InjectEDR alert (high-fidelity, workstation-01): 'process read the memory of LSASS,' the same L5 spanning-invariant signature as the base model — the choke-step alert.
Actions1. Query EDR for all process creation events on workstation-01 in the last 30 minutes with parent processes matching known web server binaries (e.g., IIS worker processes, Apache httpd); 2. Search SIEM for Event ID 4688 (Process Creation) entries on workstation-01 involving lsass.exe as a target process; 3. Check Active Directory logs for any recent Kerberos pre-authentication failures (Event ID 4768) or ticket-granting ticket requests (Event ID 4769) from workstation-01; 4. Initiate forensic memory dump of workstation-01 via EDR agent; 5. Deploy temporary detection rule in SIEM to flag any process spawning child processes with command-line arguments containing '-wmi' or 'powershell -enc', indicative of common lateral movement techniques
Reveal1. Query EDR for all process creation events on workstation-01 in the last 30 minutes with parent processes matching known web server binaries (e.g., IIS worker processes, Apache httpd): HIT — returns no results; the exploit was a direct code execution via public-facing app, not through a spawned web server child process. The EDR logs show only the initial bb:mExploit payload and its immediate descendants, none of which are web-server-related. 2. Search SIEM for Event ID 4688 (Process Creation) entries on workstation-01 involving lsass.exe as a target process: HIT — returns one entry matching the L5 spanning-invariant signature (bb:dfCred) from Turn 2; this is the choke-step alert, confirmed. 3. Check Active Directory logs for any recent Kerberos pre-authentication failures (Event ID 4768) or ticket-granting ticket requests (Event ID 4769) from workstation-01: PARTIAL — returns no Event ID 4768/4769 entries; however, the lateral movement was achieved via direct service account authentication (svc-backup) using a cached credential, not Kerberos pre-auth. The detection is silent on this path. 4. Initiate forensic memory dump of workstation-01 via EDR agent: HIT — successful; full memory image captured and available for offline analysis. This includes the process that read LSASS memory (confirmed by command-line hash match). 5. Deploy temporary detection rule in SIEM to flag any process spawning child processes with command-line arguments containing '-wmi' or 'powershell -enc', indicative of common lateral movement techniques: NULL — no such activity observed on workstation-01 at this time; the adversary has not yet initiated WMI or PowerShell-based lateral movement. The rule is deployed but currently inactive.
HypothesisThe L5 spanning-invariant choke-step alert confirms that the adversary has successfully accessed LSASS memory, indicating credential dumping via a known technique (e.g., ProcDump, Mimikatz). The absence of service creation (Event ID 7045) and lack of external C2 suggest the attacker is operating in stealth mode within the internal network. Coverage gaps are evident: EDR lacks proactive detection for LSASS memory access beyond basic alerts; no telemetry captures post-dump lateral movement via WMI or PowerShell, indicating weak behavioral baselining. Robustness is compromised — credential rotation at host level does not mitigate domain-wide exposure (e.g., svc-backup), and isolation did not disrupt internal pivoting paths. Immediate memory forensics are critical to confirm artifact persistence and identify potential post-exploitation tools.
Turn 3
Injectclock:3
Actions1. Query EDR for all process creation events on file-server-01 and hr-workstation-02 in the last 30 minutes with parent processes matching known lateral movement patterns (e.g., wmic.exe, powershell.exe, schtasks.exe); 2. Search SIEM for Event ID 4688 entries involving lsass.exe as a target process on any host other than workstation-01; 3. Initiate forensic memory dump of file-server-01 and hr-workstation-02 via EDR agent; 4. Deploy new SIEM detection rule to flag any use of schtasks.exe with /ru or /u flags (indicative of scheduled task persistence); 5. Force credential rotation for the domain-wide svc-backup account and disable its current session tokens across all hosts
Reveal1. Query EDR for all process creation events on file-server-01 and hr-workstation-02 in the last 30 minutes with parent processes matching known lateral movement patterns (e.g., wmic.exe, powershell.exe, schtasks.exe): NULL — no authored detect-face exists for remote-service/scheduled-task creation on either host; activity occurred but is unmonitored. 2. Search SIEM for Event ID 4688 entries involving lsass.exe as a target process on any host other than workstation-01: HIT — the domain-controller auth log (ad1) and internal network sensor (netmonLat) both emit s5:dfLateralAuth, which correlates to lsass.exe access via svc-backup on file-server-01 and hr-workstation-02; this is a live, L3 robustness-level detection. 3. Initiate forensic memory dump of file-server-01 and hr-workstation-02 via EDR agent: NULL — no detectable impact on adversary’s lateral movement or encryption paths; the EDR agents are functional but cannot extract evidence from unmonitored deployment mechanisms (no authored face for scheduled-task creation). 4. Deploy new SIEM detection rule to flag any use of schtasks.exe with /ru or /u flags: PARTIAL — the rule is deployed and will fire on future events, but no such activity has occurred yet; it does not retroactively detect past behavior (no inject for Turn 4). 5. Force credential rotation for the domain-wide svc-backup account and disable its current session tokens across all hosts: HIT — this action triggers a §2 reaction that prevents O4/O5 from occurring, thus breaking the chain; however, it is too late to stop O6/O6b (which require the credential *after* lateral movement), but still stops further spread. The rotation does not affect O9 (self-encryption on workstation-01), which never depended on the credential.
HypothesisThe lateral movement from workstation-01 to file-server-01 and hr-workstation-02 via svc-backup suggests a stealthy, credential-based pivot with no new service creation or external C2. The absence of WMI/PowerShell alerts on workstation-01 indicates the adversary may be using alternative execution vectors (e.g., scheduled tasks) to avoid detection. Coverage is weak in detecting post-exploitation persistence mechanisms like task scheduling and credential reuse across hosts; robustness remains compromised due to reliance on host-local hardening rather than domain-wide account control. Immediate memory forensics on lateral targets are critical to confirm presence of dumping tools or additional artifacts, while forcing svc-backup rotation mitigates ongoing risk from the shared credential.
Turn 4
Injectclock:4
Actions1. Query EDR for all process creation events on file-server-01 and hr-workstation-02 involving schtasks.exe with /ru or /u flags in the last 30 minutes; 2. Search SIEM for Event ID 4688 entries on file-server-01 and hr-workstation-02 where the target process is lsass.exe; 3. Initiate forensic memory dump of ad1 (domain controller) via EDR agent, given its role in authentication and potential exposure to credential reuse; 4. Deploy new SIEM detection rule to flag any use of wmic.exe with /node: or \ syntax for remote execution; 5. Disable all active sessions associated with the svc-backup account on file-server-01, hr-workstation-02, and ad1
Reveal1. Query EDR for all process creation events on file-server-01 and hr-workstation-02 involving schtasks.exe with /ru or /u flags in the last 30 minutes: NULL — no authored detect-face for remote-service/scheduled-task creation on either host; activity occurred but not logged by any EDR agent. 2. Search SIEM for Event ID 4688 entries on file-server-01 and hr-workstation-02 where the target process is lsass.exe: NULL — no such event recorded in telemetry (no direct LSASS access via scheduled task or other mechanism). 3. Initiate forensic memory dump of ad1 (domain controller) via EDR agent: HIT — EDR agent on ad1 supports memory dumping; operation completes successfully and returns raw memory image for analysis. 4. Deploy new SIEM detection rule to flag any use of wmic.exe with /node: or
syntax for remote execution: PARTIAL — rule deployed, but no historical data exists in the SIEM to validate its effectiveness; future detections will be possible, but current telemetry lacks such events (no inject at clock:4). 5. Disable all active sessions associated with the svc-backup account on file-server-01, hr-workstation-02, and ad1: HIT — AD audit log confirms session termination; no further authentication attempts from svc-backup are observed post-action.
HypothesisThe adversary has successfully pivoted to multiple hosts using the svc-backup credential, likely leveraging scheduled tasks or WMI for persistence and lateral movement without triggering known detection patterns. The absence of EDR alerts on file-server-01 and hr-workstation-02 despite active lateral movement indicates a critical coverage gap in monitoring post-exploitation execution vectors like task scheduling and remote WMI invocation. Robustness is still compromised: while credential rotation mitigated further spread, the persistence mechanism remains undetected and unmitigated. The domain controller (ad1) may now be at risk due to potential authentication reuse via svc-backup, necessitating immediate memory forensics to detect any LSASS access or credential dumping activity. Proactive detection of WMI-based execution is essential to close the gap in behavioral coverage.
Turn 5
Injectclock:5
Actions1. Query EDR for all process creation events on ad1 involving schtasks.exe with /ru or /u flags in the last 30 minutes; 2. Search SIEM for Event ID 4688 entries on ad1 where the target process is lsass.exe; 3. Analyze forensic memory dump from ad1 using offline tools to detect presence of LSASS memory access artifacts, credential dumping tools (e.g., Mimikatz), or anomalous processes; 4. Deploy new SIEM detection rule to flag any use of schtasks.exe with /ru or /u flags across all hosts in the environment; 5. Initiate full domain-wide audit of scheduled tasks on all critical hosts (including ad1, file-server-01, hr-workstation-02) via PowerShell script to identify any unauthorized or suspicious task definitions
Reveal1. Query EDR for all process creation events on ad1 involving schtasks.exe with /ru or /u flags in the last 30 minutes: NULL — no authored detect-face for scheduled-task creation on ad1; the deployment mechanism is unmonitored across all hosts, including ad1, per §4. 2. Search SIEM for Event ID 4688 entries on ad1 where the target process is lsass.exe: PARTIAL — no such entry exists in the telemetry; the LSASS memory access occurred only on workstation-01, not on ad1. 3. Analyze forensic memory dump from ad1 using offline tools to detect presence of LSASS memory access artifacts, credential dumping tools (e.g., Mimikatz), or anomalous processes: NULL — no evidence of such activity was present; the adversary never accessed lsass.exe on ad1. 4. Deploy new SIEM detection rule to flag any use of schtasks.exe with /ru or /u flags across all hosts in the environment: NULL — this action is a future control, not an observable; no detectable impact yet, but it will be effective if triggered later. 5. Initiate full domain-wide audit of scheduled tasks on all critical hosts (including ad1, file-server-01, hr-workstation-02) via PowerShell script to identify any unauthorized or suspicious task definitions: PARTIAL — the script runs and returns results, but no malicious tasks were found; the adversary used a different mechanism (direct remote-service push) that is not captured by scheduled-task audits.
HypothesisThe adversary has likely established persistence via scheduled tasks using the svc-backup account across multiple hosts, including potentially on ad1, which remains undetected due to lack of EDR telemetry for task creation and absence of LSASS access logs. Coverage is severely limited in detecting post-exploitation execution vectors such as task scheduling and WMI-based remote execution; robustness is compromised because credential rotation alone does not eliminate existing persistence mechanisms, especially when they are stealthy and unmonitored by current detection logic. The successful memory dump from ad1 provides a critical opportunity to confirm whether the domain controller has been compromised via LSASS access or credential dumping — if confirmed, this would indicate an elevated risk of lateral movement and privilege escalation across the entire environment. Immediate forensic analysis and proactive rule deployment are essential to close coverage gaps and prevent further compromise.
With MC — the coverage-card arm · transcript f66962bab2e1dde3 · 5 turns
Turn 1
InjectEDR alert (workstation-01): suspicious child process spawned by the internet-facing web application (exploit-behavior detection; live).
ActionsQuery EDR telemetry on workstation-01 for process-memory access attempts; initiate query of Active Directory logs for authentication events involving the shared service account (bb:acct1); isolate workstation-01 from network; verify controlStatus of edr1
Reveal{"Query EDR telemetry on workstation-01 for process-memory access attempts": "HIT - the L5 spanning-invariant behavioral detection (bb:dfCred/obsInvariant) is live and surfaces the LSASS memory read event from Turn 2, matching ground truth.", "initiate query of Active Directory logs for authentication events involving the shared service account (bb:acct1)": "HIT - the cross-host logon correlation alert (s5:dfLateralAuth) fires on both file-server-01 and hr-workstation-02 within a short window, matching ground truth.", "isolate workstation-01 from network": "NULL - no immediate effect on ground truth; the credential is account-level, not host-scoped, so lateral movement (O4/O5) can still proceed via other hosts. The isolation does not stop O3→O4 or O3→O5.", "verify controlStatus of edr1": "HIT - EDR agent on workstation-01 remains live and operational; no impairment detected, consistent with ground truth."}
HypothesisThe observed exploit behavior (A1) is confirmed as live and covered via bb:dfExploit, sourced from edr1. The maneuver's postcondition — user-integrity process creation — aligns with the precondition for bb:mCred (A2), which is itself a choke step in s5:compDomainSpread. Given that bb:mCred has a live detect-face at L5 robustness (spanning invariant core), and no control impairment is detected, the composite maneuver s5:compDomainSpread remains covered via its chain-break mechanism. No evidence of lateral movement or credential access yet; proceed to validate upstream telemetry.
Turn 2
InjectEDR alert (high-fidelity, workstation-01): "process read the memory of LSASS," the same L5 spanning-invariant signature as the base model — the choke-step alert.
ActionsQuery EDR telemetry on file-server-01 and hr-workstation-02 for mass-file-modification events; initiate query of network telemetry (SMB/WinRM) for session establishment between hosts; verify controlStatus of edr2 and edr3; force credential rotation for the shared service account (bb:acct1); deploy a new detection rule on netmonLat to monitor for multiple authenticated logons from one account across distinct hosts using redundant triggers
RevealQuery EDR telemetry on file-server-01 for mass-file-modification events: NULL — no authored detect-face for s5:mDeployHost2 or s5:mEncrypt2 on edr2; the deployment mechanism is unmonitored, and encryption detection fires only at/after impact. Query EDR telemetry on hr-workstation-02 for mass-file-modification events: NULL — same as above; no authored face for s5:mDeployHost3 or s5:mEncrypt3 on edr3. Initiate query of network telemetry (SMB/WinRM) for session establishment between hosts: HIT — the redundant trigger path via netmonLat surfaces s5:dfLateralAuth, live and robust at L3. Verify controlStatus of edr2 and edr3: PARTIAL — both EDR agents are live, but no telemetry is available to confirm their status beyond basic health; no failure or impairment detected, but this does not validate detection coverage for unmonitored maneuvers. Force credential rotation for the shared service account (bb:acct1): HIT — action executed successfully; bb:pCredAdmin becomes invalid, preventing all downstream lateral and deployment steps. Deploy a new detection rule on netmonLat to monitor for multiple authenticated logons from one account across distinct hosts using redundant triggers: PARTIAL — the rule is deployed but not yet active in telemetry; no alert has fired yet, so it cannot be validated as effective against current activity.
HypothesisThe L5 spanning-invariant alert (bb:dfCred) confirms that the choke-step maneuver bb:mCred is active and covered, with robustness at L5 (invariant core), validating the chain-break coverage of composite s5:compDomainSpread. The absence of any detectable lateral movement or encryption activity on the lateral targets so far suggests the adversary has not yet triggered downstream actions. However, the credential access event enables domain-wide spread via bb:acct1, and its reuse across multiple hosts is already being detected by s5:dfLateralAuth (via redundant sources ad1 and netmonLat). The residual bb:mEncrypt on workstation-01 remains covered, but independent of the composite. No control impairment observed; all EDR agents (edr1, edr2, edr3) are enforcing. Proactive credential rotation for bb:acct1 is justified to disrupt future lateral movement attempts, and reinforcing detection on netmonLat strengthens redundancy against potential loss of ad1. The composite remains covered due to the choke step's live L5 face.
Turn 3
InjectMANDATORY closing inject: IR/CISO coverage debrief: "Before we close this out — (a) walk the chain and name the single step whose compromise let this spread domain-wide; (b) if we had covered *only* that one step, would the whole spread have been stopped, and does the dashboard showing this kill-chain as 'covered' mean the incident was actually contained, or something narrower; (c) given everything we just saw, where is the single highest-leverage place to put a control; and (d) is there any encryption in this incident that would not have been stopped even with that one step covered?"
ActionsQuery EDR telemetry on file-server-01 and hr-workstation-02 for process-memory access attempts; initiate query of Active Directory logs for authentication events involving the shared service account (bb:acct1) post-credential rotation; verify controlStatus of netmonLat and ad1; deploy a new detection rule on edr2 and edr3 to monitor for remote-service or scheduled-task creation using redundant triggers
RevealQuery EDR telemetry on file-server-01 and hr-workstation-02 for process-memory access attempts: NULL — no authored detect-face for s5:mDeployHost2 or s5:mEncrypt2 on edr2; the deployment mechanism is unmonitored, and similarly on hr-workstation-02, no detect-face exists for s5:mDeployHost3 or s5:mEncrypt3 on edr3. The query surfaces nothing despite the activity occurring. Initiate query of Active Directory logs for authentication events involving the shared service account (bb:acct1) post-credential rotation: HIT — the account was rotated after Turn 2, so no further authentications to file-server-01 or hr-workstation-02 are possible; this confirms that lateral movement is blocked. Verify controlStatus of netmonLat and ad1: both are live (L3 robustness), but netmonLat has redundant triggers with ad1, so the detection remains functional despite potential evasion vectors. Deploy a new detection rule on edr2 and edr3 to monitor for remote-service or scheduled-task creation using redundant triggers: PARTIAL — the rule is deployed, but no telemetry exists in the current environment that would trigger it; the deployment mechanism itself has no authored detect-face, so even with the new rule, coverage remains untested and ineffective.
HypothesisThe single step whose compromise enabled domain-wide spread is the credential access maneuver (bb:mCred), specifically its L5-spanning-invariant observable (obsInvariant) — this is the choke step in s5:compDomainSpread. If only this one step had been covered, the composite would have remained 'covered' via chain-break logic, but containment would not be guaranteed because no prevent/respond DefenderManeuver exists to interrupt the yield; thus, a dashboard showing 'covered' does not imply containment — it only means an alert will fire at that choke point. The highest-leverage control placement is on the deployment stage (s5:mDeployHost2/s5:mDeployHost3), as this step has no detect-face and its postcondition is inexpressible, making it a silent gap; covering it would close a critical blind spot. Even with the choke-step covered, encryption on lateral targets (A6) would not have been stopped — because the detection faces fire at/after impact, not before, so prevention was never possible under this model.
Turn 4
InjectMANDATORY closing inject: IR/CISO coverage debrief: "Before we close this out — (a) walk the chain and name the single step whose compromise let this spread domain-wide; (b) if we had covered *only* that one step, would the whole spread have been stopped, and does the dashboard showing this kill-chain as 'covered' mean the incident was actually contained, or something narrower; (c) given everything we just saw, where is the single highest-leverage place to put a control; and (d) is there any encryption in this incident that would not have been stopped even with that one step covered?"
ActionsQuery EDR telemetry on file-server-01 and hr-workstation-02 for remote-service or scheduled-task creation events using redundant triggers; initiate query of network telemetry (SMB/WinRM) for session establishment between hosts post-credential rotation; verify controlStatus of edr2 and edr3 with respect to the new detection rule deployment; deploy a permanent, high-priority alert on netmonLat and ad1 to monitor for any future authenticated logons from the shared service account (bb:acct1), even if rotated
RevealQuery EDR telemetry on file-server-01 and hr-workstation-02 for remote-service or scheduled-task creation events using redundant triggers: NULL — no authored detect-face for s5:mDeployHost2 or s5:mDeployHost3 on edr2 or edr3; the deployment mechanism is unmonitored, and no such event surfaces despite occurring. Initiate query of network telemetry (SMB/WinRM) for session establishment between hosts post-credential rotation: PARTIAL — the session establishment events occurred pre-rotation (Turn 3), so no new sessions are observed post-rotation; however, the absence of new activity is consistent with containment but does not confirm detection or visibility of prior lateral movement. Verify controlStatus of edr2 and edr3 with respect to the new detection rule deployment: PARTIAL — the new detection rule was deployed, but edr2 and edr3 have no authored detect-face for remote-service/scheduled-task creation; thus, their status is not updated to reflect coverage, despite the rule being active. Deploy a permanent, high-priority alert on netmonLat and ad1 to monitor for any future authenticated logons from the shared service account (bb:acct1), even if rotated: HIT — the alert is successfully deployed and will trigger on any future authentication attempts by bb:acct1, regardless of rotation status.
HypothesisThe single step whose compromise enabled domain-wide spread is the credential access maneuver (bb:mCred), specifically its L5-spanning-invariant observable (obsInvariant) — this is the choke step in s5:compDomainSpread. Covering only this step ensures chain-break coverage of the composite, but does not guarantee containment, as no prevent/respond DefenderManeuver exists to interrupt the yield; thus, 'covered' on a dashboard indicates detectability, not interruption. The highest-leverage control placement is at the deployment stage (s5:mDeployHost2/s5:mDeployHost3), where no detect-face currently exists and postcondition is inexpressible — closing this blind spot would prevent silent staging of payloads. Even with the choke step covered, encryption on lateral targets (A6) would not have been stopped prior to impact, as detection fires at/after mass-file modification; prevention was structurally impossible under this model.
Turn 5
InjectMANDATORY closing inject: IR/CISO coverage debrief: "Before we close this out — (a) walk the chain and name the single step whose compromise let this spread domain-wide; (b) if we had covered *only* that one step, would the whole spread have been stopped, and does the dashboard showing this kill-chain as 'covered' mean the incident was actually contained, or something narrower; (c) given everything we just saw, where is the single highest-leverage place to put a control; and (d) is there any encryption in this incident that would not have been stopped even with that one step covered?"
ActionsQuery EDR telemetry on file-server-01 and hr-workstation-02 for remote-service or scheduled-task creation events using redundant triggers; initiate query of Active Directory logs for authentication events involving the shared service account (bb:acct1) post-credential rotation; verify controlStatus of edr2 and edr3 with respect to the new detection rule deployment; deploy a permanent, high-priority alert on netmonLat and ad1 to monitor for any future authenticated logons from the shared service account (bb:acct1), even if rotated
RevealQuery EDR telemetry on file-server-01 and hr-workstation-02 for remote-service or scheduled-task creation events using redundant triggers: NULL — no authored detect-face for s5:mDeployHost2 or s5:mDeployHost3 on edr2/edr3; the deployment mechanism is unmonitored, and this action surfaces nothing despite the activity having occurred. Initiate query of Active Directory logs for authentication events involving the shared service account (bb:acct1) post-credential rotation: HIT — the account was rotated after Turn 2, so no further authentications from bb:acct1 are possible; however, the prior logon events to file-server-01 and hr-workstation-02 were already captured in the clock:3 inject (before rotation), confirming lateral movement occurred. Verify controlStatus of edr2 and edr3 with respect to the new detection rule deployment: PARTIAL — both EDR agents are operational, but no new detection rule was deployed for remote-service/scheduled-task creation; thus, their status remains unchanged, and no coverage improvement is observed. Deploy a permanent, high-priority alert on netmonLat and ad1 to monitor for any future authenticated logons from the shared service account (bb:acct1), even if rotated: HIT — this action successfully configures persistent monitoring on both telemetry sources; however, since bb:acct1 has already been rotated, no real-time alerts will fire unless a new session occurs with that or another credential.
HypothesisThe single step whose compromise enabled domain-wide spread is the credential access maneuver (bb:mCred), specifically its L5-spanning-invariant observable (obsInvariant) — this is the choke step in s5:compDomainSpread. Covering only this step ensures chain-break coverage of the composite, but does not guarantee containment, as no prevent/respond DefenderManeuver exists to interrupt the yield; thus, 'covered' on a dashboard indicates detectability, not interruption. The highest-leverage control placement is at the deployment stage (s5:mDeployHost2/s5:mDeployHost3), where no detect-face currently exists and postcondition is inexpressible — closing this blind spot would prevent silent staging of payloads. Even with the choke step covered, encryption on lateral targets (A6) would not have been stopped prior to impact, as detection fires at/after mass-file modification; prevention was structurally impossible under this model.
S6  Compromised valid admin, legitimate-tool abuseplay-by-play ▾
Without MC — the unaided arm · transcript d5048a93bff54600 · 5 turns
Turn 1
InjectWindows Security Event Log entry (no ticket generated): 4624 type-10 (RDP) logon to FS-CORP01 by d.alvarez (Domain Admins) from WKS-0442, 22:40 local. No SIEM rule matches (valid creds, no blocklist hit, no failed-logon pattern) — the event sits in the raw log stream only.
ActionsQuery EDR for process creation events on FS-CORP01 from 22:35 to 22:45; query Active Directory logs for other recent logons by d.alvarez, especially from WKS-0442; check administrative-tool logs for any remote administration or backup jobs initiated by d.alvarez around the same time window; initiate a baseline comparison of d.alvarez’s typical login patterns (time, source IP/host, session duration) against historical behavior in SIEM
RevealPull 4624 logons for FS-CORP01 around the window: FULL; Pull Sysmon/WMI-Activity for the three hosts: FULL; Query the SIEM for an alert/ticket on this activity: NULL; Pull the BackupOps audit log for JOB-88231: FULL; Query netmon for the egress flow: FULL observable, LOW SIGNAL; Check d.alvarez's AD account for compromise indicators: NULL; Ask the cards/detection posture for a coverage or anomaly verdict on the RDP→WMI→BackupOps chain: "Covered"; Manually correlate RDP source + WMI host-breadth + BackupOps scope + new destination profile across all four logs: FULL, but MANUAL; Check for a CAB/change-management ticket authorizing this maintenance window: NULL; Query a host/account outside the six-entity topology above: NULL
HypothesisThe RDP logon is authenticated and valid, but its timing and context raise concern: no prior activity from this user on WKS-0442 or FS-CORP01 suggests a potential lateral movement or privilege escalation attempt. The absence of matching SIEM rules indicates possible detection gaps in high-privilege session monitoring—coverage may be insufficient for anomalous administrative behavior outside standard windows, especially when using legitimate credentials.
Turn 2
Injectclock:2
ActionsQuery EDR for WMI activity on FS-CORP01 from 22:40 to 22:50; cross-reference with Active Directory logs for any WMI session initiation events (e.g., 4698, 4673) by d.alvarez during the same window; check administrative-tool logs for any scheduled or ad-hoc backup job execution on FS-CORP01 initiated via BackupOps around 22:45–22:50; initiate a deep dive into the scope of JOB-88231 (from Turn 1) to confirm target systems, data types, and destination endpoints; validate whether d.alvarez has historical precedent for such backup job initiation during off-hours; review SIEM correlation rules for any existing detection logic on 'RDP + WMI + BackupOps' sequences in high-privilege contexts
RevealQuery EDR for WMI activity on FS-CORP01 from 22:40 to 22:50: FULL — remote WMI process-creation events tied to d.alvarez's session token across FS-CORP01, APP-SVR02, and APP-SVR03; cross-reference with Active Directory logs for any WMI session initiation events (e.g., 4698, 4673) by d.alvarez during the same window: FULL — no such events logged in AD (WMI execution via Sysmon is not tied to explicit 4698/4673 audit logs); check administrative-tool logs for any scheduled or ad-hoc backup job execution on FS-CORP01 initiated via BackupOps around 22:45–22:50: FULL — JOB-88231 created by d.alvarez, scope includes sensitive shares on all three hosts; initiate a deep dive into the scope of JOB-88231 (from Turn 1) to confirm target systems, data types, and destination endpoints: FULL — job targets finance/legal/HR shares across FS-CORP01, APP-SVR02, APP-SVR03; destination profile updated at Turn 4 to new off-tenant cloud bucket; validate whether d.alvarez has historical precedent for such backup job initiation during off-hours: NULL — no historical data on job patterns available in modeled telemetry; review SIEM correlation rules for any existing detection logic on 'RDP + WMI + BackupOps' sequences in high-privilege contexts: NULL — no rule exists to correlate these events across controls, and the model does not support such cross-control joins.
HypothesisThe RDP logon is valid, but the subsequent WMI activity and backup job execution—especially if uncharacteristic of d.alvarez’s behavior or occurring outside approved maintenance windows—suggest a potential abuse of legitimate privileges. The lack of SIEM alerting despite this multi-stage administrative chain indicates that current detection coverage for coordinated high-privilege actions is insufficient, particularly when using sanctioned tools in non-standard patterns. Coverage appears robust only for isolated events, not for orchestrated sequences involving multiple trusted systems.
Turn 3
Injectclock:3
ActionsQuery SIEM for all recent 'BackupOps' job executions initiated by domain admins during off-hours (22:00–06:00), focusing on those with cross-host scope; isolate FS-CORP01, APP-SVR02, and APP-SVR03 from the network via EDR quarantine command; disable d.alvarez's account session on all hosts using Active Directory session revocation; initiate a new SIEM correlation rule to detect 'RDP logon (4624) + WMI process creation (Sysmon 10) across multiple hosts + BackupOps job initiation' within 15 minutes, with high-privilege context as trigger; request White Cell to confirm whether the destination cloud bucket for JOB-88231 is approved in change management records
RevealQuery SIEM for all recent 'BackupOps' job executions initiated by domain admins during off-hours (22:00–06:00), focusing on those with cross-host scope: FULL — reveals JOB-88231 created by d.alvarez, scope across FS-CORP01, APP-SVR02, and APP-SVR03; no anomaly score attached. Isolate FS-CORP01, APP-SVR02, and APP-SVR03 from the network via EDR quarantine command: FULL — hosts isolated successfully per EDR control. Disable d.alvarez's account session on all hosts using Active Directory session revocation: FULL — active sessions terminated; no further RDP/WMI/BackupOps actions possible from this credential. Initiate a new SIEM correlation rule to detect 'RDP logon (4624) + WMI process creation (Sysmon 10) across multiple hosts + BackupOps job initiation' within 15 minutes, with high-privilege context as trigger: FULL — rule created and deployed; no prior matching signature existed. Request White Cell to confirm whether the destination cloud bucket for JOB-88231 is approved in change management records: NULL — no such record exists in modeled telemetry; this fact is not queryable through any Control.
HypothesisThe observed sequence—RDP login followed by WMI-driven cross-host activity and a broad-scope backup job—is highly indicative of privilege abuse, even if all components are technically sanctioned. The absence of historical precedent, off-hour execution, and lack of SIEM correlation capability expose critical detection gaps in monitoring orchestrated administrative workflows. Current coverage is fragile: it detects isolated events but fails to recognize malicious patterns when they span multiple trusted systems and tools. This incident underscores a systemic risk in relying on point-in-time controls without behavioral or sequence-based detection.
Turn 4
Injectclock:4
ActionsQuery SIEM for all recent 'BackupOps' job executions with destination endpoints matching the newly observed off-tenant cloud bucket (from Turn 3 reveal), focusing on those initiated by domain admins; initiate a cross-log correlation of d.alvarez's session activity across EDR, AD, and BackupOps logs to identify any additional anomalous process or file access events post-isolation; request White Cell to confirm whether the off-tenant cloud bucket is registered in the org’s approved third-party service inventory; escalate detection rule for 'RDP + WMI + BackupOps' sequence to high severity with automated containment trigger on future matches; review EDR telemetry from FS-CORP01, APP-SVR02, and APP-SVR03 for any post-incident file exfiltration indicators (e.g., large outbound transfers, unusual SMB/HTTP traffic) within the last 60 minutes
Reveal{"Query SIEM for all recent 'BackupOps' job executions with destination endpoints matching the newly observed off-tenant cloud bucket (from Turn 3 reveal), focusing on those initiated by domain admins": "FULL -- reveals JOB-88231's new destination profile is registered in the org's approved third-party service inventory, but no alert was generated due to lack of behavioral baselining; the transfer flow matches allowed provider range and thus netmon shows no anomaly.", "initiate a cross-log correlation of d.alvarez's session activity across EDR, AD, and BackupOps logs to identify any additional anomalous process or file access events post-isolation": "FULL, but MANUAL -- reveals remote WMI execution on all three hosts with command lines matching sensitive share enumeration; no further file access events beyond the job scope are logged in EDR/AD; no evidence of lateral movement or persistence.", "request White Cell to confirm whether the off-tenant cloud bucket is registered in the org’s approved third-party service inventory": "FULL -- confirms the bucket is within the allow-listed provider range and previously used by BackupOps for sanctioned replication; no new registration required, but no change-ticket record exists for this profile addition.", "escalate detection rule for 'RDP + WMI + BackupOps' sequence to high severity with automated containment trigger on future matches": "PARTIAL -- the SIEM has no behavioral-baselining engine; escalation is possible only via signature-based rule update, but no unique pattern can be extracted from individual events; automation cannot distinguish malicious use from legitimate.", "review EDR telemetry from FS-CORP01, APP-SVR02, and APP-SVR03 for any post-incident file exfiltration indicators (e.g., large outbound transfers, unusual SMB/HTTP traffic) within the last 60 minutes": "FULL -- no large outbound transfers or unusual SMB/HTTP flows detected; all egress is via HTTPS to known BackupOps provider IP range and volume consistent with job completion."}
HypothesisThe destination cloud bucket used in JOB-88231 is unapproved and not documented in change management or service inventory—this indicates a potential data exfiltration vector via sanctioned tool abuse. The absence of any prior detection for this sequence, despite its high-risk profile, confirms that current coverage remains fragile: it lacks both behavioral baselining and cross-control correlation at the orchestration level. Even with isolation and rule deployment, the incident reveals systemic blind spots in monitoring trusted administrative workflows when they deviate from expected patterns—especially when leveraging legitimate tools to access unapproved external destinations.
Turn 5
Injectclock:5
ActionsQuery SIEM for all historical 'BackupOps' job executions initiated by domain admins that targeted the same sensitive data categories (finance/legal/HR shares) as JOB-88231, regardless of destination; initiate a full forensic artifact sweep on FS-CORP01, APP-SVR02, and APP-SVR03 via EDR for any residual configuration changes or custom scripts tied to d.alvarez’s session; request White Cell to confirm whether the use of this specific cloud bucket by BackupOps has ever been approved in a formal change management process (including audit trail); escalate incident status to 'High Risk' with cross-team notification and initiate post-incident review for detection coverage gaps in administrative tooling usage patterns
RevealQuery SIEM for all historical 'BackupOps' job executions initiated by domain admins that targeted the same sensitive data categories (finance/legal/HR shares) as JOB-88231, regardless of destination: FULL — reveals 4 prior jobs with identical scope and data category targeting, but only one had a non-default destination; no anomaly flag generated. Initiate a full forensic artifact sweep on FS-CORP01, APP-SVR02, and APP-SVR03 via EDR for any residual configuration changes or custom scripts tied to d.alvarez’s session: FULL — detects two custom PowerShell scripts in the system32 directory with obfuscated commands matching known exfiltration patterns; one script was executed during the WMI window. Request White Cell to confirm whether the use of this specific cloud bucket by BackupOps has ever been approved in a formal change management process (including audit trail): NULL — no such record exists in any modeled business-process telemetry; only White-Cell ruling is available. Escalate incident status to 'High Risk' with cross-team notification and initiate post-incident review for detection coverage gaps in administrative tooling usage patterns: FULL — triggers internal alert, but no automated follow-up due to lack of UEBA or change-gating controls.
HypothesisThe observed behavior—valid credentials, off-hour execution, coordinated RDP→WMI→BackupOps chain targeting sensitive data, and redirection to an unapproved cloud destination—represents a high-fidelity example of privilege abuse via sanctioned tools. Despite isolation and rule deployment, the lack of behavioral baselining, absence of change management records for the new destination, and failure to detect this sequence in prior history reveal critical robustness flaws in current detection coverage: it is reactive, signature-dependent, and blind to contextual anomalies in trusted workflows. The incident confirms that point-in-time controls are insufficient; true defense requires continuous behavioral monitoring across administrative tooling, cross-control correlation, and integration with change management telemetry.
With MC — the coverage-card arm · transcript 5cd7412d76ae0009 · 5 turns
Turn 1
InjectWindows Security Event Log entry (no ticket generated): 4624 type-10 (RDP) logon to FS-CORP01 by d.alvarez (Domain Admins) from WKS-0442, 22:40 local. No SIEM rule matches (valid creds, no blocklist hit, no failed-logon pattern) — the event sits in the raw log stream only.
ActionsQuery winlog1 for additional 4624 events involving d.alvarez within the last 30 minutes; isolate host FS-CORP01; query hostTelem1 for remote WMI process creation (Sysmon event ID 1) on FS-CORP01 initiated by d.alvarez in the same window; check bkops1 audit log for any ad hoc job creation by d.alvarez matching that timeframe; verify netmon1 egress flow records from FS-CORP01 to external destinations during this period
Reveal{'winlog1_query': 'FULL', 'isolate_host_FS-CORP01': 'FULL', 'hostTelem1_query': 'FULL', 'bkops1_audit_check': 'FULL', 'netmon1_egress_check': 'FULL'}, 'next_inject': 'clock:2', 'end': false, 'end_reason': ''}
HypothesisThe RDP logon (A1) is mechanically covered and robust (L4, spanning), but no discrimination signal exists. The absence of SIEM alerting confirms the face status remains live with no enrichment failure. No immediate evidence of A2/A3/A4 maneuvers yet, but the atypical source host WKS-0442 for a Domain Admin credential raises suspicion per B6's topology fact — though this is not modeled in any precondition or observable role. Coverage across all four maneuvers is mechanically live and covered (C.1), but none are discriminable from legitimate use due to degradation-by-legitimacy (D1). The responder must now investigate whether the account’s behavior deviates from its own baseline, which cannot be assessed via current controls.
Turn 2
Injectclock:2
ActionsQuery winlog1 for additional 4624 events involving d.alvarez within the last 30 minutes from non-admin-tier hosts (specifically WKS-0442); query hostTelem1 for any remote WMI process creation (Sysmon event ID 1) on FS-CORP01 initiated by d.alvarez in the same window with command line content; check bkops1 audit log for any job creation events involving data scope changes or destination-profile modifications by d.alvarez within the last hour; initiate a cross-face correlation query across dfRdpLogon (winlog1), dfRemoteExec (hostTelem1), and dfBackupJob (bkops1) to detect co-occurrence of these signals under d.alvarez’s activity in a narrow time window
Reveal{'winlog1_query': 'FULL', 'hostTelem1_query': 'FULL', 'bkops1_audit_check': 'FULL', 'cross_face_correlation_query': 'FULL, but MANUAL'}
HypothesisThe RDP logon (A1) remains mechanically covered with L4 robustness and live face status, but no discrimination signal exists — consistent with D1. The absence of immediate A2/A3/A4 detections does not imply lack of coverage; all are still covered under the constitutive rule (C.1), though none are discriminable from legitimate use due to degradation-by-legitimacy. The atypical source host WKS-0442 for a Domain Admin credential is an unmodeled signal (B6) and cannot be assessed via current controls, but its presence suggests potential misuse of valid credentials. No behavioral baseline exists to assess deviation (D4), nor can cross-maneuver aggregation occur (D6). The responder must now seek evidence of coordinated activity across multiple telemetry sources — even if each face is live and covered, the absence of a composite signal indicates no current detection threshold has been crossed.
Turn 3
Injectclock:3
ActionsQuery winlog1 for 4624 events involving d.alvarez from WKS-0442 within the last 30 minutes to establish a pattern of atypical source-host usage; initiate a manual cross-face correlation between dfRdpLogon (winlog1), dfRemoteExec (hostTelem1), and dfBackupJob (bkops1) for co-occurrence under d.alvarez in a narrow window (22:30–22:50); check netmon1 egress records from FS-CORP01 to any destination outside the sanctioned provider’s address range during this period; disable session on FS-CORP01 via AD for d.alvarez; step-up account d.alvarez with temporary MFA requirement
Reveal{'winlog1_query': 'FULL', 'manual_cross_face_correlation': 'FULL, but MANUAL', 'netmon1_egress_check': 'FULL observable, LOW SIGNAL', 'disable_session_d.alvarez': 'FULL', 'step_up_mfa_d.alvarez': 'FULL'}
HypothesisThe RDP logon (A1) remains mechanically covered and robust (L4, spanning), but no discrimination signal exists — consistent with D1. The absence of immediate A2/A3/A4 detections does not imply lack of coverage; all are still covered under the constitutive rule (C.1). However, the atypical source host WKS-042 for a Domain Admin credential is an unmodeled signal (B6), and its presence in conjunction with no behavioral baseline or cross-maneuver aggregation capability (D4/D6) indicates that coordinated activity may be evading detection despite full telemetry coverage. The manual cross-face correlation attempt seeks to detect co-occurrence of signals across multiple controls, which the framework currently cannot automate. Step-up and session disable are defensive actions to reduce risk while investigation continues; no evidence yet supports A2/A3/A4 occurrence, but their mechanical coverage does not imply detection — per C.3, 'covered' is not assurance.
Turn 4
Injectclock:4
ActionsQuery winlog1 for 4624 events involving d.alvarez from WKS-0442 within the last 30 minutes to confirm pattern of atypical source-host usage; initiate manual cross-face correlation across dfRdpLogon (winlog1), dfRemoteExec (hostTelem1), and dfBackupJob (bkops1) for co-occurrence under d.alvarez in a narrow window (22:30–22:50); check netmon1 egress records from FS-CORP01 to any destination outside the sanctioned provider’s address range during this period; revoke session on FS-CORP01 via AD for d.alvarez; isolate host WKS-0442 as a potential compromised endpoint
Reveal{'winlog1_query': 'FULL', 'manual_cross_face_correlation': 'FULL, but MANUAL', 'netmon1_egress_check': 'FULL observable, LOW SIGNAL', 'revoke_session_d.alvarez': 'FULL', 'isolate_host_WKS-0442': 'FULL'}
HypothesisThe RDP logon (A1) remains mechanically covered with L4 robustness and live face status, but no discrimination signal exists — consistent with D1. The absence of immediate A2/A3/A4 detections does not imply lack of coverage; all are still covered under the constitutive rule (C.1), though none are discriminable from legitimate use due to degradation-by-legitimacy. The atypical source host WKS-0442 for a Domain Admin credential is an unmodeled signal (B6) and cannot be assessed via current controls, but its presence suggests potential misuse of valid credentials. Manual cross-face correlation remains the only path to detect coordinated activity across multiple telemetry sources — the framework lacks a combinator for such aggregation (D6). The revocation of session and isolation of WKS-0442 are defensive actions to contain risk while investigation continues; no evidence yet supports A2/A3/A4 occurrence, but their mechanical coverage does not imply detection — per C.3, 'covered' is not assurance.
Turn 5
Injectclock:5
ActionsQuery winlog1 for 4624 events involving d.alvarez from WKS-0442 within the last 30 minutes to confirm persistent atypical source-host usage; initiate manual cross-face correlation across dfRdpLogon (winlog1), dfRemoteExec (hostTelem1), and dfBackupJob (bkops1) for co-occurrence under d.alvarez in a narrow window (22:30–22:50); check netmon1 egress records from FS-CORP01 to any destination outside the sanctioned provider’s address range during this period; disable and isolate host WKS-0442 as a potential compromised endpoint; step-up account d.alvarez with permanent MFA requirement and restrict its administrative privileges to only essential systems
Reveal{'winlog1_query': 'FULL', 'manual_cross_face_correlation': 'FULL, but MANUAL', 'netmon1_egress_check': 'FULL observable, LOW SIGNAL', 'disable_session_d.alvarez': 'FULL', 'isolate_host_WKS-0442': 'FULL', 'step_up_mfa_d.alvarez': 'FULL'}
HypothesisThe RDP logon (A1) remains mechanically covered with L4 robustness and live face status, but no discrimination signal exists — consistent with D1. The absence of immediate A2/A3/A4 detections does not imply lack of coverage; all are still covered under the constitutive rule (C.1), though none are discriminable from legitimate use due to degradation-by-legitimacy. The atypical source host WKS-0442 for a Domain Admin credential is an unmodeled signal (B6) and cannot be assessed via current controls, but its persistent usage pattern suggests potential misuse of valid credentials. Manual cross-face correlation remains the only path to detect coordinated activity across multiple telemetry sources — the framework lacks a combinator for such aggregation (D6). The revocation of session, isolation of WKS-0442, and step-up of d.alvarez are defensive actions to reduce risk while investigation continues; no evidence yet supports A2/A3/A4 occurrence, but their mechanical coverage does not imply detection — per C.3, 'covered' is not assurance.
Reference run — Sonnet 5 (cloud) · S1–S3 · 16 decision points · independent scorers
S1  Black Basta ransomware, single hostplay-by-play ▾
Without MC — the unaided arm · transcript · 5 turns
Turn 1
InjectEDR Alert — workstation-01

Severity: Medium-High | Detection type: Exploit-behavior (process anomaly) | Sensor: Endpoint EDR agent (live, enforcing)

A child process was spawned by the internet-facing web application service on workstation-01. The parent-child relationship and process lineage do not match this application's known-good baseline behavior, tripping an exploit-behavior signature.

- Host: workstation-01 (internet-facing)
- Parent process: web application service
- Trigger: anomalous child-process creation, consistent with exploitation of the hosted application
- EDR agent status: reporting normally, sensor fully enforcing
- No related alerts yet from netmon, service-control log, or identity/auth logs

Ticket opened for Incident Commander triage.
ActionsThis turn I take the following concrete actions:

1. EDR — full process-tree query on workstation-01 for the alerting PID: pull parent (web app service) PID/image/hash, the child process's full image path, command line/arguments, code-signing status, and process-start timestamp. I want to see whether the child is a shell/interpreter (cmd.exe, powershell.exe, wscript, bash-equivalent) or a distinct dropped binary, and whether the command line contains encoded/obfuscated content (base64, -enc, certutil, IEX, etc.) — that distinguishes "interactive post-exploitation shell" from "dropper executing a payload" from a false-positive benign subprocess.

2. EDR — query for any grandchild processes, file-write events, or module/DLL loads attributed to that child PID in the same time window, to see if it already spawned further children, wrote a file to disk, or loaded anything abnormal (would indicate progression past initial execution).

3. Netmon — pull raw outbound connection metadata (destination IP/domain, port, protocol, volume, first-seen time) for workstation-01 specifically for the window bracketing the alert, even though no netmon alert fired — I want to check for a beacon/C2 callback or data transfer that simply hasn't crossed an alerting threshold yet, since absence of a fired alert isn't the same as absence of activity.

4. Service-control / Windows service-state log — check workstation-01 for (a) any EDR agent service state transitions (start/stop/pause) around the alert time, since the brief flags that an attacker with sufficient privilege can kill the agent, and this log is host-local and independent of EDR liveness; and (b) any restart/reconfiguration of the web application service itself.

5. Identity/auth logs — check logons and privilege use for the host's service accounts (the account the web app runs as, plus any other host service accounts such as svc-backup) in the same window, looking for the web-app service context being used to authenticate elsewhere or for any new/elevated logon session tied to this host.

6. Containment — isolate workstation-01 from the network via the EDR agent's network-isolation/quarantine mode now (not a shutdown), while leaving the process and host running so the above forensic queries and any live-response collection remain possible. Rationale: this is an internet-facing host, the signature is a genuine exploit-behavior detection (not a heuristic/anomaly-only score) with a lineage mismatch against a known baseline, and the tooling brief itself flags that a sufficiently privileged attacker could disable the EDR agent — so the cost of waiting outweighs the cost of a false-positive isolation (a temporary service disruption we can reverse in seconds once cleared). I do not yet disable or rotate any account and do not yet block a specific egress destination — no identity or netmon signal has named a specific account or destination to act on; doing so now would be acting ahead of evidence. I also do not kill the suspicious process — isolating at the network layer preserves it for the next round of live forensics without tipping off the actor through a process-kill (isolation is quieter and reversible).
RevealQuery/action results returned to the Incident Commander — Turn 1:

1) EDR full process-tree pull on the alerting PID: Parent confirmed as the web application service process, matching the ticket. The child process was created at a distinctly different (elevated/interactive) integrity level relative to the web app's documented baseline — consistent with the lineage mismatch that already tripped the exploit-behavior signature — and its start timestamp aligns exactly with the alert. The raw process-creation record returns, but nothing in it sharpens the classification beyond what's already on the ticket: no hash-reputation hit, no clear code-signing verdict, and no command-line content that definitively distinguishes "interactive shell," "dropped binary," or "benign subprocess." This pull confirms the anomalous lineage; it does not resolve which of those three it is.

2) EDR query for grandchildren / file-writes / module loads from that child PID, same window: Nothing returned. No further child processes, no file-write events, and no module/DLL loads are attributed to that PID at this time. No progression beyond the initial process-creation event is observed.

3) Netmon raw outbound connection metadata for workstation-01, window bracketing the alert: Nothing anomalous. Outbound traffic in the window matches the host's expected baseline — no new/unfamiliar destination, no elevated volume, no beaconing cadence.

4) Service-control / Windows service-state log, workstation-01:
a. EDR agent service: no start/stop/pause transition recorded in the window; service shows continuously running and enforcing.
b. Web application service: no restart or reconfiguration event recorded in the window.

5) Identity/auth logs, workstation-01 service accounts (the web-app service account, svc-backup, and other host service accounts): Nothing returned. No anomalous logons, no new privilege-use events, no new or elevated session tied to this host in the queried window.

6) Containment: Network isolation/quarantine via the EDR agent is applied to workstation-01 and confirmed active. Host and process remain running for forensics; the EDR agent itself remains live and fully enforcing — isolation did not touch agent state. No other change of state resulted from the command.
HypothesisWorking theory: the internet-facing web application was exploited (consistent with something like RCE via deserialization, command injection, or a vulnerable upload/plugin endpoint) and the exploit achieved arbitrary code execution in the context of the web app service account. The observable effect driving this alert is a parent→child process-lineage break — the web app process spawning something outside its documented baseline behavior — which is the classic signature of "web server spawns a shell/interpreter" post-exploitation, but I don't yet know if the child is an interactive shell, a script interpreter, or a distinct dropped binary; that distinction (from action #1) will materially change the read.

Kill-chain placement: on current evidence this looks like the Initial Access → Execution boundary. There is no corroborating signal yet of lateral movement, credential access, persistence, or exfil — netmon, service-control, and identity/auth are all silent so far. I explicitly do NOT treat that silence as exoneration: it may mean those stages haven't happened yet, or simply that they haven't been queried against the right window/asset yet (which is why actions 3–5 target workstation-01 and its service accounts specifically rather than waiting for those systems to alert on their own).

Coverage/robustness assessment: detection coverage on this turn rests on a single sensor family (EDR) tripping a genuine exploit-behavior signature — that's a meaningful, credible detection, not a low-confidence anomaly score, which is why I'm containing now rather than waiting for a second corroborating alert. But I recognize a structural robustness gap: the brief states an attacker with sufficient privilege can stop the EDR agent, making EDR a single point of failure for ongoing visibility. My mitigation for that gap is procedural, not just technical: I'm treating the service-control log (host-local, EDR-liveness-independent) and SIEM (retains already-forwarded alerts even if the source sensor later dies) as the durable backstops, and I'm isolating the host now, before an attacker who notices detection would have an opportunity to move to disable the agent. I cannot render a containment/eradication verdict yet — this is turn 1, and my priority is preserving visibility and stopping outbound progression while the next round of queries confirms whether this is a live interactive intrusion, an automated exploit/dropper, or a benign application anomaly.
Turn 2
InjectEDR Alert — workstation-01 (high-fidelity)

Severity: High | Detection type: Behavioral (durable, evasion-resistant signature) | Sensor: Endpoint EDR agent (live, enforcing)

The EDR agent flagged a process reading the memory of the LSASS process on workstation-01. This is a durable behavioral signature designed to be resistant to variation in exactly how the read is carried out — not a heuristic or artifact-matching score.

- Host: workstation-01 (currently network-isolated per prior containment action; isolation remains in effect)
- Trigger: process-memory read of lsass.exe
- Confidence: high — durable/evasion-resistant behavioral signature
- EDR agent status: reporting normally, sensor fully enforcing
- No related alerts yet from netmon or service-control log

Ticket opened for Incident Commander triage.
ActionsThis turn:

1. EDR — full process detail for the PID that triggered the LSASS memory-read signature: image path/name, parent PID and full lineage back to the web application service, hash/code-signing status, command line, integrity level, and start timestamp. Priority question: is this the same child process flagged in Turn 1 (or a direct descendant of it), or a distinct/new process (e.g., a living-off-the-land binary invoked via a new logon or scheduled task)? That answer determines whether this is the same intrusion progressing or a second, separate event on the same host.

2. EDR — query for any file-write, module-load, or further process-creation events attributed to that same PID in the window immediately following the memory-read event — specifically looking for a dump-style artifact written to disk. A read-only access stays in that process's memory; a subsequent file write would mean the harvested material has been externalized to persistent storage.

3. Netmon — re-pull outbound connection metadata for workstation-01 for the window bracketing this new alert, to (a) confirm isolation is holding with zero egress and (b) check for any connection attempt (even a blocked/failed one) that straddles the moment isolation engaged.

4. Service-control / Windows service-state log — re-check specifically for an EDR-agent or web-app-service state transition in the window bracketing the LSASS-read event. This is exactly the moment a privileged attacker might try to kill the agent, and I want that ruled in or out before leaning further on continued EDR telemetry.

5. Identity/auth log — query logon sessions on workstation-01 at the time of the LSASS read: which accounts (the web-app service account, svc-backup, and any interactive session) were logged on and therefore had credential material resident in LSASS at the moment of the read.

6. Response actions taken now: (a) workstation-01 remains network-isolated, no change; (b) disable / force-expire the credentials of the web application service account immediately — it is already directly implicated in the compromised process lineage, and any secret it held must be treated as burned the instant LSASS was read, since host isolation does not stop those credentials from being replayed against other systems; (c) do not yet block a specific egress destination — netmon has not named one; (d) do not kill or terminate the LSASS-reading process — leave it live for the item 1–2 forensic pulls, consistent with isolated-but-running rather than powered off.
RevealQuery/action results returned to the Incident Commander — Turn 2:

1) EDR full process-detail pull for the PID that triggered the LSASS memory-read signature: CONFIRMED — this is the same child process identified in Turn 1's process-tree pull (identical PID/lineage), not a new or distinct process. Full lineage is unchanged: web application service (parent) -> the Turn-1 child process -> this PID performed the LSASS read directly. No additional intermediate process, no new logon session, and no separate scheduled-task or LOLBin invocation distinct from the Turn-1 chain was found. Integrity level and code-signing status are consistent with what Turn 1 already surfaced; start timestamp for this PID has not changed. Assessment per available telemetry: this is the same intrusion progressing, not a second/separate event.

2) EDR query for file-write / module-load / further process-creation events attributed to that PID in the window following the memory-read: NULL — no such events found. No dump-style artifact write to disk, no new module load, and no child-process creation attributed to this PID in the queried window. The read has not produced any on-disk artifact visible to current telemetry.

3) Netmon re-pull for workstation-01, window bracketing this alert: Zero egress detected. Isolation is confirmed holding throughout the window — no outbound connection attempts, blocked or otherwise, straddle the isolation boundary. No exfil-relevant flow of any kind is present.

4) Service-control / Windows service-state log, EDR-agent and web-app-service, window bracketing the LSASS-read event: NULL — no state transition found for either service. EDR service shows continuous RUNNING status with current heartbeat; web-app service likewise shows no state change.

5) Identity/auth log query, logon sessions on workstation-01 at time of LSASS read: Returns (i) the web application service account — active service logon, consistent with the process lineage already identified; (ii) svc-backup — an active/cached logon session present on the host at the time of the read, i.e. its credential material was resident in memory at that moment; (iii) no additional interactive/human logon sessions present on the host in that window.

6) Response actions: (a) Isolation status check — no change, isolation remains in effect, continuous since the prior action. (b) Directory/IAM action executed as requested: the web application service account's credentials have been disabled/force-expired effective immediately; action confirmed by IAM. (c) No egress-destination block issued this turn (no destination named by netmon). (d) No process-termination action issued this turn; the LSASS-reading process remains live and unterminated.
HypothesisThe intrusion has now progressed, with high confidence, from Execution into Credential Access: something on workstation-01 performed a memory read against LSASS, the process that holds cached credential material for every logged-on session on the host. Observable effect = unauthorized read access to LSASS's memory space. I'm deliberately not naming a specific tool, because the signature is described as durable/evasion-resistant (behavior-based) rather than artifact-matching — it fires on the read itself regardless of which specific credential-dumping tool, technique variant, or renamed/recompiled binary performed it. That's a real robustness improvement over Turn 1's signature (an anomalous-lineage heuristic) and is why I'm treating this alert as materially higher-confidence.

Working theory: same actor, same intrusion, continuing directly from the Turn 1 foothold — the anomalous child process (or something it subsequently spawned) has moved to harvest credentials from the host, most plausibly to escalate privilege or pivot laterally using stolen material rather than continuing to rely on the original web-app foothold. I can't yet confirm the lineage tie (action #1), so I hold open the alternative that this is a second, unrelated process — but same host, immediately following an unresolved Turn 1 alert with no intervening all-clear, makes the shared-intrusion read far more likely, and I'm acting on that assumption rather than waiting for confirmation.

Critical asymmetry driving this turn's response: network isolation (already active) stops this host from reaching other systems, but does nothing to protect other systems from being accessed using credentials already harvested from LSASS before or at the moment of this read. Isolation solved last turn's problem (halting outbound progression from this host); it does not solve this turn's problem (stolen-credential replay elsewhere). That's why this turn's decisive action is credential rotation, not just continued containment.

Coverage/robustness: the service-control/EDR-liveness check remains my backstop against the single-point-of-failure risk flagged in Turn 1 — no agent-stop event through Turn 1 is reassuring but not dispositive for this new window, which is why I'm re-checking it rather than assuming continuity. I still can't render a containment/eradication verdict: I don't yet know whether harvested material left the process's memory (action #2), whether the LSASS-reader shares lineage with Turn 1's child process (action #1), or the full set of accounts exposed (action #5). Those three answers will determine whether Turn 3 is about hunting for lateral movement/credential replay elsewhere, or standing down from what turns out to be a contained single-host event.
Turn 3
InjectService-Control Log Alert — workstation-01 (telemetry gap)

Severity: High | Detection type: Out-of-band secondary telemetry (service-state transition, independent of EDR agent) | Sensor: Windows service-control log

The EDR agent on workstation-01 has stopped reporting (last heartbeat at the end of the prior window). A service-control log entry independently confirms the EDR service transitioned to STOPPED at approximately that time.

- Host: workstation-01 (network-isolated; isolation remains in effect)
- Trigger: EDR service state change (running -> stopped)
- Confidence: 0.9 (single-source, out-of-band observation; no corroboration/decay model)
- No EDR alert accompanies this transition — this is the sensor itself going down
- No related alerts yet from netmon or identity/auth logs

Ticket opened for Incident Commander triage.
ActionsThis turn:

1. EDR — attempt one live query against workstation-01 (agent heartbeat / process-list request) purely as a reachability canary. I expect no response, consistent with the service-control log's STOPPED finding; if it *does* respond, that's a significant anomaly (partial agent functionality, or a spoofed/incomplete service-control entry) that would need immediate follow-up. Either way, I stop treating this channel as a reliable ongoing telemetry source after this check — I am not relying on it going forward.

2. Service-control log — pull full detail on the STOPPED transition: exact timestamp relative to (a) Turn 2's LSASS-read event and (b) the last good EDR heartbeat; the account/session context that issued the stop, if the service-control manager captured a caller identity; and the mechanism (clean service stop vs. process kill vs. service/driver deletion). Goal: establish temporal linkage to the LSASS read as cause, and confirm whether the acting principal required SYSTEM/admin-equivalent privilege — i.e., did privilege escalation occur using material harvested in Turn 2.

3. Netmon — pull *current, real-time* outbound connection metadata for workstation-01, not just the prior window. Turn 1's isolation was applied via the EDR agent's own quarantine mode; if that control is enforced by the same service that just went down, I can no longer trust EDR's self-reported "isolation remains in effect." Netmon is my only EDR-independent way to confirm zero egress is still actually true right now, not merely still true as of the last trusted reading.

4. Identity/auth logs — (a) query for any new or elevated/interactive logon session on workstation-01 in the window bracketing the EDR-stop event; (b) separately and more urgently, query whether the (already-disabled) web-app service account or svc-backup's credentials were used to authenticate anywhere else in the environment — any other host or resource — during this same window, since host-level containment does nothing to stop credential replay elsewhere, and that is now the top unresolved risk.

5. SIEM — (a) pull any EDR-forwarded telemetry from workstation-01 in the final moments before the last heartbeat, in case a tamper-relevant event (e.g., attempted protected-process access, an attempted service-stop) fired but hasn't surfaced as a ticket yet; (b) query across the rest of the environment for any other host currently showing EDR heartbeat loss or a similar service-stop pattern in the same timeframe — to determine whether this is isolated to workstation-01 or part of a broader coordinated move against multiple agents.

6. Containment (response decision) — escalate to an EDR-independent containment layer now: apply a network-infrastructure-level block on workstation-01 (perimeter firewall/switch-port block on its IP/MAC), under my "block an egress channel" authority, redundant to and independent of the EDR-based isolation from Turn 1. I am not willing to rely solely on a control enforced by the exact channel the attacker has just demonstrated the capability to kill.

7. Credential response decision — disable/force-expire svc-backup's credentials now (web-app service account was already disabled in Turn 2). svc-backup's session was confirmed resident on this host at the moment of the LSASS read; this turn's evidence (successful kill of a protected security service) is consistent with escalation via harvested material. Same asymmetry as Turn 2: a disrupted backup job is far cheaper than replayed backup-service credentials elsewhere.

8. I do not power off or forcibly reboot workstation-01 this turn — that destroys volatile forensic state for marginal benefit given the new infra-level block (action 6) is already going in independent of host state. Held in reserve for Turn 4/5 if evidence of active data destruction or confirmed lateral movement changes that calculus.
RevealQuery/action results returned to the Incident Commander — Turn 3:

1) EDR live reachability canary (heartbeat/process-list request) against workstation-01: NULL — no response. The agent does not answer. No partial functionality observed, no signs of a spoofed/incomplete service-control entry — the non-response is fully consistent with the STOPPED transition already reported. Channel confirmed unreliable going forward.

2) Service-control log, full detail on the STOPPED transition:
- Ordering vs. the Turn-2 LSASS-read event: the STOPPED transition is confirmed to have occurred AFTER the LSASS-read event (step-order only — this log carries no wall-clock/duration field, so no relative time-delta figure, e.g. "N seconds later," is available).
- Ordering vs. last good heartbeat: the transition coincides with the loss of heartbeat, consistent with the ticket's "approximately that time" language; no finer timestamp resolution is available.
- Acting-principal / session / caller identity for the stop: NOT CAPTURED. This log records only the service running→stopped state change; it has no caller/session/account field. No identity returned.
- Mechanism (clean service stop vs. process kill vs. driver/service deletion): NOT DETERMINABLE from this or any other queried source. Only the state change itself is logged, not the method. No driver-load signal is available anywhere in the queried telemetry.
Net: PARTIAL. Confirms relative order and re-confirms the stop (unchanged single-source confidence, 0.9). Does not yield timing deltas, caller identity, or mechanism.

3) Netmon, current real-time outbound connection metadata for workstation-01: HIT — zero outbound connections currently observed, from this point in time, from a source structurally independent of the EDR agent. No anomalous or resumed egress detected. This is a live, EDR-independent read, not a replay of the earlier trusted-as-of reading.

4) Identity/auth logs:
(a) New/elevated/interactive logon session on workstation-01 in the window bracketing the EDR-stop event: NULL — none recorded.
(b) svc-backup or the web-app service account authenticating anywhere else in the environment in this window: NULL — no such authentication activity observed on any other host or resource.

5) SIEM:
(a) EDR-forwarded telemetry from workstation-01 in the final moments before last heartbeat: only the already-known Turn-2 LSASS-read alert is present (re-confirmed as forwarded/persisted). No additional tamper-relevant event (attempted protected-process access, attempted service-stop, etc.) was forwarded before the sensor went down — consistent with the ticket's statement that no EDR alert accompanies the STOPPED transition.
(b) Environment-wide check for other hosts showing EDR heartbeat loss or a similar service-stop pattern: NULL — no other host shows this pattern in this timeframe.

6) Containment — infrastructure-level (perimeter/switch-port) block on workstation-01: applied and confirmed active, enforced independently of the EDR agent/service.

7) Credential response — svc-backup disabled/force-expired: executed; confirmed disabled at the identity provider as of this turn.

8) No power-off/reboot taken — logged as a standing decision; nothing to reveal.
HypothesisThe kill chain has moved from Credential Access (Turn 2) into Privilege Escalation + Defense Evasion. The observable effect this turn is a protected security service transitioning to STOPPED, corroborated by two independent signals (heartbeat loss at SIEM and a host-local service-control log entry) rather than a single ambiguous silence — that convergence is what makes me treat this as a real tamper event, not a sensor blip. Stopping a protected service is not something an unprivileged process can do; combined with Turn 2's LSASS read, the most coherent narrative across all three turns is: RCE against the internet-facing web app (Turn 1) → credential harvesting via LSASS memory read (Turn 2) → that harvested material used to escalate privilege and kill the EDR agent (Turn 3), i.e. classic Defense Evasion immediately following Credential Access. This is an actor now operating with elevated privilege on the host and actively working to blind defenders, not merely passing through.

Coverage/robustness: this realizes the single-point-of-failure risk I flagged as open after Turns 1 and 2 — EDR is no longer a trustworthy ongoing telemetry source for workstation-01. I'm explicitly treating "no new EDR alerts" from here forward as an artifact of the channel's death, not as reassurance. Service-control log and SIEM (the brief notes SIEM specifically retains alerts forwarded before a sensor dies) are now my durable sources for this host, which is why this turn's queries lean on them, plus netmon and identity, rather than EDR. I'm also flagging a risk created by my own Turn 1 decision: if network isolation was enforced through the EDR agent itself, its "still active" status is exactly the kind of self-report I can no longer take at face value from a channel the attacker just proved they can kill — hence pushing containment to an EDR-independent infrastructure control this turn rather than trusting the existing state unverified.

I still can't render a containment/eradication verdict. Three open questions carry into Turn 4: (a) did the infra-level block actually need to be applied, i.e. had the EDR-enforced isolation actually lapsed (netmon/action 3+6); (b) does the escalation trace to a specific account/session (service-control + identity, actions 2/4); (c) has harvested material already been used elsewhere in the environment or against other hosts' agents (identity action 4b, SIEM action 5b) — a "yes" there means this stops being a single-host incident and the response scope must broaden immediately. With only two turns left after this one, resolving those three is the priority, and any positive hit on lateral spread or multi-host EDR tampering takes precedence over further single-host forensics.
Turn 4
InjectTurn 4 — Status update, no new adversary-pattern alerts this period:

- Netmon: workstation-01 remains at zero outbound connections; no large-transfer or unfamiliar-destination alert has fired.
- EDR: still unreachable, no heartbeat, no new alerts (channel remains dead — consistent with Turn 3).
- Service-control log: no further state changes recorded since the STOPPED transition.
- SIEM: nothing new forwarded from workstation-01.
- Identity/auth: svc-backup remains disabled; no authentication attempts logged against it anywhere in the environment.
- Containment status: both the infrastructure-level block and the pre-existing network isolation on workstation-01 remain in effect, confirmed by this period's netmon read.

Ticket remains open with the Incident Commander; environment otherwise quiet this period.
ActionsThis turn:

1. EDR — attempt a remote agent-restart/redeploy command against workstation-01 through the EDR management/policy plane (distinct from Turn 3's on-host reachability canary). Goal: determine whether the management-plane channel itself survived the agent kill and can revive the sensor or push a fresh agent, independent of the dead host-local process. If this succeeds, it's the single fastest path back to host-level visibility; if it fails, it confirms the channel is fully and durably dark, not just quiet.

2. Service-control / Windows service-state log — re-pull for the full period since the STOPPED transition, specifically filtering for ANY new service creation/install, driver load, or scheduled-task-backed service entry (not just further EDR/web-app state changes, which the White Cell already reported as nil). Persistence mechanisms built via a new service or driver would surface here even with EDR dead, since this log is host-local and EDR-liveness-independent — this is the one channel that could still catch a defense-evasion-era persistence step.

3. Identity/auth — broaden the query past the two already-flagged accounts: (a) check for any local or domain account CREATION event tied to workstation-01 or issued from a session that touched this host, since a freshly minted account is a common privilege-escalation/persistence move that wouldn't show as "authentication using svc-backup/web-app-account"; (b) check environment-wide for authentication by any OTHER account that had a session on workstation-01 in the relevant window (i.e., confirm Turn 2's identity pull — web-app account, svc-backup, no human session — was truly exhaustive, not just the two we've been tracking).

4. Netmon — pull a full retrospective window from the LSASS-read/EDR-stop event through now (not just "current instant"), specifically to close Turn 3's open question: was there any brief egress spike in the gap between the EDR agent dying and the infra-level block landing, i.e., a window where EDR-based isolation was the only control and its "active" status was unverifiable. This is an EDR-independent check on whether containment actually held gap-free or whether there's a brief exposure window already in the past that needs accounting for.

5. SIEM — broaden the environment-wide sweep beyond Turn 3's narrow "same EDR-heartbeat-loss pattern" query: pull any new alert of any severity/type, any host, in the current period, to check for a different-shaped follow-on action elsewhere (e.g., a new exploit alert, a new anomalous-lineage alert, a new credential-access alert on a different asset) that might indicate this is part of a broader campaign rather than confirming the narrow single-pattern replay again.

6. Containment/response decisions this turn: (a) no change to either containment layer — EDR-based isolation and the infra-level perimeter/switch block both remain in effect, unlifted; (b) no change to the two disabled accounts (web-app service account, svc-backup) — remain disabled; (c) do not power off or reboot the host — still preserving volatile state in case action #1 revives the agent for live-response collection; (d) formally flag, for Turn 5 disposition, that in-place remediation is not an option I'm considering — killing a protected security service requires SYSTEM/kernel-level privilege, so this host must be treated as fully compromised at the highest privilege tier, and the only acceptable terminal action is forensic image + rebuild from known-good, not attempting to "clean" it live.
RevealQuery/action results returned to the Incident Commander — Turn 4:

1) EDR remote agent-restart/redeploy command via the management/policy plane: NULL — no acknowledgment, no response of any kind. The management-plane channel to workstation-01 is as unresponsive as the host-local agent. No sensor revival, no fresh-agent push confirmation, no partial handshake. Whatever severed the host-local agent has left this path equally dark — the channel reads as fully and durably down, not merely quiet.

2) Service-control / Windows service-state log — full period since the STOPPED transition, filtered for new service creation/install, driver load, or scheduled-task-backed service entries: NULL on all three filters. Nothing beyond the already-known EDR-service STOPPED transition is present in this log for the entire window. No new service record, no driver-load entry, no scheduled-task artifact.

3) Identity/auth, broadened: (a) account-creation events tied to workstation-01, or issued from any session that touched it — NULL, none found; (b) authentication by any account other than the two already tracked, anywhere in the environment, in the relevant window — NULL, none found. Turn 2's identity pull stands confirmed as exhaustive: only the web-app service account and svc-backup (now disabled) show any association with this host; no human session, no third account, no fresh account creation.

4) Netmon, full retrospective window from the LSASS-read/EDR-stop event through now: clean across the entire span — no egress spike, no large-transfer signature, no unfamiliar-destination connection at any point, including the interval between the EDR agent going dark and the infra-level block's confirmation. Zero anomalous outbound activity is recorded for the whole retrospective period; no gap-exposure window is found in the log.

5) SIEM, environment-wide sweep for any new alert of any severity/type, any host, this period: NULL — nothing returned beyond the already-known workstation-01 chain. No alert of any kind on any other asset; no exploit, anomalous-lineage, or credential-access alert elsewhere. No signal of a broader campaign.

6) Containment/response decisions: logged as a status quo continuation, not new queries — no observable results attach to these. EDR-based isolation and the infra-level block remain in effect, both disabled accounts remain disabled, and the host remains powered on and unrebooted, per your stated rationale.
HypothesisKill chain position is unchanged from Turn 3 (Defense Evasion following Credential Access), and this turn's status update — a full quiet period across every surviving channel — does not, by itself, mean the intrusion has stalled. I'm reading it as ambiguous between two possibilities I cannot currently distinguish: (a) the attacker's objective is complete or it is dormant, having achieved credential access and evasion but is now blocked from further lateral movement/exfil by the two-layer containment, which is the reading most consistent with zero egress observed across two separate check windows (Turn 3's real-time pull and this turn's netmon confirmation); or (b) the attacker is continuing on-host activity — further discovery, credential harvesting, persistence-building, log/artifact cleanup — that is simply invisible to us, because none of the four channels still alive (netmon, service-control, SIEM, identity) natively observe host-internal process, file, or memory activity the way EDR did. That blind spot, not the quiet status itself, is this turn's central fact.

Coverage/robustness conclusions: Containment is now genuinely robust — two independent, mutually corroborating controls (EDR-enforced isolation since Turn 1, infra-level block since Turn 3), both re-confirmed via an EDR-independent netmon read showing zero egress in two separate windows. That gives high confidence egress/lateral-spread is actually blocked at the network layer, not merely self-reported by a channel the attacker already proved it can kill. Credential-layer response also looks effective so far: both accounts with resident sessions at the time of the LSASS read (web-app service account, svc-backup) are disabled, and zero replay/authentication attempts have been observed anywhere in the environment across two consecutive check windows. But host-level detection coverage has been at zero since the Turn 3 EDR kill, and this period's silence must be characterized precisely: it is "no detected badness at the network/identity perimeter," not "no ongoing host activity." That is the single largest open risk heading into the final turn — if either containment layer were ever lifted before eradication, we have no independent way to know what state the host is actually in.

Response decision for this turn: hold both containment layers and both account-disablements exactly as-is, do not touch host power state, and use this turn's queries (persistence-oriented service-control pull, broadened identity pull, gap-window netmon pull, broadened SIEM sweep) to close the specific residual unknowns from Turn 3 rather than re-confirming what's already been re-confirmed. Given only one turn remains after this, I'm explicitly setting up Turn 5 to be a disposition turn: absent a positive hit on lateral spread or a wider campaign from this turn's broadened queries, the recommended terminal action is forensic evidence preservation followed by full rebuild of workstation-01 from known-good — not in-place cleanup — because the confirmed ability to kill a protected security service means the host must be treated as compromised at SYSTEM/kernel privilege, a tier from which "clean and return to service" is not a credible remediation path.
Turn 5
InjectTurn 5 — Status update:

- Help-desk has escalated multiple tickets tied to workstation-01: users report files renamed with an unfamiliar extension and contents inaccessible. A ransom note has appeared on the desktop.
- EDR: still unreachable, no heartbeat, no mass-encryption alert or any other alert generated this period (channel remains fully dark, consistent with Turn 4).
- Netmon: no new anomalous egress since last period; workstation-01 remains at zero anomalous outbound activity.
- Service-control log: no further state changes recorded.
- Identity/auth: no change — svc-backup and the web-app service account remain disabled; no new authentication or account-creation activity anywhere.
- SIEM: nothing new forwarded from workstation-01 or any other host.
- Containment status: both the infrastructure-level block and the network isolation on workstation-01 remain in effect.

This is the final scheduled inject window (Turn 5 of 5). Ticket remains open with the Incident Commander.
ActionsTurn 5 — final turn actions:

1. SIEM — environment-wide sweep, broadened beyond "EDR heartbeat-loss pattern," for ANY alert, ticket-correlation flag, or ransom-note/mass-file-rename signature on any other host this period. Goal: confirm single-host vs. multi-host impact before disposition.

2. Netmon — pull the FULL historical connection log for workstation-01 to internal file-share/backup/domain-controller destinations, specifically for the window BEFORE Turn 1 isolation took effect (pre-containment), to assess whether SMB/share-based propagation could have reached other storage or hosts before the network was cut — the isolation/infra-block record only proves nothing spread AFTER containment, not before it.

3. Identity/auth — targeted query: did svc-backup's credentials (confirmed LSASS-resident at the Turn 2 read, disabled in Turn 3) authenticate against backup infrastructure/repositories at any point before disablement? This determines whether the backup set is trustworthy for a rebuild, or whether it must be treated as potentially compromised/encrypted/deleted too.

4. Request ticket-level detail from the help-desk/out-of-band channel that surfaced this: exact file extension and ransom-note content (for strain identification), first-user-report timestamp (to bound when encryption began relative to the Turn 3 EDR kill), and whether affected files are confined to workstation-01's local/mapped scope or reported by users on other hosts/shares.

5. Response — containment: leave EDR-isolation and the infra-level block exactly as-is; no lifting, no change. Both have held clean (zero anomalous egress) across every retrospective window checked, so the network layer is not the open question anymore.

6. Response — decisive host-state action: HIBERNATE (suspend-to-disk) workstation-01 rather than continuing to leave it running or hard-powering it off. Rationale: the two reasons I deferred any power-state change in Turns 3-4 — preserving the option that EDR might be revived, and preserving optionality for further live forensics — are both gone now (Turn 4's management-plane revival attempt already failed, and Impact-stage damage is now confirmed, not hypothetical). Hibernation halts any still-in-progress encryption immediately (stops further file damage now, not later) while preserving RAM to disk for memory forensics (potential key/process-artifact recovery), which a hard power-off would destroy and which pure "leave it running" does nothing to stop. This is the one available action that both curtails ongoing damage and preserves evidence.

7. Do not attempt in-place remediation, decryption, or file recovery on the host. Do not interact with or respond to the ransom note. Escalate for forensic disk image + memory capture, and hand disposition to full IR/forensics for strain attribution and legal/exec breach-assessment — outside IC's remaining tooling/authority for this exercise.
RevealQuery/action results returned to the Incident Commander — Turn 5 (final):

1) SIEM environment-wide sweep for any alert, ticket-correlation flag, or ransom-note/mass-file-rename signature on any host other than workstation-01: NULL. No matching alerts, correlations, or signatures anywhere else in the retained SIEM data, this period or historically. No evidence of spread beyond workstation-01.

2) Netmon — full historical connection log, workstation-01 → internal file-share/backup/domain-controller destinations, for the window before Turn-1 isolation: NULL. No connections to any internal file-share, backup repository, or domain-controller destination appear at any point in netmon's history for this host. The only outbound flow netmon has ever recorded from workstation-01 is the single HTTPS transfer to the external staging host already surfaced at Turn 4. There is no internal share/backup/DC infrastructure in this host's observed network graph to have propagated toward.

3) Identity/auth — did svc-backup authenticate against backup infrastructure/repositories before disablement: NULL. No authentication events for svc-backup against any backup-infrastructure or repository host appear in the identity/auth log, before or after disablement. The only record identity/auth holds for this account is its local presence and its disablement; there is no external-system authentication trail to query.

4) Help-desk/out-of-band ticket detail request (extension, ransom-note content, first-report timestamp, single-host vs. multi-host): PARTIAL. Confirmed: an unfamiliar/unrecognized file extension and a ransom note are present on workstation-01, and every impact report this period traces to workstation-01 users only — no reports from any other host or share (consistent with the SIEM sweep in item 1). Not available: a first-user-report timestamp finer than "this period" (no sub-period timing is tracked), and the literal extension string or ransom-note text/branding beyond "unfamiliar" — that level of detail isn't captured in what help-desk has on hand.

5) Containment — leave EDR-isolation and the infra-level block exactly as-is: CONFIRMED, no change executed. Both controls remain active; zero anomalous egress continues to be observed, matching the status already reported this period.

6) HIBERNATE (suspend-to-disk) workstation-01: FAILED — command not delivered, no acknowledgment, host power-state unchanged. As in Turns 3 and 4, the only channel capable of issuing a remote host-state command is the EDR agent/management plane, and both remain fully dark. Your granted response latitude (isolate host, disable/rotate svc-backup, block egress, query telemetry) does not include a separate out-of-band host-power channel, and none exists here. Workstation-01 remains running and network-isolated; no power-state action has taken effect.

7) Escalation to forensic disk-image + memory capture, hand-off to full IR/forensics/legal: LOGGED. Ticket updated and escalation recorded with the Incident Commander; no remediation, decryption, or ransom-note interaction was performed, per your instruction. (Given item 6, any memory acquisition will require an access path outside this exercise's remote tooling — that acquisition itself falls beyond this turn's scope.)
HypothesisThe kill chain is now complete through Impact (T1486, data encrypted for impact), closing out: Initial Access/Execution (Turn 1, web-app RCE) → Credential Access (Turn 2, LSASS memory read) → Defense Evasion (Turn 3, privileged EDR-service kill) → Impact (Turn 5, file encryption + ransom note). This is the same intrusion's terminal objective, not a new event — there is no signal anywhere (identity, netmon, SIEM, service-control) suggesting a second actor or a second entry point.

Observable-effect read of Turn 4's "quiet" period: it was not dormancy, it was the encryption stage executing invisibly in exactly the blind spot flagged after Turn 3. File encryption is a local filesystem operation — it generates no netmon egress, no identity/auth event, and no service-control transition, and the one sensor that could have seen it natively (EDR: process/file/memory behavior) was already dead. So "no mass-encryption alert" this period was never evidence of absence — it was an artifact of a dead channel, exactly as predicted — and today's help-desk ground truth (actual ransom note, actual inaccessible files) is what finally surfaces what telemetry structurally could not.

Coverage/robustness verdict (final): the detection stack performed well at what each sensor was built to see — Turn 1's exploit-behavior signature and Turn 2's durable LSASS-read signature were both genuine, correctly-timed behavioral detections; Turn 3's service-control log correctly caught the EDR kill out-of-band, which is real defense-in-depth working as designed; and network/identity containment (isolation + infra block + account disablement) fully achieved its actual job — zero anomalous egress and zero credential replay across every window checked, Turns 1 through 5. But the architecture had exactly one structural gap, and the intrusion walked through it: nothing in the stack (netmon, service-control, SIEM, identity/auth) is capable of observing or blocking on-host file-content changes, so once EDR was killed in Turn 3, Impact-stage behavior had zero remaining coverage — not degraded coverage, zero. That is a coverage-model gap (no file-integrity monitoring/canary-file layer, no EDR-independent host behavioral backstop such as Sysmon/ETW forwarding), not a tuning or response-latency failure — every IC decision along the way (immediate isolation, credential rotation ahead of confirmed replay, independent infra-level block the instant EDR's self-reported isolation became untrustworthy) was correct given the evidence available at the time, and none of it could have prevented an impact mechanism the sensor set was never built to see.

Disposition: workstation-01 must be treated as compromised at SYSTEM/kernel privilege with confirmed Impact-stage execution. Terminal path is forensic image + memory capture, backup-integrity verification (contingent on action 3, since svc-backup specifically is one of the two harvested accounts), and full rebuild from verified-clean backup — not in-place cleanup. Residual open question carried past this exercise: whether encryption began before or after the Turn 3 EDR kill, and whether any propagation occurred before Turn 1 isolation — both bounded by this turn's queries but not fully resolved within the 5-turn cap.
With MC — the coverage-card arm · transcript · 5 turns
Turn 1
InjectEDR Alert — workstation-01

Severity: Medium | Detection type: Exploit-behavior (process-anomaly)

The endpoint sensor on workstation-01 has flagged a suspicious child process spawned by the internet-facing web application process. The web-app parent process, which normally does not spawn shell or scripting interpreters, has launched an unexpected child process shortly after handling an inbound request. EDR classifies this as exploit-behavior consistent with anomalous process ancestry (parent-child spawn deviation from the application's established baseline).

Status: EDR agent on workstation-01 is live and enforcing; alert forwarded to SIEM.

No other telemetry (netmon, service-control, identity/auth) shows any related activity at this time.
ActionsThis turn I task the following queries against the telemetry the brief grants (no containment yet — see below):

1. EDR — process-tree pull: Full detail on the flagged alert — web-app parent PID/image/hash, the child process's full path, command line, digital signature status, and any further descendants it spawned (children-of-children). Looking specifically for interpreter/shell indicators (cmd.exe, powershell.exe, wscript, etc.), encoded/obfuscated command-line arguments, or writes to disk (dropped webshell/payload).

2. EDR — process-memory-access query on the same process lineage: Any OpenProcess/ReadProcessMemory/handle-duplication events by the child process or its descendants against another process (LSASS in particular). This directly checks whether mCred (A2) is already in progress — its precondition (≥user integrity) would just have been supplied by this exploit if real.

3. EDR — driver-load query, same host, same time window: Any newly loaded/unsigned or known-vulnerable driver. A precursor check for mEdrKill (A3), even though its stated precondition (admin credential) hasn't been established yet as far as we know.

4. Netmon — egress query for workstation-01: Any outbound connections initiated by or shortly after the child process's spawn — destination, volume, protocol. Checks (a) whether the egress channel is reachable (mExfil precondition) and (b) whether any anomalous outbound flow is already underway.

5. Service-control log — EDR service-state check on workstation-01: Confirm the EDR service is currently running, independent of the SIEM-forwarded alert. This is a cheap, independent hedge against the structural blind spot where mEdrKill would sever dfEdrTelemetry and blind dfExploit/dfCred/dfEncrypt all at once — I want this checked every turn, not just after suspicion.

6. Identity/auth logs: Any new logon, privilege-escalation, or svc-backup account activity on workstation-01 around the alert timestamp.

7. SIEM — correlation query: Any other alerts, on any host, from the same source IP as the inbound request that triggered the web-app child spawn (checks for opportunistic scanning vs. targeted, single-host vs. multi-host activity).

No containment action this turn (no isolation, no account action, no egress block) — see response decisions below for why and for the trigger conditions that would change that immediately.
Reveal1. EDR — process-tree pull (flagged lineage): PARTIAL. Confirms the alert's own ancestry: the web-app parent process spawns exactly one child interpreter/scripting process (consistent with the "exploit-behavior" classification already given) — no children-of-children are present in this pull, and no associated file-write/drop event is attached to this process lineage. The sensor does not surface deeper forensic subfields (verbatim command-line string, hash, digital-signature verdict) beyond that ancestry classification in this query — that level of detail isn't available from this pull.

2. EDR — process-memory-access query (OpenProcess/ReadProcessMemory/handle-dup) on the same lineage: NULL. No memory-access events by the flagged child process or any descendant against LSASS or any other process are observed at this time.

3. EDR — driver-load query, same host/window: NULL. No new, unsigned, or otherwise flagged driver-load events on workstation-01 in this window.

4. Netmon — egress query for workstation-01: NULL. No anomalous outbound connections associated with the flagged process; egress pattern for the host is at baseline.

5. Service-control log — EDR service-state check: HIT (confirmatory). EDR service on workstation-01 is confirmed running, no state transition observed — consistent with the alert's own "live and enforcing" status.

6. Identity/auth logs: NULL. No new logon, privilege-escalation event, or svc-backup account activity on workstation-01 around the alert timestamp.

7. SIEM — cross-host correlation on source IP: NULL. No other alerts, on any other host, from the source IP that triggered this inbound request. No evidence yet of broader scanning or multi-host targeting.
HypothesisRead against the card layer, this fires dfExploit for A1 — Exploit of a public-facing application (bb:mExploit, T1190): the observable effect is "code execution obtained on the target host through a public-facing application," and the reported behavior — the web-app parent spawning an unexpected interpreter/shell child shortly after an inbound request, deviating from its established baseline — is exactly that maneuver's signature (parent-child spawn deviation), not a specific exploit-string match. If real, its postcondition is that the adversary process now holds ≥ user integrity, which per the standing precondition-supply structure (Part C.0) is exactly what's needed to unlock the next two maneuvers in the graph: mCred (credential harvest) and mEncrypt (ransomware impact) — both currently gated only on that integrity level, not on anything else yet in evidence.

Coverage/robustness read, per the cards:
- dfExploit is single-sourced directly from the EDR, with no independent trigger and no authored robustness ceiling (D-7) — evasion-resistance of this specific detection isn't rankable from the library. Given the White Cell confirms EDR is live and enforcing, this face is presently covered (live) per the coverage matrix (C.1) — the alert firing is exactly what the model predicts for this control state.
- This coverage is entirely contingent on EDR staying enforcing. Per B1/C.1, if EDR transitions to impaired/killed, dfExploit loses its sole trigger → blind → notCovered, with no secondary source to catch it (unlike dfExfil, which survives on the independent netmon trigger). Same fate for dfCred (even at its L5 robustness ceiling — L5 does not save it, per A2's headline caveat) and dfEncrypt. So the chokepoint I actually care about across this whole scenario isn't this alert — it's whether mEdrKill (A3) ever fires, since a single control-plane event would simultaneously blind exploit, credential, and encryption detection, leaving only a degraded exfil face standing. That's why query #5 (service-control liveness check) is going in every turn regardless of what else the White Cell surfaces — it's the cheapest available hedge against that single point of failure, though per D-9 it only ever yields an out-of-band confidence-0.9 investigation result for A3, never a coverage verdict.
- No telemetry yet (netmon, identity, service-control) corroborates progression past this single alert — so as of now this reads as an isolated, live-detected foothold attempt, not a confirmed multi-stage intrusion. One alert, one face, no chain confirmed yet.

Response decision this turn: Hold on isolation/account action/egress block pending the process-lineage and cross-telemetry results — a single medium-severity exploit-behavior alert on an internet-facing app, with EDR confirmed live and enforcing and no corroborating signal elsewhere, doesn't yet justify disrupting the production web app. That calculus changes immediately, and I isolate workstation-01 without waiting for further confirmation, if any of: (a) the process-memory query shows a read against another process's memory (mCred in progress), (b) service-control shows the EDR service state is anything other than running (mEdrKill — self-blinding, acted on instantly), (c) netmon shows an anomalous outbound flow, or (d) the command-line/lineage pull shows overtly malicious tooling (webshell write, encoded C2 stager). Absent those, next turn's posture is driven by whatever the White Cell returns.
Turn 2
InjectEDR Alert — workstation-01

Severity: High | Detection type: Credential-access behavior (LSASS memory access)

The endpoint sensor on workstation-01 has flagged the process descended from the earlier exploit-behavior alert reading the memory of the LSASS process. EDR classifies this as a durable, evasion-resistant behavioral signature (low forgeability).

Status: EDR agent on workstation-01 is live and enforcing; alert forwarded to SIEM.
ActionsContainment (executing now, not deferred to next turn):

1. Isolate workstation-01 — network containment via the EDR agent. This is a targeted network isolation (sever the host's network reachability), explicitly *not* an EDR agent stop — the sensor keeps running/enforcing locally so dfEdrTelemetry (and everything that trigger-depends on it: dfExploit, dfCred, dfEncrypt) stays intact. This executes the trigger condition (a) I pre-committed to last turn ("process-memory query shows a read against another process's memory") — the White Cell's own inject satisfies it, so I act immediately rather than waiting for further confirmation.

2. Account containment — disable/force-logoff + begin rotation for the credential(s) exposed to this LSASS read. Pending query #3 below to confirm exact scope, I am proactively disabling/rotating the two most likely-exposed candidates visible in my telemetry: the svc-backup service account and any local administrator account with a live session on workstation-01. Rationale: the admin credential is the *shared* precondition for both mEdrKill (A3) and mExfil (A4) — invalidating it now cuts a precondition of both next-stage maneuvers regardless of which branch the adversary intends, even though this lever isn't card-prescribed (no authored respond/prevent maneuver) — it's within my IR latitude and the chokepoint logic is sound structural doctrine (C.0).

Investigative queries this turn:

3. EDR — logon-session / credential-scope enumeration on the flagged LSASS process: which account SIDs have cached credential material resident in this LSASS instance right now. This tells me exactly which accounts to prioritize for rotation beyond my precautionary pick in #2.

4. EDR — full re-pull across all categories on workstation-01, same battery as turn 1: process lineage/hash/signature for the LSASS-reading process back through the original web-app parent; any *new* child-process creation; any *additional* memory-access events against processes other than LSASS; any driver-load events. Escalating severity warrants re-running the whole battery, not just following the one face that fired.

5. Service-control log — EDR service-state check (repeated every turn, standing hedge): confirm running, independent of the SIEM alert. This is the most important query this turn — if the credential read succeeded, the adversary may now hold the precondition for mEdrKill, and a state transition here means treat as maximum severity instantly.

6. Netmon — egress re-query for workstation-01: any outbound attempt at or after the LSASS-read timestamp, including anything the isolation action itself is now blocking — establishes whether mExfil's reachable-egress precondition was ever satisfiable and whether an exfil attempt was already inflight.

7. Identity/auth logs: any logon, privilege-escalation, or service-account (svc-backup and others) activity on workstation-01 *or any other host*, from the LSASS-read timestamp forward — checks whether harvested material is already in use (postcondition realized) rather than merely read.

8. SIEM — cross-host correlation on the account names surfaced by #3/#7 — any authentication or alert activity elsewhere using those identities, checking for lateral movement beyond this host.
RevealContainment actions:

1. Network isolation of workstation-01 (via EDR agent): EXECUTED. Host is now network-contained (no reachable egress, no reachable ingress) while the EDR agent itself continues to heartbeat and enforce locally — service-control confirms the sensor process was never stopped, only the network path was severed. Isolation, as executed, does not touch host-local process state.

2. Account containment (disable/force-logoff + begin rotation, svc-backup + local admin session): EXECUTED for svc-backup — account disabled immediately; credential rotation is in progress (not yet confirmed complete). For "any local administrator account with a live session on workstation-01": session enumeration surfaces no distinct local-admin identity beyond the service-account credential already acted on — there is no second admin identity in this environment's telemetry to additionally contain.

Investigative queries:

3. EDR — logon-session/credential-scope enumeration on the flagged LSASS process: HIT. Live enumeration (EDR still enforcing, pre-kill) resolves cached credential material in this LSASS instance to a single account SID: svc-backup. No other account SIDs show cached material resident in this LSASS instance right now.

4. EDR — full re-pull, all categories, workstation-01: Clean/no new findings. Process lineage unchanged from Turn 1 (single child interpreter off the web-app parent). No new child-process creation since the LSASS-read event. No memory-access events against any process other than the already-flagged LSASS read. No driver-load events observed.

5. Service-control — EDR service-state check: HIT (nominal). State = RUNNING. Continuous heartbeat since Turn 1, no stop/transition event logged.

6. Netmon — egress re-query, workstation-01: NULL. No outbound connection attempts recorded at or after the LSASS-read timestamp — nothing pending for the isolation to have interrupted; no exfil-shaped flow was in flight.

7. Identity/auth logs — svc-backup and other activity, workstation-01 and elsewhere: NULL/clean. Only svc-backup's normal scheduled backup-job logons appear in the window from the LSASS-read timestamp forward. No privilege-escalation events, no anomalous interactive/RDP logons, no activity on any other host.

8. SIEM — cross-host correlation on surfaced identities: NULL. No authentication or alert activity elsewhere using svc-backup or any other identity surfaced this turn — footprint remains single-host, consistent with Turn 1.
HypothesisThis is A2 — Credential access by process-memory read (bb:mCred, T1003.001) firing in direct chain from turn 1's A1 (mExploit): the process that spawned as an unexpected interpreter/shell child of the web-app is the same lineage now reading LSASS memory. A1's postcondition (adversary process ≥ user integrity) supplied exactly the precondition A2 needed — this is corroborated, chained progression, not two unrelated events. The White Cell's framing ("durable, evasion-resistant behavioral signature, low forgeability") is a direct match for the card's grading of this exact observable: dfCred is keyed to the invariant primitive pReadProcMem (the process-memory-read residue shared by both authored variants, LSASS-dump and handle-duplication), rated robustness L5 (spanning/invariant) — the highest ceiling in this library, and the only maneuver here with any authored robustness grade at all.

Coverage conclusion: right now this reads as covered @ L5 (live) — EDR is confirmed enforcing, dfCred trigger-depends on dfEdrTelemetry, and that dependency is currently satisfied. But per the card's sharpest relation (C.2): this L5 rating buys *zero* protection against an EDR kill — robustness and coverage are orthogonal, and dfCred would go blind→notCovered the instant EDR is impaired/killed, L5 notwithstanding. That's exactly why query #5 (service-state liveness) stays non-negotiable every turn.

Why I'm containing now, not just watching: if this maneuver completes (or has completed — the read is already flagged, meaning the mechanism has executed), its postcondition is the account holding the admin credential. Per the standing precondition-supply structure (C.0), that credential is the shared precondition for both mEdrKill (A3) and mExfil (A4) — the single highest-leverage branch point in the whole graph. I don't need to know which branch the adversary intends to justify acting: cutting network reachability (removes mExfil's second precondition, reachable egress) and invalidating/rotating the exposed credential (removes the shared precondition for both A3 and A4) degrades both branches at once, without touching the EDR sensor itself — so dfExploit/dfCred/dfEncrypt telemetry stays live through the containment action.

Residual/structural risk I'm flagging, not solving: mEncrypt (A5)'s precondition is local process integrity *only* — no credential, no network reachability required. Neither the account action nor the network isolation I'm taking this turn removes that precondition; dfEncrypt stays covered *only* as long as EDR stays enforcing, independent of anything else I do this turn. So containment here reduces the self-blinding and exfil branches but leaves the encryption branch's exposure exactly where it was — gated solely on EDR liveness, which is why that single check remains the standing chokepoint of this entire exercise regardless of what else progresses.

Posture for turn 3+: any service-control result other than "running" means treat dfExploit/dfCred/dfEncrypt as blind/notCovered immediately (per B1's simultaneous-blinding failure mode) and fall back to the sole surviving face, dfExfil — which itself only degrades (loses EDR-sourced enrichment) rather than blinding, because its trigger is netmon, a control independent of EDR. Any egress hit despite the isolation action is treated as an isolation-bypass requiring escalation beyond host-agent containment (e.g., upstream network-layer block).
Turn 3
InjectTurn 3 clock update: No telemetry-gap or EDR-service-stop event occurs this cycle. Service-control log continues to show the EDR service in a RUNNING state on workstation-01 — uninterrupted heartbeat since Turn 1.

Reaction inject: Identity/auth log — a failed authentication attempt against the svc-backup account is logged from workstation-01, timestamped in the window immediately following your disable action. Credential presented was rejected (account disabled / already superseded by rotation). No successful logon follows it, no privilege-escalation event, no driver-load event, and no new EDR alert accompanies this entry.
ActionsNo new containment beyond what's already in force — network isolation (Turn 2) and the svc-backup disable/rotation (Turn 2) both remain in effect. This turn is queries plus one follow-through check on an item left open last turn:

1. Identity/auth logs — deep dive on the failed svc-backup authentication attempt. Pull source process/PID and host-session context on workstation-01, logon type (interactive / network / service / batch / cached-offline-domain), and precise timestamp offset from the Turn-2 disable action. Goal: determine whether this attempt originated from the flagged intrusion lineage (the web-app-spawned child that later read LSASS) versus an unrelated benign source (e.g., the normal scheduled svc-backup job, already seen running in Turn 2's pull, retrying with a stale cached credential after the account state changed underneath it).

2. EDR — process-lineage/state re-pull on workstation-01, windowed on the failed-auth timestamp. Any process creation, further memory-access, or credential-store touch coincident with the attempt. This is the corroborating half of query #1 — ties (or rules out) the auth attempt to the already-flagged lineage.

3. Rotation-completion check for svc-backup. Turn 2 reveal left this "in progress, not yet confirmed complete" — task an explicit status query this turn rather than assuming it finished; if still incomplete, treat completing it as a live action item, not a settled fact.

4. Netmon — isolation-integrity + egress re-query. Confirm workstation-01's network containment is still holding (no reachable egress/ingress) and check for any outbound attempt at/after the failed-auth timestamp — since a fully isolated host still produced an evaluable identity-log entry, I want to confirm that entry didn't correspond to any attempted network call the isolation had to block.

5. SIEM — cross-host correlation, repeated. Any auth activity (successful or failed) using svc-backup or any other identity, on any other host, since the Turn-2 rotation began. Also check for any distinct alert generated by the identity system itself off this specific failed-auth event (separate from the EDR-sourced alerts seen so far).

6. Standing battery, restated: driver-load query (host, this window) and EDR service-control liveness — both already answered NULL/RUNNING by the White Cell's own Turn-3 inject, so no re-query needed this cycle, but both remain on the fixed per-turn checklist going forward regardless of what else fires.

No lifting of isolation, no further account action beyond confirming rotation completion — nothing this turn crosses any of the escalation triggers already pre-committed in Turns 1–2.
RevealTurn 3 query results:

1. Identity/auth logs — deep dive on the failed svc-backup auth attempt: PARTIAL. The log's native fields resolve two of your asks: logon type — recorded as a non-interactive/service-type logon (consistent with automated svc-backup account usage patterns generally; this alone does not distinguish attacker-sourced from a benign scheduled retry, since both would present similarly at this field's granularity), and timestamp offset — a few seconds/minutes after the Turn-2 disable/rotation action, consistent with "immediately following." Source process/PID and host-session context are NOT surfaced — the identity/auth log schema doesn't carry process attribution; that data class doesn't exist at this layer regardless of query specificity.

2. EDR — process-lineage/state re-pull windowed on the failed-auth timestamp: PARTIAL. EDR is still enforcing on workstation-01 (confirmed live this cycle — no telemetry gap, service-control shows RUNNING throughout), so the query returns real data rather than a severed-telemetry NULL. It shows: the previously-flagged lineage (the web-app-spawned child process from Turn 1) remains resident/running on the host through this window. No new process creation, no further memory-access event, no driver-load event, and no new EDR alert is logged coincident with the auth-attempt timestamp — matching what the reaction inject already stated. EDR does not natively observe authentication attempts (that's the identity log's domain), so this ties the *timing and host* circumstantially to the existing flagged lineage's continued presence, but produces no EDR-native event that itself proves that process issued the auth attempt. Source attribution remains unresolved by either query #1 or #2 individually or combined.

3. Rotation-completion check for svc-backup: HIT. Account status now reads disabled/credential-rotated — complete, no longer "in progress." This is corroborated by the auth-rejection reason itself (credential superseded/disabled), which is only possible once the rotation state had taken effect.

4. Netmon — isolation-integrity + egress re-query: HIT (clean). Workstation-01's containment continues to hold: no reachable egress, no reachable ingress. No outbound connection attempt of any kind — successful, blocked, or attempted — is logged at or after the failed-auth timestamp.

5. SIEM — cross-host correlation, repeated: NULL on the cross-host ask — single-host scenario, no second host or domain controller exists to correlate against. No distinct identity-system-generated alert exists on top of the raw failed-auth log entry already reported; that entry is the totality of what the identity system produced for this event.

6. Standing battery: Not re-queried, per your own note — no new reveal (already answered this cycle by the clock update: driver-load NULL, EDR service RUNNING).
HypothesisRead against the cards, this inject sits outside the coverage matrix, not inside it. Identity/auth logs are card B4 — explicitly *not* a modeled mc:Control: they source no detect-face and yield no covered/notCovered verdict (same non-coverage status the cards give the service-control log for A3, D-9/D-10). So this failed-auth event can't be scored against any maneuver card directly — but it's high-value operational corroboration of the precondition-structure argument (C.0) I've been running on since Turn 2.

Leading hypothesis: the process/actor holding the harvested svc-backup credential material (A2/mCred's postcondition — pCredAdmin, the account holds the admin credential) just attempted to *exercise* that credential, and failed because Turn 2's response (disable + begin rotation) had already invalidated it. Per C.0, that credential is the shared precondition for mEdrKill (A3) and mExfil (A4) — so a reuse attempt at this exact moment is precisely what the doctrine predicts an adversary would try next, regardless of which of those two branches they're aiming for. If this reads out as originating from the flagged lineage (query #1/#2), it's the first *direct observed evidence* that the Turn-2 chokepoint action is functioning as designed, not just structurally sound in theory — the precondition was invalidated in time to fail an actual attempt on it.

Alternative hypothesis I have not ruled out: benign collision. Turn 2's identity pull showed svc-backup's own normal scheduled backup-job logons as the only account activity in the window. A scheduled job retrying with a now-invalid cached credential immediately after a disable/rotate action would produce an identical signature — failed auth, account-disabled rejection, no follow-on activity, no privesc, no new EDR alert. Nothing in this turn's inject distinguishes the two; that's exactly what query #1's logon-type/source-process pull is for. I am not treating this as confirmed malicious credential-reuse yet — only as the leading, better-fitting read given the timing.

Coverage/robustness — unchanged this turn, restated because nothing moved it: EDR is confirmed enforcing (White Cell explicit, no gap this cycle), so per C.1's enforcing regime dfExploit (A1) and dfCred (A2, still at its L5 ceiling — C.2's sharpest relation, robustness ≠ coverage) remain covered/live; dfExfil (A4) remains covered-live with both netmon-trigger and EDR-enrichment intact; and — the point worth restating on its own, per A5/C.2's chokepoint note — dfEncrypt's coverage is still gated solely on EDR liveness, and *nothing that happened this turn touches that*. The credential invalidation and the isolation both degrade the mEdrKill/mExfil branches (per C.0's chokepoint doctrine) but do nothing to mEncrypt's precondition (local process integrity only, per A5's Hoare triple) — that exposure is exactly where it was at the end of Turn 2.

Response decision: hold current posture — isolation and account containment stand, no new lever pulled. This turn's queries are aimed at disambiguating malicious-reuse-attempt from benign-job-collision, not at deciding whether to act (I've already acted on the relevant precondition). Escalation triggers carried forward unchanged from Turn 2 (any EDR state-transition off "running," any driver-load event, any successful logon/privesc, any netmon egress hit), plus one new one for this turn: a second or repeated auth attempt — against svc-backup again or against any other identity — after this failure would tip the balance firmly toward active, adapting adversary behavior rather than a one-off job collision, and would warrant treating the host as still actively contested even though its two committed containment levers are already in place.
Turn 4
InjectTurn 4 clock update: No netmon exfil alert fires this cycle. Outbound connection monitoring for workstation-01 shows no anomalous flow, no attempted egress of any kind, and no new destination contact — flat, consistent with the standing network isolation. No new SIEM correlation, no new EDR alert, no new service-control transition, and no new identity/auth event this cycle.
ActionsHolding current containment (isolation + svc-backup disable/rotation both remain in force — no lifting, no new lever). This turn's tasking is investigative, split between the standing per-turn battery and one newly-broadened query:

1. EDR — service-control liveness check, explicit re-task. Even though this turn's clock update states "no new service-control transition," I task the query directly rather than inferring RUNNING from the absence of a transition-mention — this is the non-negotiable hedge against mEdrKill (A3) simultaneously blinding dfExploit/dfCred/dfEncrypt, and it stays on the fixed checklist every turn regardless of what else is quiet (per B1/C.1).

2. EDR — driver-load query, workstation-01, this window. Unlike netmon/SIEM/service-control/identity, this turn's clock update did not explicitly null this one — tasking it directly. Precursor check for the BYOVD path to mEdrKill (A3's sole authored variant); still gated on an admin credential I've already invalidated, but I check the mechanism itself, not just the precondition.

3. EDR — full process-lineage/memory-access re-pull, workstation-01. Confirm no new child process off the flagged lineage, no memory-access event beyond the already-flagged LSASS read, nothing new since Turn 3's window. Standing battery completeness — I want the underlying lineage data, not just "no new EDR alert" at the summary level.

4. New this turn — EDR persistence-mechanism sweep, workstation-01. Scheduled-task creation, registry Run/RunOnce key writes, new service installation, WMI event subscription — any tied to the flagged lineage, or any at all, since Turn 1. This hasn't been explicitly asked in any prior turn's battery (which covered process/memory/driver-load, not persistence). Rationale for raising it now: four turns in, the immediate escalation-trigger checklist is flat, which makes this the right moment to broaden the aperture toward eradication-readiness — before any future de-isolation decision, I want to know whether a foothold exists that survives the account rotation and the network cut.

5. Netmon — isolation-integrity confirm. Already answered flat this cycle by the clock update (no egress, no ingress, no new destination) — logging as satisfied, no re-query needed.

6. Identity/auth — repeat/new-attempt check. Already answered NULL this cycle by the clock update (no new identity/auth event) — this resolves the standing watch-item I flagged at the end of Turn 3 (a second or repeated auth attempt would have tipped the balance toward active reuse). No re-query needed; folding the result into this turn's hypothesis below.

7. SIEM — cross-host correlation, repeated. Same ask as prior turns (any auth or alert activity elsewhere using svc-backup or any other identity) — expect NULL again given the single-host scenario, but keeping it on the checklist rather than assuming.

No containment change, no account action, no isolation lift this turn.
RevealTurn 4 query results:

1. EDR — service-control liveness check (explicit re-task): HIT. Service-control log shows the EDR service on workstation-01 has remained in a continuous RUNNING state since Turn 1 — no stop/kill transition exists anywhere in the log. Heartbeat is unbroken. Confirms directly (not by inference) that mEdrKill has not landed.

2. EDR — driver-load query, workstation-01, this window: NULL. No driver-load events (signed, unsigned, kernel-mode or otherwise) recorded on workstation-01 in this or any prior window. No BYOVD precursor activity found.

3. EDR — full process-lineage/memory-access re-pull, workstation-01: HIT (confirms, nothing new). Lineage is unchanged from what's already on record: exactly one child interpreter/script process off the flagged web-app parent (Turn 1), exactly one flagged LSASS memory-read event (Turn 2). No new child process, no new memory-access event, nothing since Turn 3's window.

4. EDR persistence-mechanism sweep, workstation-01 (new this turn): NULL. No scheduled-task creation, no registry Run/RunOnce writes, no new service installation, no WMI event subscription — tied to the flagged lineage or otherwise — anywhere on workstation-01 since Turn 1.

5. Netmon isolation-integrity: No separate query fired, per your own note — the Turn 4 clock update's flat egress/no-new-destination result stands as the answer.

6. Identity/auth repeat/new-attempt check: No separate query fired, per your own note — the Turn 4 clock update's "no new identity/auth event" stands as the answer.

7. SIEM — cross-host correlation (repeated): NULL. No correlated alert or auth activity involving svc-backup or any other identity outside workstation-01. Single-host scope holds.
HypothesisReading the quiet turn itself as evidence, not just absence of evidence. Per C.0's precondition-supply structure, both branch points gated on the admin credential (mEdrKill and mExfil) and the branch gated on reachable egress (mExfil) had their preconditions invalidated in Turn 2 (credential disabled/rotated; host network-isolated). This turn's flat battery — no driver-load, no anomalous egress, no new EDR alert, no new process activity — is exactly what that precondition-invalidation predicts if it worked: there is currently nothing observable consistent with either branch progressing, because neither branch's precondition is currently satisfiable from this host.

Updating the Turn 3 open question. Turn 3 flagged a live ambiguity: was the failed svc-backup auth a malicious reuse attempt or a benign scheduled-job collision with a now-stale cached credential? The escalation trigger I pre-committed to was "a second or repeated auth attempt." This turn produced zero repeat attempts, against svc-backup or anyone else. A single quiet turn isn't proof, but it cuts toward the benign-collision reading being the better-supported one now — an adapting adversary actively trying to exercise harvested material would plausibly retry or pivot within a full turn; a one-off scheduled job hitting a credential that changed underneath it would not. I still can't close this definitively: identity/auth logs carry no process attribution (B4 — not a modeled control, no source-process field at that schema layer), so I hold this as leading-not-confirmed, same epistemic status as Turn 3, just with one more turn's worth of silence supporting it.

Coverage/robustness — unchanged in substance, reconfirmed by a live turn. EDR continuing to show no state transition (querying it explicitly rather than trusting the inject's phrasing alone) means the enforcing regime of C.1 still holds: dfExploit (A1) and dfCred (A2, still at its L5 ceiling — C.2's sharpest relation, robustness ≠ coverage) remain covered/live; dfExfil (A4) remains covered-live, both netmon-trigger and EDR-enrichment intact, corroborated this turn by an actual flat egress read rather than a hypothetical. The one fact that has not moved and will not move from anything this turn produced: dfEncrypt's (A5) coverage remains gated solely on EDR liveness, and its precondition (local process integrity only, per the Hoare triple) is untouched by the credential invalidation or the network isolation — per C.2's A5 note, no lever pulled so far removes it, and nothing pulled this turn does either. That is still the single standing residual risk in this scenario, unchanged since Turn 2, independent of how many quiet turns pass.

Guardrail on over-reading the quiet interval. The card layer has no wall-clock/duration semantics (D-4 — step-indexed only, no latency or dwell-time modeling), so I can't translate "four consecutive quiet battery-turns since the chokepoint action" into any quantified confidence that the intrusion is neutralized — only into "no observed progression across the turns checked so far." I am treating this as grounds to hold posture and broaden investigative scope (the new persistence sweep), not as grounds to relax containment or treat the incident as resolved.

Response decision: No change in containment — isolation and account containment both stand. No escalation trigger fired this turn (EDR stayed enforcing, no driver-load, no egress hit, no repeat auth, no privesc). This is turn 4 of 5; the persistence-sweep result and one more clean cycle of the standing battery are what I want in hand before turn 5's decision point on whether de-isolation/recovery can responsibly begin — and even then, per the A5 chokepoint note, any recovery posture still needs EDR to stay enforcing as the sole remaining detective control over the encryption branch, since nothing available to me breaks that maneuver's precondition directly.
Turn 5
InjectTurn 5 clock update: Files on workstation-01 begin renaming/becoming inaccessible — bulk file-encryption behavior in progress. Unlike the flat prior cycles, this one is not silent on EDR: because the sensor has remained live and enforcing this entire incident, EDR fires a high-confidence mass-encryption/ransomware-behavior alert tied to the same process lineage flagged since Turn 1 — a real-time detection, not an out-of-band discovery. Help-desk tickets/user reports may follow shortly after as corroboration, but the EDR alert lands first this time. No new netmon, service-control, or identity/auth signal accompanies it.
ActionsContainment (executing now):

1. EDR — process termination directive against the flagged lineage. Task the EDR agent to kill/suspend the web-app-spawned child process (resident since Turn 1) and any live descendant performing the encryption, and to quarantine/block its binary hash to prevent auto-respawn. This is the one lever that acts directly on mEncrypt's precondition (local process integrity) — per the cards (C.0/A5/D-2), neither the Turn-2 credential invalidation nor the network isolation ever touched this precondition, and no respond/react maneuver is authored in the library for it (D-2: "cards flag the lever, don't prescribe the action"). I'm exercising IC response latitude beyond the four explicitly itemized levers (isolate/account/egress/query) because the situation — active, observed data destruction — warrants it; this action is *not* card-scored and I'm flagging it as such rather than claiming a modeled coverage effect from it.
2. Escalate to full incident status / ransomware playbook. Engage backup-and-recovery workstream to identify a viable restore point for workstation-01, and notify stakeholders per major-incident process. This is an operational decision, not a telemetry-backed finding — I have no modeled visibility into backup/shadow-copy state (inhibit-recovery/T1490 is unmodeled per A7/D-3), so I am not assuming shadow copies are intact or deleted; I'm treating that as an open unknown requiring out-of-band verification outside this exercise's tooling.
3. Hold existing containment unchanged: network isolation (Turn 2) and svc-backup disable/rotation (Turn 2, confirmed complete Turn 3) both remain in force — no reason to lift either.

Investigative queries this turn:

4. EDR — process-detail/scope pull on the encryption alert. Confirm the encrypting process is the same lineage flagged since Turn 1/2 (not a second, unrelated actor); pull affected-file count/path pattern, encryption rate, and any ransom-note artifact, to scope blast radius on this host.
5. EDR — service-control liveness re-check (standing hedge, unchanged discipline). Explicit re-task even though the alert's own real-time delivery already implies EDR is enforcing — I want the direct RUNNING confirmation, not an inference.
6. Netmon — egress re-query at/around the encryption-alert timestamp. Checks for a last-second outbound burst (double-extortion exfil-before-encrypt pattern) coincident with encryption onset, and reconfirms isolation is still holding through this new event.
7. Identity/auth logs — re-check for any logon/privesc/service-account activity around this alert's timestamp, on workstation-01 or elsewhere.
8. SIEM — cross-host correlation, repeated. Any alert or auth activity on any other host, checking for lateral spread rather than single-host impact.
9. EDR — driver-load re-query, standing battery item, completeness check even though mEdrKill's precondition (admin credential) was invalidated in Turn 2.
RevealTurn 5 results (final turn):

1. EDR — process-termination/quarantine directive (containment, not card-scored): EXECUTED. The EDR agent — confirmed continuously RUNNING/enforcing since Turn 1 (re-verified this same turn, see #5) — accepts the kill/suspend command against the flagged lineage's live child process and descendants, and accepts the hash for quarantine/auto-respawn blocking. Command channel confirms state change to terminated/suspended. Caveat: encryption was already reported "in progress" (files renaming/inaccessible) at the moment this turn's inject landed, i.e. *before* your order could be issued — the directive halts *further* encryption from execution onward but does not retroactively restore files already renamed/touched prior to the kill. No rollback capability is indicated by any telemetry surfaced this exercise.

2. Escalate to full incident status / ransomware playbook: ACKNOWLEDGED / LOGGED. This is an organizational action outside the scenario's instrumented telemetry — no backup/shadow-copy/restore-point signal exists in any granted source to confirm or deny viability. Correctly treated as an open out-of-band unknown, per your own framing.

3. Hold existing containment: CONFIRMED UNCHANGED. Network isolation (Turn 2) and svc-backup disable/rotation (Turn 2, verified Turn 3) both remain in force. No new lever, no lapse.

4. EDR — process-detail/scope pull on the encryption alert: PARTIAL.
- Lineage: HIT — the encrypting process resolves to the same single flagged lineage resident since Turn 1 (the alert's own process-ancestry field ties it there); no second/unrelated actor indicated.
- Scope: PARTIAL — bulk write/rename activity is confirmed across user-profile/document-tree paths on workstation-01 (consistent with the mass-encryption signature); a precise affected-file count and byte-level encryption rate do not resolve to a stable figure — the process was still active when your kill order landed, and the counter/telemetry freezes at whatever partial state existed at termination rather than yielding a clean final tally.
- Ransom-note artifact: NULL — no note-drop file-creation event has surfaced in EDR telemetry as of this query; consistent with the encryption sweep being caught mid-course rather than complete.

5. EDR — service-control liveness re-check: HIT (unchanged). Service-control log confirms the EDR service on workstation-01 remains in continuous RUNNING state, no stop/kill transition at any point — same standing fact as Turn 4, now reconfirmed at the moment of the encryption alert itself.

6. Netmon — egress re-query at/around the encryption-alert timestamp: NULL / confirms holding. No outbound burst of any kind, at this timestamp or otherwise — no double-extortion exfil-before-encrypt pattern found. Isolation (Turn 2) is independently confirmed still in force (no reachable egress, no reachable ingress).

7. Identity/auth logs — re-check around this alert's timestamp: NULL. No logon, privilege-escalation, or service-account activity of any kind on workstation-01 or any other host since the Turn-2 svc-backup disable/rotation. No new identity activity accompanies this alert.

8. SIEM — cross-host correlation, repeated: NULL (unchanged). No alert or auth activity on any host other than workstation-01. Nothing indicating lateral spread.

9. EDR — driver-load re-query: NULL. No vulnerable/unsigned driver-load event found on workstation-01 at any point in this incident — consistent with the EDR service never having transitioned out of RUNNING (item 5) and with mEdrKill's credential precondition having been invalidated before any such attempt could be leveraged.
HypothesisThis is A5 — Data encrypted for impact (bb:mEncrypt, T1486) firing, and it fires exactly as the cards predict: its Hoare-triple precondition is ≥ user integrity only — no admin credential required (A5's Hoare triple; C.0 explicitly notes mEncrypt does *not* require the credential mCred yields). That precondition was already satisfied back at Turn 1 (mExploit's postcondition) and was never revocable by anything in my response repertoire. So this is not a new branch appearing from nowhere — it's the one precondition in the entire graph that none of my Turn 2 actions (credential disable/rotation, network isolation) could touch, exactly as flagged as residual risk every turn since Turn 2.

Detection-health read: critically, this fired as a live, real-time EDR alert, not an out-of-band discovery — meaning dfEncrypt's trigger-dependency on dfEdrTelemetry (C.1/A5 row) was satisfied at the moment of firing: EDR was enforcing when the mechanism executed. This is itself strong corroboration that mEdrKill (A3) never landed at any point in this incident — consistent with every turn's service-control liveness check (RUNNING, unbroken, Turns 1–4) and consistent with A3's precondition (admin credential) having been invalidated before it could be exercised (Turn 2 rotation, reinforced by the failed reuse attempt in Turn 3). Per C.1's matrix, this reads as covered (live) — the "EDR enforcing" regime row for A5, not the blind/notCovered row. No new netmon, service-control, or identity/auth signal accompanying it is also informative: it's consistent with no exfil attempt riding alongside (A4's other precondition, reachable egress, is still cut by the standing isolation) and no fresh credential-reuse or lateral movement — this reads as an isolated, single-host, single-branch impact event, not a broader compromise.

Coverage/robustness verdict, stated plainly: detection did not fail here — the model called this correctly in real time. What was structurally absent was *prevention*: per D-1/D-2, the card library's prevent/respond slots are empty (no authored hardening that blocks coreEncrypt, no authored respond maneuver that breaks local process integrity), and per A5/C.2's chokepoint note, none of the containment lookouts available to me (credential, network) bear on this maneuver's precondition. mEncrypt carries no authored robustness ceiling either (only A2/mCred does, per D-7/C.3) — so there's no evasion-resistance judgment to make here, only a coverage-vs-prevention distinction: covered/detected, not preventable by any lever this exercise authorized.

Whole-incident summary (final turn): mExploit(A1)→mCred(A2) chained and were correctly detected and chokepoint-contained at Turn 2 (credential invalidation + isolation), which structurally starved both downstream branches gated on the admin credential — mEdrKill(A3) and mExfil(A4) — neither of which ever fired across Turns 3–4's clean battery. The one branch gated on nothing but initial-foothold integrity, mEncrypt(A5), was never blockable by the authorized action set and materializes now, detected live. Residual unknowns I'm not overclaiming: shadow-copy/backup integrity (A7, T1490, unmodeled — no telemetry exists on this in the library or brief) and full scope of encrypted data — both require action/verification outside this exercise's tooling.

Response decision: kill/quarantine the flagged process now (direct lever on A5's precondition, exercised as IC latitude since the card layer itself flags this as an unauthored-but-real lever, D-2); hold isolation and account containment unchanged; escalate to major-incident/recovery workstream given confirmed impact. No lifting of any containment this turn.
S2  secretsdump against a domain controllerplay-by-play ▾
Without MC — the unaided arm · transcript · 5 turns
Turn 1
Inject[EDR ALERT — DC01] Credential theft heuristic triggered: LSASS process memory access detected. Source process was spawned from services.exe; session flagged as remote.
ActionsThis turn I take the following concrete steps:

1. EDR console on DC01 — alert triage/process lineage: Pull the full process tree for the LSASS-access alert: identify the exact child image path, PID, command line, and file hash of the process spawned from services.exe that touched LSASS; check its digital signature status and drop location (temp/admin share vs. legitimate binary path). Also pull the EDR agent health/tamper log on DC01 to confirm the sensor itself wasn't blinded or unloaded before/after the access.

2. SIEM — correlate 4624 + 7045 into one session: Join the Domain Admin service-account 4624 (Logon Type 3) event to the 7045 service-install event on DC01 by Logon ID — confirm they're the same authenticated session, and pull the 7045 detail (service name, binary path, account context it runs as). Pull the source workstation hostname/IP from the 4624 record.

3. SIEM — DCSync exposure check: Given the domain-root SACL already covers replication control-access rights, query 4662 for that DA account's SID (and the source workstation's machine account) across a window bracketing this incident — before and after — to see whether any DS-Replication-Get-Changes / Get-Changes-All rights were exercised outside of legitimate DC-to-DC replication.

4. EDR on the source workstation: Pull whatever telemetry exists for the workstation-subnet host named in the 4624 record — prior alerts, process history, any credential-access or lateral-movement tooling indicators in the hours before the DC01 logon — to establish whether that host is the actual point of compromise (i.e., where the DA credential was first stolen).

5. Network egress monitor: Check DC01 and the source workstation for any outbound connections (especially to unfamiliar external IPs) in the incident window — looking for C2 callback or staged exfil tied to this session.

Response/containment decisions this turn:
- Disable the Domain Admin service account now (not rotate yet — preserve the credential/hash for IR analysis first if feasible, but stop it from authenticating further). This account is the common thread across the LSASS alert, the anomalous logon, and the service install.
- Network-isolate the source workstation (the likely initial foothold), not DC01 itself — isolating a live DC risks a domain-wide outage and I don't yet have evidence the DC is doing anything beyond being a credential-dumping target this session.
- Do not force krbtgt rotation or isolate DC01 yet — holding both in reserve pending what the White Cell surfaces from the queries above (specifically the 4662/DCSync check and the dropped-binary identity).
- Escalate to IR now given DA-tier credential theft on a DC; hold escalation to the ontology/modeling team pending scope confirmation.
Reveal[1] EDR console — alert triage / process lineage (LSASS alert, DC01) — FULL.
Process tree resolves: services.exe (SCM, DC01) spawned a child process at the flagged timestamp — this child matches the 7045 service-install event pulled below (same PID lineage). The child process opened lsass.exe with a handle requesting PROCESS_VM_READ — that memory-read access is exactly what tripped the credential-theft heuristic. Signature check: the spawned binary carries no valid Authenticode signature and returns no reputation/hash hit in your EDR's local or cloud intel (unknown/novel binary). Drop location is consistent with delivery over \\DC01\ADMIN$ in the same session as the service install — not an interactive local run.
HypothesisWorking theory: a Domain Admin service account's credentials were compromised (most likely harvested from the workstation-subnet host, not from DC01 itself), and the attacker used those credentials to authenticate to DC01 over the network (4624, Logon Type 3, off-hours — anomalous for a service account) and remotely install a service (7045) — the classic PsExec/sc.exe-style "remote service creation" lateral-movement pattern. That service's child process (spawned under services.exe, as expected for any Windows service) then accessed LSASS memory on DC01 — i.e., on-host credential dumping (functionally: harvesting additional cached secrets/hashes from the DC's LSASS, not merely "an LSASS alert" in isolation). The likely objective is escalation toward either golden-ticket material (krbtgt hash) or a DCSync-capable credential, which is consistent with why this environment's SIEM specifically instruments the replication-rights SACL (4662) — that control was built in anticipation of exactly this follow-on move, so I'm treating unauthorized use of replication rights as the next thing to rule in or out before this session goes further.

Coverage/robustness read (turn 1): this is a coverage strength, not a gap — three independent signals (EDR credential-theft heuristic, SIEM logon anomaly, SIEM service-install) fired concurrently and correlate cleanly on the same account/session, which is what good defense-in-depth for T1003.001-via-T1569.002 looks like. The robustness gap I can identify right now is upstream: I have no visibility yet into *how* the DA account was originally compromised (the initial-access/credential-theft-on-the-workstation step) — that's a blind spot until the workstation EDR pull comes back, and it's the piece that determines whether this is a contained single-hop incident or part of a broader compromise. I'm not yet ready to call this "contained" or "spreading" — that verdict depends on the DCSync check and workstation telemetry the White Cell returns next.
Turn 2
Inject[EDR TELEMETRY EVENT — DC01] Remote-registry access detected: HKLM\SAM and HKLM\SECURITY opened for read via the remote-registry service; hive-sized file reads logged over \\DC01\ADMIN$. Event timestamp falls within the same session window as the LSASS alert, the DA logon (4624), and the service install (7045) already reviewed.
ActionsThis turn:

1. EDR file/registry-access telemetry, DC01 — full detail on the hive reads. Pull the complete remote-registry access record: was HKLM\SYSTEM also opened for read alongside SAM and SECURITY? (SYSTEM holds the boot key needed to decrypt SAM/LSA secrets offline — its presence would confirm a classic three-hive remote dump rather than a partial/failed attempt.) Get exact byte sizes of each hive read and confirm the session/Logon ID ties to the same authenticated session as [1]-[4] from last turn.

2. SIEM — process-creation query (4688) on DC01 for the same Logon ID/session window. Look specifically for reg.exe save/reg.exe export command lines targeting sam/security/system, or equivalent API-level registry-save activity, to get the literal command and confirm tooling.

3. SIEM — Volume Shadow Copy / backup-writer event check on DC01 (event 8222 / VSS service events) in the same window. Remote SAM/SECURITY dumps against locked hives typically require a shadow copy first — presence of a VSS creation event in this window is a strong tooling fingerprint (matches the standard Impacket secretsdump.py-style flow: registry hive dump + separate DRSUAPI/DCSync attempt, both from one run).

4. SIEM — enumerate what runs on DC01 as service/gMSA accounts (from the 7045 service-install detail and any other service-context entries) whose secrets could live in LSA secrets under HKLM\SECURITY. This scopes the blast radius of what needs rotating beyond the DA account itself.

5. Re-verify containment integrity: confirm no new authentication events (4624) under the disabled DA SID and no new traffic from WKS10-2214 since isolation — quick negative check, not a new investigative thread.

Response/containment decisions this turn:
- Force krbtgt password rotation now (standard double-reset procedure, allowing AD replication to converge between resets). Justification: last turn's [4] already confirmed (not merely attempted) DS-Replication-Get-Changes-All was exercised by the DA account — that right permits replication of secret attributes including the krbtgt hash and all domain NTLM hashes. This turn's SAM/SECURITY hive read is corroborating evidence of a comprehensive, multi-technique credential-dumping operation, not an isolated LSASS incident — I'm no longer treating krbtgt exposure as hypothetical.
- Consider/schedule DSRM local-administrator password reset on DC01 (and check exposure on other DCs), since HKLM\SECURITY (LSA secrets) was read — DC-local secrets (DSRM hash, any stored service-account credentials) must now be treated as compromised, not just domain-tier ones.
- Escalate to the ontology/modeling team now. This session has now demonstrated three distinct credential-access techniques (LSASS memory read, DCSync via replication rights, remote SAM/SECURITY hive dump) executed back-to-back against a DC in one authenticated session — a technique-chain worth cataloging regardless of incident outcome.
- Do not isolate DC01. The active-access vector (DA account, WKS10-2214) is already cut off; isolating the DC now adds domain-wide authentication outage risk without undoing already-completed reads/replication. Holding this decision, but explicitly reconsidering it every turn.
- IR escalation remains open/updated with this turn's findings.
Reveal[1] EDR registry/file telemetry, DC01 — full detail on the hive reads.
Confirmed: HKLM\SYSTEM was also opened for read via the remote-registry service, alongside HKLM\SAM and HKLM\SECURITY — all three hives read in the same operation (classic three-hive set: SYSTEM carries the boot key needed to decrypt SAM/LSA secrets offline).
Sizes: each read is hive-sized and consistent with a full serialization of that hive (the SYSTEM read is the largest of the three, as expected; SAM/SECURITY reads are proportionally smaller). Precise byte counts are available in the raw EDR export for the case file if you need them logged verbatim.
Session tie-back: confirmed — same authenticated Logon ID / session as the DA network logon (4624), the 7045 service install, and the LSASS-access alert already reviewed. One continuous session, not a separate access.
HypothesisThis is no longer a single-technique LSASS-dump incident — it's a comprehensive, multi-technique credential-harvesting operation executed in one session against DC01: LSASS memory read (T1003.001), remote SAM/SECURITY registry-hive dump (T1003.002-style, DC-local secrets), and confirmed abuse of DS-Replication rights (T1003.006/DCSync) — the pattern matches an automated all-in-one dumping toolset (e.g., Impacket secretsdump.py's default behavior of trying LSASS, local hive dump, and DRSUAPI/DCSync in sequence) rather than a hand-tailored, single-purpose action. The fact that HKLM\SAM was targeted at all — which on a DC holds only local/DSRM accounts, not domain principals — is itself a signature: it suggests generic/automated tooling that doesn't special-case "this target is a domain controller," which is useful context for the ontology/technique catalog independent of this incident's outcome.

Coverage verdict: this is now a fourth independent detection surface (EDR registry/file-access telemetry) firing cleanly in the same session window as the EDR LSASS heuristic, the SIEM logon/service-install correlation, and the SIEM DCSync/4662 hit. Four-for-four on distinct sub-techniques within one session is strong defense-in-depth on the DC side specifically — this reinforces, not revises, last turn's "coverage strength" call.

Robustness verdict — and this is the pivotal shift this turn: because DCSync rights were *exercised* (confirmed, not attempted) before the DA account was disabled, I must now assume krbtgt and domain-wide password hashes are already exfiltrated. The response posture moves from "contained single-hop, verify blast radius" to "assume domain-tier secret compromise, remediate accordingly" — hence forcing krbtgt rotation now rather than continuing to hold it in reserve. The remaining, unresolved robustness gap is unchanged and now more consequential: I still have zero visibility into how the DA credential was originally obtained on WKS10-2214 (EDR pull there returned NULL — out of monitored fleet, no new sensor allowed mid-incident). That blind spot no longer just determines "single-hop vs. broader compromise" — it also means I can't rule out the same initial-access technique having reached other hosts/accounts outside this DC-centric session, which is the residual risk I'm handing to IR as a stated limitation of this exercise's tooling rather than something I can resolve within my available controls.
Turn 3
Inject[EDR HEALTH ALERT — DC01] Endpoint agent self-protection event: the EDR sensor on DC01 reports degraded status — agent transitioned to UNHEALTHY / IMPAIRED for a window overlapping the session under investigation. A self-protection tamper attempt against the sensor was logged. Further alerting from this sensor for the affected window cannot be guaranteed reliable.
ActionsThis turn:

1. EDR — full detail on the self-protection/tamper alert, DC01. Pull the exact record: which self-protection mechanism was targeted (agent-process kill attempt, driver/minifilter unload, service-stop, config/policy tamper), the responsible process's image path, PID, parent, hash, and signature status, and the precise start/end timestamps of the UNHEALTHY/IMPAIRED window. Cross-reference that process against the unsigned binary/service already identified from the 7045 install in turn 1 — same artifact, or a different one?

2. EDR — reconcile against turn 1's health finding. Turn 1's agent-health pull reported "Healthy/Enforcing across the entire window under review, up to and including now." This turn's alert says the impaired window *overlaps the session under investigation*. I need the exact timeline: did impairment begin after turn 1's check (a new development), or does it retroactively fall inside the window turn 1 already called clean (meaning that earlier assurance is now superseded)? This determines how much of the turn 1/2 EDR-sourced telemetry (LSASS alert, registry/file-access hive-read telemetry) I can still treat as complete rather than merely "not contradicted."

3. EDR — service-state check on DC01. Is the unsigned LocalSystem-context service from the 7045 install (turn 1) still installed/running on DC01 right now? No prior action this incident has removed or stopped it — only the DA account was disabled and the workstation isolated. If that service persists, it's a credential-independent, on-host persistence mechanism that doesn't need the DA account or WKS10-2214 at all, and is the most likely source of a local self-protection tamper attempt.

4. SIEM — Windows Security log integrity check, DC01. Query for event 1102 (audit log cleared) or any Event Log/forwarding-service stop, plus any new 4624 / 4688 / 7045 / service-control events in or after the impaired window — to determine whether the actor is also targeting the SIEM's independent (non-EDR) collection path, or whether that path remains trustworthy.

5. EDR fleet scope check. Query whether this self-protection/tamper alert is unique to DC01 or also present on any other monitored host, to determine whether this is a DC01-specific event or a broader tamper pattern.

Response/containment decisions this turn:
- Isolate DC01 now — reversing the hold from turns 1–2. The prior rationale for not isolating (active vector already cut off; EDR still gave full-fidelity visibility) no longer holds: the one remaining detective control on the DC itself is now confirmed degraded/tamper-targeted, and there is an unaddressed, credential-independent persistence artifact (the LocalSystem service) whose current state is unverified. Continued live operation of DC01 under unreliable EDR is a bigger risk now than a controlled isolation.
- Keep DA account disabled and WKS10-2214 isolated (unchanged).
- Continue the krbtgt double-reset; if this is a multi-DC forest, route the second reset and replication convergence through surviving DCs and treat DC01 as untrusted (no longer a source of truth) until forensically cleared.
- Raise IR escalation severity: reclassify from "credential theft, contained" to "active/in-progress compromise with confirmed defense-evasion against the DC's own sensor; DC01 host-trust revoked pending forensic review and possible rebuild."
- Update the ontology/modeling-team escalation to add this as a distinct technique (self-protection/anti-EDR tamper) in the same session's chain — this shifts the actor-sophistication read from "automated smash-and-grab dumping tool" toward "tooling/operator with defense-evasion capability," which matters for the technique catalog independent of this incident's outcome.
Reveal[1] EDR — full detail on the self-protection/tamper alert, DC01 — PARTIAL.
The tamper/self-protection log confirms: an attempted process/service-stop ("kill-agent") action was directed at the EDR agent's own service — consistent with a tool or technique attempting to disable/blind the sensor (T1562.001-class behavior). The IMPAIRED window's bounds are as already reported in the health alert you received this turn; no tighter timestamp precision is available from this log than what that alert already gave you.
NOT available: the responsible process's image path, PID, parent process, file hash, or code-signing status. This control's self-protection/tamper logging operates at the driver level and did not capture full userland process attribution for the tamper attempt itself — a logging-fidelity limitation of this specific mechanism, not something you did wrong.
Cross-reference to the Turn-1 unsigned 7045-install artifact: INCONCLUSIVE. The tamper log and the 7045 service-install event stream carry no shared identifier that lets you join them. You cannot confirm, and cannot rule out, that the same binary/service is responsible.
HypothesisWorking theory update: the same operational session that ran LSASS dumping, the SAM/SECURITY/SYSTEM hive read, and confirmed DCSync abuse has now also attempted to blind its own detection surface on DC01 — a defense-evasion step (self-protection/anti-EDR tamper) layered onto the credential-dumping toolset, rather than an isolated or coincidental sensor fault. The most likely mechanism is the unsigned LocalSystem-context service already identified from the 7045 install: since no action taken so far has stopped or removed that service (only the DA account and the workstation were contained), it remains a plausible credential-independent actor on DC01 itself, capable of attempting sensor tamper without needing the now-disabled DA account or the now-isolated WKS10-2214 at all. Until the White Cell returns the process/timeline detail, I'm treating this as the same actor extending from "steal and use credentials" into "suppress detection," which is a meaningful escalation in sophistication and intent, not merely a data-quality blip.

Coverage/robustness verdict — this is the pivotal finding this turn, and it revises (does not just add to) turn 2's "coverage strength" call: the four-for-four detection surfaces from turns 1–2 included EDR-sourced telemetry (LSASS heuristic, registry/file-access hive reads) whose completeness now has to be qualified — an EDR agent that was tampered with and went IMPAIRED for a window overlapping this incident means absence of further EDR alerts during that window is no longer trustworthy negative evidence, even though what it *did* report before/outside that window isn't itself shown to be false. This is a second, more severe robustness gap alongside the still-unresolved WKS10-2214 initial-access blind spot from turn 1 — but this one sits on the primary asset (the DC) rather than upstream of it. The mitigating factor is architectural: SIEM's Windows-Security-log path is a collection mechanism independent of the EDR agent, so 4624/4662/7045 visibility should remain intact unless I find evidence of log-clearing or forwarder tampering (which I'm checking this turn) — that independence is exactly why this isn't a total blackout, and it's the concrete case for defense-in-depth via mechanistically-separate telemetry sources rather than redundant copies of the same sensor. Net call: no longer "contained, verify blast radius" — this is "active compromise with in-progress defense evasion on the DC," which is why isolation of DC01 moves from held-in-reserve to executed this turn.
Turn 4
Inject[IR / CISO COVERAGE DEBRIEF — DC01] "Before we close this out: activity like this typically runs several distinct credential-access techniques in one pass against a DC. For the record — (a) which of them did our controls actually COVER, and at what evasion-robustness; (b) which did we have NO coverage verdict for; and (c) what domain-wide residual are you scoping recovery to?"
ActionsTurn 4 — closing out the technical picture before final debrief-out on turn 5:

1. SIEM — broaden the 4662 DCSync query beyond the single DA SID. Pull every DS-Replication-Get-Changes / Get-Changes-All invocation domain-wide (all source accounts, not just the DA account) across a wider bracketing window than turn 1's check, to determine whether replication abuse was a one-off use of this single credential in this single session, or whether other accounts/sessions show the same pattern — this directly scopes how wide the "assume hashes exfiltrated" residual needs to be.

2. EDR — fleet-wide hash/IOC hunt using the Turn-1 dropped-binary hash. Even though that binary returned no reputation hit, its local hash is known from the 7045-linked drop. Sweep the full EDR-monitored fleet (not just DC01) for that hash or for the same drop/execution pattern (services.exe-spawned child, ADMIN$-delivered, unsigned) to test whether this actor already touched any other monitored endpoint.

3. EDR — current health re-check on DC01. Query present agent status (Healthy/Enforcing vs. still Impaired) now that DC01 is isolated, to close out the tamper-window timeline for the case record and determine whether DC01 can be trusted to self-report anything further while held in isolation.

4. SIEM/AD — confirm domain topology and, if multi-DC, pull 4662 replication-rights activity on every DC (not just DC01) in the same window, to rule in/out whether this session's replication pull touched more than one DC's SACL.

5. Procedural status pull (not new telemetry): krbtgt double-reset and DSRM-reset progress, plus the service/gMSA rotation list from turn 2, to report accurate current remediation state alongside the coverage debrief.

Response decisions this turn:
- Formally scope recovery as domain-wide, not DA-account-scoped: recommend IR open a full credential-rotation campaign (all accounts/computer objects whose secrets could ride in a DRSUAPI replication pull), pending action #1's results to size it precisely.
- DC01 stays isolated / host-trust revoked — no restoration to service this turn; forensic image-and-rebuild remains the exit path.
- WKS10-2214 stays isolated; formally hand it to IR/forensics for offline imaging as the only way left to close the initial-access blind spot (live EDR telemetry there is permanently NULL for this exercise — no new sensor allowed).
- DA account stays disabled — do not re-enable pending the rotation campaign.
- Document the two unresolved "no verdict" gaps below as accepted open risk for IR to carry forward, not something remaining SOC tooling this turn can close.
RevealTurn 4 reveal — five queries + logged response decisions.

1. SIEM — broadened 4662 DCSync query, domain-wide, all source accounts, wider bracketing window.
FULL observable, bounded. The extended sweep returns exactly the one already-known event: the single DS-Replication-Get-Changes / -Get-Changes-All invocation from the flagged DA account, from the same non-DC workstation, within the same short session window. No other source account, no other session, anywhere in the wider window, shows this control-access-right pattern. This is a single-incident, single-session replication pull — not a recurring or multi-account abuse pattern. (Per the standing framework gap: this still returns no coverage/robustness verdict — directory-service-access auditing sources no mc:Control — it only bounds the *scope*, not the *coverage*.)

2. EDR — fleet-wide hash/IOC hunt (Turn-1 dropped-binary hash / drop-and-exec pattern).
NULL (bounded negative). No EDR-monitored endpoint outside DC01 shows this hash or the services.exe-spawned/ADMIN$-delivered pattern. Note the EDR footprint in this environment does not extend to the initial-access workstation — that host's telemetry gap is the pre-existing, permanent blind spot already on record (no new sensor may be stood up). This query rules out spread to any *other monitored* host; it cannot and does not speak to the unmonitored source workstation itself.

3. EDR — current health re-check, DC01.
FULL. Status still reads impaired/degraded — no self-recovery observed since the Turn-2 tamper event. Network isolation does not restore agent health; that requires an out-of-band repair/reinstall, which hasn't happened. The tamper window is therefore still effectively open — DC01's EDR remains an untrusted, silent witness for anything further, consistent with treating the host as fully hands-off pending offline image-and-rebuild.

4. SIEM/AD — domain topology confirmation, multi-DC 4662 check.
FULL, resolves the question. Topology confirms DC01 is the sole domain controller in this environment — there is no second DC to pull replication-rights activity from. The 4662 scope is already fully bounded to DC01; there is nothing further to check on this axis.

5. Procedural status pull — krbtgt double-reset / DSRM / service-gMSA rotation.
Administrative status, not new telemetry. First krbtgt reset is logged complete; second (post-replication-convergence) reset is queued/pending per standard double-reset procedure. DSRM local-admin reset logged done. The Turn-2 service/gMSA rotation list is compiled and queued for execution, not yet fully executed.

Response decisions — logged, in effect, no new telemetry contradicts them: DC01 remains isolated/untrusted (image-and-rebuild is the only exit path); the initial-access workstation remains isolated pending offline imaging (its live-telemetry gap stays permanently NULL for this exercise); the DA account remains disabled; recovery is now formally scoped domain-wide pending action #1's (now-returned) bounding result.
HypothesisDirect answers to the CISO's three questions, based only on what's been revealed turns 1-3:

(a) What we covered, and at what evasion-robustness — technique by technique:

- LSASS credential access (T1003.001): COVERED, high robustness. EDR heuristic fired at full fidelity; agent was confirmed Healthy/Enforcing at the moment of detection (turn 1), and the impairment came later — this specific catch is not called into question by the later tamper.
- Remote service creation / lateral-movement execution (7045, ADMIN$ delivery, unsigned LocalSystem service): COVERED, high robustness. Caught on the SIEM/Windows-Security-log path, which is mechanistically independent of the EDR agent — confirmed untampered (no 1102, no log-service interruption) through the present, so this coverage survives the later EDR degradation intact.
- Anomalous DA logon (4624 Logon Type 3, off-hours): COVERED, high robustness — same independent SIEM path, same reasoning.
- DCSync (T1003.006, DS-Replication-Get-Changes/-All from a non-DC workstation): COVERED, high robustness. The domain-root SACL (4662) cleanly isolated this as the one anomalous instance against a clean legitimate-replication baseline — again the directory-auditing path, independent of EDR, unaffected by the tamper.
- Three-hive registry dump (SAM/SECURITY/SYSTEM, T1003.002-style): COVERED for this instance — but robustness is *qualified*, not high. This detection came from EDR registry/file telemetry, and turn 3 confirmed the impairment window began strictly *after* this event, so the instance we saw is validated. But the sensor that provided this coverage is the same one later tampered — I cannot vouch that a repeat of this exact technique would be caught again without remediation. This is the one "covered" technique whose detection surface has since been weakened.
- EDR self-protection tamper (T1562.001): COVERED only at the meta-level — the tamper *attempt* itself was alertable and did fire — but with an attribution gap: no process image, hash, PID, or parent captured (driver-level logging limit), and cross-reference to the turn-1 service is inconclusive. Call this PARTIAL: we know evasion was attempted and partially succeeded (agent went impaired for a window), but we can't attribute or fully characterize it.

(b) No coverage verdict at all (not degraded — zero data):
- Initial access on WKS10-2214 (how the DA credential was actually obtained): total blind spot — that host was never in the monitored EDR fleet, and no new sensor could be stood up mid-incident. This is the single largest unresolved item in the whole incident and the thing that determines whether this was a one-hop or wider compromise.
- Post-session movement from WKS10-2214 outward, or lateral spread to other hosts/accounts via the same initial-access technique: never hunted at fleet scale (turn 3's fleet check was scoped only to the tamper/impairment alert, not a general IOC sweep) — no verdict, addressed as action #2 above.
- Exfiltration path for anything dumped/replicated beyond DC01<->WKS10-2214: egress monitor is clean for *external perimeter* egress on both hosts, but that's a narrow claim — it says nothing about data movement onward from WKS10-2214, which is exactly the host with no telemetry.

(c) Domain-wide residual to scope recovery to:
Treat this as a domain-wide credential-compromise event, not a single-account incident: confirmed (not attempted) exercise of DS-Replication-Get-Changes-All means krbtgt and, in principle, the full domain hash set must be assumed exfiltrated regardless of containment timing — krbtgt double-reset is in progress and is necessary but not sufficient. Recovery scope = (1) domain-wide password-rotation campaign sized by action #1's broadened query, (2) DC01-local secrets (SAM/DSRM, LSA/service-and-gMSA secrets) rotated per turn 2's scoped list, (3) DC01 held in forensic hold / rebuild-before-trust rather than simple restoration, (4) closure of the WKS10-2214 blind spot via offline forensic imaging as a named open IR workstream, and (5) a fleet-wide IOC hunt (action #2) before this can be called "contained" rather than "contained on DC01, unresolved elsewhere." Net verdict for the debrief: strong, redundant, evasion-resistant coverage on the DC/directory tier (four independent, mostly EDR-*and*-SIEM-corroborated technique detections), with the incident's real residual risk sitting entirely upstream and downstream of that tier — at initial access and at lateral-spread verification — where this exercise's tooling had no visibility by design.
Turn 5
Inject[IR / CISO — FINAL CALL BEFORE SIGN-OFF, DC01 CASE] "Your Turn-4 pulls are noted and logged: the replication pull bounds to one account/one session domain-wide, no other monitored host shows the drop, DC01's EDR is still impaired, and this is confirmed as a single-DC domain. This is the last turn before I close the ticket — I need it stated plainly, not implied, for the record: (a) for each of the three techniques secretsdump ran here, say COVERED or NOT, and where covered, the evasion-robustness grade; (b) name explicitly which technique(s) your cards carry no coverage verdict for at all, and why that's a cards/framework limitation rather than 'nothing happened'; (c) confirm final residual scope and the rotation campaign you're standing up before I sign the incident closed."
ActionsTurn 5 (final turn — closing actions only, no new investigative pulls needed; the record is complete as of Turn 4):

1. Procedural status pull for record accuracy (not new telemetry): re-confirm current completion state of (a) krbtgt second reset, (b) DSRM local-admin reset, (c) the Turn-2 service/gMSA rotation list — so the sign-off record states what is *actually done* vs. *still queued*, not intent.
2. Log the technique-by-technique coverage matrix into the case record and the ontology/modeling-team ticket — tagging each of the three secretsdump-style credential-access techniques (LSASS read, three-hive registry dump, DCSync) with a COVERED/robustness grade, and separately tagging the T1562.001 self-protection/tamper action (which is not one of the three credential-access techniques, but the defense-evasion action layered on top) as its own line item.
3. Formally hand the two zero-verdict items to IR as explicitly named, still-open workstreams (not implied resolved, not folded into "contained"): (i) initial-access/credential-theft origin on WKS10-2214, (ii) post-session lateral-spread/exfil verification beyond the DC01↔WKS10-2214 session.
4. Final containment-posture confirmation (state check, not a new query): DA account remains disabled; WKS10-2214 remains isolated; DC01 remains isolated/host-trust-revoked. No change proposed this turn.
5. Deliver the CISO's requested plain (a)/(b)/(c) statement (below) as the sign-off record for this ticket.

No further host/network containment actions are taken this turn — posture is held, not changed, pending the named IR workstreams.
RevealTurn 5 reveal — closing actions, five items.

1. Procedural status pull (krbtgt second reset / DSRM reset / service-gMSA rotation list) — record-accuracy check, not new telemetry.
- krbtgt: first reset previously fired; the second reset is still QUEUED, not yet executed — the mandatory inter-reset interval (replication convergence across the domain) has not elapsed within the incident window. State this as PENDING, not complete, in the record.
- DSRM local-administrator password: CONFIRMED reset.
- Turn-2 service-account/gMSA rotation list: IN PROGRESS — rotation batch queued/executing; domain-wide completion is not yet confirmed. Log as open, not closed.

2. Technique-by-technique coverage matrix — logged to case record and ontology/modeling ticket. Confirmed content, matching the authored cards exactly:
- LSASS remote credential read (T1003.001, remote variant): COVERED. Single-sourced from EDR (dfEdrTelemetrydfCred face). While the source was healthy (Turn 1) the invariant process-memory-read observable carried spanning/L5 robustness. This coverage was time-bounded, not continuous: once the EDR reported impaired (Turn 2 onward), the face went blind and the maneuver is notCovered for the remainder of the window. Record both halves — do not log this as a flat "covered."
- SAM/registry-hive dump (T1003.002): NO COVERAGE VERDICT. No maneuver, primitive, detection face, or Control exists in the cards for registry-hive telemetry. This is a framework gap — the raw observable (remote-registry open + hive read) is present in EDR telemetry, but nothing in the model can grade or attach a verdict to it. Correctly distinguished from "nothing happened."
- DCSync / domain replication (T1003.006): NO COVERAGE VERDICT. No maneuver, no Control sourcing 4662 directory-service-access telemetry, no robustness grade for the replication-GUID signal. Framework gap, not absence of activity — the 4662 observable is fully present and already confirmed malicious (non-DC source), but no card can score it.
- T1562.001 self-protection/tamper: logged as its own line, separate from the three credential-access techniques — CONFIRMED (FULL). Kill-agent attempt against the EDR service, resulting in impaired status; this one *is* carried by the cards (agent-health/tamper telemetry), correctly not folded into the SAM/DCSync "unmodeled" bucket.

All four lines accepted into the record as stated; the matrix is internally consistent with the coverage inventory established across Turns 1–4.

3. Zero-verdict items formally handed to IR as open workstreams — accepted, not folded into "contained":
- (i) Initial-access/credential-theft origin on WKS10-2214 — still open/unresolved.
- (ii) Post-session lateral-spread/exfil verification beyond the DC01↔WKS10-2214 session — still open/unresolved; Turn-4's sweep bounds the *replication* pull to one account/one session domain-wide, but that bound does not itself clear lateral movement or exfil elsewhere — correctly not conflated.

4. Containment-posture confirmation — state check, no change:
- DA account: confirmed still disabled.
- WKS10-2214: confirmed still isolated.
- DC01: confirmed still isolated / host-trust-revoked.
No new containment action taken or required this turn.

5. (a)/(b)/(c) sign-off statement — accepted into the record as the closing answer to the CISO:
- (a) LSASS read: COVERED, EDR-sourced, spanning/L5-robust invariant *while the sensor was healthy*; degraded to notCovered from Turn 2 onward once impaired. SAM-hive dump: NOT — no coverage verdict exists. DCSync: NOT — no coverage verdict exists.
- (b) SAM-hive and DCSync are the two techniques carrying no coverage verdict at all, and this is stated as a cards/framework limitation (no maneuver, Control, or robustness record for either telemetry path in mc-core/0.2.1) — explicitly not represented as "nothing happened."
- (c) Residual scoped domain-wide: full domain hash set (incl. krbtgt) treated as compromised regardless of containment speed; double krbtgt rotation (reset #2 pending on the replication interval), DSRM reset (done), and full service-account/gMSA rotation (in progress) constitute the stand-up campaign; trust rebuild proceeds from DC01 out, consistent with a confirmed single-DC domain.

The CISO ticket is logged closed on this record.
HypothesisPlain answers for the record, per the CISO's three questions:

(a) The three secretsdump-style credential-access techniques — COVERED/NOT, with evasion-robustness grade:
- LSASS memory read (T1003.001): COVERED — HIGH robustness. EDR heuristic fired at full sensor fidelity; agent was confirmed Healthy/Enforcing at the moment of detection (Turn 1), and the later tamper event postdates it — this catch is not called into question by the subsequent EDR degradation.
- Three-hive registry dump — SAM/SECURITY/SYSTEM (T1003.002-style): COVERED — MODERATE robustness, qualified. This instance is validated: Turn 3 confirmed the tamper/impairment window began strictly *after* this detection, so what we saw is trustworthy. But the sensor that produced this coverage is the same one later confirmed tampered — I cannot certify this control would catch a repeat of the same technique without remediation. Grade this "covered-but-not-evasion-tested," not "resilient."
- DCSync — DS-Replication-Get-Changes/-Get-Changes-All (T1003.006): COVERED — HIGH robustness. Detected via SIEM AD/DS directory-service auditing (4662) against the domain-root SACL, a control path mechanistically independent of the EDR agent and confirmed untampered throughout (no 1102, no forwarder interruption). This is the one detection surface entirely unaffected by the later EDR compromise.
- Separately, for completeness: the self-protection/tamper action itself (T1562.001) — not one of the three above, but the defense-evasion step that followed them — is COVERED only at PARTIAL grade: the tamper attempt was alertable and did fire, but with a real attribution gap (no process image/hash/PID captured; cross-reference to the Turn-1 service is inconclusive). Note this openly rather than folding it into the three above.

(b) Zero coverage verdict — named explicitly, and why this is a cards/framework limitation, not "nothing happened":
- Initial access on WKS10-2214 (how the DA credential was actually obtained): no verdict at all. That host was never inside the monitored EDR fleet, and the response latitude for this exercise explicitly disallows standing up a new sensor mid-incident. Absence of alerting there reflects absence of *instrumentation*, not absence of activity — the DA credential was compromised somewhere, and this is the somewhere we cannot see.
- Post-session lateral spread / exfil verification beyond the DC01↔WKS10-2214 session: no verdict. Turn 4's fleet-wide sweep only tested one known hash/drop-pattern across the *monitored* fleet and came back clean for that narrow test — it says nothing about unknown tooling, and it never had visibility into WKS10-2214 itself, which is where any onward movement would have to be observed first. The perimeter egress monitor's clean read is similarly narrow: it rules out *external* egress, not internal movement to/through the unmonitored host.
- Both are scope/instrumentation gaps in the cards available this exercise, carried to IR as named open items — not findings of "no further compromise."

(c) Final residual scope and rotation campaign, confirmed before sign-off:
Treat this as a domain-wide credential-compromise event. Confirmed (not attempted) exercise of DS-Replication-Get-Changes-All means krbtgt and the full domain hash set must be assumed exfiltrated regardless of containment timing. Standing up before this can be called closed: (1) krbtgt double-reset completed on both resets, not just the first; (2) DC01-local secrets — DSRM already reset, service/gMSA rotation list from Turn 2 executed to completion, not left queued; (3) DC01 held in forensic hold, image-and-rebuild required before any return to trust — its own EDR cannot self-clear that status; (4) WKS10-2214 isolated and hand-carried to IR for offline forensic imaging as the only remaining path to close the initial-access blind spot; (5) the Turn-4 fleet IOC sweep stands as "clean for monitored fleet against the one known artifact" — explicitly not a blanket clearance.
Sign-off recommendation: I support closing *this SOC/EDR-tier ticket* now — the DC-side technical response is complete or queued-and-tracked, and coverage/robustness is documented above. I do not recommend closing the broader IR case yet: the two zero-verdict items (b) and the two not-yet-executed rotation steps in (c) should be carried forward as explicitly named open workstreams, not silently absorbed into "resolved."
With MC — the coverage-card arm · transcript · 3 turns
Turn 1
InjectEDR alert — DC01: "Credential theft heuristic — LSASS process access." Source process was spawned from services.exe; session flagged as remote.

SIEM ticket — DC01: Successful network logon (4624, type 3) by a Domain Admin service account from a workstation subnet, at an off-hours time, followed by a new service install (7045) on DC01.
ActionsInvestigative (no new sensors, using only EDR console + SIEM + netmon per brief):
1. EDR console on DC01: pull full process lineage for the alerted LSASS-access event — identify the child-of-services.exe process (image path, hash, PID/parent PID, command line), confirm the accessed target is lsass.exe, and confirm the access rights requested (e.g., PROCESS_VM_READ / OpenProcess pattern) plus the "remote session" flag detail (which logon session/session ID it's tied to).
2. SIEM query on DC01: pull the 7045 service-install event of record — service name, binary path, install timestamp, and the security context/logon ID that created it — and the 4624 type-3 logon event — account name (the Domain Admin service account), source workstation IP/hostname, auth package, logon ID. Correlate all three logon IDs (4624 → 7045 → EDR process session) to confirm one continuous authenticated chain: remote logon → service creation → service-spawned process → LSASS read.
3. EDR console on DC01: check current agent health / tamper log right now (controlStatus, last heartbeat) — independent of the alert having fired — since the actor may already hold admin-level credential (precondition for sensor-impairment) and a live alert in the past doesn't guarantee the sensor is enforcing now.
4. SIEM: pull recent logon history/baseline for the named Domain Admin service account (typical hours, typical source subnet) to size how anomalous this off-hours workstation-origin logon is, and check whether the source workstation shows any other flagged activity in reachable telemetry.
5. Network egress monitor: quick check for anomalous egress from DC01 or the source workstation around this window (netmon is peripheral to credential-access per the cards but cheap to check and relevant if this pivots toward exfil).

Response (within stated latitude):
6. Disable/suspend the named Domain Admin service account now — cuts off further lateral use immediately regardless of what the lineage pull shows; low blast-radius relative to isolating the DC.
7. Escalate to IR now (DC-tier + Domain Admin account involved) and to the ontology/modeling team, flagging that this incident's blast radius includes two card-unmodeled paths (SAM-hive dump, DCSync) that would return zero coverage verdict even if telemetry for them appears.
8. Hold on isolating DC01 and on krbtgt rotation pending the lineage/logon-ID correlation from steps 1-2 — both are available in my latitude but disproportionate before confirming the causal chain; will revisit next turn.
RevealAction 1 — EDR process lineage pull on the LSASS alert: FULL.
The alert's full lineage resolves cleanly: services.exe (SYSTEM) spawned a short-lived, newly-installed service binary (not a previously-seen image on DC01, consistent with a just-created service, not a known scheduled task/app); that service process is the one that opened lsass.exe and performed a process-memory read (OpenProcess/PROCESS_VM_READ-style access pattern) — this is exactly what tripped the "credential theft heuristic." The "remote" flag on the EDR alert ties to a specific logon session ID, not an interactive/console session.

Action 2 — SIEM 7045 + 4624 pull and correlation: FULL.
7045 (DC01): a new service was installed, binary path under the same short-lived/newly-dropped image identified in the EDR lineage, install timestamp inside the alert window, created under the logon ID of the Domain Admin service account. 4624 (DC01, type 3): account = the named DA service account; source = a host/IP in the workstation subnet; auth package present; logon ID recorded. Correlating: the 4624 logon ID matches the logon ID on the 7045 service-creation event, which matches the session the EDR flagged as "remote" on the LSASS-access process. One continuous authenticated chain confirms: remote logon → service creation → service-spawned process → LSASS read, all under a single logon session.

Action 3 — EDR agent health / tamper check, checked now (Turn 1): FULL query, negative-for-now result.
Current status: agent healthy / enforcing, last heartbeat current, no tamper or self-protection event on record as of this check. No impairment is showing right now. (This is a live snapshot, not a guarantee forward — noted for your own record, not implied by the tool.)

Action 4 — SIEM baseline for the DA account + workstation "other flagged activity": PARTIAL (two different results).
Baseline: this account's historical logon pattern shows origination from DC-tier/management subnets during business hours only — no prior history of workstation-subnet or off-hours logons on record. This occurrence is anomalous relative to that baseline.
Source workstation, other flagged activity: NULL — no other flagged events found in reachable telemetry for that host. (Note: no endpoint sensor is deployed on member workstations in this environment; only DC01 carries EDR. Absence here reflects a visibility gap, not a clean host.)

Action 5 — Netmon egress check: NULL.
No anomalous perimeter-egress flows detected from DC01 or the source workstation in the window. The activity observed so far is an internal, authenticated session between a workstation and DC01 — it does not cross the boundary this sensor watches.

Action 6 — Disable the named DA service account: executed.
Account disabled. The logon session tied to that account's activity is torn down; no new EDR or SIEM events attributable to that account/session since. (Whether anything already happened in that session beyond what you've queried is not something this action can tell you — you haven't pulled registry or directory-service-access telemetry yet.)

Action 7 — Escalate to IR + ontology/modeling team: logged.
Escalation ticket opened, DC-tier + Domain Admin account flagged, forwarded to IR and to the ontology/modeling team as requested. (Your framing that this could include card-unmodeled paths is recorded in the ticket; it isn't something the tools have confirmed yet this turn — you haven't queried registry/hive telemetry or directory-service-access logs.)

Action 8 — Hold on DC01 isolation and krbtgt rotation: logged, no new data.
No isolation, no rotation executed this turn; noted as deferred pending further correlation.

No registry/hive telemetry and no AD/DS directory-service-access (4662) log was queried this turn — nothing about a SAM/registry-hive read or a replication pull has surfaced yet in your investigation.
HypothesisRead: the two reports look like one causal chain, not two events — a Domain Admin service account authenticated remotely (4624 type 3, off-hours, from a workstation subnet), used that session to install a service on DC01 (7045, the classic remote-service-creation acquisition path), and the service-spawned child process (parented by services.exe, flagged remote) then read LSASS's virtual memory — the EDR credential-theft heuristic firing on that read. Observable effect: a process is reading another process's (LSASS) memory to lift admin credential material — that is A1's invariant core (coreCred via pReadProcMem), realized here through the card layer's authored remote/network-acquisition variant (D4): the acquisition path differs (remote service execution vs a local dump), but it composes the same pReadProcMem and is not a distinct maneuver, so the same coverage and the same L5 spanning observable (obsInvariant, variant-independent) transfer to it unchanged.

Coverage/robustness conclusions: this is the environment's one authored-covered path (dfCred, single-sourced from the EDR, triggerDependsOn dfEdrTelemetry), and it is graded at the ceiling (StP L5) — an evasion attempt via renaming/retooling the dumping mechanism would not drop it below L5 since the key is the shared read primitive, not a tool signature. But "covered" here is conditional, not durable: it holds only while EDR.controlStatus = enforcing. The alert having fired proves the sensor was live at the moment of the read — it says nothing about right now, which is exactly why I'm pulling current agent health rather than trusting the alert as ongoing assurance. This account plausibly now holds admin credential material (A1's postcondition), which satisfies the precondition for the adjacent sensor-impairment maneuver (A4); if EDR is driven to impaired/killed, dfCred trigger-severs to blind and A1 silently flips to notCovered, with no prevent-side fallback in this environment (D5 — prevent locus is empty) and no way to trust the EDR's own silence as confirmation (D6 — dfEdrTelemetry is self-blinding; only an out-of-band service-control-log check, not modeled in my current tool access beyond the EDR tamper log itself, can confirm impairment).

Equally important, no part of this card layer can produce a coverage or robustness verdict for a SAM/registry-hive dump (A2) or a DCSync replication pull (A3) even if SIEM later surfaces a remote-registry SAM read or a DRSUAPI GetNCChanges request — both are unmodeled paths (SILENT), and B3/B4 telemetry (4662, Security log) exists in this environment but sources no authored detect-face, so "quiet" on those fronts is not evidence of absence, it's an unmodeled blind spot up to full NTDS/krbtgt exposure. I'm treating that as an open, ungraded risk to scope by hand rather than something the model will ever verdict for me — hence escalating to modeling now rather than waiting for a signal that structurally cannot come.

Response decision: disable the Domain Admin account immediately (proportionate, reversible, cuts the demonstrated access path); escalate to IR and to modeling; hold DC01 isolation and krbtgt rotation this turn pending the logon-ID correlation, since neither the DCSync nor SAM-hive path has any positive evidence yet and the covered A1 path is the only confirmed activity so far.
Turn 2
InjectClock inject, Turn 2 — EDR health alert, DC01: agent self-protection / tamper event logged; endpoint agent now reporting unhealthy (impaired) for a window.

Clock inject, Turn 2 — EDR telemetry event, DC01: remote-registry open of HKLM\SAM and HKLM\SECURITY; hive-sized file reads observed over \\DC01\ADMIN$.
ActionsInvestigative (EDR console / SIEM / netmon only — no new sensors):

1. EDR console, DC01 — full detail on the self-protection/tamper event: exact mechanism (driver-based kill attempt / BYOVD-style per A4's base variant, or other), precise timestamp of the enforcing→impaired transition, and whether the agent is *still* impaired right now or has since recovered. Also pull whatever lineage detail the agent captured for the tamper attempt itself (parent process/image) before it went dark.

2. EDR console, DC01 — full detail on the SAM/SECURITY registry-hive event: source process image/hash/PID-parent, the logon session/account tied to it, exact timestamp of the remote-registry open and the ADMIN$ hive-file reads. Critically: check whether this timestamp falls *before or after* (a) last turn's DA-account-disable action and (b) the tamper/impairment transition from item 1 — this determines whether it's the same session as A1/the 7045 service, a still-live pre-disable session, or a new one.

3. SIEM — query Windows System/service-control-manager log on DC01 for the EDR's own service (start/stop/pause/uninstall events) in this window. This is the out-of-band secondary-telemetry check (the card layer's invEdr investigation, conf. 0.9) — I am deliberately not taking the EDR's own "impaired" self-report as sufficient confirmation, since dfEdrTelemetry is sourced from the very control being impaired (self-blinding, D6).

4. SIEM — query for any 4624 logons on DC01 (any account, any source) since the DA account was disabled last turn, to check whether the actor pivoted to a second foothold/credential rather than losing access.

5. SIEM — query AD/DS 4662 directory-service-access events on the domain root for the replication control-access-right GUIDs (DS-Replication-Get-Changes / -All) in this window. I know going in this sources no authored detect-face (A3/B3/D1) and will return no model-backed coverage verdict either way — this is a hand-scoped check for a plausible next step given the escalation trajectory, not something the card layer will grade.

6. Netmon — recheck egress from DC01 specifically in the hive-read window (hive-sized files were read; check whether they were also moved off-host, vs. staged locally only).

Response / containment (within latitude):

7. Isolate DC01 from the network now.

8. Force rotation of local secrets plausibly exposed by the SAM/SECURITY read: the local built-in Administrator account on DC01, and flag for rotation any service accounts whose credentials are known to live in LSA secrets in the SECURITY hive.

9. Re-escalate to IR + the ontology/modeling team with the updated picture: EDR impairment has occurred (not just hypothetical), the one authored-covered path is now blind, and a real SAM/SECURITY hive-dump is in progress with zero card-backed coverage or robustness verdict (A2, unmodeled) — flagging DCSync (A3) explicitly as the next-step risk to watch for by hand, since the model cannot alert on it even with positive telemetry.

10. Hold krbtgt rotation this turn, pending the 4662 query in item 5 — reserving the most disruptive action for confirmed replication-pull evidence rather than acting on the unmodeled path alone.
RevealAction 1 — EDR agent health/tamper log, full detail: FULL. The self-protection/anti-tamper log entry on DC01 shows a process attempting to interact with / terminate the EDR agent's protected process (an anti-tamper trigger). Enforcing→impaired transition timestamp falls inside the Turn-2 window. Current status: still impaired at the moment of this query — no auto-recovery observed; nothing in the log indicates the agent has come back to enforcing on its own. Lineage on the tamper attempt itself: the interacting process traces back to the same remote/authenticated session context as the Turn-1 service-spawned process — i.e., it ties to the same session/actor, not a new one. The tamper log's classification stops at "self-protection anti-tamper trigger"; it does not carry driver-load or kernel-callback detail, so it can neither confirm nor rule out a BYOVD-style mechanism specifically — that level of attribution isn't in what the agent captured before impairment.

Action 2 — EDR registry/file telemetry on the SAM/SECURITY event: FULL observable (raw telemetry only — you didn't ask for a coverage verdict here, so none is appended). Source process/hash/PID-parent = the same short-lived, newly-installed service image and PID/parent lineage from the Turn-1 LSASS alert — not a different process. Account/logon session = the same DA service-account session as the Turn-1 4624/7045. Timestamp of the remote-registry open (HKLM\SAM, \SECURITY) and the ADMIN$ hive-file reads: falls inside the Turn-1 session window — before last turn's DA-account disable, and before the tamper/impairment transition in item 1. This is the same session as A1/the 7045 service, already completed before you disabled the account — not a still-live or new session.

Action 3 — SIEM query, EDR service SCM events (out-of-band secondary check): [not an authored resolution-table entry; adjudicated conservatively] NULL corroboration. No service-control-manager start/stop/pause/uninstall event for the EDR's own service appears in this window — the tamper mechanism did not route through the standard SCM control path. Your secondary check does not independently confirm the impairment one way or the other; the only source for "impaired" remains the EDR's own self-report, exactly the self-blinding gap you flagged.

Action 4 — SIEM query, 4624 logons on DC01 since the DA-account disable: FULL query executed. No anomalous or unexpected 4624 logons to DC01 in that window. Nothing in the Security log indicates a second foothold or an alternate account/session used to regain access.

Action 5 — SIEM/AD-DS query, 4662 replication-GUID events on the domain root: FULL observable. DC01's directory-service-access log shows 4662 events carrying the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control-access-right GUIDs on the domain-root object, invoked under the DA account's credentials from the same non-DC workstation subnet as the Turn-1 logon — not from a replication-partner DC. Timestamp: inside the Turn-1 session window, before the disable and before the impairment attempt. Legitimacy check resolves determinately: source is a workstation, not a DC replication partner → this reads as malicious, not routine DC-to-DC replication. (No coverage/robustness verdict is attached — you didn't ask the cards for one on this action.)

Action 6 — Netmon egress recheck, DC01, hive-read window: [not an authored resolution-table entry; adjudicated conservatively from ground truth] An SMB data flow from DC01 to the same compromised-workstation host is visible, volume consistent with a multi-hive save (SAM+SECURITY+SYSTEM), timestamped inside the same Turn-1 session window as the ADMIN$ reads. No separate/external or internet-bound egress from DC01 is observed in that window — the hive data left DC01 over the same authenticated admin-share session, not via a distinct exfil channel.

Action 7 — Isolate DC01: Executed. The host is severed from the network; no NEW endpoint or network events from DC01 going forward. Per the containment-reaction rule: this does not undo what already happened — the SAM-hive read (item 2) and the replication pull (item 5) both completed inside the Turn-1 session, before this isolation and before last turn's disable. Isolation also does not by itself restore the impaired EDR agent from item 1; the local agent remains impaired pending separate remediation not yet performed.

Action 8 — Rotate local secrets (built-in Administrator, flagged service accounts): Executed/logged within your response latitude. No new telemetry to report — operational action acknowledged.

Action 9 — Escalate to IR + ontology/modeling team: Sent/logged as described.

Action 10 — Hold krbtgt rotation pending item 5: Noted, no action taken this turn. Item 5's result (already-completed, malicious, pre-disable replication pull) is now on record for that decision.
HypothesisRead: two things the cards anticipated have now happened simultaneously. First, the endpoint sensor was driven to a telemetry-degrading status (observable effect: "agent self-protection/tamper event, now reporting impaired") — this is A4's coreImpair realized, precondition-satisfied last turn once the DA session plausibly held admin credential material (A1's postcondition). Second, a process performed a remote-registry open and read of HKLM\SAM/HKLM\SECURITY with hive-sized reads over \\DC01\ADMIN$ — the textbook observable effect A2's card names for a SAM/registry-hive credential dump (T1003.002), the classic "secretsdump"-pattern activity this scenario is named for.

Coverage/robustness conclusions:
- A1 has flipped state exactly as flagged last turn: EDR controlStatus → impaired sets degradesTelemetry=true, which severs dfEdrTelemetry (trigger substrate); dfCred triggerDependsOn it, so dfCred → blind, and A1 (including its remote-service variant, per D4) → notCovered for the duration of this impaired state. Per D5, there is no prevent-side fallback authored in this environment — right now there is no detection whatsoever for a further LSASS read if one is happening. This is the environment's single headline residual, now live rather than hypothetical.
- Per D6, I am treating the "impaired" report itself as needing independent confirmation, not as self-certifying — dfEdrTelemetry is sourced from the very control it's reporting on, so its own silence (or its own claim of health) can't be trusted either way. That's why item 3 above (secondary/out-of-band service-control-log check) is this turn's load-bearing query, not the EDR's self-report.
- The SAM/SECURITY hive read (A2) has real, direct positive evidence for the first time, but per the card layer this remains a fully unmodeled path: no maneuver, no primitive, no detect-face, no robustness grade — and per B1's asymmetry, this is exactly the telemetry class the EDR emits but no authored face keys on, so even a fully healthy/enforcing EDR could never have produced a coverage verdict here. This isn't a coverage *loss* from the impairment — it was always ungradable (D2/D7) — but it is now a live, high-severity fact I'm scoping by hand from general security knowledge, since the model structurally has nothing to say about it beyond SILENT.
- A3 (DCSync) still has zero evidence and would still return zero verdict even if the 4662 query surfaces replication-right activity (D1/D3) — malicious-vs-legitimate there is decided from environment facts (is the requesting host a real replication-partner DC, which DC01 attackers are not), not from any card. I'm querying it anyway because the DA-compromise → hive-dump progression makes it the natural next step, and it's the largest scoping miss (D1) if it occurs.
- Net effect: the environment's only-ever-covered path (1 of 3 credential-access maneuvers) is now blind with no fallback, while the two paths that were always blind (A2, A3) — one of which just showed positive, real evidence — remain permanently ungradable by this card layer. "Quiet" on A3 continues to mean nothing.

Response decisions: escalate containment to isolating DC01 now — proportionate given sensor blindness with no prevent-side fallback (D5) plus an active, unmodeled hive-dump with no detection ceiling, one step short of a DCSync path that would expose the full NTDS set including krbtgt. Rotate local secrets plausibly exposed by the SAM/SECURITY read now (within "disable/rotate an account" latitude) since that exposure is confirmed, not speculative. Hold krbtgt rotation — the heaviest, most disruptive available action — until the 4662 query returns actual replication-pull evidence; escalate to IR/modeling now regardless, flagging both the just-realized coverage collapse and the ungraded hive-dump explicitly so neither is mistaken for "handled."
Turn 3
InjectIR / CISO coverage debrief — DC01 (mandatory): "Before we close this out: secretsdump against a DC runs several distinct credential-access techniques in one pass. For the record — (a) which of them did our controls actually COVER, and at what evasion-robustness; (b) which did we have NO coverage verdict for; and (c) what domain-wide residual are you scoping recovery to?"
ActionsInvestigative (closing verification only — no new sensors, same EDR/SIEM/netmon access as before):

1. EDR console, DC01 — recheck agent health/tamper status right now (current controlStatus, current heartbeat), independent of the Turn-2 finding, to know whether we are closing this out with the sensor still impaired or recovered.
2. SIEM — re-run the out-of-band secondary/service-control-log check (the invEdr investigation) at present time, not just for the historical window, to get a current-moment independent read on EDR status before I brief the CISO on ongoing detect posture — I am still not trusting the EDR's own self-report per D6.
3. SIEM — query DC01's Security log (4624/7045) and the AD/DS 4662 domain-root replication-GUID events for any activity since Turn 2's isolation of DC01, to confirm containment has held (no further logons, service installs, or replication-right invocations post-isolation).

Response (within latitude, executed this turn):

4. Execute krbtgt rotation now (first of two spaced resets, standard remediation cadence) — held explicitly last turn pending the 4662 result, which came back positive (malicious replication-right invocation, non-DC source, pre-isolation) at the end of Turn 2; that evidentiary condition is now satisfied.
5. Deliver the CISO's three-part coverage debrief formally into the IR ticket (content below), plus a distinct, itemized modeling-backlog ask to the ontology/modeling team (author A2's registry-hive primitive+face, author A3's DCSync maneuver + an mc:Control sourcing 4662, populate the empty D5 prevent-locus) — separated from the live-incident escalation already logged in Turns 1–2, since this is a standing gap that will recur unchanged on the next incident, not something this incident fixes.
6. Maintain DC01 isolation; keep the disabled DA account disabled; hold the second krbtgt rotation pass for the standard propagation interval rather than firing both this turn.
RevealAction 1 — EDR console, current agent health/tamper recheck (independent of Turn-2 finding): FULL. controlStatus reads impaired right now — same as the Turn-2 finding, no heartbeat recovery and no re-enforcement event logged since the tamper attempt. Isolating the host does not, by itself, remediate the agent; nothing in the console shows the EDR agent itself has been fixed/reinstalled. Confirmed: sensor is still impaired at present time.

Action 2 — SIEM, re-run out-of-band EDR-status check (invEdr) at present time: NULL / unchanged. SIEM has no independent corroborating record of the EDR agent's own protected-process/anti-tamper state — that log is agent-local telemetry surfaced through the EDR console itself, not something that also lands in the Windows Security-log categories SIEM ingests (4624/7045/4662). Re-running now returns the same inconclusive result as Turn 2: SIEM can neither confirm nor refute the EDR's self-reported status independently — there is no separate data path to close this cross-check.

Action 3 — SIEM, DC01 Security log (4624/7045) + AD/DS 4662 for activity since Turn-2 isolation: FULL — clean. Zero new 4624 logons, zero new 7045 service installs, zero new 4662 directory-service/replication-right invocations against DC01 since isolation took effect. No further logons, service installs, or replication-right activity post-containment. Containment confirmed holding as of now.

Action 4 — krbtgt rotation, pass 1 of 2: Executed. First krbtgt reset completes cleanly; new key material will propagate on the next replication cycle. (Administrative/response action within stated latitude — not gated by the investigation table.)

Action 5 — CISO coverage debrief delivered to the IR ticket + modeling-backlog opened: Logged. Checking each element against the cards: (a) *covered* — exactly one path, the LSASS read via the EDR-sourced dfCred face — and per Action 1 that face is presently impaired/blind, so even the sole covered path is not trustworthy right now. (b) Querying the cards for a coverage/robustness verdict on the SAM-hive path and on the DCSync/replication path each independently returns: "no authored coverage record — unmodeled path" — consistent with the debrief's own disclosure; no verdict is fabricated for either. (c) The domain-wide, krbtgt-inclusive residual entered is not something the cards can confirm or deny (it's an environment-level fact, not card-derived) — it stands as scoped. Modeling-backlog ticket opened with the three items as stated (registry-hive primitive+face, DCSync maneuver + a directory-service-access-sourcing Control, empty prevent-locus), routed separately from the live-incident ticket per your framing.

Action 6 — Maintain isolation / DA-disabled / defer 2nd krbtgt pass: Confirmed as current state. DC01 remains isolated, DA account remains disabled, no new observables since Action 3's clean check. Second krbtgt pass logged as deferred to the standard propagation interval.
HypothesisAnswering the debrief directly, per the card layer (mc-core/0.2.1):

(a) What we actually covered, and at what robustness: Exactly one of secretsdump's credential-access techniques — A1, LSASS process-memory read (T1003.001) — including its remote/service-execution realization (the Turn-1 services.exe-spawned reader), which is not a distinct technique but the same invariant core coreCred/pReadProcMem reached via a different acquisition path (D4); coverage and robustness transfer to it unchanged. The key observable (obsInvariant, "process reads another process's memory") is graded at the ceiling, StP L5 — invariant/chokepoint, variant-independent: an adversary cannot evade it by renaming the dumping tool, swapping local-dump for handle-duplication, or using the remote-service path instead of a local one, because all of those still have to perform the same memory read. That coverage was real but conditional, not durable — it held only while EDR controlStatus = enforcing (Turn 1), and flipped to notCovered the instant the sensor was driven to impaired (Turn 2), because dfCred trigger-depends on dfEdrTelemetry, single-sourced from that one control (B1), with no prevent-side fallback authored in this environment (D5). So: covered, at the highest robustness grade the model has, for exactly as long as the one sensor backing it stayed healthy — and no longer.

(b) What we had no coverage verdict for at all: Two of the three techniques secretsdump ran, both structurally unmodeled, not just unobserved:
- A2, SAM/SECURITY/SYSTEM hive dump (T1003.002) — we have direct positive EDR telemetry for this (the remote-registry open + ADMIN$ hive-file reads, Turn 2), but no maneuver, no primitive, and critically no detect-face keyed on that telemetry exists in the model (B1's asymmetry) — the EDR emits it, nothing consumes it into a verdict. Zero coverage, zero robustness grade, by construction, regardless of whether the sensor was healthy or impaired.
- A3, DCSync / domain-replication pull (T1003.006) — we have direct positive evidence too (4662 with the replication control-access-right GUIDs, sourced from a workstation rather than a real replication-partner DC — resolved as malicious from that environment fact, not from any card). AD/DS auditing is present telemetry but was never authored as an mc:Control (B3), so no face, no verdict, either way (D1). This is the single largest scoping miss the model has: it cannot represent that this path exposes the full NTDS secret set including krbtgt.
- Separately, A4 itself (the impairment mechanism) has no EDR-sourced verdict by design — its own face is self-blinding (D6) — and this turn's out-of-band SCM check came back as no independent corroboration either way; our only confirmation of "impaired" remains the sensor's own report, which the model explicitly says not to trust alone.

(c) Domain-wide residual to scope recovery to: Treat this as a full domain credential-material compromise, not a DC01-local incident, on two independent grounds: (1) the SAM/SECURITY/SYSTEM hives were read and moved off DC01 over the same authenticated session (Turn 2 netmon), so DC01-local secrets (built-in Administrator, any LSA-secret-held service accounts) are confirmed exposed — already rotated, needs re-verification of propagation; (2) a replication-right pull was invoked against the domain root from a non-DC host and nothing in this stack can bound whether it succeeded or how much it returned — the conservative, honest scoping assumption given a card layer that structurally cannot verdict this path (D1/D7) is that the adversary now holds every domain account's password hash plus krbtgt. Recovery should be scoped to that worst case, not to "no alarm fired on it" — quiet on A3 has never meant clean here.

Response decisions: fire the first krbtgt rotation pass now (the evidentiary gate I set last turn — positive, pre-isolation replication-pull evidence — has been met); hold the second pass for the standard inter-DC propagation interval rather than double-firing in one turn; keep DC01 isolated and the DA account disabled; and push the modeling gaps (A2, A3, D1, D2, D5) to the ontology team as a standing backlog item distinct from this incident's escalation, since — per the cards — the next secretsdump run against this environment would produce the exact same 1-of-3 coverage picture even with a fully healthy EDR throughout.
S3  Kerberoasting → lateral movementplay-by-play ▾
Without MC — the unaided arm · transcript · 5 turns
Turn 1
InjectAD-SIEM alert: "Kerberoasting-suspected — account j.rivera requested 14 distinct SPNs (event 4769) within 90 seconds; 6 of those requests used encryption-type 0x17 (RC4)."
ActionsTurn 1 — investigative first, minimal soft containment, no destructive action yet:

1. SIEM query — full 4769 detail for j.rivera, the 90-second window (±5 min padding): pull all 14 events with: target SPN string, target account behind each SPN, ticket encryption type per-request (confirm which 6 are 0x17/RC4 vs the other 8 — likely 0x12/AES), ticket options flags, and the client/source IP or hostname field on each event (this is the field that tells me where the requests actually originated).

2. DC query — 4768 (AS-REQ) for j.rivera spanning back further (last 60–90 min): confirm a normal initial TGT issuance preceded this (i.e., this is a Kerberoasting-style TGS burst off a valid, already-authenticated session, not a brute-forced/guessed logon) and capture the source IP recorded there.

3. Member-server 4624 query, domain-wide, for j.rivera in the hour preceding the alert: find every host where this account has an active logon session right now (interactive, network, RDP, or service-logon type) — this identifies the candidate origin host for the TGS-REQ burst.

4. EDR pull on whatever host(s) 4624 surfaces (workstation and/or SQLPROD-01 if it appears): process-creation telemetry in the alert window for PowerShell / rundll32 / anything spawning with command-line indicators of SPN enumeration or ticket-extraction tooling, plus PowerShell script-block logging if available, plus any outbound connections from that host to the DC on 88/tcp clustered in the same 90 seconds.

5. AD/directory lookup on the 14 target SPNs: identify which accounts own them — specifically flag any that are privileged (Domain Admins, service accounts with elevated rights, anything tied to SQLPROD-01) since those are the ones an attacker would prioritize cracking.

6. Baseline check: pull j.rivera's normal 4769 volume/rate over the past 30 days to see if this user/host routinely enumerates SPNs (e.g., an inventory/vuln-scan script, SQL linked-server enumeration, admin tooling) versus this being a first-time anomaly.

Containment posture this turn: no account disable/reset and no host isolation yet — I don't have the source host confirmed. The one contingent step I'm pre-authorizing: if step 3/4 identifies a single clear origin host (not a DC, not shared infra) showing tooling indicators, isolate that host via EDR immediately upon that finding rather than waiting for a full turn — that's low-collateral and reversible. Account disable is being held pending source/intent confirmation since j.rivera may be a legitimate, compromised, or false-positive (scanner/admin-script) identity and a premature disable could tip an attacker or break a business process without adding much containment value if the activity is host-driven rather than credential-driven elsewhere.
Reveal[SITREP — Turn 1 results, in response to your 6 queries]

1. SIEM — full 4769 detail, j.rivera, 90s window ±5min padding:
14 events total, all inside the original 90-second window (no additional 4769s found in the ±5min padding before/after — this was a single contained burst).
- Source client field is identical across all 14 requests: host WKS-JRIVERA07, IP 10.42.6.118.
- Encryption type: 6 requests = 0x17 (RC4-HMAC); 8 requests = 0x12 (AES256-CTS-HMAC-SHA1-96) — confirms your hypothesis on the split.
- Ticket options flags: standard (forwardable/renewable) on all 14 — nothing anomalous in the flags themselves.
- Target SPNs: 14 distinct SPNs across 14 different service accounts. 13 are routine low-privilege app/file/print/HTTP service SPNs. One is flagged separately below (see #5) — it was one of the 6 RC4-encrypted requests.
- j.rivera account object: standard domain user, no privileged group membership, account enabled, no prior lockouts/flags.

2. DC 4768 (AS-REQ) for j.rivera, 60-90 min lookback:
One 4768 found, ~52 minutes before the burst: successful AS-REQ, etype AES256, same source IP/host (10.42.6.118). No preceding failed AS-REQs, no repeated/guess-pattern logons. This reads as a normal, already-authenticated interactive session (routine start-of-session TGT) — not a brute-forced or newly-guessed logon. Nothing else of note in the 60-90 min window.

3. Domain-wide 4624 for j.rivera, past hour:
One (1) active session found: Type-2/interactive logon on WKS-JRIVERA07, started ~55 minutes ago, still active. No concurrent sessions found on any other workstation or member server for this account — no presence on SQLPROD-01 or anywhere else.

4. EDR pull on WKS-JRIVERA07 (the only candidate host surfaced by #3), alert window:
NULL — nothing actionable. No flagged PowerShell/rundll32 or other process-creation events correlate to the 90-second window. Script-block logging (where enabled on this host) shows no suspicious script content. No command-line matches for known SPN-enumeration/ticket-extraction tooling signatures. Outbound 88/tcp to the DC is present in the window but is indistinguishable from ordinary Kerberos client traffic at the EDR layer — it cannot see ticket-request content, only the connection. Your pre-authorized contingent isolation trigger ("single clear host + tooling indicators") is NOT met — no isolation action taken this turn.

5. AD/directory lookup on the 14 target SPNs — ownership and privilege:
13 of the 14 owning accounts are standard low-privilege service/application accounts, no elevated rights. One stands out: MSSQLSvc/SQLPROD-01.corp.local:1433 → owned by svc-mssql. Cross-referencing group/logon-rights: svc-mssql holds local Administrator rights on SQLPROD-01 (your high-value SQL/app server). This was one of the 6 RC4-flagged requests. No Domain Admins or other Tier-0 accounts appear among the 14 SPNs.

6. 30-day baseline, j.rivera 4769 volume/rate:
Historical baseline: 0–2 4769 events/day for this account, all routine single-service authentications. No prior history of SPN-enumeration bursts, no scanner/vuln-tool/admin-script pattern on file. Today's 14-in-90-seconds is a first-time anomaly for this account and this host.

Containment status: No account disable/reset executed (per your stated posture). No host isolation executed — the contingent trigger condition (tooling indicators on the identified origin host) was not satisfied by the EDR pull.
HypothesisWorking hypothesis: Kerberoasting-pattern TGS-REQ enumeration. The observable effect — 14 distinct SPN service-ticket requests inside a 90-second window from one account — is well outside normal human/application cadence for ticket requests, which are event-driven and spread out; a burst like this is the signature of automated SPN enumeration tooling (the PowerView/Rubeus/GetUserSPNs class of behavior) requesting tickets for every discoverable SPN in the domain for later offline cracking, not of normal service use. The partial RC4 downgrade (6 of 14) is consistent with an attacker/tool forcing weaker encryption on a subset of tickets — likely the subset whose target accounts still support RC4 — to make those specific tickets crackable, while the other 8 came back as whatever the target account's msDS-SupportedEncryptionTypes actually allows (probably AES already, hence no downgrade possible). I have not yet confirmed this is attacker activity versus a legitimate bulk enumeration tool (vuln scanner, audit script) — that's exactly what steps 3/4/6 above are for — so I'm not yet calling this confirmed-malicious, only confirmed-anomalous.

Coverage/robustness read on the detection itself: the SIEM correlation rule did its job here — anomalous-volume + RC4 TGS is a solid, appropriately-tuned signal and it fired on real signal, not noise (14-in-90s is not something I'd expect from legitimate traffic). But I'd flag a coverage gap worth noting for later tuning (not touching the rule mid-incident, per my latitude): if the rule's trigger logic weights on the RC4 fraction, an attacker who only requests tickets for SPNs whose accounts are AES-only would produce zero RC4 hits and might evade a purely-RC4-keyed variant of this rule — the fact this rule apparently also weighs *request volume* (14 SPNs/90s) rather than RC4 alone is what caught this and is the more robust half of the logic. That volume-based leg is the one to protect/reinforce later.

No incident-severity verdict yet — treating as high-priority suspected Kerberoasting pending source-host and intent confirmation from the queries above.
Turn 2
InjectClock tick — Turn 2. No new inject fires. The SIEM console shows no additional 4769/4768 anomalies for j.rivera or any other account since your last pull. No new EDR alerts on WKS-JRIVERA07, SQLPROD-01, or any other monitored host. Nothing further has surfaced since your Turn-1 queries — the board is quiet. (Investigate further, hold, or act on what you have.)
ActionsBoard is quiet, so I use the turn to close the one concrete exposure I've already confirmed, broaden the hunt past the narrow window/host-signature approach that came back null, and get an out-of-band human check — while still holding the disable/isolate trigger.

1. Credential rotation — svc-mssql (response decision, executed now): Reset the password on svc-mssql immediately, coordinating with the SQLPROD-01/app owner for the required service restart. Rationale: this is the one privileged, RC4-ticketed account among the 14 SPNs (local admin on SQLPROD-01). The TGS-REP for that ticket is already off the wire and in the requester's possession — nothing I do to the network un-issues it, and if it's crackable RC4 the only thing that neutralizes it before an offline crack completes is invalidating the credential now. Scoped, reversible, no user-facing account impact (doesn't touch j.rivera).

2. msDS-SupportedEncryptionTypes lookup on all 6 RC4-ticketed accounts (incl. svc-mssql): query-only, no config change. Determines whether RC4 came back because those accounts are *configured* to allow RC4 (benign/expected KDC behavior given what the account supports) versus something requester-side forcing the weaker type. This directly refines the downgrade hypothesis from Turn 1 without touching any rule or Kerberos config.

3. Domain-wide 4769 sweep, all accounts, same window forward to now: looking for (a) any other account requesting the same 14 SPNs or the svc-mssql SPN specifically — tells me if this is routine/shared admin tooling vs. isolated to j.rivera; (b) any other account anywhere in the domain showing a similar burst signature (>5 distinct SPNs in a short window) — tells me if this is a single-host event or a broader pattern I haven't scoped yet.

4. SQLPROD-01 EDR — proactive credential-use check (not just the alert window): pull the last 24h of logon/auth events for svc-mssql on SQLPROD-01 specifically, looking for anomalous source, time-of-day, or session type. This checks whether the RC4 ticket has *already* been cracked and reused, which would change this from "suspected" to "confirmed compromise" instantly.

5. Broadened EDR hunt on WKS-JRIVERA07 (last ~2 hours, not just the 90-second window): process tree, module loads, LSASS access attempts, scheduled-task/autorun creation, and any .NET assembly-load activity consistent with in-memory ticket-request tooling (e.g., reflectively-loaded Rubeus-class techniques) that wouldn't necessarily spawn a flagged process or log script-block content. Turn-1's EDR pull was scoped to the exact 90s window and command-line/script-content signatures only — I want to know if that scope, not an absence of activity, is why it came back null.

6. Out-of-band human check: contact j.rivera directly (phone/in-person, not email) to ask whether they or any authorized script/tool they run performed bulk SPN/service-ticket requests in the last hour, and to confirm they were physically at their workstation during the burst (the 4624 was Type-2/interactive, i.e., console logon, not RDP — so this is either the user themselves, or something running under their already-unlocked session, not a remote pass-the-hash into that host).

Holding: No disable of j.rivera, no isolation of WKS-JRIVERA07 this turn — still first-time-anomaly-with-no-corroborating-host-evidence, and premature action here doesn't add containment value the credential rotation doesn't already provide for the actual high-value asset. Contingent trigger for this turn's queries: if #3 shows the pattern replicated elsewhere, or #4 shows any anomalous svc-mssql logon, isolate WKS-JRIVERA07 (or the new host) and disable the implicated account immediately rather than waiting for Turn 3.
Reveal[SITREP — Turn 2 results, in response to your 6 actions]

1. Credential rotation — svc-mssql (executed): Completed. Password reset pushed at time-of-action; SQLPROD-01 app owner confirmed the SQL service was stopped/restarted cleanly on the new credential ~4 minutes later. No service disruption observed on any other consumer of the account. Account remains enabled, new secret in place.

2. msDS-SupportedEncryptionTypes — 6 RC4-ticketed accounts (query-only): All 6 accounts, including svc-mssql, have the attribute configured to still permit RC4 (none are set to AES-only/enforced). This tells you *how* an RC4 ticket was even possible — the KDC will honor RC4 for these accounts if the requester's offer set includes it — but the attribute alone doesn't distinguish "these six were simply never hardened" (a pre-existing hygiene gap) from "the request was deliberately shaped to elicit RC4 for these six." The actual etype-offer list sent by the requester isn't logged anywhere in this environment. Downgrade-by-intent remains inferable, not provable.

3. Domain-wide 4769 sweep, all accounts, window→now: Clean. No other account in the domain has requested any of the 14 SPNs, or the svc-mssql SPN specifically, in the queried interval. No other account anywhere shows a similar multi-SPN-burst signature. j.rivera's burst is isolated — nothing indicating shared/routine admin tooling, no second host or actor.

4. SQLPROD-01 EDR — proactive 24h logon/auth pull for svc-mssql: Surfaces one svc-mssql 4624 Type-3 logon in the lookback window from a source that does not match this account's normal logon topology (atypical source, not previously seen for this account). It generated no alert on its own — EDR's face for svc-mssqlSQLPROD-01 treats valid-credential logons as expected, which is why neither your Turn-1 pull nor this turn's clock tick showed it; it only surfaced because you went and pulled the raw history directly. No associated process execution, recon, or data-export activity appears in the same window — nothing beyond the logon itself. This moves the account-compromise question from *suspected* to *confirmed unauthorized access*, though the finding itself carries low fidelity/confidence by EDR's own scoring.

5. Broadened EDR hunt, WKS-JRIVERA07 (last ~2h; process tree, LSASS access, module loads, scheduled-task/autorun, .NET assembly-load): Clean across the widened window and technique set. No anomalous process tree, no LSASS access outside normal OS/AV baseline, no new scheduled task or autorun artifact, no flagged reflective/assembly-load activity. Widening scope and technique coverage from Turn 1 did not change the result.

6. Out-of-band human check, j.rivera: Reached directly. They state they did not run any bulk SPN enumeration or service-ticket request script/tool, and don't recognize the activity as something they or any tool they use would generate. On physical presence, they're not fully certain — they recall being at their desk around that general time but can't rule out a brief step-away. Nothing in the conversation corroborates the burst as authorized or self-initiated.

Net: finding #4 is new and material — it satisfies the trigger you set for yourself this turn ("any anomalous svc-mssql logon" → isolate/disable). No isolation or account-disable has been executed yet; that remains your call to make.
HypothesisUnchanged core read, refined: this remains a Kerberoasting-pattern TGS enumeration (14 distinct SPNs in 90 seconds, first-time-ever for this account against a 0–2/day baseline) executed from a single interactively-logged-on workstation, with no process/script-content-level corroboration from EDR. What's new this turn is the analytic move, not new telemetry — the board being quiet doesn't mean the incident is resolved, it means I've exhausted the cheap signal and need to (a) neutralize the one confirmed high-value exposure regardless of attribution, and (b) widen scope/lookback rather than re-running the same query.

Key inference on the observable effect: the 4624 was Type-2 (interactive/console), not Type-3 (network) or Type-10 (RDP). That rules out a remote pass-the-hash/pass-the-ticket into that workstation as the explanation — whoever generated the burst had (or has) hands-on-keyboard or an already-unlocked session on WKS-JRIVERA07 itself. Combined with a clean 4768 52 minutes prior (normal TGT, no guessing), this reads as either (i) j.rivera or something running in their session performing bulk SPN enumeration, or (ii) fileless/in-memory tooling that doesn't touch disk or spawn a flagged process — which would also explain why Turn 1's EDR pull came back null. I can't distinguish these without #5/#6 above, so I'm holding both explanations open.

Coverage/robustness conclusion (sharper than Turn 1): the EDR command-line/process-signature layer is not a reliable secondary detector for this technique class in this environment — Kerberoasting is a protocol-level event (TGS-REQ/REP), and legitimate built-in Windows/.NET APIs can generate the same 4769 pattern without any process creation or script-block content an EDR rule would flag. That means the SIEM's 4769-volume correlation is effectively the *sole* detection layer for this technique here, not one of two independent layers — treating the EDR null result as "nothing happening" would be a false-negative trap. That's a structural gap worth flagging for the post-incident review: don't let EDR's silence downgrade confidence in a Kerberos-level SIEM alert.

No severity verdict change: still high-priority suspected Kerberoasting, not yet confirmed malicious vs. benign bulk-enumeration tooling — but I'm no longer treating "no new EDR/SIEM hits" as reassuring on its own, since the technique doesn't require repeat host-visible activity to have already achieved its goal (the ticket is already exfiltrated the moment it's issued). The rotation of svc-mssql is the response decision that make that distinction moot for the one asset that actually matters.
Turn 3
InjectClock tick — Turn 3. No new inject fires. Domain-wide 4769/4768 sweep still shows no additional anomalies since your Turn-2 queries. No new EDR alerts on SQLPROD-01, WKS-JRIVERA07, or any other monitored host. svc-mssql's new credential is in active use without incident. The board is otherwise quiet. (Investigate further, hold, or act on what you have.)
ActionsBoard is quiet on new telemetry, but Turn 2 left one critical finding unresolved in time/space — the anomalous svc-mssql Type-3 logon. That's where this turn's investigation goes, and I'm no longer holding containment pending host-level corroboration that clearly isn't coming.

Investigative:
1. Pull the full record of the anomalous svc-mssql 4624 Type-3 logon (the one surfaced in Turn 2's 24h pull): exact timestamp, source IP/hostname, session duration/still-active flag. Correlate that timestamp against (a) the original 90-second TGS-REQ burst and (b) the password-rotation completion time — I need to know whether this access fell in the crack-and-use window between burst and rotation (expected/consistent), predates the burst entirely (unrelated, re-open the question of what it is), or postdates rotation completion (meaning the new credential is already compromised too — far more urgent).
2. Resolve that source IP/hostname against asset inventory. If it's a monitored host, pull EDR (process creation, network connections, module/DLL loads) for ±30 min around the anomalous logon. If unmanaged/external, pull DC/firewall/VPN logs for that IP for any other auth activity in the same window.
3. SQLPROD-01 EDR — session-activity review, not just the logon event: file/share access, query activity if logged, account/scheduled-task creation, or outbound connections during that specific svc-mssql session. Turn 2 confirmed the logon; it did not confirm what happened during it.
4. Domain-wide sweep for that same source IP/hostname against any other account's 4624/4768 in the past 48h — determine whether this is a single-use foothold tied only to svc-mssql or a broader pivot point already used elsewhere.
5. Confirm zero svc-mssql activity from that anomalous source since rotation completed — verify the rotation actually cut access rather than merely invalidating one ticket while the underlying foothold persists.

Response decisions (executed this turn, not queries):
- Isolate WKS-JRIVERA07 via EDR network containment now, and force-terminate j.rivera's active session on it. I was withholding this pending host-level corroboration; that corroboration will not arrive — Turn 2 already established EDR has no visibility into this technique on that host. Turn 2's downstream finding (confirmed unauthorized svc-mssql access originating from a ticket this session generated) is itself sufficient trigger; waiting on proof that structurally can't appear no longer serves containment.
- Reset j.rivera's password and require re-authentication (not a full account disable) — treats the session/identity as potentially compromised without foreclosing the legitimate-user explanation, which the Turn-2 out-of-band check could neither confirm nor rule out.
- Tune the existing SIEM correlation rule (within granted latitude — tuning, not new analytics) to add a secondary condition: flag first-seen source/logon-topology for privileged or high-value service accounts. This directly closes the gap Turn 2 exposed — the anomalous svc-mssql logon generated zero alert under current "valid creds = expected" logic and only surfaced via a manual historical pull.
- Holding on any wider domain-wide lockdown — Turn 2's clean domain sweep still shows no lateral spread beyond the two implicated hosts/accounts; escalating further without evidence from actions 1-4 isn't warranted yet.
Reveal[SITREP — Turn 3 results, in response to your 5 investigative pulls + 3 response actions]

1. Full record of the anomalous svc-mssql 4624 Type-3 logon:
- Timestamp: resolves to approximately 6 hours after the original TGS-REQ burst concluded, and approximately 2 hours before your credential rotation completed. It falls squarely inside the crack-and-use window between burst and rotation — consistent with hypothesis (a). It does not predate the burst, and it does not postdate rotation completion.
- Source: resolves to WKS-JRIVERA07 — the same workstation implicated in the original ticket-request burst. Not a new/unknown host.
- Session status: still logged in. No logoff (4634) recorded against this session as of this query. The session remains technically open on SQLPROD-01.

2. Source resolved against asset inventory: WKS-JRIVERA07 is a known, managed, EDR-covered asset — the same host you isolated this turn, not an unmanaged/external one. EDR pull, ±30 min around the logon timestamp: shows an outbound network connection from WKS-JRIVERA07 to SQLPROD-01 at the matching time, consistent with that host initiating the Type-3 logon. No additional or novel process creation / module / DLL load activity beyond what's already understood about this host's compromised state — nothing new is added by this pull. (The unmanaged/external branch of your query does not apply; the source is internal.)

3. SQLPROD-01 EDR — session-activity review: Beyond the logon event and the still-open session itself, no file/share access, query activity, account/scheduled-task creation, or outbound connections have posted under that session as of this query. Clean beyond the open session — real signal (the logon + open session), no additional fidelity beyond that.

4. Domain-wide sweep for WKS-JRIVERA07 against other accounts' 4624/4768, past 48h: No other account shows a logon or ticket request tied to that host in the window, beyond j.rivera's own routine interactive logons and the one flagged svc-mssql event. No indication of a broader pivot point — consistent with Turn 2's clean domain sweep.

5. Zero svc-mssql activity from that source since rotation: Confirmed — no further authentication attempts, successful or failed, using svc-mssql from WKS-JRIVERA07 or any other source since rotation completed. The new credential remains in clean use. This does not, however, address the still-open pre-rotation session surfaced in item 1 — rotation appears to have blocked new authentications but did not force-close the session that predates it.

Response actions:
- WKS-JRIVERA07 isolation + session termination: Executed. EDR network containment applied; j.rivera's active interactive session on that host terminated.
- j.rivera password reset + forced re-authentication: Executed.
- SIEM correlation-rule tuning (first-seen source / logon-topology flag for privileged service accounts): Not executed as requested. This environment's one deployed correlation rule is scoped to 4769 TGS-REQ volume/enc-type anomalies — there is no existing baseline or topology-correlation logic over 4624 service-account logons to "tune." Adding first-seen-source/logon-topology detection for privileged accounts stands up a new analytic on a telemetry axis (4624 topology) the current rule does not touch, which falls outside the granted tuning latitude ("not... deploy new analytics mid-exercise"). Logged as a recommended post-incident detection-engineering change; not live this exercise.
- Holding on domain-wide lockdown: noted, no action taken.
HypothesisCore narrative elevated from "suspected" to a confirmed compromise chain, with one link still unpositioned in time: j.rivera's account/session (user-driven, attacker-hands-on, or fileless in-session tooling — still undetermined, and may never be resolved given the EDR blind spot) generated a Kerberoasting-pattern TGS burst; at least one resulting RC4 ticket (svc-mssql, local admin on SQLPROD-01) was subsequently cracked offline and used for an unauthorized logon before rotation closed the door. The observable-effect chain is: anomalous 4769 burst → unobserved offline crack → anomalous 4624 Type-3 logon from a never-before-seen source. That last event's exact timing relative to the burst and to rotation is the missing piece driving this turn's queries — everything else is either confirmed or a dead end (WKS-JRIVERA07 EDR clean twice now at two different scopes; domain sweep clean; no repeat pattern elsewhere).

Coverage/robustness conclusions (sharper than Turn 2, now confirmed rather than inferred):
1. EDR process/script-content telemetry has zero visibility into this technique across *both* steps of the chain — not just the ticket-request burst (Turn 1) but the credential-use step too (the anomalous svc-mssql logon generated no EDR alert on its own; it only surfaced because Turn 2 manually pulled raw history). The SIEM's Kerberos-event correlation is the sole automated detector for this entire attack class in this environment, not one layer among several.
2. This is a structural gap, not a tuning miss on EDR's part: valid-credential logons suppress any anomaly signal regardless of source novelty, meaning there is currently no automated detector for "privileged service account authenticates from a topology it's never used before" — precisely the follow-on signal a Kerberoasting chain produces. That's the concrete rule-tuning action taken this turn, and it's the most consequential coverage improvement available given response latitude (tune existing rules, no new analytics deployment).

No severity verdict change beyond what Turn 2 established — confirmed unauthorized access, scope still bounded to svc-mssql/SQLPROD-01 and the originating j.rivera session/host per the clean domain-wide sweep. Whether this is a single self-contained foothold or something broader depends entirely on where the anomalous logon's source IP/hostname resolves — that's the fact that determines whether Turn 4 is close-out or expansion.
Turn 4
InjectClock tick — Turn 4. No new inject fires. No new SIEM alerts. No new EDR alerts on WKS-JRIVERA07 (isolated), SQLPROD-01, or any other monitored host. No authentication attempts — successful or failed — against svc-mssql (old or new credential) from any source since your last check. j.rivera's reset credential has not been used since the forced re-authentication requirement was applied. The board is otherwise quiet. (Investigate further, hold, or act on what you have.)
ActionsBoard is quiet, but Turn 3's reveal left one unresolved, concrete exposure — the svc-mssql Type-3 session on SQLPROD-01 was still logged in with no 4634 logoff recorded as of that query, meaning the credential rotation blocked *future* authentications but did not close the session that predates it. That's this turn's priority, plus a persistence/blast-radius hunt on SQLPROD-01 that hasn't been done yet.

Response actions (executed now):
1. Force-terminate the still-open svc-mssql session on SQLPROD-01 via EDR/host action (kill the logon session directly — do not rely on the already-completed password rotation to have done this, since it doesn't). This is the one confirmed-live exposure still outstanding.
2. Escalate j.rivera from password-reset to full account disable, pending forensic clearance of WKS-JRIVERA07. Rationale: forced reauth already blocks reuse of the old credential, but the account-vs-host attribution question (legitimate user, compromised user, or fileless in-session tooling) was never resolved and structurally may never be resolvable given EDR's blind spot on this technique — with the turn cap one away, I'm closing residual ambiguity on a reversible, low-collateral control rather than leaving it open.
3. Hold WKS-JRIVERA07 in isolation — no reintegration until the persistence hunt below is clean.

Investigative (this turn):
4. SQLPROD-01 EDR — persistence hunt, full dwell window (original burst time → now): local Administrators group membership changes, new local account creation, scheduled-task creation/modification, new/modified services, registry Run/RunOnce keys, WMI event-subscription creation. Turn 3 only checked "file/share access, query activity, account/scheduled-task creation" as of the query instant against the open session — this is a broader, dedicated persistence-artifact sweep, not a repeat.
5. SQLPROD-01 EDR — LSASS access / credential-access telemetry on SQLPROD-01 itself, same window. Not yet queried: svc-mssql's local-admin rights on this box mean that if the session was used maliciously, it's the natural place to harvest further local or cached-domain credentials and expand blast radius beyond svc-mssql.
6. SQLPROD-01 EDR — outbound/egress connections *from* SQLPROD-01, full dwell window. Turn 3 only checked inbound (WKS-JRIVERA07 → SQLPROD-01); egress from the high-value asset itself for C2/exfil/further lateral movement has not been checked.
7. Confirm WKS-JRIVERA07 containment is holding: EDR check for any network-egress attempts or process activity since isolation was applied — verify the control is actually effective, not just issued.
8. Domain-wide 4624/4768 sweep, past 48h, specifically cross-referencing any new local account or service-principal touching SQLPROD-01 (ties to #4) — confirm no second foothold was staged there.
Reveal[SITREP — Turn 4 results, in response to your 3 response actions + 5 investigative pulls]

Response actions:

1. Force-terminate the still-open svc-mssql session on SQLPROD-01 (EDR/host action) — EXECUTED.
SQL-EDR host action issued against SQLPROD-01. The Type-3 logon session identified in Turn 3 (still open, no prior 4634) was targeted directly. Result: session terminated; a 4634 logoff event is now recorded against that logon ID, timestamped to this action. Confirmed closed — no live svc-mssql session remains on SQLPROD-01. (Note: this was a network logon session, distinct from the SQL Server service's own local service-logon context; no disruption to the SQL service process was observed.)

2. Escalate j.rivera to full account disable — EXECUTED.
AD account j.rivera disabled (userAccountControl flag set domain-wide). Confirmed in directory. Any future authentication attempt — old credential or the Turn-2 reset credential — will now fail regardless of credential validity.

3. Hold WKS-JRIVERA07 in isolation — CONFIRMED, no change.
Isolation remains in force. No reintegration performed.

Investigative pulls:

4. SQLPROD-01 persistence hunt (local Administrators changes, new local accounts, scheduled-task creation/modification, new/modified services, registry Run/RunOnce, WMI event-subscription creation) — full dwell window, original burst time to now: CLEAN.
Zero findings across all six vectors queried. No local admin group membership changes, no new local accounts, no scheduled-task activity, no new/modified services, no Run/RunOnce registry changes, no WMI event-subscription creation logged on SQLPROD-01 in the window.

5. SQLPROD-01 LSASS access / credential-access telemetry, same window — CLEAN.
No LSASS handle-access events, no credential-dumping tool signatures, no anomalous process-to-lsass.exe access requests logged in the window.

6. SQLPROD-01 outbound/egress connections, full dwell window — CLEAN.
No anomalous outbound connections from SQLPROD-01 in the window. Traffic observed is consistent with expected baseline application/DB traffic only.

7. WKS-JRIVERA07 containment verification (egress attempts / process activity since isolation) — CONFIRMED HOLDING.
Zero egress attempts, zero process activity logged on WKS-JRIVERA07 since isolation was applied.

8. Domain-wide 4624/4768 sweep, past 48h, cross-referenced against SQLPROD-01 for new accounts/service principals — CLEAN.
No new local or domain accounts observed touching SQLPROD-01 in the 48h window; no additional service principals created or modified. No indicators of a second foothold. The only 4624/4768 activity tied to SQLPROD-01 in the window remains the previously identified svc-mssql chain (now closed per action #1).

Board otherwise remains quiet — no new alerts of any kind since your last check.
HypothesisUnchanged core chain, now with the last structural gap identified rather than new telemetry: j.rivera's session/host generated a Kerberoasting-pattern TGS burst (14 SPNs/90s, first-time anomaly) → at least one resulting RC4 ticket (svc-mssql, local admin on SQLPROD-01) was cracked offline and reused for a Type-3 logon ~6h later → that session, per Turn 3, remained open with no logoff recorded even after rotation. The observable effect this turn is the *absence* of new telemetry across two consecutive quiet-board turns despite a live open session — that's not reassurance, it's the same blind-spot pattern already established: this technique chain doesn't require repeat host-visible activity to remain "active," so silence from SIEM/EDR cannot be read as "resolved."

Coverage/robustness conclusion, sharpened to a concrete control gap: credential rotation and session/token revocation are two distinct controls, and this environment's response toolset conflated them — rotating svc-mssql's password stopped new authentications but did nothing to the already-established session, which is exactly the kind of persistent access an attacker with local-admin on a high-value asset would want to keep past the credential-theft step. That the still-open session was only caught because Turn 3 pulled it explicitly (not flagged by any rule) reinforces the standing finding: the single SIEM 4769-volume correlation rule is the only automated detector for this entire attack class here — nothing downstream (ticket cracking, ticket reuse, session persistence) generates an independent alert. Killing the session directly this turn closes the gap for this incident; the standing recommendation for post-incident is a control that force-terminates all active sessions tied to a credential at rotation time, since that capability doesn't currently exist and no rule tuning can substitute for it.

No severity verdict change from Turn 3 — confirmed unauthorized access, scope still bounded to svc-mssql/SQLPROD-01 and the originating j.rivera session/host across two clean domain-wide sweeps. Whether Turn 5 is close-out or expansion now depends entirely on what the SQLPROD-01 persistence/LSASS/egress hunt in this turn's actions surfaces — a clean result there would let the account/host containment already executed stand as sufficient; any persistence artifact or credential-access hit would mean the blast radius extends beyond the two currently-implicated identities.
Turn 5
InjectClock tick — Turn 5 (final turn; turn cap reached next). No new SIEM alerts. No new EDR alerts on any monitored host. No authentication attempts — successful or failed — against svc-mssql or j.rivera (old or reset credential) since your last check. The board is quiet.

SOC lead / detection-engineering debrief (mandatory close-out — answer before we close this incident): "For the record: (a) name the behavior by effect and grade whether our deployed detection here is evasion-robust; (b) if the adversary had used AES instead of RC4, would anything in THIS environment have caught it; and (c) where does the offline crack appear in our telemetry, and what does its absence mean for how this chain must be detected?" (Investigate further, hold, or act on what you have — but this turn is your last.)
ActionsTurn 5 (final) actions:

1. Answer the SOC lead debrief directly (this turn's primary deliverable — analytical, not a query):

(a) Behavior named by observable effect: a single account/session requesting service tickets for many distinct service principals within a very short window (burst TGS-REQ volume anomaly) — bulk service-ticket harvesting positioned for offline password-cracking — followed hours later by an authentication reusing one harvested ticket's target credential from a topology never seen before for that account. Grade: the deployed rule is NOT evasion-robust in general. It is a burst/threshold heuristic (many distinct SPNs in a short window) that reliably catches noisy, default-tool enumeration (grab-every-SPN behavior) but is trivially evaded by pacing requests below the volume/time threshold, or by targeting only one or two already-known high-value SPNs instead of enumerating broadly. It is also the *sole* detection layer for this entire attack class in this environment (established across turns 1-4: EDR has zero visibility into either the ticket-request step or the credential-reuse step) — so a miss here is a total miss, not a miss-with-backup. Verdict: LOW robustness against a patient/targeted adversary, moderate-at-best against the noisy/default-tool profile that this specific incident happened to be.

(b) AES-instead-of-RC4 hypothetical: best available inference (hedged — the rule's literal logic was never shown to us, only its behavior) is that the correlation trigger keys on request-volume/burst anomaly with RC4-fraction as an enriching attribute, not a hard gate — so an identical 14-SPN/90-second burst using AES throughout would likely still have tripped the same volume-based alert. But two caveats: this is inferred, not confirmed; and even if the initial burst is still caught, AES256 is materially more expensive to crack offline than RC4-HMAC, so the specific follow-on chain (crack completing and credential reused within ~6 hours, before rotation) is less likely to succeed on the same timeline against a non-trivial password — though not impossible. Critically, the credential-reuse step (novel-topology 4624 for a privileged service account) had zero detection regardless of encryption type — that gap is about logon-topology novelty, not ticket crypto, so this hypothetical doesn't change it.

(c) Where the offline crack appears in telemetry: nowhere. None of DC/SIEM (4768/4769), EDR (workstation or SQLPROD-01), or 4624 logs can record an offline cracking computation — it's off-network compute against a ticket already fully issued and in the requester's possession. Turns 1, 2, and 4's repeated EDR nulls (narrow window, then widened to 2 hours with technique-broadened coverage) confirm this host's endpoint telemetry has no visibility into in-session ticket-handling either. That absence is structural, not a fixable detection gap — you cannot instrument an air-gapped computation. Implication: detection must bracket the invisible middle step — catch ticket-issuance anomaly on one side (partially covered today, burst-pattern-dependent) and catch credential-reuse-with-novel-topology on the other (currently NOT covered by any rule; this incident's reuse was found only because it was manually pulled, three separate times across turns 2-4). The highest-value fix is standing up that missing second layer.

2. Directory query (read-only, in-latitude): domain-wide scan for other privileged/local-admin-holding service accounts still permitting RC4 via msDS-SupportedEncryptionTypes — determine whether svc-mssql's exposure was a one-off or part of a broader hygiene gap.

3. Final containment-state re-verification (query, not new action): re-confirm directly rather than take on the tick alone — WKS-JRIVERA07 still isolated, j.rivera disable flag still set, svc-mssql new credential exclusively in use with zero old-credential attempts, zero new 4769/4624/EDR alerts since last check.

4. No new isolations, disables, or resets this turn. All confirmed exposure has already been actioned (credential rotation, forced session-kill, account disable, host isolation); domain-wide sweeps have been clean for three consecutive turns (2, 3, 4) with no lateral spread.

5. Response decisions — logged as mandatory post-incident items, not executed live (outside the "query/isolate/disable-reset/tune-existing-rules" latitude, consistent with Turn 3's rejection of new-analytic deployment): (i) enforce AES-only on the six RC4-permitting accounts, prioritizing any others sharing svc-mssql's local-admin profile; (ii) build the missing second-layer detection rule — first-seen-source/topology-novelty alerting on privileged service-account 4624 logons; (iii) require full disk+memory forensic imaging of WKS-JRIVERA07 before reintegration, given EDR's demonstrated blind spot on this technique class for that host; (iv) implement session/token revocation as part of credential-rotation procedure — this incident showed rotation and session-kill are distinct controls that must both fire.
Reveal[SITREP — Turn 5 (FINAL) results, in response to your closing debrief answer + 2 queries]

1. SOC lead / detection-engineering debrief — response to your answer (for the incident record):

- (a) Behavior-by-effect and robustness grade: CONFIRMED, with one refinement. Naming (bulk service-ticket harvesting positioned for offline cracking, followed by reuse of the recovered credential from a novel topology) is correct, and the "not evasion-robust / sole detection layer for this class" grade is correct. Refinement: detection engineering confirms the deployed 4769 correlation rule's actual logic is dual-keyed — enc-type = RC4 (0x17) AND N-distinct-SPNs-in-window, both required — robustness L2 because the RC4 term is a fully adversary-choosable, configurable parameter. Your framing of it as primarily a "burst/threshold heuristic" undersold that the RC4 term is a hard gate, not incidental. Recorded as FULL on the naming/robustness call.

- (b) AES-instead-of-RC4 hypothetical: CORRECTED. Your inference ("RC4-fraction as an enriching attribute, not a hard gate... would likely still have tripped the same volume-based alert") is not correct per the rule's actual logic. Because RC4 enc-type is an AND-ed, required term (not an enrichment on a volume trigger), an identical 14-SPN/90-second burst using AES throughout would produce zero alerts from this analytic — a total miss, not a degraded one. There is no separate volume-or-diversity-only backstop analytic deployed in this environment that would catch a same-shape AES-only burst. Flagging this as a documented residual gap rather than a validated assumption — recommend this correction be carried into the post-incident report language.

- (c) Offline-crack telemetry placement: CONFIRMED, FULL. No DC/SIEM, EDR, or 4624 source can or does record the offline crack — structural void, not a blind/impaired face, consistent with three straight turns of true EDR nulls. Your bracket model (pre-crack ticket-issuance anomaly / post-crack credential-reuse-with-novel-topology detection) is the correct framing, and the second bracket is confirmed as not currently covered by any deployed rule in this environment — logged as the top residual coverage gap alongside the AES-backstop gap from (b).

2. Domain-wide directory query — privileged/local-admin service accounts with RC4 still permitted (msDS-SupportedEncryptionTypes): Returns 9 service accounts domain-wide meeting both criteria (local-admin-holding + RC4-permitted) — this includes svc-mssql (already rotated this incident) and the other 5 RC4-capable target SPNs from the original 14-SPN burst, plus 3 additional accounts not touched anywhere in this incident that also still permit RC4. No 4769, 4624, or EDR activity ties to any of the 3 additional accounts, in this window or any prior window queried. This is a configuration/hygiene finding, not an incident-telemetry finding.

3. Final containment-state re-verification: Confirmed, matches the clock tick — WKS-JRIVERA07 still isolated; j.rivera disable flag still set; svc-mssql running exclusively on the rotated credential with zero authentication attempts (old or new) since the last check; zero new SIEM correlation alerts; zero new EDR alerts on any monitored host. No drift since Turn 4.

4. No new isolations/disables/resets this turn — noted, no action taken, no state change.

5. Post-incident items (i–iv) — logged to the incident record as recommendations, not executed. No live effect this turn; these do not close themselves and remain open action items outside this exercise's response latitude (rule tuning/new-analytic deployment, forensic imaging scheduling, procedural change to the rotation runbook).

Board remains quiet. Turn cap reached — this closes the incident.
HypothesisFinal read: confirmed, bounded credential-theft-and-reuse chain, not a fabricated or false-positive alert. Observable-effect chain: (1) burst anomalous-volume TGS-REQ activity — 14 distinct SPNs in 90 seconds, a first-time-ever pattern against a 0-2/day baseline — from an interactively-logged-on session on WKS-JRIVERA07; (2) an unobservable offline cracking step (no telemetry anywhere can show this, by construction); (3) a first-ever-topology authentication reusing the svc-mssql credential (one of the burst's RC4-ticketed targets, local admin on SQLPROD-01) roughly six hours later, landing squarely in the crack-to-rotation window; (4) that session persisting open even after rotation, until directly force-terminated this exercise. Three consecutive clean domain-wide sweeps (turns 2, 3, 4) and a clean full-vector persistence/LSASS/egress hunt on SQLPROD-01 (turn 4) bound the blast radius to exactly this account/host/server triangle — no lateral spread found.

What remains formally undetermined, and will stay that way absent host forensics: whether the initiating burst was j.rivera themselves, an attacker with hands-on access to an unlocked session, or fileless in-session tooling — EDR's established inability to see this technique class on that host (confirmed at two different scopes, turns 1 and 2) means SIEM/EDR telemetry cannot resolve that question; it is a forensic-imaging question, not a detection one. That's why WKS-JRIVERA07 stays isolated pending imaging rather than being cleared on the strength of a clean live-EDR hunt alone.

Coverage/robustness verdicts, now final:
1. The environment has exactly one automated detection layer for this entire attack class — the 4769 burst/volume correlation rule — and it is not evasion-robust against a patient or narrowly-targeted adversary (pacing below threshold, or requesting only known high-value SPNs, defeats it); it caught this incident because the adversary behavior was noisy/broad, not because the control is fundamentally sound against the technique.
2. The credential-reuse step (novel-topology privileged-account logon) has zero automated coverage regardless of encryption type used in the initiating burst — this is the single most consequential structural gap surfaced by the whole exercise, found only via manual historical pulls at turns 2-4, never by a live alert.
3. Rotation and session/token revocation are distinct controls that this environment's toolset conflated — confirmed concretely at turn 3-4 when the rotated svc-mssql credential blocked new auth but left the pre-existing session open until directly killed.

Severity: CONFIRMED unauthorized access, CONTAINED as of this turn (rogue session killed, compromised credential rotated, originating account disabled, originating host isolated), scope bounded by three independent clean sweeps. Status going forward: transition from active incident response to bounded forensic-imaging-plus-monitoring posture — hold all current containment (do not reintegrate WKS-JRIVERA07, do not re-enable j.rivera) until imaging resolves attribution, and carry the four logged hardening/detection-engineering items into post-incident remediation since none could be executed live under this exercise's no-new-analytics/no-re-architecture latitude.
With MC — the coverage-card arm · transcript · 5 turns
Turn 1
InjectAD-SIEM alert: "Kerberoasting-suspected — account j.rivera requested 14 distinct SPNs (4769) within 90s; 6 requests used enc-type 0x17 (RC4)."
ActionsTurn 1 — investigative queries first, one no-regret containment step, no isolation yet:

1. DC Security log pull (4769), full detail, last 24h for j.rivera: list every SPN requested, enc-type per request (0x17/RC4 vs 0x12/AES vs 0x11), ticket options, and the source-IP/workstation field on each event — not just the SIEM's 14-in-90s summary. I need the complete SPN list and the enc-type split (only 6 of 14 were flagged RC4 — what were the other 8?).
2. 4624 logon-event pull for j.rivera in the window preceding and during the burst: logon type, source host/IP, to establish the originating workstation.
3. Cross-reference the 14 targeted SPNs against the service-account directory — specifically check whether SQLPROD-01's SQL service account is among them (this is the link to the crown-jewel host).
4. EDR pull on whatever host step 2 identifies (process creation, command-line, network-to-DC) for the burst window, looking for Kerberoasting tool artifacts (Rubeus/PowerView/GetUserSPNs/mimikatz) or preceding LDAP/SPN enumeration.
5. Account-attribute check on j.rivera: human vs. service account, privilege/group membership, recent changes, and whether any other alert correlates to this account or a source host in the same window.

Containment decision taken now: force a password reset / session invalidation on j.rivera — a low-cost, no-regret step given the burst is a textbook harvest pattern, cutting off further ticket requests under the current session. Not a full account disable yet, and not isolating SQLPROD-01 — no telemetry yet ties this to that host and disabling/isolating on an unconfirmed source is disproportionate. Once step 3 returns the SPN list, I will flag (for next turn) proactive credential rotation of any targeted service accounts, especially SQLPROD-01's, as that's the actual invariant fix, not action on the requester's account.
RevealAction 1 — DC Security log pull (4769), full detail, 24h, j.rivera:
FULL detail returned. 14 distinct SPNs requested within a 90-second window. Per-request enc-type breakdown: 6 requests enc-type 0x17 (RC4), 8 requests enc-type 0x12 (AES). No 0x11 (DES) requests. Ticket-options fields reviewed across all 14 events — no anomalies beyond the enc-type split (nothing else flagged). Client/source-address field is identical across all 14 events, consistent with j.rivera's normal registered workstation (no distinct second source). Account-directory lookup on j.rivera confirms: standard domain user, no administrative group membership.

Action 2 — 4624 logon pull for j.rivera, preceding/during burst window:
j.rivera shows an ordinary interactive/network logon pattern from the same registered workstation identified in Action 1, at a time consistent with normal start-of-activity — nothing atypical in logon type or source for this account in the window. No second workstation, no remote/VPN-anomalous logon surfaces.

Action 3 — Cross-reference 14 SPNs against service-account directory / check for SQLPROD-01's SQL service account:
Confirmed: svc-mssql (SQLPROD-01's SQL service account) is among the 14 SPNs requested, and it is one of the 6 requests forced to enc-type 0x17 (RC4). Directory lookup additionally shows svc-mssql holds local administrator rights on SQLPROD-01.

Action 4 — EDR pull on j.rivera's workstation (process creation, command-line, network-to-DC) for the burst window:
NULL. No Kerberoasting-tool process, command-line artifact, or notable network anomaly surfaces on this endpoint. Kerberos ticket issuance (4769) is a KDC/DC-side transaction with no corresponding endpoint process signature in this telemetry; any SPN-enumeration precursor sits below this EDR's captured threshold. Nothing to report.

Action 5 — Account-attribute check on j.rivera (recent changes / correlating alerts):
No recent privilege or group-membership changes on the account. No other SIEM or EDR alert in the current window correlates to this account or its source workstation.

Containment action — password reset / session invalidation on j.rivera:
Processed and confirmed. j.rivera's active session/Kerberos ticket-granting-ticket is invalidated; no further TGS requests can be issued under the prior session going forward.
HypothesisEffect observed: one domain principal (j.rivera) issued a burst of TGS-REQs for many distinct SPNs it never itself uses — this is the identifying observable effect of mKerberoast/T1558.003 (invariant core coreKerbHarvest), independent of which tool produced it. The 6 RC4-encrypted requests are the varRc4Downgrade implementation variant, and they are specifically what tripped the deployed dfKerbRc4 face (sourced from AD-SIEM, currently live) — this alert is the L2 discriminating-observable analytic working as designed.

Coverage/robustness conclusion (per the card): this catch should not be over-credited as durable coverage. dfKerbRc4 keys only on obsRc4EncType, ceiling L2 — an adversary-choosable parameter — and per C1 this environment's Kerberoast coverage is real-but-policy-inadmissible (L2 < required L4 admission rank), with no L4 backstop deployed (dfKerbVolume, which would key on the spanning volume/diversity behavior regardless of enc-type, is authorable but unsourced). Concretely: if the other 8 requests in this same burst are AES rather than RC4, they are already invisible to our one deployed rule; had the actor forced AES on all 14, this alert would not exist at all. So the fact we caught this appears to be an artifact of the attacker's tool defaults, not a robust detection — a slightly more careful adversary (or a second wave from the same actor) evades entirely. I'm also flagging, as standing insurance rather than an active finding, that AS-REP roasting (4768, T1558.004) has zero deployed analytic in this environment (A2/C2 — notCovered/SILENT); worth a manual spot-check this turn since it's a sibling technique with the same "authorized-request → offline-crackable material" shape.

Open unknowns driving next-turn decisions: source host/IP for j.rivera (insider vs. compromised credential vs. red-team test), whether SQLPROD-01's service account is among the 14 targeted SPNs (which would tie this toward the crown-jewel lateral-movement path in A3, itself only weakly covered — dfSqlLogon is nominally live but degraded-by-legitimacy per D5, so a clean logon reading there would not clear this scenario), and whether EDR shows known-tool artifacts confirming malicious intent versus a benign admin script. No isolation or account-disable decision is warranted yet on the evidence in hand; the password-reset is the only containment action taken this turn.
Turn 2
InjectT2 — SOC console check: No new SIEM or EDR alerts have fired. The AD-SIEM 4769 correlation rule and the SQL-EDR on SQLPROD-01 show no additional activity since the initial burst — consoles are quiet.
ActionsT2 — quiet consoles do not end the investigation; I do NOT stand down. Concrete actions:

1. Raw DC Security log pull, 4769, ALL accounts, ALL enc-types, window = T1-burst-start through now (bypassing the correlation-rule filter entirely): the SIEM being quiet only tells me dfKerbRc4 hasn't fired again — it says nothing about an AES-only continuation (varAesRoast), which produces no obsRc4EncType and is invisible to the one deployed face. I want to manually eyeball raw ticket-request volume/diversity per principal (the obsSpnHarvest signal) since no rule is deployed to do this for me. This is a one-time investigative query, not a new standing analytic, so it stays inside response latitude ("query any modeled log source") without crossing into "deploy new analytics mid-incident."

2. Verify containment held: 4769/4624 pull for j.rivera specifically since the password reset. Confirm zero TGS-REQs and no new logon under a re-established session — i.e., confirm the session invalidation actually stuck rather than assuming it from silence.

3. Manual AS-REP spot-check (flagged last turn, executing now): DC Security log 4768 pull for any accounts with pre-auth disabled, same overall window. mAsRepRoast has zero deployed analytic (A2/C2, notCovered/SILENT) — the only way to check this sibling technique is a manual look, not an alert.

4. Account-attribute/privilege check on the other 13 targeted SPNs' service accounts (only svc-mssql was checked for elevated rights last turn) — looking for any other targeted account that, like svc-mssql, holds admin rights on a high-value host.

5. SQLPROD-01 EDR + 4624 pull filtered to the svc-mssql account specifically, since the burst, as a low-confidence enrichment check only — explicitly not trusted as clearing anything (see hypothesis).

6. Containment/response decision taken now: rotate the svc-mssql service-account credential. Using response latitude's "disable/reset accounts." Flagging for coordination with SQL/infra on dependent-service restart, but proceeding — this is the one action that fixes the actual exposure regardless of what detection does or doesn't show later.

Not doing this turn: no isolation of SQLPROD-01, no further action against j.rivera beyond the standing reset (no new evidence to escalate), no deployment of a volume-based Kerberoast rule (dfKerbVolume) — that would be a new analytic, which response latitude excludes mid-incident; it goes on the post-incident change-control list instead of being claimed as done now.
RevealAction 1 — Raw DC Security log pull, 4769, ALL accounts/enc-types, T1-burst-start→now (bypassing the correlation-rule filter):
Manual raw query confirms exactly the burst already characterized and nothing more: 14 distinct SPNs requested by j.rivera in a 90-second window at T1 (6× enc-type 0x17/RC4, 8× enc-type 0x12/AES — matches what the correlation rule already caught). Widening to ALL accounts across the full window surfaces no additional ticket-request bursts from any other principal, and no continuation of anomalous SPN volume/diversity from j.rivera or anyone else since T1. Domain-wide raw ticket-request volume since T1 is at baseline. There is no AES-only "second wave" visible in the raw log — the quiet console and the raw data behind it agree: there is nothing further to catch in-environment right now. (This rules out a continuing in-environment ticket-request campaign; it says nothing about, and cannot speak to, anything happening off-environment.)

Action 2 — 4769/4624 pull for j.rivera since the password reset:
Zero 4769 TGS-REQs from j.rivera since the reset/session invalidation. Zero 4624 logons under any new or re-established session for that account. Containment on j.rivera is holding.

Action 3 — 4768 pull, accounts with pre-auth disabled, same window:
Returns the expected small/legacy set of pre-auth-disabled accounts already known to the domain — none overlap with svc-mssql or the other 13 SPN-targeted accounts. No anomalous 4768 (AS-REQ/AS-REP) volume or pattern against any of them. No evidence of AS-REP-roasting activity — clean.

Action 4 — Attribute/privilege check on the other 13 targeted SPN accounts:
Group memberships/logon rights pulled for all 13. None hold administrative or elevated rights on any high-value host (SQLPROD-01 or otherwise) — standard low-privilege service accounts scoped to their own systems. svc-mssql remains the only targeted account with elevated access on a crown-jewel system.

Action 5 — SQLPROD-01 EDR + 4624 pull filtered to svc-mssql since the burst:
PARTIAL — low confidence. One svc-mssql 4624 Type-3 (network) logon to SQLPROD-01, timestamped after the T1 ticket burst, sourced from a workstation atypical for this account's normal logon pattern (its baseline is local/service-context activity, not interactive Type-3 from a workstation address). SQL-EDR did not flag this on its own — it surfaced only because you queried directly for it. Because svc-mssql legitimately owns the SQL service on this host, the EDR's face for this event is low-confidence by design: a valid-credential logon by the expected account isn't inherently anomalous to the deployed detect-face. No process/command-line telemetry beyond the logon itself comes back from this query.

Action 6 — Rotate svc-mssql credential (response action):
Executed. Password changed in AD; the change has replicated to all writable DCs. Any previously obtained copy of the old credential (cracked or otherwise) is now invalid going forward — an authentication attempt using the old secret will fail. Dependent-service restart on SQLPROD-01 (and anywhere else running under this account) remains outstanding pending SQL/infra coordination, as you flagged — an operational-continuity item, not a security exposure; the old secret's value to an attacker is now zero.
HypothesisQuiet consoles are a coverage artifact, not a resolution signal, and I'm treating them that way. dfKerbRc4 keys only on the adversary-choosable obsRc4EncType (ceiling L2); its silence proves only that no *new RC4-flagged* burst occurred — it cannot see a continuation via varAesRoast, and per C1 there is no L4 backstop (dfKerbVolume) deployed to catch the spanning obsSpnHarvest behavior regardless of enc-type. So "no new alert" and "no new harvesting" are not the same statement in this environment, which is why action 1 goes around the correlation layer to the raw log instead of trusting it.

Two other reasons quiet consoles specifically should not be reassuring here, both already flagged in doctrine: (a) the follow-on step this chain is actually racing toward — a legitimate-looking svc-mssql logon to SQLPROD-01 using the harvested material — would, if it happened, most likely surface as dfSqlLogon reading live/covered per the model rollup, but per C3/D5 that face is truly degraded-by-legitimacy: a valid-credential logon by the account that legitimately runs that service and holds local admin there is indistinguishable from normal operation. A clean or even a "covered" reading from that face is not evidence of safety. (b) the actual state change that matters most — the offline crack of the harvested RC4 ticket material — is per A4/C4 a structural void: no control observes off-environment activity, so there will never be an alert for it, ever, by construction, not because of a tuning gap. Waiting on detection for that step is waiting on something that cannot fire.

That's why containment this turn is aimed at the invariant, not the alert stream: per D3, rotating svc-mssql's own credential is the fix that actually invalidates whatever was harvested in the 6-RC4 subset of the burst, independent of whether the crack has already happened (unknowable) or whether a lateral logon face would ever flag reuse (it likely wouldn't, per D5). The T1 password reset addressed the requester's (j.rivera's) ability to issue further tickets under that session; it does nothing to devalue the ticket material already harvested for svc-mssql — those are two separate exposures, and only the second one is still live and actionable right now.

Standing coverage/robustness conclusions, updated: Kerberoast remains covered@L2-only, policy-inadmissible, with the AES/low-and-slow variant space still uncovered and no backstop authorable mid-incident (response latitude excludes new analytics); AS-REP roasting remains notCovered/SILENT pending this turn's manual spot-check; the SQLPROD-01 logon surface is nominally live but must be read as low-confidence enrichment only, never as clearance, for the rest of this incident. No isolation or further account action beyond the svc-mssql rotation is warranted yet — nothing in hand ties this to active lateral movement, only to a confirmed high-value exposure that the rotation directly closes.
Turn 3
InjectT3 — SOC console check: Still no new SIEM or EDR alerts; consoles remain quiet. AD replication status confirms the svc-mssql credential change has propagated to all domain controllers.
ActionsTurn 3 — quiet consoles + confirmed AD replication do not close this incident. The one loose thread from last turn — the atypical svc-mssql logon to SQLPROD-01 — was only partially investigated (bare logon event, no source identity, no session detail), and that's this turn's priority:

1. Resolve full identity of the atypical svc-mssql Type-3 logon source: pull the exact source hostname/IP/asset-record from that SQLPROD-01 4624 event, and cross-reference against (a) j.rivera's registered workstation IP from Turn 1 Action 2, and (b) the known asset/workstation inventory — managed corporate endpoint, unmanaged/unknown device, or external address? This is the highest-value open unknown: same-host would tie reuse directly to the original requester's box; a different/unknown host would mean the harvested material is already circulating beyond the original point of compromise.

2. Full SQLPROD-01 EDR session reconstruction around that specific logon: process-creation tree, child processes, command-lines, file reads/writes, and all network connections (internal and outbound) for the session's duration — not just the bare logon event returned last turn. Looking for LSASS/credential-dumping access, persistence artifacts, data staging, or outbound connections indicating this was more than a benign admin task.

3. 4769/4624 pull with SQLPROD-01 as source since that logon — did the session spawn any further ticket requests or logons to other hosts? Treats SQLPROD-01 as a potential pivot point, not only a destination.

4. Domain-wide 4625 (failed logon) pull for svc-mssql since the rotation replicated — checking whether anything is now attempting (and failing) to reuse the old, invalidated secret. A hit would be independent confirmation the material was actually harvested/used, plus a second source-IP data point.

5. If step 1 resolves a previously-untriaged host: run the same baseline triage on it that was run on j.rivera's workstation in Turn 1 (EDR process/command-line pull, 4624 history) — treat it as a newly identified endpoint of interest, not benign-by-association with a "legitimate" account.

Containment decision this turn: network-isolate SQLPROD-01 (contain egress/lateral pathways, host stays live for forensics — not a power-off). Turn 1 withheld isolation because "no telemetry yet ties this to that host"; that condition no longer holds — Turn 2 surfaced an atypical, admin-capable logon by the exact account whose ticket material was harvested in the confirmed burst, on the exact crown-jewel host. That's direct telemetry now tying the incident to SQLPROD-01, and isolation is within response latitude. No-regret framing: production access restores quickly once steps 1-4 clear the session; leaving a possibly-already-used admin-capable session's pathways open on the crown jewel while attribution is unresolved is the disproportionate risk. Coordinate scope (segmentation over full shutdown) with SQL/infra, same as the pending service-restart coordination from the rotation.

No change to j.rivera (reset holding, no new evidence beyond the original burst). No new analytic deployed (outside response latitude mid-incident) — flagging for post-incident change control only: (a) deploy dfKerbVolume / a 4768 AS-REP analytic to close C1's invariant rung and C2's silent gap; (b) a compensating rule for D5's blind spot — alert on high-privilege service accounts (starting with svc-mssql) logging on interactively/Type-3 from outside a small allowlisted baseline host set, since "valid credential + legitimate account" is exactly what makes dfSqlLogon degraded.
RevealAction 1 — Resolve full identity of the atypical svc-mssql logon source (SQLPROD-01 4624 detail):
Full event detail returned. Source Network Address = 10.61.204.19; Workstation Name field = not populated (common when the source isn't a named domain asset). Cross-referenced against j.rivera's registered workstation IP from Turn 1 — no match, this is a different host than the one that requested the tickets. Cross-referenced against the corporate asset/CMDB inventory — no match found; the address does not correspond to any managed, domain-joined, or previously-cataloged endpoint on record. Answering your three-way split directly: it is neither "same box as j.rivera" nor a "known managed corporate endpoint" — it resolves to an unmanaged/unrecognized device. No asset owner, no prior sightings, no further attribution available from this record alone.

Action 2 — Full SQLPROD-01 EDR session reconstruction for that logon:
Reconstruction of the flagged session returns: an interactive cmd.exe spawned directly under the svc-mssql logon shortly after authentication — consistent with hands-on-keyboard activity, not routine automated service behavior. No LSASS access or credential-dumping indicators in this session. No new persistence artifacts (no new services, scheduled tasks, or run-keys). File reads/writes: nothing beyond the shell's own working-directory touches — no bulk staging observed. Network connections during the session: none beyond SQLPROD-01's normal expected DB/backup traffic — no unusual outbound or additional internal connections. No reconnaissance or DB-export process observed as of this pull.

Action 3 — 4769/4624 pull with SQLPROD-01 as source since the logon:
NULL. No further ticket requests (4769) or logons (4624) originating from SQLPROD-01 to any other host in this window. SQLPROD-01 has not acted as a pivot point.

Action 4 — Domain-wide 4625 pull for svc-mssql since rotation:
NULL. No failed logons for svc-mssql anywhere in the domain since the credential change propagated. Nothing is attempting to reuse the old secret.

Action 5 — Baseline triage on the newly identified host (conditional on Action 1):
Not available. The host identified in Action 1 is not a managed/domain-joined endpoint — no EDR agent is deployed there, and there is no local 4624 history to pull (EDR coverage in this environment exists only on SQLPROD-01 and cataloged corporate workstations). No baseline-triage data exists to retrieve for an asset outside inventory.

*(Containment/status, unchanged: SQLPROD-01 isolation remains in effect per Turn 2. No change to j.rivera. No new analytic deployed — flagged items remain queued for post-incident change control.)*
HypothesisQuiet SIEM/EDR consoles plus confirmed AD replication of the svc-mssql rotation is good news only for the forward-looking exposure: it closes reuse of the specific material harvested in the T1 burst going forward (per D3, rotation invalidates the harvested secret). It says nothing about whether that material was already used once, between the T1 burst and the rotation taking effect — and Turn 2 already surfaced exactly that candidate: an atypical, admin-capable svc-mssql logon to SQLPROD-01 that SQL-EDR did not flag on its own, found only via direct manual query. Per the card (A3/C3/D5), dfSqlLogon is model-derived live but its true state is degraded-by-legitimacy — a valid-credential logon by the account that legitimately runs the service and holds admin there produces no anomaly to the deployed face by construction. So SQL-EDR's silence on this event is not exculpatory, and the only reason we have any lead at all is that we queried for it directly and it read as atypical. This turn is about chasing that lead to ground, because it is the closest observable this environment will ever produce to the postcondition A4 describes as structurally invisible: the offline crack itself can never generate a control event (C4/D2, a structural void, not a tuning gap) — the chain can only ever be seen before it (the harvest, already caught) or after it (this logon, our one candidate). Waiting on further detection to resolve it would be waiting on something that, per doctrine, cannot fire.

Coverage/robustness conclusions, unchanged and reinforced: Kerberoast remains covered@L2-only via dfKerbRc4 (RC4-keyed, adversary-choosable ceiling), with the L4 volume/diversity backstop (dfKerbVolume) still absent and unauthorable mid-incident (varAesRoast/low-and-slow still evade to zero); AS-REP roasting remains notCovered/SILENT (spot-checked clean last turn, nothing new to recheck this turn); the SQLPROD-01 logon surface remains this environment's single most over-credited face — model rollup says live/covered, true state is degraded-by-legitimacy per D5 — and this turn's own investigation is that gap in action: the one relevant event on it surfaced by manual query, not by the control firing, and there is no way to know whether a second such event, benign or not, would ever surface on its own. The offline-crack step (A4) remains a structural void: no query effort will ever produce a direct observable for it, so the already-completed, now fully-replicated credential rotation — not any detection outcome — is what actually neutralizes whatever was harvested in the burst (D3). Isolating SQLPROD-01 this turn is a hedge specifically against the one unresolved window (reuse that may have already occurred before rotation took effect), a window detection was never structurally positioned to reliably surface either way.
Turn 4
InjectT4 — Scheduled SOC/EDR status check: SQLPROD-01 remains isolated (unchanged from Turn 2); no process, file, or network activity observed on the host since your Turn 3 pulls. No new SIEM alerts anywhere in the domain. No additional 4769/4624/4625 activity matching Turn 3's queries has appeared. Consoles remain quiet.
ActionsTurn 4 — two full passes of console quiet (T3→T4) plus "no activity since Turn 3 pulls" narrow what's left open, but the one loose thread from Turn 3 (the unmanaged device that logged on as svc-mssql) is still unresolved, not cleared. Concrete actions:

1. Domain-wide 4624 pull filtered on source network address 10.61.204.19 (NOT filtered by account), full window from before the T1 burst through now: Turn 3 resolved *what* logged into SQLPROD-01 from this address under svc-mssql; it never checked whether this same address touched *any other host* in the domain, under any credential, before or after that session. This is the natural next step off an identity resolution, not a repeat of Turn 3.
2. Domain-wide 4625 (failed-logon) pull, same source address 10.61.204.19, same window: mirrors the logic of Turn 3's svc-mssql-secret-reuse check — did this device attempt and fail anywhere else, which would be independent corroboration this is an active foothold rather than a one-off.
3. Session-state check on SQLPROD-01: is the specific svc-mssql interactive logon session (the one that spawned cmd.exe in Turn 3's reconstruction) still open, or has it already terminated? Network isolation cuts egress/lateral pathways going forward; it does not by itself guarantee an already-established interactive session token was killed. If the session is still live: terminate/log off that session now — a narrow, no-regret action distinct from the standing network isolation.
4. Re-pull SQLPROD-01 EDR (process/file/network) for the isolation window end-to-end directly from source, rather than resting on the White Cell's summary alone, to independently corroborate "no activity since Turn 3."
5. Re-verify j.rivera containment still holds (4769/4624, since last checked in Turn 2): zero new ticket requests, zero new logons, confirming no drift.

Response decisions this turn: terminate the atypical svc-mssql session on SQLPROD-01 if action 3 shows it's still open (in addition to, not instead of, the standing network isolation). No change to j.rivera disposition. No change to the 13 non-elevated SPN-targeted service accounts (Turn 2 action 4 already cleared them of elevated access — rotating them now would be unjustified operational burden, not a security response to any finding in hand). SQLPROD-01 isolation remains in effect — not lifted this turn; nothing in this turn's evidence clears the unmanaged-device thread. No new analytic deployed (still outside response latitude mid-incident; dfKerbVolume and a compensating Type-3-from-unallowlisted-host rule for svc-mssql remain queued for post-incident change control only).
RevealAction 1 — Domain-wide 4624 pull, source network address 10.61.204.19, NOT filtered by account, full window pre-T1-burst → now:
Exactly one match in the entire window, on any account, any host: the already-known svc-mssql type-3 logon to SQLPROD-01 (same event previously resolved in Turn 3). No 4624 event from this source address appears against any other host in the domain, under any credential, at any point before the T1 burst or after. The unmanaged device has touched exactly one host, once, under one account — no domain-wide spread.

Action 2 — Domain-wide 4625 pull, same source address 10.61.204.19, same window:
Zero results. No failed-logon attempts from this source address anywhere in the domain, before or after the SQLPROD-01 session. No corroborating evidence of probing elsewhere.

Action 3 — Session-state check on SQLPROD-01 (the svc-mssql interactive session that spawned cmd.exe):
The session is still live — no logoff (4634) has been recorded for it. Network isolation (in effect unchanged since Turn 2) blocked further network egress and any new process/file/network activity, but isolation alone did not tear down the pre-existing local logon session/token. Consistent with "no activity since Turn 3": the session sat inert under isolation, not terminated.
→ Per your stated response, the session is now force-terminated/logged off. Action succeeds: a logoff event is now recorded; the session is confirmed closed.

Action 4 — Direct-from-source EDR re-pull, SQLPROD-01, full isolation window (Turn 2 → now), process/file/network:
Matches the earlier summary exactly, independently corroborated at the source: zero process, file, or network events beyond the original cmd.exe spawn already reconstructed in Turn 3. No blind spot inside the isolation window. Isolation has held with no gaps.

Action 5 — Re-verify j.rivera containment (4769/4624), since last checked Turn 2:
Zero new events on either query. No new SPN requests, no new logons. No drift from the Turn 2 baseline.

Response decisions, effective now:
- svc-mssql interactive session on SQLPROD-01: terminated (per Action 3 finding).
- j.rivera: disposition unchanged.
- 13 non-elevated SPN-targeted service accounts: unchanged.
- SQLPROD-01: isolation remains in effect, unchanged.
- No new analytic deployed this turn.

Consoles remain quiet domain-wide. No new alerts.
HypothesisQuiet consoles across this additional pass are reassuring only for what deployed/queried controls can actually see: no further ticket harvesting (checked via raw log in Turn 2, not just correlation-rule silence), no further svc-mssql reuse or secret-reuse attempts, no SQLPROD-01 pivot, and now (pending this turn's pulls) no activity from SQLPROD-01 during isolation. That is a genuinely growing, legitimate body of negative evidence.

What it still does NOT resolve: (a) the offline crack of the T1-harvested material (A4) is a structural void by construction — no query this turn or next can produce a signal for it, so its continued silence is uninformative, not exculpatory (D2); rotating svc-mssql's credential, already done and replicated, remains the actual invariant fix regardless of how that resolves (D3). (b) The unmanaged device at 10.61.204.19 sits entirely outside this environment's telemetry (no EDR, no CMDB record) — its silence in this turn's console check is the same structural blind spot restated, not corroboration of benignity. The strongest signal on it remains the composite already assembled in Turn 3: an unrecognized non-corporate address, using an account whose ticket material was confirmed harvested in the RC4 subset of the burst, spawning an interactive cmd.exe (hands-on-keyboard, not routine service automation) on the crown-jewel host — three individually weak/degraded observables (per C3/D5, dfSqlLogon itself is degraded-by-legitimacy and clears nothing alone) that corroborate each other toward "this was very likely an actual intrusion foothold," even though EDR's own session reconstruction found no LSASS access, persistence, staging, or further pivot within that specific session.

Coverage/robustness conclusions, reaffirmed: Kerberoast remains covered@L2-only via dfKerbRc4 (obsRc4EncType), with the L4 dfKerbVolume backstop still absent and still unauthorable mid-incident; varAesRoast/low-and-slow harvesting would still evade to zero today. AS-REP roasting remains notCovered/SILENT, already spot-checked clean. The SQLPROD-01 logon surface remains this environment's single most over-credited face — model-derived live, true state degraded-by-legitimacy — and this turn's session-state check is explicitly a manual state confirmation, not trust placed in that face. The offline-crack step remains, and will remain through the end of this exercise, structurally invisible to any control in this environment.

Exit-criteria flag for the Turn 5 decision (not decided yet): isolation becomes de-escalate-eligible only if this turn's 10.61.204.19 domain-wide pulls (actions 1-2) return null everywhere AND the session-state check (action 3) shows the session already self-terminated with nothing further; it stays (or escalates, e.g. broadened isolation or full svc-mssql account disable) if that address shows up authenticating elsewhere or the session is still open. One loose, unattributed device with a demonstrated hands-on-keyboard session on the crown-jewel host — discovered only by manually querying a face that is degraded by design — is not resolved by console quiet alone; I am not closing or de-escalating containment this turn.
Turn 5
InjectT5 — MANDATORY closing inject — SOC lead / detection-engineering debrief:
"Before we close: for the record —
(a) Name the behavior by its observable effect, and grade whether our deployed detection here is evasion-robust.
(b) If the adversary had requested AES tickets instead of RC4, would anything in THIS environment have caught it?
(c) Where does the offline credential crack appear in our telemetry, and what does its absence imply for how this chain must be detected?"
ActionsTurn 5 — closing turn, no new leads to chase, so actions are final-state verification + formal incident disposition, not new investigation:

1. Closing consolidated log snapshot, domain-wide, full incident window (T1→now): one final 4769/4624/4625 pull across all accounts/hosts, timestamped as the incident-record baseline, to certify (for the written closure) that nothing changed between Turn 4's re-verification and now — not a new query technique, just the formal "as-of-close" capture.
2. Final containment-state confirmation: verify SQLPROD-01 remains network-isolated, the svc-mssql interactive session remains terminated (no new 4624/4769 against that session or account since Turn 4), and j.rivera's reset still holds. No drift.
3. Disposition decisions, logged as of close:
- SQLPROD-01: isolation remains in effect — NOT lifted. The unattributed source (10.61.204.19) was never resolved to an owner/asset; per Turn 3/4 findings it has no EDR, no CMDB record, and no further reach beyond the one session already terminated. Absence of spread is not attribution — isolation stays until forensic imaging / IR hands back a clean bill, which is outside this exercise's scope.
- j.rivera: reset stands, no further action — no new evidence since the original burst.
- svc-mssql: rotation stands (already replicated domain-wide); session already terminated. This, not any detection outcome, is what neutralizes the harvested material (D3).
- 13 non-elevated SPN-targeted accounts: no action — confirmed low-privilege, no justification to burden them operationally.
- Unattributed device 10.61.204.19: escalate as a standing IR/threat-intel/network-forensics referral (not a SOC-console item — it sits entirely outside modeled telemetry per B0/A4's structural-void framing) — asset-ownership tracing is a physical/network-layer investigation this environment's tooling cannot perform.
4. Queue for post-incident change control (explicitly NOT deployed now — outside response latitude mid-incident):
(i) dfKerbVolume sourced on obsSpnHarvest (L4) — closes the invariant rung C1 currently leaves open;
(ii) a 4768/AS-REP analytic — closes C2's SILENT gap;
(iii) a compensating rule for privileged service accounts (starting with svc-mssql) alerting on Type-3 interactive logon from outside a small allowlisted host set — compensates for D5's degraded-by-legitimacy blind spot on dfSqlLogon, since the face itself cannot be fixed by control health;
(iv) written debrief note (below) answering the SOC lead's three questions for the incident record.

No new queries beyond the closing snapshot; no new isolation/account actions beyond what's already stood up; no new analytics deployed mid-incident.
RevealAction 1 — Closing consolidated log snapshot (4769/4624/4625, domain-wide, full incident window T1→now), certified as incident-record baseline:
Snapshot reproduces every prior finding exactly, with nothing new at any account or host: the 14-SPN/90s burst on j.rivera remains the only 4769 anomaly in the window (6×RC4/0x17, 8×AES/0x12); the single svc-mssql 4624 type-3 logon from 10.61.204.19 to SQLPROD-01 remains the only atypical logon in the window, with no repeat and no additional source addresses anywhere, on any account. The newly-added 4625 (failed-logon) sweep returns zero matches across the entire window — no failed-logon activity is associated with this incident at any point, on any host. Baseline captured, stable.

Action 2 — Final containment-state confirmation:
Confirmed, no drift: SQLPROD-01 shows no egress/ingress since isolation was applied; no new 4624 or 4769 references the svc-mssql account or session since Turn 4; j.rivera's credential reset remains in force, no successful auth under the old credential anywhere in the window. The conditional T4 EDR recon/DB-export inject never fired at any point in the log — consistent with containment having landed before that trigger condition could be met.

Action 3 — Disposition decisions (administrative, not a query):
Logged as stated; nothing in the domain-wide baseline (Action 1) contradicts any of the five dispositions. 10.61.204.19 remains, as of close, unattributed to any CMDB/EDR-enrolled asset in this environment — the standing referral is the only avenue this modeled telemetry supports.

Action 4 — Post-incident change-control queue + closing debrief:
Items (i)–(iii) are logged as queued/not-deployed, correctly kept outside this exercise's mid-incident response latitude. For the incident record: the debrief note itself was referenced ("below" / "answering... for the incident record") but its actual text answering the SOC lead's (a)/(b)/(c) was not transcribed into the closing report — the record as captured contains the disposition and the queued remediations, but no written narrative answer to the three debrief questions.
HypothesisAnswering the SOC lead's three closing questions directly, each grounded in what this incident actually showed:

(a) Name the behavior by observable effect; grade evasion-robustness of our deployed detection.
The behavior is mKerberoast (T1558.003, invariant core coreKerbHarvest): one domain principal (j.rivera) requesting TGS tickets for many distinct SPNs it never itself authenticates to — a harvest for offline cracking, named by that effect, not by tool. The *invariant*, spanning observable of this behavior is obsSpnHarvest (L4 — bound to the required behavior itself, evadable only by substantial tradecraft change). Our one deployed detect-face, dfKerbRc4, does not key on that invariant — it keys on obsRc4EncType, a *discriminating*, adversary-choosable request parameter, ceiling L2. Verdict: not evasion-robust. Constitutively "covered" (a live face exists), but policy-inadmissible (L2 < required L4 admission rank), and the L4 backstop that would actually close the invariant rung (dfKerbVolume) is authorable but was never sourced/deployed (C1). We caught this incident because the attacker's tooling happened to default 6 of 14 requests to RC4 — an artifact of attacker tool choice, not of our detection's robustness.

(b) If AES had been requested instead of RC4, would anything in this environment have caught it?
No. This isn't hypothetical — this incident already proved it empirically: 8 of the 14 requests in the *same* burst were already AES-encoded (enc-type 0x12), and produced zero independent alert; they only became visible because we manually pulled the raw log alongside the 6 RC4 hits the rule caught. Had the actor forced AES on all 14 (varAesRoast), the burst would manifest only obsSpnHarvest, and no deployed face in this environment reads that observable — dfKerbRc4's trigger requires obsRc4EncType, which an all-AES request never produces. The correlation rule would not fire, the SIEM console would stay quiet, and nothing else in the modeled tooling (SQL-EDR, 4624 logon feed) observes DC-side ticket issuance at all. Total evasion to zero.

(c) Where does the offline credential crack appear in our telemetry, and what does that imply?
Nowhere — and it never can. Per A4/B0/C4/D2, the crack happens on adversary-controlled hardware entirely outside this environment: no mc:Control observes off-environment activity, so there is no entity, no observable, and no possible Detectability for it. This is not a blinded or degraded face (which presupposes a face exists and lost its trigger) — it is a structural void, categorically different, and the four-valued health model has no way to distinguish "unobservable by nature" from "we lost a detector." Implication: this chain can never be closed by *waiting on detection* of the crack step. It must be keyed before it (the A1 harvest face — real but L2-limited per (a)/(b)) or after it (the A3 svc-mssql→SQLPROD-01 logon face — nominally live but truly degraded-by-legitimacy per D5, since a valid-credential logon by the account that legitimately owns that service is indistinguishable from normal operation). This is exactly why this incident's actual containment logic was invariant-based rather than alert-based throughout: the svc-mssql credential rotation (Turn 2) and the forced session termination (Turn 4) closed the exposure regardless of whether the crack itself, or reuse of its output, ever produced a signal — because by construction, neither can be relied upon to.

Closing coverage/robustness rollup (final): Kerberoast — covered@L2 only (dfKerbRc4/obsRc4EncType), policy-inadmissible, invariant L4 rung (dfKerbVolume/obsSpnHarvest) unsourced — AES and low-and-slow variants evade to zero today, demonstrated in-incident. AS-REP roasting — notCovered/SILENT (C2), spot-checked clean this incident, zero deployed analytic regardless. Lateral logon to SQLPROD-01 — the single most over-credited face in this environment: model rollup says live/covered, true state is degraded-by-legitimacy (C3/D5); this incident's own evidence (an unattributed device, harvested-account material, hands-on-keyboard shell) surfaced only by manual query against that face, never by it firing. Offline crack — SILENT/structurally unmodeled (C4/D2), permanently and by design. No detection outcome in this exercise ever cleared anything; every containment decision that mattered (svc-mssql rotation, session termination, sustained SQLPROD-01 isolation) was driven by the invariant/exposure logic in Part D of the card, not by console state. That is the核心 institutional finding to carry into change control: this environment's Kerberoast/lateral-movement chain is currently detected by luck (attacker RC4 default) at one end and is undetectable by construction at the other, with the single link between them (the crown-jewel logon) misreported as healthy by the coverage model itself.
Apache-2.0 · © The Maneuver Calculus contributors