F032 · MEDIUM · Inconclusive · validator: passed
Explicit credential logon (Event 4648) from SYSTEM context to external accounts
Event 4648 explicit credential logons from SYSTEM context
Analyst narrative
Windows Security event 4648 ("A logon was attempted using explicit credentials") records the SYSTEM account (S-1-5-18) as the Subject and the credentials of other accounts (dmz-ftp$ and other service accounts; the trailing $ marks a computer account) as the Target, on multiple dates in May, June, July and August 2018. 4648 is written on the host where the credentials were presented, so this host is the source of the activity, and the Target Server Name and Process Name fields identify where the logon was aimed and which process supplied the credentials. The pattern is consistent with stolen credentials being reused for lateral movement, but it is not yet evidence of it: SYSTEM presenting a computer account is also how services and scheduled tasks reach the network, and 4648 records an attempt, not a successful logon. To move the finding beyond Inconclusive, check whether dmz-ftp$ is this host's own computer account or another machine's, record the process path and target server for each event, and correlate each 4648 with the matching 4624/4625 on the target server via the Logon GUID.
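The triage the narrative calls for, as an added example (it is not output of parse_event_logs or any other tool on this page): Windows Event XML for 4648 is parsed, each record with a SYSTEM subject is bucketed by whether the Target is the logging host's own computer account, another machine's computer account, or a user/service account, and the review-worthy records are grouped by target, target server and process with first/last seen and distinct-day spread. Host names, account names, dates and process paths are constructed sample data.

```python
"""Triage Windows Security event 4648 records whose Subject is SYSTEM.
Input is Windows Event XML (the schema wevtutil and Get-WinEvent ToXml() emit).
All sample records below are constructed; nothing here is taken from the case."""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSTEM_SID = "S-1-5-18"


def parse_4648(xml_text):
    """Flatten one Security event into a dict; return None unless it is 4648."""
    root = ET.fromstring(xml_text)
    sysnode = root.find("e:System", NS)
    if sysnode.find("e:EventID", NS).text.strip() != "4648":
        return None
    rec = {"time": sysnode.find("e:TimeCreated", NS).get("SystemTime"),
           "host": sysnode.find("e:Computer", NS).text.strip()}
    for data in root.find("e:EventData", NS).findall("e:Data", NS):
        rec[data.get("Name")] = (data.text or "").strip()
    return rec


def classify(rec):
    """Bucket a 4648 record relative to the host that logged it.

    SYSTEM presenting the host's own computer account (HOST$) is how services
    reach the network and is treated as expected.  SYSTEM presenting another
    host's computer account, or a user/service account, is the pattern in the
    finding and is returned for review.  Labels are triage buckets, not verdicts."""
    if rec.get("SubjectUserSid") != SYSTEM_SID:
        return "out-of-scope-subject-not-system"
    target = rec.get("TargetUserName", "")
    host_short = rec["host"].split(".")[0].upper()
    if target.endswith("$"):
        if target[:-1].upper() == host_short:
            return "expected-own-machine-account"
        return "review-foreign-machine-account"
    return "review-non-machine-account"


def triage(xml_records):
    """Return (counts_by_label, groups); groups is keyed by
    (TargetUserName, TargetServerName, ProcessName) and carries count,
    first/last timestamp and number of distinct days, the spread a proof
    chain for this claim would need to cite."""
    counts = defaultdict(int)
    groups = {}
    for xml_text in xml_records:
        rec = parse_4648(xml_text)
        if rec is None:
            continue
        label = classify(rec)
        counts[label] += 1
        if not label.startswith("review-"):
            continue
        key = (rec.get("TargetUserName"), rec.get("TargetServerName"), rec.get("ProcessName"))
        g = groups.setdefault(key, {"label": label, "count": 0, "first": rec["time"],
                                    "last": rec["time"], "days": set()})
        g["count"] += 1
        g["first"] = min(g["first"], rec["time"])   # ISO timestamps sort lexically
        g["last"] = max(g["last"], rec["time"])
        g["days"].add(rec["time"][:10])
    for g in groups.values():
        g["days"] = len(g["days"])
    return dict(counts), groups


def _event(time, host, subject_sid, subject_name, target, domain, server, process):
    """Build one constructed 4648 record in Windows Event XML (sample data only)."""
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><EventID>4648</EventID>'
            f'<TimeCreated SystemTime="{time}"/><Computer>{host}</Computer></System>'
            '<EventData>'
            f'<Data Name="SubjectUserSid">{subject_sid}</Data>'
            f'<Data Name="SubjectUserName">{subject_name}</Data>'
            f'<Data Name="TargetUserName">{target}</Data>'
            f'<Data Name="TargetDomainName">{domain}</Data>'
            f'<Data Name="TargetServerName">{server}</Data>'
            f'<Data Name="ProcessName">{process}</Data>'
            '</EventData></Event>')


SVCHOST = r"C:\Windows\System32\svchost.exe"
HOST = "web01.corp.example"   # constructed logging host
SAMPLE_EVENTS = [  # constructed: own machine account, foreign machine account x2, service account, non-SYSTEM subject
    _event("2018-05-03T02:11:09.000Z", HOST, SYSTEM_SID, "WEB01$", "WEB01$", "CORP", "dc01.corp.example", SVCHOST),
    _event("2018-05-03T03:40:51.000Z", HOST, SYSTEM_SID, "WEB01$", "dmz-ftp$", "CORP", "dmz-ftp.corp.example", SVCHOST),
    _event("2018-06-14T23:58:02.000Z", HOST, SYSTEM_SID, "WEB01$", "dmz-ftp$", "CORP", "dmz-ftp.corp.example", SVCHOST),
    _event("2018-08-20T01:05:17.000Z", HOST, SYSTEM_SID, "WEB01$", "svc-backup", "CORP", "localhost",
           r"C:\Windows\System32\taskhostw.exe"),
    _event("2018-07-02T09:30:00.000Z", HOST, "S-1-5-21-1111111111-2222222222-3333333333-1104", "jdoe",
           "administrator", "CORP", HOST, SVCHOST),
]

if __name__ == "__main__":
    counts, groups = triage(SAMPLE_EVENTS)
    print(counts)
    for key, g in groups.items():
        print(g["label"], key, g["count"], g["first"], g["last"], "days:", g["days"])
```

Feeding real exports in is a matter of replacing SAMPLE_EVENTS with the XML strings from the Security log; the grouping output is the table an analyst would attach as the typed fact behind the claim, and the "expected-own-machine-account" bucket is the noise that should be excluded before counting dates.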
Claims asserted
event_log · Event 4648 explicit logon from SYSTEM account · parse_event_logs
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query. No fact is linked to this finding's claim yet: the claim is asserted by parse_event_logs but not validated, which is why the status is Inconclusive.
Source tools
parse_event_logs