F046 · Inconclusive · validator: blocked
Event log evidence of credential logon with SYSTEM context (Lateral Movement / Credential Theft)
Event log entries: EventID 4648, 4611, 4625 with SYSTEM/dmz-ftp$ credential context
Analyst narrative
Event log entries (EventID 4648, 4611, 4625) documenting explicit-credential logons under the SYSTEM account (S-1-5-18) to the account dmz-ftp$. Multiple entries across 2018 (May–August) suggest persistent lateral movement or credential reuse. Candidates: cand-0091 through cand-0096. Fact IDs: event_log_fact-0029467, event_log_fact-0031358, event_log_fact-0032980, event_log_fact-0033770, event_log_fact-0033929, event_log_fact-0035590.
Claims asserted
path: Security event log with explicit credential logons to dmz-ftp$
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it and to the forensic tool that produced that fact. This trace is the result of a single finding_trace() query.
Source tools
parse_event_logs