F026 · MEDIUM · Suspicious · validator: passed
Explicit credential usage by SYSTEM account (TA0008: Lateral Movement)
Event 4648 SYSTEM credential usage
Analyst narrative
Security event logs (Event ID 4648) document the SYSTEM account (S-1-5-18) performing explicit-credential logons targeting remote systems (DMZ-FTP$) with service principal names. Multiple instances across a 6-month span indicate persistent lateral-movement infrastructure.
Claims asserted
event_log · EventID 4648 SYSTEM lateral movement · parse_event_logs
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
parse_event_logs