F016 Suspicious · validator: blocked
Explicit-credential logons (Event 4648) from DMZ-FTP$
Explicit credential logons from DMZ-FTP$ (Lateral Movement)
Analyst narrative
Multiple Event 4648 explicit-credential logon events using account dmz-ftp$ indicate lateral movement / credential use. Candidates cand-0091..cand-0096.
Claims asserted
path: event_log_fact-0029467
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
parse_event_logs