F028 · Suspicious · validator: blocked
Explicit-credential logons indicating lateral movement
Explicit credential logon events from DMZ-FTP$ (Event ID 4648)
Analyst narrative
candidate cand-0091/cand-0092: multiple Event ID 4648 explicit-credential logons referencing S-1-5-18 / DMZ-FTP$ account, indicating credential reuse / lateral movement. fact_ids=event_log_fact-0029467, event_log_fact-0031358
Claims asserted
path: event_log_fact-0029467
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
get_amcache, parse_event_logs