F042 Suspicious. Validator: blocked
Explicit-credential logons (Event 4648) from DMZ-FTP$
Analyst narrative
Multiple 4648 explicit-credential logon events involving the DMZ-FTP$ machine account suggest credential reuse / lateral movement attempts. Candidates: cand-0091 through cand-0096.
Claims asserted
path: 4648 explicit credential logon dmz-ftp$
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
parse_event_logs