F051 · Suspicious · validator: blocked
Credential access: explicit-credential logons with DMZ-FTP$
Explicit credential logon using DMZ-FTP$ machine account (Event 4648)
Analyst narrative
Candidates cand-0091..cand-0096 (fact_ids=event_log_fact-0029467 etc.). Repeated Event 4648 explicit-credential logons referencing S-1-5-18 and DMZ-FTP$ indicate credential reuse or pass-the-hash-style access.
Claims asserted
path · event_log_fact-0029467
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
get_amcache
parse_event_logs