PowerShell process memory injection (reflective load)

PowerShell process memory injection (reflective load)

Defense evasion via rundll32 with null command lines

Defense evasion via rundll32 with null command lines

Reflective PE-load PowerShell execution

cmd.exe launches staged p.exe (Execution)

PsExecSvc service registered (Lateral Movement / Persistence)

rundll32.exe defense-evasion chain (null cmdline)

rundll32.exe defense-evasion chain (null cmdline)

Security log cleared - Event 1102 (Defense Evasion)

Explicit-credential logons (Event 4648) from DMZ-FTP$

Admin-share access to 172.16.5.26 / 172.16.10.12

Outbound RDP (3389) and WinRM (5985) to internal hosts

PowerShell reflective DLL load / shellcode injection

Multiple rundll32 children with null command lines (injection/evasion)

Repeated outbound connections to internal peer on port 8080 (C2-like)

Image File Execution Options debugger on sethc.exe

Audit log cleared - anti-forensics

Explicit-credential logons indicating lateral movement

Admin-share access to internal host 172.16.5.26

Repeated DismHost execution from temp GUID staging paths

Nagios NCPA installer executed from temp

Encoded reflective-load PowerShell execution

Repeated beacon-like connections to 172.16.4.10:8080

Security event log cleared (anti-forensics)

Admin-share lateral movement to 172.16.5.26

Outbound SMB to internal hosts (lateral movement)

Image File Execution Options debugger on sethc.exe

Explicit-credential logons (4648) from DMZ-FTP$

Encoded/reflective-load PowerShell execution

Repeated outbound connections to 172.16.4.10:8080 (beacon-like)

SMB admin-share access to 172.16.5.26

Outbound WinRM (5985) connection to 172.16.5.21

Outbound RDP attempts to 172.16.4.5

Anti-forensics: Security event log cleared

Credential access: explicit-credential logons with DMZ-FTP$

lateral movement admin share: ip:172.16.5.26

lateral movement admin share: ip:172.16.10.12

defense evasion anti forensics: event:1102 (audit log cleared) · microsoft-windows-eventlog