{"EventID":4624,"TimeCreated":"2024-10-24T00:19:01Z","Computer":"DC01.lifetechpharma.local","Channel":"Security","SubjectUserSid":"S-1-5-18","SubjectUserName":"SYSTEM","SubjectDomainName":"NT AUTHORITY","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-5-21-3847948241-1882284908-4023491847-1108","TargetUserName":"svc_backup","TargetDomainName":"LIFETECHPHARMA","TargetLogonId":"0x2a9f441","LogonType":3,"LogonProcessName":"NtLmSsp","AuthenticationPackageName":"NTLM","WorkstationName":"WS-IT-LEVI","IpAddress":"10.10.3.22","IpPort":49831,"LogonGuid":"{00000000-0000-0000-0000-000000000000}","TransmittedServices":"-","LmPackageName":"NTLM V2","KeyLength":128,"ProcessId":"0x0","ProcessName":"-","analyst_note":"⚠ svc_backup network logon (LogonType 3, NTLM) from WS-IT-LEVI at 02:19 IST — outside business hours, 2 min after VPN login from Istanbul"}
{"EventID":4672,"TimeCreated":"2024-10-24T00:19:01Z","Computer":"DC01.lifetechpharma.local","Channel":"Security","SubjectUserSid":"S-1-5-21-3847948241-1882284908-4023491847-1108","SubjectUserName":"svc_backup","SubjectDomainName":"LIFETECHPHARMA","SubjectLogonId":"0x2a9f441","PrivilegeList":"SeSecurityPrivilege\nSeTakeOwnershipPrivilege\nSeLoadDriverPrivilege\nSeBackupPrivilege\nSeRestorePrivilege\nSeDebugPrivilege\nSeSystemEnvironmentPrivilege\nSeEnableDelegationPrivilege\nSeImpersonatePrivilege\nSeDelegateSessionUserImpersonatePrivilege","analyst_note":"⚠ Special privileges assigned — svc_backup has Domain Admin-level rights (SeBackupPrivilege, SeDebugPrivilege, SeRestorePrivilege indicate elevated rights; 4672 reflects token privileges, not group membership, so confirm Domain Admins membership separately)"}
{"EventID":4624,"TimeCreated":"2024-10-25T01:41:03Z","Computer":"DC01.lifetechpharma.local","Channel":"Security","SubjectUserSid":"S-1-5-18","SubjectUserName":"SYSTEM","SubjectDomainName":"NT AUTHORITY","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-5-21-3847948241-1882284908-4023491847-1108","TargetUserName":"svc_backup","TargetDomainName":"LIFETECHPHARMA","TargetLogonId":"0x2b1a882","LogonType":3,"LogonProcessName":"NtLmSsp","AuthenticationPackageName":"NTLM","WorkstationName":"WS-IT-LEVI","IpAddress":"10.10.3.22","IpPort":49944,"LogonGuid":"{00000000-0000-0000-0000-000000000000}","TransmittedServices":"-","LmPackageName":"NTLM V2","KeyLength":128,"ProcessId":"0x0","ProcessName":"-","analyst_note":"⚠ svc_backup logon from WS-IT-LEVI at 03:41 IST — off hours, the day after the first VPN intrusion"}
{"EventID":4624,"TimeCreated":"2024-11-01T07:18:04Z","Computer":"DC01.lifetechpharma.local","Channel":"Security","SubjectUserSid":"S-1-5-18","SubjectUserName":"SYSTEM","SubjectDomainName":"NT AUTHORITY","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-5-21-3847948241-1882284908-4023491847-1108","TargetUserName":"svc_backup","TargetDomainName":"LIFETECHPHARMA","TargetLogonId":"0x2c8a003","LogonType":3,"LogonProcessName":"NtLmSsp","AuthenticationPackageName":"NTLM","WorkstationName":"WS-IT-LEVI","IpAddress":"10.10.3.22","IpPort":50112,"LogonGuid":"{00000000-0000-0000-0000-000000000000}","TransmittedServices":"-","LmPackageName":"NTLM V2","KeyLength":128,"ProcessId":"0x0","ProcessName":"-","analyst_note":"svc_backup logon from WS-IT-LEVI — 4 minutes after C2 reconnection at 07:14 IST (GAP-001 ends); note TimeCreated 07:18Z is 09:18 IST, so reconcile the timezone of the 07:14 reference"}
{"EventID":4624,"TimeCreated":"2024-11-06T00:09:11Z","Computer":"DC01.lifetechpharma.local","Channel":"Security","SubjectUserSid":"S-1-5-18","SubjectUserName":"SYSTEM","SubjectDomainName":"NT AUTHORITY","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-5-21-3847948241-1882284908-4023491847-1108","TargetUserName":"svc_backup","TargetDomainName":"LIFETECHPHARMA","TargetLogonId":"0x2e91a44","LogonType":3,"LogonProcessName":"NtLmSsp","AuthenticationPackageName":"NTLM","WorkstationName":"WS-IT-LEVI","IpAddress":"10.10.3.22","IpPort":50882,"LogonGuid":"{00000000-0000-0000-0000-000000000000}","TransmittedServices":"-","LmPackageName":"NTLM V2","KeyLength":128,"ProcessId":"0x0","ProcessName":"-","analyst_note":"⚠ svc_backup logon on the night of the formula exfiltration — off hours (02:09 IST); session 0x2e91a44 is the one used for the DCSync events below"}
{"EventID":4672,"TimeCreated":"2024-11-06T00:09:11Z","Computer":"DC01.lifetechpharma.local","Channel":"Security","SubjectUserSid":"S-1-5-21-3847948241-1882284908-4023491847-1108","SubjectUserName":"svc_backup","SubjectDomainName":"LIFETECHPHARMA","SubjectLogonId":"0x2e91a44","PrivilegeList":"SeSecurityPrivilege\nSeTakeOwnershipPrivilege\nSeLoadDriverPrivilege\nSeBackupPrivilege\nSeRestorePrivilege\nSeDebugPrivilege\nSeSystemEnvironmentPrivilege\nSeEnableDelegationPrivilege\nSeImpersonatePrivilege\nSeDelegateSessionUserImpersonatePrivilege","analyst_note":"Domain Admin-level token privileges again confirmed for svc_backup session 0x2e91a44 (same PrivilegeList as the 2024-10-24 4672)"}
{"EventID":4662,"TimeCreated":"2024-11-06T00:48:33Z","Computer":"DC01.lifetechpharma.local","Channel":"Security","SubjectUserSid":"S-1-5-21-3847948241-1882284908-4023491847-1108","SubjectUserName":"svc_backup","SubjectDomainName":"LIFETECHPHARMA","SubjectLogonId":"0x2e91a44","ObjectServer":"DS","OperationType":"Object Access","ObjectType":"{19195a5b-6da0-11d0-afd3-00c04fd930c9}","ObjectName":"DC=lifetechpharma,DC=local","HandleId":"0x0","AccessList":"%%5136\n%%5137\n%%5141","AccessMask":"0x100","Properties":"{19195a5b-6da0-11d0-afd3-00c04fd930c9}\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ab-9c07-11d1-f79f-00c04fc2dcd2}\n{89e95b76-444d-4c62-991a-0facbeda640c}","AdditionalInfo":"SubjectDomainName: LIFETECHPHARMA\nObjectDN: DC=lifetechpharma,DC=local","analyst_note":"🔴 CRITICAL: DCSync — DS-Replication-Get-Changes + DS-Replication-Get-Changes-All + DS-Replication-Get-Changes-In-Filtered-Set exercised on the domain NC (AccessMask 0x100 = control access). Verify the Properties GUIDs before citing Get-Changes-All: {1131f6aa} is Get-Changes and {89e95b76} is Get-Changes-In-Filtered-Set, but {1131f6ab} maps to DS-Replication-Synchronize, not Get-Changes-All ({1131f6ad}). 4662 carries no IpAddress — the source is attributed via SubjectLogonId 0x2e91a44, which matches the 4624 from WORKSTATION IP 10.10.3.22 (WS-IT-LEVI). NOT a DC. NOT in pentest VLAN (10.10.99.x). This is credential harvesting."}
{"EventID":4662,"TimeCreated":"2024-11-06T00:48:44Z","Computer":"DC01.lifetechpharma.local","Channel":"Security","SubjectUserSid":"S-1-5-21-3847948241-1882284908-4023491847-1108","SubjectUserName":"svc_backup","SubjectDomainName":"LIFETECHPHARMA","SubjectLogonId":"0x2e91a44","ObjectServer":"DS","OperationType":"Object Access","ObjectType":"{bf967aba-0de6-11d0-a285-00aa003049e2}","ObjectName":"CN=krbtgt,CN=Users,DC=lifetechpharma,DC=local","HandleId":"0x0","AccessList":"%%1537","AccessMask":"0x10","Properties":"{bf967a9c-0de6-11d0-a285-00aa003049e2}\n{00299570-246d-11d0-a768-00aa006e0529}","AdditionalInfo":"SubjectDomainName: LIFETECHPHARMA\nObjectDN: CN=krbtgt,CN=Users,DC=lifetechpharma,DC=local","analyst_note":"🔴 CRITICAL: krbtgt hash read via DCSync (11 s after the domain-NC replication access in the same session 0x2e91a44) — Golden Ticket creation is now possible. All Kerberos tickets must be considered compromised; remediation requires resetting the krbtgt password twice, allowing replication to complete between the resets."}
{"EventID":4662,"TimeCreated":"2024-11-06T00:48:51Z","Computer":"DC01.lifetechpharma.local","Channel":"Security","SubjectUserSid":"S-1-5-21-3847948241-1882284908-4023491847-1108","SubjectUserName":"svc_backup","SubjectDomainName":"LIFETECHPHARMA","SubjectLogonId":"0x2e91a44","ObjectServer":"DS","OperationType":"Object Access","ObjectType":"{bf967aba-0de6-11d0-a285-00aa003049e2}","ObjectName":"CN=Administrator,CN=Users,DC=lifetechpharma,DC=local","HandleId":"0x0","AccessList":"%%1537","AccessMask":"0x10","Properties":"{bf967a9c-0de6-11d0-a285-00aa003049e2}\n{00299570-246d-11d0-a768-00aa006e0529}","AdditionalInfo":"SubjectDomainName: LIFETECHPHARMA\nObjectDN: CN=Administrator,CN=Users,DC=lifetechpharma,DC=local","analyst_note":"Built-in Domain Administrator account hash read via DCSync (same session 0x2e91a44, 7 s after krbtgt)"}
{"EventID":4624,"TimeCreated":"2024-11-15T19:52:04Z","Computer":"DC01.lifetechpharma.local","Channel":"Security","SubjectUserSid":"S-1-5-18","SubjectUserName":"SYSTEM","SubjectDomainName":"NT AUTHORITY","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-5-21-3847948241-1882284908-4023491847-2201","TargetUserName":"svc_finreport","TargetDomainName":"LIFETECHPHARMA","TargetLogonId":"0x3f88a01","LogonType":3,"LogonProcessName":"NtLmSsp","AuthenticationPackageName":"NTLM","WorkstationName":"WS-CFO-01","IpAddress":"10.10.1.45","IpPort":51044,"LogonGuid":"{00000000-0000-0000-0000-000000000000}","TransmittedServices":"-","LmPackageName":"NTLM V2","KeyLength":128,"ProcessId":"0x0","ProcessName":"-","analyst_note":"svc_finreport used from WS-CFO-01 for lateral movement to SERVER-FIN-01 (this 4624 is the authentication against DC01; the SERVER-FIN-01 access is evidenced in other records)"}