This is a sample analysis — a simulated domain controller compromise scenario.
DC01-Security.evtx
48,312 events · 8 findings · 4 critical
AI Summary
gpt-4o-mini · 387 tokens
SUMMARY
- Critical brute-force attack: 847 failed logins in 5 minutes from 185.220.101.47 against Administrator and svc-backup accounts
- Audit log was cleared at 02:31 UTC — evidence destruction in progress
- DSRM password changed at 02:33 UTC — attacker installed a domain controller backdoor
- 3 encoded PowerShell scripts executed — likely payload download and C2 staging
- 2 suspicious scheduled tasks created under system-looking names for persistence
- svc-backup account added to Domain Admins — unauthorized privilege escalation
RISK
This domain controller shows signs of a complete compromise. The attacker gained initial access via credential attack, escalated to Domain Admin, installed multiple persistence mechanisms, and attempted to cover their tracks by clearing the audit log. If unaddressed, the attacker retains full domain control through the DSRM backdoor even if other access is removed.
KEY EVENTS
- 4625: 847 failed logons in 5 minutes — automated credential attack
- 1102: Audit log cleared — anti-forensics, attacker covering tracks
- 4794: DSRM password changed — persistent domain backdoor installed
- 4104: Encoded PowerShell executed — malware staging likely
- 4698: Scheduled tasks created — persistence after reboot
- 4728: svc-backup added to Domain Admins — unauthorized privilege grant
RECOMMENDED ACTIONS
1. Isolate DC01 from the network immediately pending forensic investigation
2. Reset the DSRM password on all domain controllers via ntdsutil
3. Remove svc-backup from Domain Admins and audit all privileged group memberships
4. Delete suspicious scheduled tasks: UpdateSync and WindowsDefenderCheck
5. Block 185.220.101.47 at the perimeter firewall
6. Reset credentials for Administrator and svc-backup accounts
7. Enable log forwarding to a remote SIEM before bringing DC01 back online
Findings (8) · 4 critical · 3 high
847 failed logins within 5m from 185.220.101.47 targeting Administrator (612x), svc-backup (189x) — brute-force attack likely
847 events · IDs: 4625 · Apr 30, 02:14 – Apr 30, 02:18
1 Security audit log clearing — strong indicator of active attack or cover-up
1 event · IDs: 1102 · Apr 30, 02:31
1 DSRM account password change — attacker persistence via domain admin backdoor
1 event · IDs: 4794 · Apr 30, 02:33
3 suspicious PowerShell scripts — encoded commands or download cradles detected
3 events · IDs: 4104 · Apr 30, 02:29 – Apr 30, 02:30
14 account lockouts — accounts: Administrator (9x), svc-backup (5x)
14 events · IDs: 4740 · Apr 30, 02:14 – Apr 30, 02:19
2 scheduled tasks created — common persistence technique — tasks: \Microsoft\Windows\UpdateSync (1x), \WindowsDefenderCheck (1x)
2 events · IDs: 4698 · Apr 30, 02:34 – Apr 30, 02:34
1 user added to privileged group — verify authorized — members: CORP\svc-backup (1x)
1 event · IDs: 4728 · Apr 30, 02:35
312 special privilege logons — review for unexpected admin access — users: CORP\svc-backup (298x), CORP\Administrator (14x)
312 events · IDs: 4672 · Apr 30, 02:20 – Apr 30, 04:58