Handout A: Supply Chain Evidence

Large group equivalent: This handout maps to artifact cards A-R1-1 + A-R1-2.

Captured from system inventory and Azure AD log review 30 minutes after initial alert escalation at BioGenix Solutions.


HANSEN-SAP-01 System Profile
Type: System inventory + software audit
Source: IT asset management and manual system review, HANSEN-SAP-01 (10.12.4.50), 2026-04-16 08:30 UTC
System Profile — HANSEN-SAP-01
Hostname: HANSEN-SAP-01
IP Address: 10.12.4.50
OS: Windows Server 2016 (Build 14393)
Last Patched: 2023-04-12 (3 years ago)
EDR Agent: NOT INSTALLED — excluded from Defender scope per COLLBRIDGE-EXCL-003
Monitoring: EXCLUDED — SOC exclusion per ITSM-29847
Decommission Status: 18 months overdue — blocked by Collaborative Bridge VPN dependency
ITSM Ticket: ITSM-29847 (owner departed, unassigned)
Installed Software โ€” R&D Calibration
CaliSyncPro v4.2.0 (installed 2025-11-18) REVIEW
Vendor: CaliSync Instrumentation GmbH
SHA256: a8f3b2c7d1e04f5a9b6c2d8e3f7a1b4c5d6e7f8091a2b3c4d5e6f7081929a3b4
Signed By: CaliSync Instrumentation GmbH
Certificate SN: 4A9F02B1C3D7E8F6
OCSP Status: VALID · CRL Status: NOT REVOKED
Revocation Check at Install: SKIPPED — trusted vendor exception policy
Network Connectivity
Collaborative Bridge VPN: ACTIVE — NTLM authentication to Azure AD
Subnet: 10.12.4.0/24 (legacy infrastructure segment)
Conditional Access: BYPASSED via COLLBRIDGE-EXCL-003 (no MFA required)
Cross-Reference Note

IM NOTES (Do Not Show to Players):

  • OCSP and CRL status show VALID / NOT REVOKED – the certificate is genuinely legitimate. The supply chain attack means the build pipeline was compromised, not the certificate.
  • The revocation check was skipped at install time under the trusted vendor exception – this is the root policy gap that prevented detection at delivery.
  • HANSEN-SAP-01 is the active threat: 3 years unpatched, no EDR, no monitoring, decommission overdue, and CaliSyncPro installed with the compromised update.
Azure AD Sign-In Log Extract
Type: Azure AD sign-in log
Source: Azure AD Identity Protection, 2026-04-15 20:00 to 2026-04-16 06:00 UTC — HANSEN-SAP-01 subnet + reference accounts
Azure AD Sign-In Log
2026-04-15 20:00 – 2026-04-16 06:00 UTC, HANSEN-SAP-01 subnet + reference accounts
Timestamp (UTC)     | Account            | Source IP      | Risk | Auth Method | MFA      | Conditional Access
2026-04-15 14:31:02 | j.nielsen          | 198.51.100.44  | NONE | Kerberos    | Verified | PASSED
2026-04-15 16:48:19 | m.andersen         | 198.51.100.52  | NONE | Kerberos    | Verified | PASSED
2026-04-15 22:20:18 | svc-rdbridge-admin | 198.51.100.201 | HIGH | NTLM        | NOT REQ  | BYPASSED (COLLBRIDGE-EXCL-003)
2026-04-16 07:02:44 | k.foensmark        | 198.51.100.38  | NONE | Kerberos    | Verified | PASSED
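Added example for facilitators (not part of the original handout): a short triage script that parses the four rows of the extract above and flags the pattern the sign-in table is meant to surface, i.e. a legacy NTLM sign-in with no MFA and a Conditional Access result of BYPASSED under a named exclusion. The column names, the `LEGACY_AUTH` set and the reason labels are this example's own conventions; the log rows are copied from the handout.

```python
"""Triage an Azure AD sign-in extract for the legacy-VPN pattern seen in
this handout: NTLM authentication, no MFA, Conditional Access bypassed
under a named exclusion. Added example for the exercise, not part of the
original handout."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Rows copied from the handout's sign-in log extract. The column layout
# (timestamp, account, source IP, risk, auth method, MFA, CA result and an
# optional policy reference in parentheses) follows the handout's header.
SIGNIN_EXTRACT = """\
2026-04-15 14:31:02 j.nielsen 198.51.100.44 NONE Kerberos Verified PASSED
2026-04-15 16:48:19 m.andersen 198.51.100.52 NONE Kerberos Verified PASSED
2026-04-15 22:20:18 svc-rdbridge-admin 198.51.100.201 HIGH NTLM NOT REQ BYPASSED (COLLBRIDGE-EXCL-003)
2026-04-16 07:02:44 k.foensmark 198.51.100.38 NONE Kerberos Verified PASSED
"""

# Auth methods that cannot carry an MFA claim (assumed set for this
# example); any sign-in using them is unprotected by Conditional Access.
LEGACY_AUTH = {"NTLM"}


@dataclass
class SignIn:
    timestamp: datetime
    account: str
    source_ip: str
    risk: str
    auth_method: str
    mfa: str
    conditional_access: str
    policy_ref: Optional[str]  # exclusion ID quoted after a BYPASSED result


def parse_signin(line: str) -> SignIn:
    """Parse one whitespace-separated row of the extract."""
    parts = line.split()
    ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
    account, source_ip, risk, auth_method = parts[2:6]
    rest = parts[6:]
    # The MFA column is either one token ("Verified") or two ("NOT REQ").
    if rest[:2] == ["NOT", "REQ"]:
        mfa, rest = "NOT REQ", rest[2:]
    else:
        mfa, rest = rest[0], rest[1:]
    conditional_access = rest[0]
    policy_ref = rest[1].strip("()") if len(rest) > 1 else None
    return SignIn(ts.replace(tzinfo=timezone.utc), account, source_ip, risk,
                  auth_method, mfa, conditional_access, policy_ref)


def triage(extract: str) -> list:
    """Return (account, [reasons]) for every sign-in matching at least one
    risk indicator. Kerberos + verified MFA + CA PASSED yields no reasons
    and is dropped from the result."""
    findings = []
    for line in extract.splitlines():
        if not line.strip():
            continue
        s = parse_signin(line)
        reasons = []
        if s.auth_method in LEGACY_AUTH:
            reasons.append(f"legacy-auth:{s.auth_method}")
        if s.mfa != "Verified":
            reasons.append("mfa-not-verified")
        if s.conditional_access == "BYPASSED":
            reasons.append(f"ca-bypassed:{s.policy_ref or 'unknown-policy'}")
        if s.risk == "HIGH":
            reasons.append("identity-protection-risk:HIGH")
        if reasons:
            findings.append((s.account, reasons))
    return findings


if __name__ == "__main__":
    for account, reasons in triage(SIGNIN_EXTRACT):
        print(account, "->", ", ".join(reasons))
```

Run against the extract, only the svc-rdbridge-admin row is returned, carrying all four reasons; the three Kerberos rows pass every check. The point for discussion is that the single BYPASSED result is what ties the sign-in back to COLLBRIDGE-EXCL-003 in the system profile, so an alert rule keyed on "Conditional Access = BYPASSED" with a policy reference would have surfaced the host regardless of the Identity Protection risk score.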

IM Facilitation Notes

  • Release when participants ask for technical evidence of the initial compromise or the CaliSyncPro update details.
  • Use this handout to drive discussion on supply chain trust policy and the gap between vendor trust and certificate validation.