Handout C: Lateral Movement Log
Large group equivalent: This handout maps to artifact cards B-R23-1 + part of A-R1-2.
Collaborative Bridge VPN authentication log and Azure AD sign-in correlation completed by the network security team at BioGenix Solutions. Covers the period from initial attacker foothold on HANSEN-SAP-01 to confirmed cloud R&D environment access. Log period: 2026-03-20 to 2026-04-16.
Collaborative Bridge VPN Authentication Log — Full History
Log period: 2026-03-20 to 2026-04-16 — Report generated: 2026-04-16 09:14:22 UTC
| Timestamp | Account | Source IP | Auth Type | Destination | Conditional Access | Status |
|---|---|---|---|---|---|---|
| 2026-03-20 01:22:47 | svc-rdbridge-admin | 198.51.100.201 | NTLM | AZURE-RD-ENV-01 | BYPASSED | CONNECTED |
| 2026-03-20 02:00:11 | svc-backup-nightly | 10.12.2.10 | Kerberos | AZURE-BACKUP-01 | PASSED | CONNECTED |
| 2026-03-20 02:47:33 | svc-backup-nightly | 10.12.2.10 | Kerberos | AZURE-BACKUP-01 | PASSED | DISCONNECTED |
| 2026-03-27 03:11:09 | svc-rdbridge-admin | 198.51.100.201 | NTLM | AZURE-RD-ENV-01 | BYPASSED | CONNECTED |
| 2026-03-27 08:00:14 | svc-monitoring-01 | 10.12.3.10 | Kerberos | AZURE-MON-01 | PASSED | CONNECTED |
| 2026-04-02 00:44:31 | svc-rdbridge-admin | 198.51.100.201 | NTLM | AZURE-RD-ENV-01 | BYPASSED | CONNECTED |
| 2026-04-02 02:00:09 | svc-backup-nightly | 10.12.2.10 | Kerberos | AZURE-BACKUP-01 | PASSED | CONNECTED |
| 2026-04-02 02:52:18 | svc-backup-nightly | 10.12.2.10 | Kerberos | AZURE-BACKUP-01 | PASSED | DISCONNECTED |
| 2026-04-08 02:07:58 | svc-rdbridge-admin | 198.51.100.201 | NTLM | AZURE-RD-ENV-01 | BYPASSED | CONNECTED |
| 2026-04-08 08:00:22 | svc-monitoring-01 | 10.12.3.10 | Kerberos | AZURE-MON-01 | PASSED | CONNECTED |
| 2026-04-14 01:14:22 | svc-rdbridge-admin | 198.51.100.201 | NTLM | AZURE-RD-ENV-01 | BYPASSED | CONNECTED |
| 2026-04-14 02:00:14 | svc-backup-nightly | 10.12.2.10 | Kerberos | AZURE-BACKUP-01 | PASSED | CONNECTED |
| 2026-04-15 02:00:08 | svc-backup-nightly | 10.12.2.10 | Kerberos | AZURE-BACKUP-01 | PASSED | CONNECTED |
| 2026-04-15 20:02:14 | svc-monitoring-01 | 10.12.3.10 | Kerberos | AZURE-MON-01 | PASSED | CONNECTED |
| 2026-04-15 22:20:18 | svc-rdbridge-admin | 198.51.100.201 | NTLM | AZURE-RD-ENV-01 | BYPASSED | CONNECTED |
IM NOTES (Do Not Show to Players):
- The absence of any interactive logon event for svc-rdbridge-admin from 198.51.100.201 across all 6 sessions is the key Pass-the-Hash indicator: the account only ever appears as an NTLM network authentication (on the Windows side, Event ID 4624 with Logon Type 3 and authentication package NTLM, with no Type 2 or Type 10 logon for the account anywhere in the window). The attacker harvested the NTLM credential hash from memory (via the PowerShell process chain in HANDOUT-A) and replayed it directly without ever knowing the plaintext password.
- COLLBRIDGE-EXCL-003 was created during the Collaborative Bridge integration in late 2024 and was never reviewed or expired. It removed the only authentication control (Conditional Access with MFA) that would have stopped the lateral movement; every svc-rdbridge-admin session shows Conditional Access BYPASSED and MFA NOT REQUIRED.
- The legitimate backup and monitoring sessions (svc-backup-nightly, svc-monitoring-01) provide the contrast: normal service-account behaviour is Kerberos from internal subnets (10.12.2.10, 10.12.3.10) at fixed scheduled times, with Conditional Access PASSED.
- The roughly weekly cadence of attacker sessions (Mar 20, Mar 27, Apr 2, Apr 8, Apr 14, Apr 15) reflects deliberate low-volume collection to evade volume-based anomaly detection. Note that the gap shrinks to one day on Apr 14/15, the same two sessions that target GENIX-PROD-01/CoreCollections in the Azure AD sign-in log.
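The detection logic these notes describe, as an added example for the facilitator (not part of the original handout): it parses the VPN table above (rows copied in as a constructed sample), flags sessions matching the Pass-the-Hash profile (NTLM, external source, Conditional Access bypassed), and computes the inter-session cadence and total dwell time for the flagged account. The pipe-delimited row layout and the definition of "internal" as RFC 1918 space are assumptions for this example.

```python
"""Added example: flag Pass-the-Hash-style VPN sessions and measure their cadence.

Rows are a constructed sample copied from the handout's VPN table; the
pipe-delimited layout and the RFC 1918 'internal' definition are assumptions.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample: the 15 rows of the Collaborative Bridge VPN log, one per line.
VPN_LOG = """\
2026-03-20 01:22:47|svc-rdbridge-admin|198.51.100.201|NTLM|AZURE-RD-ENV-01|BYPASSED|CONNECTED
2026-03-20 02:00:11|svc-backup-nightly|10.12.2.10|Kerberos|AZURE-BACKUP-01|PASSED|CONNECTED
2026-03-20 02:47:33|svc-backup-nightly|10.12.2.10|Kerberos|AZURE-BACKUP-01|PASSED|DISCONNECTED
2026-03-27 03:11:09|svc-rdbridge-admin|198.51.100.201|NTLM|AZURE-RD-ENV-01|BYPASSED|CONNECTED
2026-03-27 08:00:14|svc-monitoring-01|10.12.3.10|Kerberos|AZURE-MON-01|PASSED|CONNECTED
2026-04-02 00:44:31|svc-rdbridge-admin|198.51.100.201|NTLM|AZURE-RD-ENV-01|BYPASSED|CONNECTED
2026-04-02 02:00:09|svc-backup-nightly|10.12.2.10|Kerberos|AZURE-BACKUP-01|PASSED|CONNECTED
2026-04-02 02:52:18|svc-backup-nightly|10.12.2.10|Kerberos|AZURE-BACKUP-01|PASSED|DISCONNECTED
2026-04-08 02:07:58|svc-rdbridge-admin|198.51.100.201|NTLM|AZURE-RD-ENV-01|BYPASSED|CONNECTED
2026-04-08 08:00:22|svc-monitoring-01|10.12.3.10|Kerberos|AZURE-MON-01|PASSED|CONNECTED
2026-04-14 01:14:22|svc-rdbridge-admin|198.51.100.201|NTLM|AZURE-RD-ENV-01|BYPASSED|CONNECTED
2026-04-14 02:00:14|svc-backup-nightly|10.12.2.10|Kerberos|AZURE-BACKUP-01|PASSED|CONNECTED
2026-04-15 02:00:08|svc-backup-nightly|10.12.2.10|Kerberos|AZURE-BACKUP-01|PASSED|CONNECTED
2026-04-15 20:02:14|svc-monitoring-01|10.12.3.10|Kerberos|AZURE-MON-01|PASSED|CONNECTED
2026-04-15 22:20:18|svc-rdbridge-admin|198.51.100.201|NTLM|AZURE-RD-ENV-01|BYPASSED|CONNECTED
"""

# Assumption: RFC 1918 space is 'internal'; any other source is external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
FIELDS = ("ts", "account", "src", "auth", "dest", "ca", "status")


def parse_log(text):
    """Parse pipe-delimited rows into dicts; the timestamp becomes a datetime."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        row = dict(zip(FIELDS, line.split("|")))
        row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_session(row):
    """Reasons a session matches the Pass-the-Hash lateral-movement profile.

    Each reason alone is weak (NTLM still exists in most estates); all three
    together on a service account is the pattern the handout calls out.
    """
    reasons = []
    if row["auth"].upper() == "NTLM":
        reasons.append("ntlm_auth")        # hash replay, no Kerberos ticket issued
    if not is_internal(row["src"]):
        reasons.append("external_source")  # service accounts should not roam
    if row["ca"].upper() == "BYPASSED":
        reasons.append("ca_bypassed")      # the exclusion removed the MFA gate
    return reasons


def detect(rows, min_reasons=3):
    """Return CONNECTED sessions carrying at least min_reasons indicators."""
    return [r for r in rows
            if r["status"] == "CONNECTED" and len(flag_session(r)) >= min_reasons]


def session_cadence(rows, account):
    """Whole days between successive CONNECTED sessions of one account."""
    times = sorted(r["ts"] for r in rows
                   if r["account"] == account and r["status"] == "CONNECTED")
    return [round((b - a).total_seconds() / 86400) for a, b in zip(times, times[1:])]


def dwell_days(rows, account):
    """Days from the first to the last CONNECTED session of the account."""
    times = [r["ts"] for r in rows
             if r["account"] == account and r["status"] == "CONNECTED"]
    return (max(times) - min(times)).days


if __name__ == "__main__":
    rows = parse_log(VPN_LOG)
    for r in detect(rows):
        print(r["ts"], r["account"], r["src"], "->", r["dest"], flag_session(r))
    print("cadence (days):", session_cadence(rows, "svc-rdbridge-admin"))
    print("dwell (days):", dwell_days(rows, "svc-rdbridge-admin"))
```

Run against the handout rows, only the six svc-rdbridge-admin sessions carry all three indicators; the backup and monitoring sessions carry none. The cadence comes out at 7, 6, 6, 6 and 2 days between sessions, and the account was active for 26 days between its first and last VPN connection, which is the detection window the facilitation notes ask participants to reason about.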
Azure AD Sign-In Log — svc-rdbridge-admin Sessions
| Timestamp (UTC) | Target Resource | Source IP | Risk | Auth Method | MFA | Conditional Access |
|---|---|---|---|---|---|---|
| 2026-03-20 01:22:51 | AZURE-RD-ENV-01 | 198.51.100.201 | HIGH | NTLM | NOT REQUIRED | BYPASSED (COLLBRIDGE-EXCL-003) |
| 2026-04-02 00:44:37 | GENIX-PROD-01 | 198.51.100.201 | HIGH | NTLM | NOT REQUIRED | BYPASSED (COLLBRIDGE-EXCL-003) |
| 2026-04-08 02:08:02 | GENIX-PROD-01 | 198.51.100.201 | HIGH | NTLM | NOT REQUIRED | BYPASSED (COLLBRIDGE-EXCL-003) |
| 2026-04-14 01:14:28 | GENIX-PROD-01/CoreCollections | 198.51.100.201 | HIGH | NTLM | NOT REQUIRED | BYPASSED (COLLBRIDGE-EXCL-003) |
| 2026-04-15 22:20:18 | GENIX-PROD-01/CoreCollections | 198.51.100.201 | HIGH | NTLM | NOT REQUIRED | BYPASSED (COLLBRIDGE-EXCL-003) |
IM Facilitation Notes
- Release after participants have scoped the Azure authentication anomaly.
- Use the 6-session VPN pattern (4 historical + 2 recent) to prompt discussion on attacker persistence and detection window: how long was this access active before CFCS tipped off BioGenix, and what would have surfaced it earlier?
- The shift from AZURE-RD-ENV-01 to GENIX-PROD-01/CoreCollections in the recent sessions is a key observation: the attacker escalated targeting based on strategic file classification.
- COLLBRIDGE-EXCL-003 is a rich debrief point: system integration creates temporary exceptions that become permanent attack paths without active lifecycle management.
- If participants ask about the full scope of GenixLibrary access, answer: the access log analysis is still in progress.