Handout C: Lateral Movement Log

Collaborative Bridge VPN authentication log and Azure AD sign-in correlation compiled by the network security team at BioGenix Solutions. Covers the period from the initial attacker foothold on HANSEN-SAP-01 to confirmed access to the cloud R&D environment.


Collaborative Bridge VPN Auth Log – svc-rdbridge-admin

Collaborative Bridge VPN Authentication Log
Log period: 2025-12-10 to 2026-03-10
Account: svc-rdbridge-admin
Report generated: 2026-03-10 09:14:22 UTC

--- NTLM Authentication Events (No Preceding Interactive Logon) ---

Timestamp (UTC)           Source Host         Auth Type   CA (Conditional Access) Result
2025-12-10 01:22:47       HANSEN-SAP-01       NTLM        BYPASSED (COLLBRIDGE-EXCL-003)
2025-12-17 03:11:09       HANSEN-SAP-01       NTLM        BYPASSED (COLLBRIDGE-EXCL-003)
2025-12-29 00:44:31       HANSEN-SAP-01       NTLM        BYPASSED (COLLBRIDGE-EXCL-003)
2026-01-06 02:07:58       HANSEN-SAP-01       NTLM        BYPASSED (COLLBRIDGE-EXCL-003)
2026-01-14 01:55:22       HANSEN-SAP-01       NTLM        BYPASSED (COLLBRIDGE-EXCL-003)
2026-01-21 03:30:14       HANSEN-SAP-01       NTLM        BYPASSED (COLLBRIDGE-EXCL-003)
2026-02-03 00:18:47       HANSEN-SAP-01       NTLM        BYPASSED (COLLBRIDGE-EXCL-003)
2026-02-11 02:44:03       HANSEN-SAP-01       NTLM        BYPASSED (COLLBRIDGE-EXCL-003)
2026-02-18 01:29:55       HANSEN-SAP-01       NTLM        BYPASSED (COLLBRIDGE-EXCL-003)
2026-03-04 00:52:11       HANSEN-SAP-01       NTLM        BYPASSED (COLLBRIDGE-EXCL-003)
2026-03-09 22:20:18       HANSEN-SAP-01       NTLM        BYPASSED (COLLBRIDGE-EXCL-003)

Note: COLLBRIDGE-EXCL-003 is a legacy authentication exception created 2024-11-14.
Last reviewed: NEVER. Expiry date: NONE SET.

--- Azure AD Sign-In Events (svc-rdbridge-admin, HANSEN-SAP-01 source range) ---

Timestamp (UTC)           Target Resource         Risk    MFA
2025-12-10 01:22:51       AZURE-RD-ENV-01         HIGH    NOT REQUIRED (legacy auth)
2026-01-06 02:08:02       GENIX-PROD-01           HIGH    NOT REQUIRED (legacy auth)
2026-01-21 03:30:19       GENIX-PROD-01           HIGH    NOT REQUIRED (legacy auth)
2026-02-18 01:30:01       AZURE-RD-ENV-01         HIGH    NOT REQUIRED (legacy auth)
2026-03-04 00:52:16       GENIX-PROD-01           HIGH    NOT REQUIRED (legacy auth)
2026-03-09 22:20:23       AZURE-RD-ENV-01         HIGH    NOT REQUIRED (legacy auth)

IM NOTES (Do Not Show to Players):

  • The absence of any interactive logon for svc-rdbridge-admin from HANSEN-SAP-01 across all 11 sessions, paired with NTLM authentication sourced from that host, is the primary Pass-the-Hash indicator. The attacker harvested the account's NTLM hash from memory (via the PowerShell process chain in HANDOUT-A) and authenticated with it directly, never knowing the plaintext password. Debrief caveat: NTLM without an interactive logon is also how many service accounts behave normally; what makes this pattern hostile is the source, since all 11 sessions originate from the attacker's foothold.
  • COLLBRIDGE-EXCL-003 was created on 2024-11-14, during the Collaborative Bridge merger integration, and was never reviewed or given an expiry date. It caused Conditional Access to be bypassed for these sessions and allowed legacy (NTLM) authentication, which cannot carry an MFA challenge; that is why every Azure AD sign-in is rated HIGH risk yet shows MFA as not required. A stolen hash therefore needed nothing else to succeed: the one control that would have stopped this lateral movement was switched off for exactly this account.
  • The 11 sessions span roughly 13 weeks (2025-12-10 to 2026-03-09) at irregular intervals of about one to two weeks, and every one of them falls between 22:20 and 03:30 UTC. This is deliberate, low-volume collection paced to stay under volume-based anomaly thresholds; a per-account off-hours or new-source-host rule would have been far more likely to surface it than any volume threshold.
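
  The script below is an added worked example for this handout, not part of the original exercise material. It re-runs the correlation the network security team did by hand over the two tables above: it parses the VPN NTLM rows and the Azure AD sign-in rows (the handout's own exercise data, embedded verbatim), flags NTLM authentications from a host with no interactive logon on record for the account (the Pass-the-Hash heuristic), pairs each VPN auth with the cloud sign-in that follows it, extracts the Conditional Access exception identifier, and computes the cadence and off-hours pattern. The 30-second correlation window, the 22:00 to 06:00 UTC off-hours band and the empty set of interactive-logon hosts are assumptions of the example (the last one stated by the handout), not values taken from any real tenant.

```python
"""Added example for Handout C: re-run the handout's VPN/Azure AD correlation and the
Pass-the-Hash and cadence heuristics. Log rows are the handout's exercise tables; the
30-second window and 22:00-06:00 UTC off-hours band are assumptions of this example."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

TS_FMT = "%Y-%m-%d %H:%M:%S"
CORRELATION_WINDOW = timedelta(seconds=30)  # assumed VPN-auth-to-cloud-sign-in lag
OFF_HOURS = (22, 6)                         # assumed quiet band, 22:00 to 06:00 UTC

# VPN NTLM rows for svc-rdbridge-admin, copied from the handout table.
VPN_LOG = """\
2025-12-10 01:22:47       HANSEN-SAP-01       NTLM        BYPASSED (COLLBRIDGE-EXCL-003)
2025-12-17 03:11:09       HANSEN-SAP-01       NTLM        BYPASSED (COLLBRIDGE-EXCL-003)
2025-12-29 00:44:31       HANSEN-SAP-01       NTLM        BYPASSED (COLLBRIDGE-EXCL-003)
2026-01-06 02:07:58       HANSEN-SAP-01       NTLM        BYPASSED (COLLBRIDGE-EXCL-003)
2026-01-14 01:55:22       HANSEN-SAP-01       NTLM        BYPASSED (COLLBRIDGE-EXCL-003)
2026-01-21 03:30:14       HANSEN-SAP-01       NTLM        BYPASSED (COLLBRIDGE-EXCL-003)
2026-02-03 00:18:47       HANSEN-SAP-01       NTLM        BYPASSED (COLLBRIDGE-EXCL-003)
2026-02-11 02:44:03       HANSEN-SAP-01       NTLM        BYPASSED (COLLBRIDGE-EXCL-003)
2026-02-18 01:29:55       HANSEN-SAP-01       NTLM        BYPASSED (COLLBRIDGE-EXCL-003)
2026-03-04 00:52:11       HANSEN-SAP-01       NTLM        BYPASSED (COLLBRIDGE-EXCL-003)
2026-03-09 22:20:18       HANSEN-SAP-01       NTLM        BYPASSED (COLLBRIDGE-EXCL-003)
"""

# Azure AD sign-in rows, copied from the handout table.
AAD_LOG = """\
2025-12-10 01:22:51       AZURE-RD-ENV-01         HIGH    NOT REQUIRED (legacy auth)
2026-01-06 02:08:02       GENIX-PROD-01           HIGH    NOT REQUIRED (legacy auth)
2026-01-21 03:30:19       GENIX-PROD-01           HIGH    NOT REQUIRED (legacy auth)
2026-02-18 01:30:01       AZURE-RD-ENV-01         HIGH    NOT REQUIRED (legacy auth)
2026-03-04 00:52:16       GENIX-PROD-01           HIGH    NOT REQUIRED (legacy auth)
2026-03-09 22:20:23       AZURE-RD-ENV-01         HIGH    NOT REQUIRED (legacy auth)
"""

# The handout records no interactive logon for this account from any host.
INTERACTIVE_LOGON_HOSTS: Set[str] = set()

class VpnEvent(NamedTuple):
    ts: datetime
    source_host: str
    auth_type: str
    ca_result: str

class AadEvent(NamedTuple):
    ts: datetime
    resource: str
    risk: str
    mfa: str

def _parse(text: str, cls) -> list:
    """Each row: date, time, two single-token columns, then a free-text tail."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5:
            ts = datetime.strptime(f"{parts[0]} {parts[1]}", TS_FMT)
            rows.append(cls(ts, parts[2], parts[3], parts[4]))
    return rows

def parse_vpn(text: str = VPN_LOG) -> List[VpnEvent]:
    return _parse(text, VpnEvent)

def parse_aad(text: str = AAD_LOG) -> List[AadEvent]:
    return _parse(text, AadEvent)

def pass_the_hash_candidates(vpn: List[VpnEvent],
                             interactive_hosts: Set[str] = INTERACTIVE_LOGON_HOSTS) -> List[VpnEvent]:
    """NTLM auths from a host where the account has no interactive logon on record."""
    return [e for e in vpn if e.auth_type == "NTLM" and e.source_host not in interactive_hosts]

def correlate(vpn: List[VpnEvent], aad: List[AadEvent],
              window: timedelta = CORRELATION_WINDOW) -> List[Tuple[VpnEvent, Optional[AadEvent]]]:
    """Pair each VPN auth with the first cloud sign-in that follows it within the window."""
    return [(v, next((a for a in aad if timedelta(0) <= a.ts - v.ts <= window), None))
            for v in vpn]

def ca_exceptions(vpn: List[VpnEvent]) -> Set[str]:
    """Exception identifiers quoted in 'BYPASSED (<id>)' results."""
    return {m.group(1) for e in vpn
            for m in [re.search(r"BYPASSED \(([^)]+)\)", e.ca_result)] if m}

def cadence(vpn: List[VpnEvent]) -> Dict[str, object]:
    """Session count, overall span, inter-session gaps (rounded days), off-hours check."""
    ts = sorted(e.ts for e in vpn)
    gaps = [round((b - a).total_seconds() / 86400) for a, b in zip(ts, ts[1:])]
    start, end = OFF_HOURS
    return {
        "sessions": len(ts),
        "span_days": round((ts[-1] - ts[0]).total_seconds() / 86400),
        "min_gap_days": min(gaps),
        "max_gap_days": max(gaps),
        "all_off_hours": all(t.hour >= start or t.hour < end for t in ts),
    }

if __name__ == "__main__":
    vpn, aad = parse_vpn(), parse_aad()
    hits = sum(a is not None for _, a in correlate(vpn, aad))
    print(f"PtH candidates {len(pass_the_hash_candidates(vpn))}/{len(vpn)}, cloud sign-ins correlated {hits}")
    print(f"CA exceptions {sorted(ca_exceptions(vpn))}, cadence {cadence(vpn)}")
```

  Run against the handout rows, all 11 NTLM authentications are Pass-the-Hash candidates, 6 of them are followed within seconds by an Azure AD sign-in, the only exception identifier seen is COLLBRIDGE-EXCL-003, and the cadence comes out at 11 sessions over about 90 days, 6 to 14 days apart, all inside the off-hours band. The five VPN authentications with no paired cloud sign-in are worth raising with participants: the handout shows only the Azure AD side, so on-premises activity in those sessions is an open question rather than evidence of nothing happening.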

IM Facilitation Notes

  • Release after participants have scoped the Azure authentication anomaly in INJ-003.
  • Use the 11-session pattern to prompt discussion on attacker persistence and the detection window: roughly 90 days separate the first session (2025-12-10) from this report (2026-03-10). How long was this access active before detection, and what would have surfaced it earlier?
  • The COLLBRIDGE-EXCL-003 exception is a rich debrief point: merger integration creates temporary exceptions that become permanent attack paths without active lifecycle management.