Created by: J. Krarup (Infrastructure Lead)
Notes: HANSEN-SAP-01 scheduled for decommission. Target date 2024-09-01. CaliSyncPro dependency identified β migration to cloud-native service required before shutdown. Security patching paused pending decommission.
Large Group Artifacts: Winnti β Biotech R&D Espionage
Team-specific evidence cards for Multi-Team Coordination format (12-15+ players). Print all cards, sort by team and tier, and keep face-down until the release point for each round. One set per team β do not mix teams.
Organization: BioGenix Solutions (DK)
Round 1 β Initial Indicators (IC #1)
Release at start of Round 1 (2 cards per team)
Alpha x2 β Bravo x2 β Charlie x2
A-R1-1 | ALPHA β HANSEN-SAP-01 CaliSyncPro Installation Analysis
CrowdStrike Falcon β Software Inventory
CaliSyncPro β v4.2.0
Vendor: CaliSync Instrumentation GmbH
Install Date: 2025-11-18
Install Path: C:\Program Files\CaliSync\CaliSyncPro\
SHA256: a8f3b2c7d1e04f5a9b6c2d8e3f7a1b4c5d6e7f8091a2b3c4d5e6f7081929a3b4
Signed By: CaliSync Instrumentation GmbH
Certificate SN: 4A9F02B1C3D7E8F6
OCSP Status: VALID
CRL Status: NOT REVOKED
EDR Coverage β HANSEN-SAP-01
CrowdStrike Falcon agent: NOT INSTALLED
Windows Defender: Definitions last updated 2023-04-11
Last security scan: No record available
Host Context
OS: Windows Server 2016 (Build 14393)
Last patched: 2023-04-11 (KB5025228)
Network segment: 10.12.4.0/24 (Legacy/Integration)
Collaborative Bridge VPN: Active
Analysis direction: Alpha is looking at the server CFCS indicators pointed to. CaliSyncPro v4.2.0 matches the CFCS advisoryβs vendor delivery vector. The certificate is valid β supply chain puzzle. The critical finding is the EDR gap: no Falcon agent, no Defender definitions since 2023, no scan history. Alpha is blind on this server. They should conclude: we need to do a memory scan because we have zero visibility into whatβs running. That drives the Round 2 memory forensics card. If teams ask about calibration workstations: the workstations are standard operator stations with no CaliSyncPro installed and no indicators of compromise. CaliSyncPro runs only on HANSEN-SAP-01.
A-R1-2 | ALPHA β Azure AD Sign-In Log Extract
| Timestamp | User | Application | IP Address | Status | Risk Level | Auth Method | MFA | Conditional Access |
|---|---|---|---|---|---|---|---|---|
| 2026-04-15 20:02:41 | svc-monitoring-01 | AZURE-MON-01 | 10.12.3.10 | Success | LOW | Kerberos | N/A (svc) | PASSED |
| 2026-04-15 20:14:02 | j.henriksen@biogenix | AZURE-RD-ENV-01 | 10.12.1.44 | Success | LOW | Kerberos | Verified | PASSED |
| 2026-04-15 20:38:17 | l.sorensen@biogenix | AZURE-COLLAB-01 | 10.12.1.88 | Success | LOW | Kerberos | Verified | PASSED |
| 2026-04-15 21:03:18 | m.nielsen@biogenix | AZURE-COLLAB-01 | 10.12.1.52 | Success | LOW | Kerberos | Verified | PASSED |
| 2026-04-15 21:22:09 | svc-sync-agent | AZURE-SYNC-01 | 10.12.2.20 | Success | LOW | Kerberos | N/A (svc) | PASSED |
| 2026-04-15 21:47:55 | r.madsen@biogenix | AZURE-RD-ENV-01 | 10.12.1.71 | Success | LOW | Kerberos | Verified | PASSED |
| 2026-04-15 22:01:33 | k.vestergaard@biogenix | AZURE-RD-ENV-01 | 85.191.44.12 | Success | MEDIUM | Kerberos | Verified | PASSED |
| 2026-04-15 22:20:18 | svc-rdbridge-admin | AZURE-RD-ENV-01 | 198.51.100.201 | Success | HIGH | NTLM | NOT REQ | BYPASSED |
| 2026-04-15 22:44:51 | p.frandsen@biogenix | AZURE-COLLAB-01 | 10.12.1.63 | Success | LOW | Kerberos | Verified | PASSED |
| 2026-04-15 23:15:42 | autosync-backup@biogenix | AZURE-BACKUP-01 | 10.12.2.10 | Success | LOW | Kerberos | N/A (svc) | PASSED |
| 2026-04-16 00:00:08 | svc-backup-nightly | AZURE-BACKUP-01 | 10.12.2.10 | Success | LOW | Kerberos | N/A (svc) | PASSED |
| 2026-04-16 01:30:07 | svc-monitoring-01 | AZURE-MON-01 | 10.12.3.10 | Success | LOW | Kerberos | N/A (svc) | PASSED |
| 2026-04-16 02:14:22 | a.christensen@biogenix | AZURE-RD-ENV-01 | 10.12.1.95 | Success | LOW | Kerberos | Verified | PASSED |
| 2026-04-16 04:00:01 | svc-sync-agent | AZURE-SYNC-01 | 10.12.2.20 | Success | LOW | Kerberos | N/A (svc) | PASSED |
Analysis direction: 14 sign-in entries over the 10-hour window. The svc-rdbridge-admin entry at 22:20:18 is the attacker session β NTLM auth, HIGH risk, no MFA, Conditional Access BYPASSED, from an external IP. The k.vestergaard entry is MEDIUM risk due to an external IP (VPN from home) but uses Kerberos with MFA verified β a legitimate remote worker. Several service accounts appear with expected patterns. Teams must identify the anomalous entry themselves by examining the auth method, risk level, MFA status, and Conditional Access fields.
B-R1-1 | BRAVO β Collaborative Bridge VPN Connection Log
Collaborative Bridge VPN Gateway β Authentication Log
Period: 2026-04-15 08:00:00 UTC to 2026-04-16 08:00:00 UTC
| Timestamp | Account | Source IP | Auth Type | Destination | Status |
|---|---|---|---|---|---|
| 2026-04-15 08:02:14 | svc-monitoring-01 | 10.12.3.10 | Kerberos | AZURE-MON-01 | CONNECTED |
| 2026-04-15 08:15:33 | t.lundberg@biogenix | 10.12.1.37 | Kerberos | AZURE-COLLAB-01 | CONNECTED |
| 2026-04-15 09:44:18 | svc-sync-agent | 10.12.2.20 | Kerberos | AZURE-SYNC-01 | CONNECTED |
| 2026-04-15 10:02:07 | svc-backup-incremental | 10.12.2.10 | Kerberos | AZURE-BACKUP-01 | CONNECTED |
| 2026-04-15 10:02:07 | svc-backup-incremental | 10.12.2.10 | Kerberos | AZURE-BACKUP-01 | DISCONNECTED (completed) |
| 2026-04-15 12:30:44 | h.eriksen@biogenix | 10.12.1.56 | Kerberos | AZURE-RD-ENV-01 | CONNECTED |
| 2026-04-15 14:15:22 | svc-sync-agent | 10.12.2.20 | Kerberos | AZURE-SYNC-01 | CONNECTED |
| 2026-04-15 14:15:22 | svc-sync-agent | 10.12.2.20 | Kerberos | AZURE-SYNC-01 | DISCONNECTED (completed) |
| 2026-04-15 16:48:09 | t.lundberg@biogenix | 10.12.1.37 | Kerberos | AZURE-COLLAB-01 | DISCONNECTED (user) |
| 2026-04-15 17:02:31 | h.eriksen@biogenix | 10.12.1.56 | Kerberos | AZURE-RD-ENV-01 | DISCONNECTED (user) |
| 2026-04-15 20:02:14 | svc-monitoring-01 | 10.12.3.10 | Kerberos | AZURE-MON-01 | CONNECTED |
| 2026-04-15 20:45:33 | svc-backup-nightly | 10.12.2.10 | Kerberos | AZURE-BACKUP-01 | CONNECTED |
| 2026-04-15 22:20:18 | svc-rdbridge-admin | 198.51.100.201 | NTLM | AZURE-RD-ENV-01 | CONNECTED |
| 2026-04-15 23:58:11 | n.poulsen@biogenix | 10.12.1.42 | Kerberos | AZURE-COLLAB-01 | FAILED (expired password) |
| 2026-04-16 00:00:08 | svc-backup-nightly | 10.12.2.10 | Kerberos | AZURE-BACKUP-01 | DISCONNECTED (completed) |
| 2026-04-16 01:30:07 | svc-monitoring-01 | 10.12.3.10 | Kerberos | AZURE-MON-01 | CONNECTED |
| 2026-04-16 04:00:01 | svc-sync-agent | 10.12.2.20 | Kerberos | AZURE-SYNC-01 | CONNECTED |
| 2026-04-16 04:00:01 | svc-sync-agent | 10.12.2.20 | Kerberos | AZURE-SYNC-01 | DISCONNECTED (completed) |
| 2026-04-16 06:12:44 | svc-monitoring-01 | 10.12.3.10 | Kerberos | AZURE-MON-01 | CONNECTED |
Analysis direction: 19 VPN sessions over 24 hours. The svc-rdbridge-admin entry at 22:20:18 is the attacker session β NTLM auth from an external IP while all other sessions use Kerberos from internal subnets. Teams must identify this themselves. The failed password attempt from n.poulsen is noise (legitimate user, expired credential). The monitoring and sync service accounts appear at regular intervals. Bravo should note the auth type discrepancy and the external source IP as the key anomalies.
B-R1-2 | BRAVO β HANSEN-SAP-01 Outbound Traffic Log
| Timestamp (UTC) | Destination | Port | Protocol | Volume | TLS SNI |
|---|---|---|---|---|---|
| 2026-04-14 23:00:12 | ctldl.windowsupdate.com | 80 | HTTP | 1.8 KB | β |
| 2026-04-15 01:14:22 | 203.0.113.44 | 443 | HTTPS | 1.2 KB | graph.microsoft.com |
| 2026-04-15 01:19:22 | 203.0.113.44 | 443 | HTTPS | 0.8 KB | graph.microsoft.com |
| 2026-04-15 06:14:22 | 203.0.113.44 | 443 | HTTPS | 1.2 KB | graph.microsoft.com |
| 2026-04-15 06:19:22 | 203.0.113.44 | 443 | HTTPS | 0.8 KB | graph.microsoft.com |
| 2026-04-15 08:00:11 | settings-win.data.microsoft.com | 443 | HTTPS | 2.4 KB | settings-win.data.microsoft.com |
| 2026-04-15 11:14:22 | 203.0.113.44 | 443 | HTTPS | 1.2 KB | graph.microsoft.com |
| 2026-04-15 11:19:22 | 203.0.113.44 | 443 | HTTPS | 0.8 KB | graph.microsoft.com |
| 2026-04-15 16:14:22 | 203.0.113.44 | 443 | HTTPS | 1.2 KB | graph.microsoft.com |
| 2026-04-15 16:19:22 | 203.0.113.44 | 443 | HTTPS | 0.8 KB | graph.microsoft.com |
| 2026-04-15 20:02:14 | vendor-sync.calisync-gmbh.de | 443 | HTTPS | 8.4 KB | vendor-sync.calisync-gmbh.de |
| 2026-04-15 21:14:22 | 203.0.113.44 | 443 | HTTPS | 1.2 KB | graph.microsoft.com |
| 2026-04-15 21:19:22 | 203.0.113.44 | 443 | HTTPS | 0.8 KB | graph.microsoft.com |
| 2026-04-15 22:24:33 | 203.0.113.44 | 443 | HTTPS | 842 MB | graph.microsoft.com |
| 2026-04-15 23:48:17 | 203.0.113.44 | 443 | HTTPS | 614 MB | graph.microsoft.com |
| 2026-04-16 02:14:22 | 203.0.113.44 | 443 | HTTPS | 1.2 KB | graph.microsoft.com |
| 2026-04-16 02:19:22 | 203.0.113.44 | 443 | HTTPS | 0.8 KB | graph.microsoft.com |
| 2026-04-16 04:00:01 | ocsp.digicert.com | 80 | HTTP | 0.4 KB | β |
Analysis direction: 18 outbound connections from HANSEN-SAP-01 over 48 hours. The 203.0.113.44 traffic dominates β regular small beacon-like connections every 5 hours (1.2 KB then 0.8 KB) plus two much larger transfers on April 15 evening (842 MB and 614 MB). All connections to 203.0.113.44 use TLS SNI βgraph.microsoft.comβ but the destination IP does not belong to any Microsoft range. The vendor-sync.calisync-gmbh.de connection is legitimate CaliSync telemetry for comparison. Teams should notice: (1) the beacon pattern with consistent 5-hour intervals, (2) the SNI mismatch β claiming to be Microsoft Graph but going to a non-Microsoft IP, (3) the two large transfers on April 15 evening that break the normal beacon pattern, matching the GenixLibrary core collection access timestamps from C-R2-1. The 90-day baseline for this server shows the same beacon pattern going back months.
C-R1-1 | CHARLIE β CFCS Tip-Off: European Life Sciences Campaign Advisory
CFCS Sector Threat Advisory
Authority: Center for Cybersikkerhed (CFCS)
Date issued: 2026-04-14
Classification: TLP:AMBER β share with incident response team only
Summary
CFCS has identified an ongoing supply chain compromise campaign targeting European life sciences and pharmaceutical R&D organizations. Multiple European CSIRTs are tracking this campaign through the EU CSIRTs Network. Three confirmed victims in Germany, Netherlands, and Switzerland have been identified in the past six months.
Observed TTPs
- Initial access: Vendor-signed calibration and instrumentation software updates distributing kernel-level payloads via legitimate vendor update portals
- Persistence: Kernel rootkits using Direct Kernel Object Manipulation (DKOM) to hide processes from standard endpoint enumeration tools
- Lateral movement: NTLM Pass-the-Hash via legacy authentication exceptions in hybrid cloud environments, targeting service accounts with cloud resource access
- Exfiltration: HTTPS traffic mimicking Microsoft Graph API telemetry via TLS SNI header spoofing on port 443
- Operational pattern: Off-hours activity clustered between 00:00-03:00 UTC and 08:00-11:00 UTC, low-volume distributed sessions designed to avoid DLP volume thresholds
Indicators
Domain family: graph-*-sync.bioanalytics.net
Infrastructure range: 203.0.113.0/24
Delivery vector: Vendor-signed calibration software updates
Registration pattern: NameCheap registrar, privacy-protected, 2-6 month old domains
Actor Assessment
Not formally attributed. TTPs are consistent with state-sponsored espionage targeting European biotechnology intellectual property. Campaign has been active since at least late 2025.
CFCS Requests
- Confirm or deny presence of indicators in your environment
- Preserve forensic artifacts, especially kernel driver binaries
- Share anonymized indicators if compromise is confirmed
This is the advisory that triggered the investigation. Charlie received it as part of the CFCS tip-off package. It describes the campaign TTPs without naming the actor β Charlie must build attribution from the evidence across rounds. The TTPs described here should match what Alpha and Bravo discover in their R1 cards (vendor-signed payload, NTLM lateral movement). At the cross-team briefing, Charlie should be able to say βAlphaβs findings match the CFCS advisory exactly.β The advisory does not tell them what to look for at BioGenix specifically β that is the investigation.
C-R1-2 | CHARLIE β Threat Intelligence Platform: CFCS Indicator Enrichment
graph-api-sync.bioanalytics.net
TI Platform β Indicator Enrichment Query
WHOIS
RegistrarNameCheap Inc.
Registration date2026-02-20
RegistrantREDACTED FOR PRIVACY
Name serversns1.bioanalytics.net, ns2.bioanalytics.net
DNS
A record203.0.113.44
First seen2026-02-22
Last seen2026-04-16 (active)
TTL3600
IP Enrichment: 203.0.113.44
ASNAS134567 β CloudServe International Ltd
HostingShared VPS, data center located in Frankfurt, DE
GeolocationFrankfurt, Germany (European point of presence)
Open ports443/tcp (HTTPS)
ReputationNo listings in major blocklists
VirusTotal0/87 (clean)
Related Domains (same registrant pattern)
bioanalytics.netregistered 2025-08-14
pharmacloud.netregistered 2025-03-22
labinstruments.ioregistered 2025-01-10
Passive DNS (203.0.113.44)
| Domain | Period |
|---|---|
| update-service.pharmacloud.net | 2025-07 to 2025-11 |
| sync-agent.labinstruments.io | 2025-04 to 2025-08 |
| graph-telemetry-sync.bioanalytics.net | 2025-09 to 2025-12 |
| api-health-check.bioanalytics.net | 2025-10 to 2026-01 |
| graph-api-sync.bioanalytics.net | 2026-02 to present |
Surface-level enrichment only. Charlie sees the passive DNS history showing previous domains on the same IP β these are campaign infrastructure rotations. The domains target pharma, lab instruments, and biotech. The VirusTotal score is clean β this infrastructure has not been flagged by the security community. Charlie should note the domain registration pattern (life sciences themed) and the passive DNS rotation, but should not yet have enough for attribution. The deeper analysis comes in Round 2.
Round 2 β Deep Analysis (IC #1)
Release at start of Round 2 (3 cards per team)
Alpha x3 β Bravo x3 β Charlie x3
A-R2-1 | ALPHA β HANSEN-SAP-01 Memory Forensics Output
Memory Scan Report β HANSEN-SAP-01
Scan Method: Hardware-Assisted Enumeration (Hypervisor DKOM check)
Timestamp: 2026-04-16 08:32:14 UTC
Installed CaliSyncPro version: v4.2.0 (released 2025-11-18)
vol3 -f HANSEN-SAP-01.mem windows.hidden_modules
Module at 0xFFFFF80012A40000
Size: 147,456 bytes
Signing Certificate: CaliSync Instrumentation GmbH (SN 4A9F02B1C3D7E8F6)
Certificate Status: VALID
Hook: NtQuerySystemInformation
vol3 -f HANSEN-SAP-01.mem windows.pslist --diff hardware
Standard tasklist.exe: 87 processes
Hardware enumeration: 92 processes
PID 4028: svchost.exe ESTABLISHED 203.0.113.44:443 [ACTIVE]
PID 4032: lsass.exe Injected thread (0xFFFFF80012A40000+0x2400)
PID 4036: svchost.exe File I/O: \\GenixLibrary\* (recursive)
PID 4040: System Kernel thread (watchdog, 30-sec interval)
PID 4100: svchost.exe Disk I/O: \\.\PhysicalDrive0\Partition4 (hidden)
Analysis direction: The process count discrepancy (87 vs 92) is the entry point β teams must notice 5 processes are hidden from standard tools. The raw PID data shows what each hidden process is doing but doesnβt label the roles. Teams should work out: 4028 is a C2 beacon (active outbound to the known C2 IP), 4032 is credential harvesting (injected into lsass), 4036 is enumerating GenixLibrary files, 4040 is a watchdog, 4100 is staging data to a hidden partition. PID 4028 is active right now β isolating HANSEN-SAP-01 drops this connection but the kernel driver remains in memory. Memory image must be captured before isolation or reimaging. HANSEN-SAP-01 received the compromised CaliSyncPro update (v4.2.0) in November 2025. The rootkit activated immediately (first VPN session December 10). CaliSyncPro is only installed on HANSEN-SAP-01 β the calibration workstations are standard operator stations with no CaliSyncPro and no indicators of compromise.
A-R2-2 | ALPHA β Supply Chain Certificate & Delivery Verification
π
CaliSync Instrumentation GmbH β Code-Signing Certificate
Certificate Details
SubjectCN=CaliSync Instrumentation GmbH, O=CaliSync GmbH, C=DE
Serial Number4A9F02B1C3D7E8F6
IssuerCN=CaliSync Internal CA
Valid From2024-09-01T00:00:00Z
Valid To2026-09-01T00:00:00Z
Validation Status
Certificate StatusVALID
OCSP ResponseVALID
CRL StatusNOT REVOKED
Delivery Channel Verification
Source portalportal.calisync-gmbh.de (legitimate vendor portal)
Portal integrityNo signs of third-party modification or redirect
Update hashMatches vendor portal manifest
Distribution methodStandard vendor auto-update channel
Signing chainTrusted β chains to CaliSync Internal CA root
Analysis direction: This card establishes that the supply chain looks clean on paper β valid cert, legitimate portal, hash matches, signing chain trusted. The puzzle is not yet visible from this card alone. Alpha will likely conclude βCaliSync is cleanβ and move on.
Hold the behavioral analysis. When Alpha asks βwhat does the software actually do when it runs?β or βhave you looked at the payload behaviour?β β that is your cue to release the verbal supplement below.
Verbal supplement (release on demand β do not volunteer):
βYour dynamic analysis shows the payloadβs observed behaviour diverges significantly from its stated function. Expected: calibration data sync and telemetry reporting. Observed: spawns an encoded PowerShell command, queries domain service accounts, and deploys a kernel driver with DKOM capabilities. The behaviour is inconsistent with legitimate calibration software.β
After releasing this: let Alpha sit with both pieces of information β valid cert, malicious payload. The question they need to reach is βhow is this possible?β not βis CaliSync involved?β Push them toward the question, not the answer. If they ask directly βdoes this mean CaliSync was compromised?β say: βWhat explanations are consistent with a legitimately-signed package that does this?β β and let them list the possibilities (compromised build pipeline, stolen signing key, insider). All three are correct investigative directions. You do not need them to land on a specific one.
A-R2-3 | ALPHA β NTLM Authentication Forensics β svc-rdbridge-admin
Event Viewer
Windows Logs
Security
System
Application
| Level | Date and Time | Event ID | Target User | Source IP | Auth Package |
|---|---|---|---|---|---|
| βΉ | 2026-03-20 01:22:47 | 4624 | svc-backup-nightly | 10.12.2.10 | Kerberos |
| βΉ | 2026-03-20 01:24:11 | 4624 | svc-rdbridge-admin | 198.51.100.201 | NTLM |
| βΉ | 2026-03-27 03:11:09 | 4624 | svc-rdbridge-admin | 198.51.100.201 | NTLM |
| βΉ | 2026-04-02 00:44:31 | 4624 | svc-rdbridge-admin | 198.51.100.201 | NTLM |
| βΉ | 2026-04-02 00:48:17 | 4624 | svc-monitoring-01 | 10.12.3.10 | Kerberos |
| βΉ | 2026-04-08 02:07:58 | 4624 | svc-rdbridge-admin | 198.51.100.201 | NTLM |
| βΉ | 2026-04-14 01:14:22 | 4624 | svc-rdbridge-admin | 198.51.100.201 | NTLM |
| βΉ | 2026-04-14 02:00:14 | 4624 | svc-backup-nightly | 10.12.2.10 | Kerberos |
| βΉ | 2026-04-15 20:02:14 | 4624 | svc-monitoring-01 | 10.12.3.10 | Kerberos |
| βΉ | 2026-04-15 22:20:18 | 4624 | svc-rdbridge-admin | 198.51.100.201 | NTLM |
Source: HANSEN-SAP-01 and DC-BIOGEN-01 forwarded events
Filter: Event ID 4624 (Logon Type 3 β Network Logon)
Period: 2026-03-20 to 2026-04-16
Total entries: 10
Analysis direction: Raw Event 4624 entries showing network logons over the investigation period. The svc-rdbridge-admin entries all show NTLM auth from 198.51.100.201 while legitimate service accounts use Kerberos from internal IPs. Teams must identify the pattern themselves: recurring off-hours NTLM logons from an external IP with no preceding interactive logon (no Event 4648). The mix with legitimate service account logons means teams need to filter and correlate rather than read a pre-built summary.
B-R2-1 | BRAVO β Collaborative Bridge VPN Authentication Log β Full History
Collaborative Bridge VPN Authentication Log
Log period: 2026-03-20 to 2026-04-16 β Report generated: 2026-04-16 09:14:22 UTC
| Timestamp | Account | Source IP | Auth Type | Destination | Conditional Access | Status |
|---|---|---|---|---|---|---|
| 2026-03-20 01:22:47 | svc-rdbridge-admin | 198.51.100.201 | NTLM | AZURE-RD-ENV-01 | BYPASSED | CONNECTED |
| 2026-03-20 02:00:11 | svc-backup-nightly | 10.12.2.10 | Kerberos | AZURE-BACKUP-01 | PASSED | CONNECTED |
| 2026-03-20 02:47:33 | svc-backup-nightly | 10.12.2.10 | Kerberos | AZURE-BACKUP-01 | PASSED | DISCONNECTED |
| 2026-03-27 03:11:09 | svc-rdbridge-admin | 198.51.100.201 | NTLM | AZURE-RD-ENV-01 | BYPASSED | CONNECTED |
| 2026-03-27 08:00:14 | svc-monitoring-01 | 10.12.3.10 | Kerberos | AZURE-MON-01 | PASSED | CONNECTED |
| 2026-04-02 00:44:31 | svc-rdbridge-admin | 198.51.100.201 | NTLM | AZURE-RD-ENV-01 | BYPASSED | CONNECTED |
| 2026-04-02 02:00:09 | svc-backup-nightly | 10.12.2.10 | Kerberos | AZURE-BACKUP-01 | PASSED | CONNECTED |
| 2026-04-02 02:52:18 | svc-backup-nightly | 10.12.2.10 | Kerberos | AZURE-BACKUP-01 | PASSED | DISCONNECTED |
| 2026-04-08 02:07:58 | svc-rdbridge-admin | 198.51.100.201 | NTLM | AZURE-RD-ENV-01 | BYPASSED | CONNECTED |
| 2026-04-08 08:00:22 | svc-monitoring-01 | 10.12.3.10 | Kerberos | AZURE-MON-01 | PASSED | CONNECTED |
| 2026-04-14 01:14:22 | svc-rdbridge-admin | 198.51.100.201 | NTLM | AZURE-RD-ENV-01 | BYPASSED | CONNECTED |
| 2026-04-14 02:00:14 | svc-backup-nightly | 10.12.2.10 | Kerberos | AZURE-BACKUP-01 | PASSED | CONNECTED |
| 2026-04-15 02:00:08 | svc-backup-nightly | 10.12.2.10 | Kerberos | AZURE-BACKUP-01 | PASSED | CONNECTED |
| 2026-04-15 20:02:14 | svc-monitoring-01 | 10.12.3.10 | Kerberos | AZURE-MON-01 | PASSED | CONNECTED |
| 2026-04-15 22:20:18 | svc-rdbridge-admin | 198.51.100.201 | NTLM | AZURE-RD-ENV-01 | BYPASSED | CONNECTED |
Analysis direction: 15 VPN sessions spanning the full investigation period. The svc-rdbridge-admin entries (6 sessions) show a weekly pattern of off-hours NTLM access with Conditional Access BYPASSED, while all other accounts use Kerberos with Conditional Access PASSED. Teams must identify the pattern: recurring off-hours access, external IP, NTLM auth, CA bypass. The legitimate backup and monitoring sessions provide context for normal service account behavior.
B-R2-2 | BRAVO β Azure Conditional Access Bypass Detail
| Field | Value |
|---|---|
| Exception ID | COLLBRIDGE-EXCL-003 |
| Created | 2024-11-14 |
| Created by | IT Security Lead (M. Andersen) |
| Approved by | CTO (K. FΓΈnsmark) |
| Last reviewed | NEVER |
| Expiry date | NOT SET |
| Review cadence | NOT CONFIGURED |
| Policy Bypassed | Description |
|---|---|
| CA-POLICY-MFA-ALL | MFA required for all cloud authentication |
| CA-POLICY-NTLM-BLOCK | Block legacy authentication protocols |
| Scope | Detail |
|---|---|
| Account | svc-rdbridge-admin |
| Source | HANSEN-SAP-01 on-premise subnet (10.12.4.0/24) |
| Permits | NTLM authentication without interactive logon or MFA |
Justification (recorded 2024-11-14):
"Temporary β required during Collaborative Bridge integration phase. To be removed when HANSEN-SAP-01 decommission completes (ITSM-29847)."
"Temporary β required during Collaborative Bridge integration phase. To be removed when HANSEN-SAP-01 decommission completes (ITSM-29847)."
Analysis direction: Two actions are required to close the lateral movement path: (1) revoke svc-rdbridge-admin credentials and (2) close or scope COLLBRIDGE-EXCL-003. Revoking credentials alone is insufficient β the exception policy could enable re-exploitation via another compromised account in the HANSEN-SAP-01 subnet. The justification references ITSM-29847 β teams will find the full ticket in B-R2-3 (same round, same team).
B-R2-3 | BRAVO β Legacy Auth Exception Policy Record
ServiceNow β IT Service Management
ITSM-29847: HANSEN-SAP-01 Decommission β Blocked: Collaborative Bridge Dependency
Ticket
ITSM-29847
Status
OPEN
Priority
LOW
Category
Infrastructure / Decommission
Assigned to
UNASSIGNED
Created
2024-08-15
Updated
2024-11-02
Target date
2024-09-01 (OVERDUE)
Activity Log
2024-08-15 09:14:22 β State: NEW β OPEN
2024-09-01 00:00:00 β Automated: TARGET DATE PASSED
No resolution recorded. Ticket remains OPEN.
2024-09-12 14:33:07 β State: OPEN (no change)
Updated by: J. Krarup (Infrastructure Lead)
Notes: CaliSyncPro migration not scoped. Vendor has no cloud-native alternative. Decommission blocked until dependency resolved. Requesting SOC monitoring exclusion to reduce noise on decommission-backlog systems.
Notes: CaliSyncPro migration not scoped. Vendor has no cloud-native alternative. Decommission blocked until dependency resolved. Requesting SOC monitoring exclusion to reduce noise on decommission-backlog systems.
2024-09-14 10:08:44 β Related: SECOPS-EXCL-2024-017 created
SOC monitoring exclusion approved for HANSEN-SAP-01. Justification: Decommission backlog β alerts suppressed to avoid false positive noise during transition period.
2024-10-18 16:22:11 β Assignment change: J. Krarup β UNASSIGNED
J. Krarup departed organization. No handover recorded.
2024-11-02 11:45:33 β State: OPEN (no change)
Updated by: M. Andersen (IT Security Lead)
Notes: Collaborative Bridge integration completed. CaliSyncPro migration still pending. Created COLLBRIDGE-EXCL-003 to maintain HANSEN-SAP-01 connectivity via Collaborative Bridge. Priority set to LOW. No follow-up date scheduled.
Notes: Collaborative Bridge integration completed. CaliSyncPro migration still pending. Created COLLBRIDGE-EXCL-003 to maintain HANSEN-SAP-01 connectivity via Collaborative Bridge. Priority set to LOW. No follow-up date scheduled.
[No further updates β last activity 2024-11-02]
Analysis direction: The ticket history tells the governance failure story through timestamped state transitions. The attacker found this attack path β they did not create it. Teams should trace the chain: decommission blocked, patching paused, monitoring excluded, owner departed with no handover, exception created with no expiry or review date, then silence for 17 months. Each step had an existing process that was not followed through. The ServiceNow format makes it feel like an authentic ticket rather than a narrative summary.
C-R2-1 | CHARLIE β GenixLibrary Access Log Extract
GenixLibrary Access Log
Period: 2026-03-18 to 2026-04-16 β Export generated: 2026-04-16 09:30 UTC
| Timestamp | Account | Action | Target | Volume | Source Client |
|---|---|---|---|---|---|
| 2026-03-18 10:14:22 | d.kjaer@biogenix | READ | Fermentation-Seq-Archive/2024-Q3 | 240 MB | EntraID-SSO |
| 2026-03-18 14:33:07 | s.holm@biogenix | READ | Enzyme-Engineering-Core/ProductLine-04 | 180 MB | EntraID-SSO |
| 2026-03-19 09:45:11 | d.kjaer@biogenix | READ | Fermentation-Seq-Archive/2024-Q4 | 310 MB | EntraID-SSO |
| 2026-03-20 01:24:55 | svc-rdbridge-admin | READ | Fermentation-Seq-Archive/2022-Q1 | 1.8 GB | API-SvcConnect |
| 2026-03-20 02:00:08 | svc-genix-backup | READ | Full-Archive | 12.1 GB | GenixBackup-Agent |
| 2026-03-21 09:18:33 | m.vestergaard@biogenix | READ | Precision-Fermentation-IP/ActiveProject-02 | 520 MB | EntraID-SSO |
| 2026-03-24 11:02:44 | s.holm@biogenix | WRITE | Enzyme-Engineering-Core/ProductLine-04 | 88 MB | EntraID-SSO |
| 2026-03-27 02:48:11 | svc-rdbridge-admin | READ | Enzyme-Engineering-Core/ProductLine-01 | 1.6 GB | API-SvcConnect |
| 2026-03-27 02:00:14 | svc-genix-backup | READ | Full-Archive | 12.0 GB | GenixBackup-Agent |
| 2026-03-28 15:22:07 | a.lindgren@biogenix | READ | Precision-Fermentation-IP/ActiveProject-01 | 410 MB | EntraID-SSO |
| 2026-04-01 10:44:18 | d.kjaer@biogenix | READ | Fermentation-Seq-Archive/2025-Q1 | 290 MB | EntraID-SSO |
| 2026-04-02 00:51:22 | svc-rdbridge-admin | READ | Precision-Fermentation-IP/ActiveProject-01 | 2.0 GB | API-SvcConnect |
| 2026-04-03 02:00:11 | svc-genix-backup | READ | Full-Archive | 12.2 GB | GenixBackup-Agent |
| 2026-04-07 14:15:33 | m.vestergaard@biogenix | READ | Enzyme-Engineering-Core/ProductLine-06 | 380 MB | EntraID-SSO |
| 2026-04-08 02:14:44 | svc-rdbridge-admin | READ | Fermentation-Seq-Archive/2023-Q2 | 1.6 GB | API-SvcConnect |
| 2026-04-10 02:00:09 | svc-genix-backup | READ | Full-Archive | 12.1 GB | GenixBackup-Agent |
| 2026-04-11 09:33:22 | s.holm@biogenix | WRITE | Enzyme-Engineering-Core/ProductLine-04 | 124 MB | EntraID-SSO |
| 2026-04-14 01:18:07 | svc-rdbridge-admin | READ | GenixLib-Core-Collection-v1 | 1.1 GB | API-SvcConnect |
| 2026-04-15 14:00:11 | svc-genix-backup | READ | Incremental | 1.2 GB | GenixBackup-Agent |
| 2026-04-15 22:24:33 | svc-rdbridge-admin | READ | GenixLib-Core-Collection-v1 | 1.0 GB | API-SvcConnect |
| 2026-04-15 23:48:17 | svc-rdbridge-admin | READ | GenixLib-Core-Collection-v2 | 0.8 GB | API-SvcConnect |
Analysis direction: 21 access log entries spanning nearly 4 weeks. The svc-rdbridge-admin entries show off-hours batch reads with 1-2 GB volumes, while legitimate researchers access specific subdirectories during business hours with smaller volumes. The svc-genix-backup entries are weekly scheduled backups at consistent times. Teams must identify the anomalous pattern themselves: svc-rdbridge-admin accessing broad archive sections at night, then shifting to the core IP collections (v1 and v2) in the most recent sessions. The volume and timing differences between legitimate and suspicious access are visible but not labeled.
C-R2-2 | CHARLIE β C2 Infrastructure Deep Enrichment
C2 Infrastructure Enrichment Report
Primary: graph-api-sync.bioanalytics.net / 203.0.113.44
Primary Infrastructure
Domaingraph-api-sync.bioanalytics.net
IP203.0.113.44
RegistrarNameCheap (registered 2026-02-20, privacy-protected)
Hosting Analysis
ASNAS134567 β CloudServe International Ltd
TypeShared VPS, European PoP (Frankfurt, DE)
RotationNew IP allocation ~quarterly
2025-H2203.0.113.31 (active JulβNov 2025)
2025-H1203.0.113.17 (active JanβJun 2025)
Domain Registration Pattern
| Domain | Registered |
|---|---|
| bioanalytics.net | 2025-08-14 |
| graph-telemetry-sync.bioanalytics.net | 2025-09-01 |
| api-health-check.bioanalytics.net | 2025-10-15 |
| graph-api-sync.bioanalytics.net | 2026-02-20 |
| cdn-edge-04.bioanalytics.net | 2026-02-24 |
Operational Tempo Analysis
Cluster 100:00β03:00 UTC (= 08:00β11:00 UTC+8)
Cluster 208:00β11:00 UTC (= 16:00β19:00 UTC+8)
Passive DNS History (203.0.113.44)
| Domain | Period |
|---|---|
| update-service.pharmacloud.net | 2025-07 to 2025-11 |
| sync-agent.labinstruments.io | 2025-04 to 2025-08 |
| graph-telemetry-sync.bioanalytics.net | 2025-09 to 2025-12 |
| api-health-check.bioanalytics.net | 2025-10 to 2026-01 |
| graph-api-sync.bioanalytics.net | 2026-02 to present |
Target Profile & Cross-References
Sector targetingAll resolved domains target life sciences or pharmaceutical sectors
pharmacloud.netpharmaceutical cloud services theme
labinstruments.iolaboratory instrumentation theme
bioanalytics.netbiotech analytics theme
Confirmed victimsEuropean organizations with proprietary genomic, enzymatic, or molecular research data
BSI cross-refBSI-2025-CS-1247 (2025-H2) references European pharmaceutical R&D targeting from the same /24 infrastructure range
Analysis direction: Charlie sees the infrastructure pattern: quarterly IP rotation within the same /24 range, life sciences themed domains, UTC+8 operational tempo, and European biotech targeting. The BSI advisory cross-reference and passive DNS history show this is a sustained campaign, not a one-off. Charlie should combine the operational tempo (UTC+8 business hours), the target profile (European life sciences), and the infrastructure pattern to build an attribution hypothesis. The card does not name the actor β Charlie must make that deduction themselves.
C-R2-3 | CHARLIE β CFCS Intelligence Update: Cross-Victim Campaign Data
CFCS Intelligence Update
Reference: Follow-up to advisory dated 2026-04-14
Classification: TLP:AMBER
Cross-Victim Data
CFCS has compiled anonymized data from the three confirmed European victims.
Victim A (German biotech, reported via BSI 2025-12-18):
- Target data: Proprietary enzyme synthesis pathways
- Dwell time before detection: 4 months
- Exfiltration volume: Estimated 40β60 GB
- Detection trigger: External notification from sector ISAC
Victim B (Dutch pharmaceutical, reported via NCSC-NL 2026-01-29):
- Target data: Drug formulation research and clinical trial datasets
- Dwell time before detection: 3 months
- Exfiltration volume: Estimated 80β100 GB
- Detection trigger: Network infrastructure audit during compliance review
Victim C (Swiss biotech, reported via NCSC-CH 2026-02-14):
- Target data: Genomic sequence data and protein folding models
- Dwell time before detection: 5 months
- Exfiltration volume: Estimated 120 GB
- Detection trigger: External notification from CFCS
Common Patterns
All three victims used calibration or instrumentation software from European vendors as the initial access vector. All three had legacy authentication exceptions permitting NTLM access to cloud environments. In all three cases the exfiltration channel mimicked legitimate Microsoft API traffic.
Artifact Request
CFCS requests kernel driver artifacts from confirmed victims for binary comparison across the campaign. Chain of custody documentation required for cross-border intelligence sharing.
This update gives Charlie campaign context: dwell times, exfiltration volumes, and detection triggers from other victims. Charlie should notice that BioGenixβs dwell time is much shorter than other victims (3-4 weeks vs months) because CFCS tipped them off early. The exfiltration volumes at other victims (40-120 GB) contextualize BioGenixβs ~7 GB as partial β the attacker was interrupted before reaching the scale seen elsewhere. The common patterns section reinforces the TTPs without naming the actor. The artifact request creates a connection to Alphaβs forensic work.
Round 3 β Deepening Analysis (IC #2 Onboarding)
Release after handover, at start of Round 3 (1 card per team)
Alpha x1 β Bravo x1 β Charlie x1
A-R3-1 | ALPHA β Kernel Driver Activity Timeline Gap
Kernel Driver Activity Log β HANSEN-SAP-01
Source: Extracted from memory image (hardware-assisted enumeration)
Driver load address: 0xFFFFF80012A40000
Certificate SN: 4A9F02B1C3D7E8F6
timeline --driver 0xFFFFF80012A40000 --summary
Activity Timeline (summarized):
2025-12-10 01:22:47 UTC First recorded activity (matches first VPN session)
[...]
2026-04-16 08:31:26 UTC Last pre-gap entry: NtQuerySystemInformation hook active
---
2026-04-16 08:31:27 UTC GAP START β no events logged
2026-04-16 08:32:14 UTC GAP END β memory image capture timestamp
---
Duration: 47 seconds
Events in gap: 0 (all other 1-second intervals contain 1-4 events)
System Context
HANSEN-SAP-01 firmware version: 2023-06-14 (last update)
Scan method: Hardware-assisted hypervisor enumeration
Analysis direction: A 47-second gap in the kernel driverβs activity log during the memory capture window. Either the rootkit detected the scan and wiped its buffer (anti-forensics), or the outdated firmware caused a micro-reboot during hardware-assisted enumeration. Alpha cannot resolve this ambiguity with available data. The learning value is in Alphaβs response to evidential uncertainty β does it change their operational decisions (probably not, the memory image is still the best evidence), and should they disclose the gap to CFCS when sharing the artifact? A strong team notes the ambiguity and moves on. A less experienced team may spiral. If Alpha asks for a definitive answer, say: βYour forensics specialist is still working on it.β
B-R3-1 | BRAVO β Historical NetFlow Baseline Comparison
| Month | Avg Daily Volume (GB) | Change vs. Baseline |
|---|---|---|
| 2025-10 | 4.2 | β |
| 2025-11 (1β14) | 4.3 | +2% |
| 2025-11 (15β30) | 5.8 | +38% |
| 2025-12 | 5.6 | +33% |
| 2026-01 | 6.1 | +45% |
| 2026-02 | 5.9 | +40% |
| 2026-03 | 6.0 | +43% |
| 2026-04 (1β14) | 6.3 | +50% |
ITSM Context:
ITSM-30112 β Collaborative Bridge Batch-to-Realtime Migration
Completed: 2025-11-14
Scope: 3 integration workflows (SAP-finance, SAP-HR, SAP-logistics)
Expected impact: "Moderate increase in off-hours sync traffic due to near-real-time replication replacing nightly batch jobs."
Approved by: IT Operations Lead
Analysis direction: The 6-month NetFlow baseline shows a 30-50% increase in Collaborative Bridge traffic starting mid-November 2025 β but an ITSM-documented migration from batch to real-time sync (ITSM-30112) explains the bulk of the increase. The attackerβs svc-rdbridge-admin sessions (starting December 10, 1-2 per month, 2-3 GB each) are a small fraction hidden within the legitimate traffic increase. Bravo must confront the detection difficulty: aggregate volume monitoring would not have caught this. Only per-account traffic decomposition separates attacker from legitimate traffic. The 26-day gap between the ITSM change and the first attacker session is deliberately ambiguous β coincidence or opportunistic timing.
C-R3-1 | CHARLIE β C2 Infrastructure Rotation Alert
cdn-edge-04.bioanalytics.net
TI Platform β Passive DNS Alert β Infrastructure Rotation Detected
DNS Resolution History
Previous A record104.16.132.229 (Cloudflare)
Previous statusDormant β zero payload transfers
New A record203.0.113.88
Change detected2026-04-16 04:22:18 UTC (6 hours ago)
TTL300 (reduced from 3600)
IP Enrichment: 203.0.113.88
ASNAS134567 β CloudServe International Ltd
Same ASN as203.0.113.44
HostingShared VPS, Frankfurt, DE
Open ports443/tcp (HTTPS)
First seen2026-04-16 04:22:18 UTC
ReputationNo listings in major blocklists
CFCS Indicator Package Cross-Reference
| Domain | Previous IP | Current IP | Status | Notes |
|---|---|---|---|---|
| graph-api-sync.bioanalytics.net | 203.0.113.44 | 203.0.113.44 | Active C2 (confirmed) | Primary exfiltration endpoint |
| cdn-edge-04.bioanalytics.net | 104.16.132.229 | 203.0.113.88 | Active (changed 6h ago) |
Analysis direction: A previously dormant domain from the CFCS indicator package has rotated to a new IP in the same ASN as the confirmed C2. The reduced TTL (300 vs 3600) suggests the attacker is prepared for rapid DNS changes. Charlie should brief the IC immediately and coordinate with Bravo to block 203.0.113.88 at the perimeter. Two hypotheses: attacker detected IR and is rotating (Hypothesis A), or this is a pre-planned failover unrelated to detection (Hypothesis B). The rotation is actually pre-planned (B), but do not reveal this unless the team has already blocked the new IP. The learning value is in Charlieβs urgency assessment and cross-team coordination. This card also rewards teams that tracked the dormant domain from earlier TI enrichment.
Round 4 β Developments (IC #2)
Release at start of Round 4 (2 cards per team)
Alpha x2 β Bravo x2 β Charlie x2
A-R4-1 | ALPHA β Rootkit Capability Analysis
Functions
NtQuerySystemInformation
ZwReadFile
NtQueryDirectoryFile
ObRegisterCallbacks
PsSetCreateProcessNotifyRoutine
Binary Details
Binary: 0xFFFFF80012A40000 (147,456 bytes)
Signing Certificate: CaliSync Instrumentation GmbH (SN 4A9F02B1C3D7E8F6)
Hooked System Calls
0xFFFFF80011200400 nt!NtQuerySystemInformation β 0xFFFFF80012A40800
; Behavior: Filters process list to hide PIDs 4028, 4032, 4036, 4040, 4100
Behavioral Observations (sandbox analysis)
1. Process hiding: Active β standard enumeration returns 87 processes, hardware-assisted returns 92
2. Network activity: Periodic HTTPS POST to 203.0.113.44:443 at 300-second intervals, TLS SNI header set to graph.microsoft.com
3. LSASS injection: PID 4032 reads lsass.exe memory via direct kernel object reference, bypasses usermode API hooks
4. File enumeration: PID 4036 issues NtQueryDirectoryFile calls against mounted GenixLibrary shares, stores results in hidden partition
5. Compression: PID 4100 reads from hidden partition staging area, compresses using LZNT1 algorithm, queues for transmission via PID 4028
File I/O Trace (from sandbox execution)
PID 4036 NtQueryDirectoryFile: \\GenixLibrary\ (recursive)
PID 4036 ZwReadFile: \\GenixLibrary\Fermentation-Seq-Archive\2024-Q3\*.fasta
PID 4036 ZwReadFile: \\GenixLibrary\Enzyme-Engineering-Core\ProductLine-01\*.gb
PID 4100 ZwReadFile: \\?\HarddiskVolume4\staging\queue\*
PID 4100 LZNT1 compress: \\?\HarddiskVolume4\staging\compressed\*
Strings (extracted from binary)
\\GenixLibrary\*
\\GenixLibrary\Core-Collection-v*
\\GenixLibrary\Fermentation-Seq-Archive\*
\\GenixLibrary\Enzyme-Engineering-Core\*
.fasta
.gb
.gbk
.seq
.ab1
graph.microsoft.com
Content-Type: application/json
Analysis direction: The API imports and file I/O trace reveal a purpose-built espionage toolkit targeting life sciences R&D data. The file type targeting (.fasta, .gb, .gbk, .seq, .ab1) shows the rootkit is designed specifically for genomic sequence data β not a generic toolkit repurposed for this victim. The exfiltration mechanism: PID 4036 enumerates and reads from GenixLibrary, stages to a hidden partition, PID 4100 compresses with LZNT1, PID 4028 pushes it out via TLS SNI-spoofed HTTPS. The strings panel shows hardcoded GenixLibrary paths including core collection patterns β the attacker knew what they were looking for. Alpha should notice the specificity of the targeting and brief the IC on the sophistication of the operation.*
A-R4-2 | ALPHA β Lateral Movement Scope Expansion
Sources
Memory
Event Logs
SMB Sessions
SMB Connection Attempts (from PID 4036 network socket reconstruction)
| Timestamp | Direction | Target | Host | Response |
|---|---|---|---|---|
| 2026-04-07 02:14:08 | SYN β | 198.51.100.202:445 | HANSEN-SAP-02 | SYN-ACK |
| 2026-04-07 02:14:09 | SYN β | 198.51.100.203:445 | HANSEN-SAP-03 | RST |
| 2026-04-07 02:14:11 | SYN β | 10.12.4.15:445 | BIOGEN-PRINT-SVR-01 | SYN-ACK |
| 2026-04-07 02:14:12 | SYN β | 10.12.4.1:445 | BIOGEN-LEGACY-DC-01 | SYN-ACK |
Event ID 4624 β HANSEN-SAP-02 (198.51.100.202)
| Field | Value |
|---|---|
| Event ID | 4624 |
| Time Created | 2026-04-07 02:14:22 UTC |
| LogonType | 3 |
| TargetUserName | svc-rdbridge-admin |
| IpAddress | 198.51.100.201 |
| AuthenticationPackageName | NTLM |
| LogonProcessName | NtLmSsp |
File Access Events β HANSEN-SAP-02 (from Security Event Log)
| Event ID | Time Created | Object | Access | Account |
|---|---|---|---|---|
| 4663 | 2026-04-07 02:14:38 | D:\SAPData\ | READ (0x1) | svc-rdbridge-admin |
| 4663 | 2026-04-07 02:14:44 | D:\SAPData\Archive\ | READ (0x1) | svc-rdbridge-admin |
| 4663 | 2026-04-07 02:15:02 | D:\CaliSyncPro\Config\ | READ (0x1) | svc-rdbridge-admin |
No further Event 4663 entries for svc-rdbridge-admin on HANSEN-SAP-02 after 2026-04-07 02:15:02 UTC.
No Event 4624 entries for svc-rdbridge-admin on BIOGEN-PRINT-SVR-01 or BIOGEN-LEGACY-DC-01.
Analysis direction: The evidence shows PID 4036 scanned the legacy segment, got a successful SMB handshake on 3 of 4 hosts, authenticated on HANSEN-SAP-02 with the same NTLM hash, did 3 directory reads, then stopped. Why it stopped is for Alpha to investigate β was it the OS version? Did it find nothing useful? Was the rootkit incompatible? The lack of further activity after 3 directory reads is the puzzle. The port scan also hit a print server and a legacy domain controller but no logon events followed on those hosts. Teams must decide: does HANSEN-SAP-02 need forensic attention or just credential revocation?
B-R4-1 | BRAVO β Outbound HTTPS Traffic Analysis
| Destination | Resolved IP | Volume | Sessions |
|---|---|---|---|
| graph.microsoft.com | 20.190.159.0 | 43.2 GB | 14,822 |
| login.microsoftonline.com | 20.190.160.1 | 12.4 GB | 8,441 |
| storage.azure.com | 20.150.38.0 | 8.1 GB | 2,104 |
| settings-win.data.microsoft.com | 20.189.173.1 | 4.2 GB | 6,233 |
| definitionupdates.microsoft.com | 20.109.210.0 | 3.8 GB | 412 |
| cs.microsoft.com | 23.47.51.0 | 2.1 GB | 1,847 |
| go.microsoft.com | 23.35.180.0 | 1.4 GB | 944 |
| ctldl.windowsupdate.com | 23.48.23.0 | 0.9 GB | 3,122 |
| storeedgefd.dsx.mp.microsoft.com | 152.199.21.0 | 0.8 GB | 288 |
| dl.delivery.mp.microsoft.com | 152.199.21.0 | 0.6 GB | 44 |
| sensor-vortex.adobe.io | 18.162.88.0 | 0.4 GB | 1,204 |
| cdn.crowdstrike.com | 104.18.204.0 | 0.3 GB | 188 |
| vendor-sync.calisync-gmbh.de | 203.0.113.100 | 0.2 GB | 72 |
| ocsp.digicert.com | 93.184.220.0 | 0.1 GB | 4,811 |
| graph-api-sync.bioanalytics.net | 203.0.113.44 | ~10 GB | 18 |
| onedrive.live.com | 13.107.42.0 | 0.08 GB | 322 |
Analysis direction: 16 HTTPS destinations sorted by volume. The graph-api-sync.bioanalytics.net entry shows ~10 GB over only 18 sessions β an anomalous volume-to-session ratio compared to every other destination. Teams should notice the domain does not match any known Microsoft or vendor service, the resolved IP is in a different range from the legitimate Microsoft infrastructure, and the session count is extremely low for the volume transferred. The legitimate Microsoft Graph traffic (43 GB over 14,822 sessions) provides a direct comparison point. Bravo must identify the anomaly from the raw traffic table.
B-R4-2 | BRAVO β DLP Configuration and Alert Log
Blocked (24h)
2
Reviewed (24h)
1
svc-rdbridge-admin alerts
0
DLP Policy Configuration β Active Rules
| Rule ID | Rule Name | Threshold | Scope | Exclusions |
|---|---|---|---|---|
| DLP-001 | Daily Volume Cap | > 50 GB/day | All outbound HTTPS | None |
| DLP-002 | Sensitive File Outbound | Content match: PII, PHI, source (off-hours only) | User accounts | Service accounts excluded (svc-* pattern) |
| DLP-003 | Off-Hours Data Movement | Any outbound > 500 MB after 18:00 | User accounts only | Service accounts excluded (avoid scheduled task noise) |
| DLP-004 | Untrusted Destination | Outbound to non-allowlisted dest. | All accounts | Destinations matching *.microsoft.com SNI pattern |
| DLP-005 | Batch Read Anomaly | Not configured | β | β |
DLP Allowlist β Trusted Destination Patterns
| Pattern | Category | Added |
|---|---|---|
| *.microsoft.com | Microsoft services | 2024-01-15 |
| *.microsoftonline.com | Microsoft auth | 2024-01-15 |
| *.azure.com | Azure services | 2024-01-15 |
| *.crowdstrike.com | EDR vendor | 2024-03-22 |
| *.adobe.io | Adobe telemetry | 2024-06-10 |
| *.calisync-gmbh.de | Calibration vendor | 2024-09-01 |
DLP Alert Log β svc-rdbridge-admin (2026-03-20 to 2026-04-16)
| Alert ID | Timestamp | Rule | Account | Destination | Volume | Verdict |
|---|---|---|---|---|---|---|
| [No entries found for the specified account and period] | ||||||
DLP Alert Log β All Accounts (sample, 2026-04-15 to 2026-04-16)
| Alert ID | Timestamp | Rule | Account | Destination | Volume | Verdict |
|---|---|---|---|---|---|---|
| DLP-44921 | 2026-04-15 09:14:22 | DLP-002 | k.vestergaard | personal.onedrive | 82 MB | BLOCKED |
| DLP-44922 | 2026-04-15 14:33:07 | DLP-002 | m.nielsen | dropbox.com | 44 MB | BLOCKED |
| DLP-44923 | 2026-04-16 07:48:11 | DLP-003 | a.lindgren | storage.azure.com | 1.2 GB | REVIEWED (OK) |
Analysis direction: The DLP configuration and alert data lets Bravo figure out why no alerts fired for svc-rdbridge-admin. DLP-002 and DLP-003 exclude service accounts. DLP-004 allows destinations matching the .microsoft.com SNI pattern β the attackerβs TLS SNI spoofing exploits this. DLP-001 has a 50 GB/day threshold that distributed off-hours sessions never hit. DLP-005 (batch read anomaly) was never configured. The alert log shows the DLP system works for user accounts (blocking personal cloud uploads) but has blind spots for service accounts and SNI-spoofed destinations. Teams must trace through the rules themselves to identify which gaps the attacker exploited.*
C-R4-1 | CHARLIE β CFCS Victim A Recovery Debrief Summary
CFCS Cross-Victim Recovery Intelligence: Victim A
Victim profile: German biotech, ~2,400 employees, enzyme research
Compromise period: 4 months (detected via internal SOC alert)
Exfiltration confirmed: 40-60 GB proprietary research data
Containment to recovery: 6 weeks
What Victim A Did First (within 24 hours)
- Isolated compromised server and revoked service account credentials
- Did NOT close the Conditional Access exception for 72 hours -- attacker re-entered using a different harvested credential during that window
- Preserved memory image before isolation -- kernel driver artifact was available for CFCS
What Victim A Did Not Do (identified in retrospective)
- Did not notify the calibration software vendor for 11 days -- other customers continued receiving compromised updates
- Did not check whether other systems had the same vendor software installed -- discovered a second compromised server 3 weeks later
- Did not coordinate with CFCS on indicator sharing until day 8 -- delayed campaign-wide containment
- Reimaged the compromised server before extracting the full staging buffer contents -- lost visibility into exactly which files were exfiltrated
Victim A Recovery Sequence
- Week 1-2: Containment and forensic preservation (delayed by the CA exception gap)
- Week 3: Vendor notification and CFCS indicator sharing
- Week 4: R&D data access audit -- determined which research projects were exposed
- Week 5-6: System rebuild, monitoring upgrades, DLP reconfiguration
CFCS note: "Victim A's primary lesson: credential revocation without exception closure created a 72-hour re-entry window. Their secondary lesson: delayed vendor notification extended the campaign to at least one additional victim."
Analysis direction: This card gives Charlie a mirror to hold up against BioGenixβs own response. Victim A made specific mistakes that BioGenix may also be making right now: (1) revoked credentials but didnβt close the exception (same T2 threat clock issue), (2) delayed vendor notification (debrief question 4), (3) didnβt verify whether other systems in the environment were affected, (4) reimaged before full forensic extraction. Charlie should brief the IC with: βHereβs what another victim learned the hard way β which of these mistakes are we about to make?β The 72-hour re-entry window from the CA exception gap directly validates the two-step containment lesson from Round 2. If BioGenix hasnβt closed COLLBRIDGE-EXCL-003 yet, this card makes the consequence concrete.
C-R4-2 | CHARLIE β CFCS Forensic Comparison Results
CFCS Cross-Victim Kernel Driver Comparison
Reference: BioGenix kernel driver artifact (SHA256: 8a4f2e...d917) submitted 2026-04-16 10:30 UTC
Binary Comparison β Four Samples
| Sample | Size | Compile Time | Signer | Similarity to BioGenix |
|---|---|---|---|---|
| BioGenix (DK) | 147,456 B | 2025-11-28 09:14:22 UTC | CaliSync Instrumentation GmbH | β |
| Victim A (DE) | 147,456 B | 2025-08-14 09:11:47 UTC | LabTech Calibration AG | 94.2% |
| Victim B (NL) | 147,456 B | 2025-06-02 08:58:33 UTC | PharmaSync BV | 91.7% |
| Victim C (CH) | 143,360 B | 2025-03-19 09:22:08 UTC | BioInstruments SA | 87.3% |
Shared Characteristics
| Attribute | Value (all 4 samples) |
|---|---|
| Compiler | MSVC 14.29 (Visual Studio 2019) |
| Linker | 14.29.30133 |
| PDB path fragment | D:\dev\kdrv\release\ |
| Compile time pattern | All between 08:58 and 09:22 UTC |
| DKOM hook target | NtQuerySystemInformation (identical offset) |
| C2 protocol | HTTPS with TLS SNI spoofing (Microsoft Graph pattern) |
| Exfil compression | LZNT1 staging buffer (identical implementation) |
Variations Between Samples
| Attribute | Variation |
|---|---|
| Signing certificate | Different vendor for each victim (4 distinct CAs) |
| C2 domain | Different domain per victim (all *.bioanalytics.net) |
| File enumeration targets | Customized per victim (GenixLibrary paths for BioGenix, different research DB paths for others) |
| Driver size | Victim C is 4,096 bytes smaller (older version, fewer capabilities) |
CFCS Assessment
Binary similarity, shared toolchain, identical DKOM implementation, and consistent compile-time window across all four samples indicate a single development team producing customized builds per target. The compile times (08:58β09:22 UTC) are consistent with a working day starting at 17:00β17:30 in UTC+8. Each victim was compromised through a different calibration/instrumentation vendor, suggesting the actor maintains access to multiple vendor build pipelines or signing infrastructure simultaneously.
CFCS requests continued indicator sharing as BioGenix investigation progresses. Updated IoCs from all four victims will be distributed to European life sciences sector contacts under TLP:AMBER.
Analysis direction: This card returns value from the CFCS coordination that started in Round 1. Four kernel driver samples compared: identical toolchain, identical DKOM implementation, compile times all within a 24-minute window (mapping to late afternoon UTC+8). Charlie should notice: (1) the actor compromised four different calibration/instrumentation vendors β not just CaliSync β suggesting access to multiple build pipelines simultaneously; (2) the compile time pattern tightens the UTC+8 attribution from C-R2-2; (3) the PDB path fragment D:\dev\kdrv\release\ is a development artefact the attacker left in all four builds; (4) the similarity decreases over time (oldest sample = lowest similarity), consistent with ongoing development. Charlie should synthesize this with earlier TI work to produce an attribution assessment for the IC β but the card doesnβt tell them what to conclude. The CFCS closing paragraph reminds teams that the coordination relationship is bidirectional.