Incident timeline

Five numbered actions. Map each one to a MITRE ATT&CK Enterprise technique ID.

  1. 2026-05-15 09:14 IST
    Edge IDS logs show a TCP SYN scan from 185.X.X.X against ports 22, 80, 443, 3389. Open: 80, 443, 3389.
  2. 2026-05-15 09:31 IST
    RDP server logs show 200 distinct username attempts in 8 minutes, each with the password Acme@2026. One succeeds: jdoe.
  3. 2026-05-15 09:48 IST
    Windows Security log Event 4720: local account svc-update created, then added to the local Administrators group via Event 4732.
  4. 2026-05-15 10:02 IST
    Sysmon Event 1 shows schtasks.exe /create /tn UpdaterHelper /tr "powershell -enc SQB...=" /sc minute /mo 60.
  5. 2026-05-15 10:33 IST
    Outbound HTTPS flows to api.dropboxapi.com totaling 412 MB. curl, invoked from the PowerShell payload, uploaded the company-secrets folder.

ATT&CK lookup: attack.mitre.org · Use the Enterprise matrix.
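Detection logic for steps 2 and 3 (a password spray against RDP, and a local account created then added to Administrators), written as an added example for this exercise rather than code from the original page. The event records are constructed to mirror the timeline; the source IP, the tuple layout and the thresholds are assumptions, not a real log format, and the ATT&CK mapping itself is left to the reader.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth records modelled on step 2: (timestamp, source IP, username, outcome).
# 200 distinct usernames inside 8 minutes, one success (jdoe). The IP is a placeholder.
AUTH_EVENTS = [
    (datetime(2026, 5, 15, 9, 31) + timedelta(seconds=2 * i), "198.51.100.7", f"user{i:03d}", "fail")
    for i in range(199)
] + [(datetime(2026, 5, 15, 9, 39), "198.51.100.7", "jdoe", "success")]

# Constructed Windows Security records modelled on step 3: (timestamp, event ID, target account).
SECURITY_EVENTS = [
    (datetime(2026, 5, 15, 9, 48, 0), 4720, "svc-update"),   # local account created
    (datetime(2026, 5, 15, 9, 48, 30), 4732, "svc-update"),  # added to local Administrators
]


def detect_password_spray(events, window=timedelta(minutes=10), min_users=50):
    """Flag a source IP that tries many distinct usernames within one window.
    Returns {src: (distinct usernames seen, usernames that succeeded)}."""
    by_src = defaultdict(list)
    for ts, src, user, outcome in events:
        by_src[src].append((ts, user, outcome))
    findings = {}
    for src, rows in by_src.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):          # slide the window over each start
            span = [r for r in rows[i:] if r[0] - start <= window]
            users = {u for _, u, _ in span}
            if len(users) >= min_users:
                ok = sorted(u for _, u, o in span if o == "success")
                findings[src] = (len(users), ok)
                break
    return findings


def detect_new_admin_account(events, window=timedelta(minutes=15)):
    """Pair a 4720 (account created) with a later 4732 (added to a local group)
    for the same account within the window. Returns the matching account names."""
    created = {acct: ts for ts, eid, acct in events if eid == 4720}
    return sorted(
        acct for ts, eid, acct in events
        if eid == 4732 and acct in created and timedelta(0) <= ts - created[acct] <= window
    )


if __name__ == "__main__":
    print(detect_password_spray(AUTH_EVENTS))      # {'198.51.100.7': (200, ['jdoe'])}
    print(detect_new_admin_account(SECURITY_EVENTS))  # ['svc-update']
```

The spray rule keys on distinct usernames per source rather than on failure counts, so a single-password, many-user spray is caught even when the success rate is low.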