Operational Handoff
**Shift window:** 2026-05-04 to 2026-05-08
**Cases investigated:** 11
**Pending ARIA action:** 10 cases — urgency breakdown: immediate: 10 | within_shift: 0 | next_available: 0
**On hold:** 0 cases pending additional telemetry
**Watch list:** ARIA should prioritize ws-legal-077.corp.local (CASE-20260508-0024, parse failure) and the two still-unidentified hosts in the update-relay-svc.com Remcos cluster (same_domain_count=3) — these represent the widest uncontained exposure entering the incoming shift.
Investigation Overview
**Cases investigated:** 11
**Verdicts:** ESCALATE_TO_ARIA: 10 | CLOSED: 0 | HOLD: 0 | UNKNOWN: 1
**Root cause confidence:** CONFIRMED: 10 | PROBABLE: 0 | UNDETERMINED: 0 | UNKNOWN: 1
**TORA hypothesis resolution:** CONFIRMED: 1 | REFINED: 9 | REFUTED: 0 | UNKNOWN: 1
**Parse failures:** 1 — CASE-20260508-0024 (VERA-20260508-0024: reasoning narrative present, verdict not committed to output schema fields; case remains unresolved entering handoff)
**Blast radius:** confirmed assets: 40+ | probable assets: 6 | lateral movement: yes | crown jewels: affected
What TORA Handed Off
All 11 escalations this shift were dns_malicious_lookup alerts. Asset profiles spanned high-criticality production workstations (legal, finance, marketing), an executive jump server (srv-jump-01.corp.local), a crown-jewel-adjacent Active Directory server (srv-ad-01.corp.local), and a finance workstation (ws-fin-015.corp.local) that appeared in multiple cases as a recurring target. TORA’s hypotheses were specific and P1-prioritized across the board, with confident framing around C2 family identification (Remcos, dnscat2, Metasploit) and phishing kill-chain stages — the quality of the triage packages was generally high, though the phishing-framed cases consistently understated the actual compromise state of the target endpoints at investigation time. No ssh_bruteforce_c2_dns cases were present in this escalation queue; one case (VERA-20260504-0002) involved a concurrent SSH brute-force from 91.92.251.103 as a correlated but assessed-as-independent signal, which required separating the brute-force thread from the C2 DNS investigation — a distinction ssh_bruteforce_c2_dns cases embed by design, whereas the dns_malicious_lookup framing here required VERA to establish the independence of the two signals through separate evidence review.
What the Investigations Found
Each case header reads: [case ID] / [VERA ID] | alert type | verdict | root cause confidence | TORA hypothesis resolution.
[CASE-20260504-0004] / [VERA-20260509-0001] | dns_malicious_lookup | ESCALATE_TO_ARIA | CONFIRMED | CONFIRMED
Finding: TORA’s dnscat2 DNS tunneling hypothesis on ws-exec-005.corp.local was fully confirmed — a masqueraded nc binary at C:\ProgramData\nc spawned by a rogue winlogon.exe from C:\Users\Public\ generated 192 high-entropy TXT queries to cdn-metrics-pipe.io, with two external TCP C2 connections established post-DNS and confirmed lateral movement to three internal assets via RDP, WMI, and SMB.
Why it’s worth noting: This is the only CONFIRMED hypothesis resolution this shift — TORA’s framing required no structural refinement, only scope expansion — and the case documents a 24-hour uncontested dwell window attributable directly to an unresolved prior escalation from 2026-05-03, making it the clearest evidence this shift of detection-without-remediation as an operational gap.
[CASE-20260504-0002] / [VERA-20260504-0002] | dns_malicious_lookup | ESCALATE_TO_ARIA | CONFIRMED | REFINED
Finding: ws-legal-077.corp.local carried a three-layer LOLBin masquerading chain (winlogon.exe from C:\ProgramData → explorer.exe from C:\Temp → wscript.exe from C:\ProgramData) executing under bwilliams — not the elevated-privilege m.reyes session TORA flagged — with confirmed on-host credential harvesting of m.reyes via Kerberos and NTLM, a 2.99MB payload written to disk, C2 connections established to 19.26.8.31:22 and 73.47.150.205:8443, and SMB lateral movement confirmed to two additional high-criticality internal assets (10.10.5.125 and 192.168.1.11).
Why it’s worth noting: The executing account (bwilliams) diverging from the session account (m.reyes) is the first instance of a recurring shift pattern — phishing or DNS alerts attributed to one user identity while a separate, unexplained account drives malicious execution — a pattern that TORA’s current alert enrichment does not surface at triage time.
[CASE-20260505-0008] / [VERA-20260505-0013] | dns_malicious_lookup | ESCALATE_TO_ARIA | CONFIRMED | REFINED
Finding: TORA escalated ws-mktg-042.corp.local as a phishing-click-pending case with the critical unknown being whether j.kim submitted credentials to okta-verify.co; endpoint telemetry established that the host was already running an active post-exploitation implant with a confirmed C2 beacon to 147.148.16.124:445 (18 connections, 212s interval, 0.282% jitter) under user mjones at least 17 minutes before the phishing email was delivered.
Why it’s worth noting: This case is the clearest example of a structural triage gap recurring across this shift: phishing alert escalations scoped as user-action-pending events while the endpoint was already in an adversarial state, with the active compromise independently confirmable from EDR telemetry without resolving the user action at all.
[CASE-20260507-0017] / [VERA-20260509-0001] | dns_malicious_lookup | ESCALATE_TO_ARIA | CONFIRMED | REFINED
Finding: Remcos RAT compromise on ws-fin-015.corp.local was confirmed via four independent evidence streams — masqueraded process chain under bwilliams, two persistence mechanisms installed within 10 minutes of the DNS alert, post-DNS child processes from non-canonical temp paths, and a svc-sysadmin privilege escalation from 192.168.10.57 recording auth_method='mfa' despite MFA being disabled on that account — with the initiating process running under bwilliams rather than svc-sysadmin, separating the infection delivery thread from the credential abuse thread.
Why it’s worth noting: The MFA method recorded against a no-MFA account (svc-sysadmin) is a high-confidence credential relay or cross-host abuse indicator that TORA’s current enrichment did not flag as a standalone signal, and the same_domain_count=3 Remcos cluster leaves two additional compromised assets unidentified entering the handoff.
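Two of the measurements behind the findings above (the high-entropy TXT queries of the dnscat2 case and the interval/jitter profile of the ws-mktg-042 beacon) can be reproduced from raw telemetry. The following is an added example, not VERA's own tooling or code from the handoff: it computes beacon interval and jitter from a series of outbound connection timestamps and scores DNS query labels by Shannon entropy. All sample timestamps and query names are constructed; the thresholds (5% jitter, 10 connections, 20-character / 3.5-bit labels) are assumptions.

```python
"""Added example (not the handoff's own tooling): beacon regularity and
DNS label entropy checks. All sample data below is constructed."""
import math
import statistics
from collections import Counter
from datetime import datetime, timedelta


def beacon_profile(timestamps):
    """Mean interval (seconds) and jitter (population stdev / mean) of a
    connection series. Returns (interval, jitter); needs >= 3 timestamps."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        raise ValueError("need at least three connections to measure an interval")
    intervals = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.fmean(intervals)
    jitter = statistics.pstdev(intervals) / mean
    return mean, jitter


def is_beacon(timestamps, max_jitter=0.05, min_connections=10):
    """A long enough, low-jitter series is a C2 beacon candidate (thresholds assumed)."""
    if len(timestamps) < min_connections:
        return False
    _, jitter = beacon_profile(timestamps)
    return jitter <= max_jitter


def label_entropy(qname):
    """Shannon entropy (bits/char) of the leftmost DNS label, which is
    where a tunnel like dnscat2 encodes its payload."""
    label = qname.rstrip(".").split(".")[0]
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_tunnel(qname, min_len=20, min_entropy=3.5):
    """Long, high-entropy leftmost label: flag as a DNS tunneling candidate."""
    label = qname.rstrip(".").split(".")[0]
    return len(label) >= min_len and label_entropy(qname) >= min_entropy


# Constructed samples: a regular ~212 s beacon and an irregular browsing series.
_BASE = datetime(2026, 5, 5, 12, 0, 0)
_GAPS = [211, 213] * 8 + [212]          # 17 gaps -> 18 connections, mean 212 s
BEACON_SAMPLE = [_BASE]
for gap in _GAPS:
    BEACON_SAMPLE.append(BEACON_SAMPLE[-1] + timedelta(seconds=gap))
BROWSING_SAMPLE = [
    _BASE + timedelta(seconds=s)
    for s in (0, 3, 9, 400, 402, 1900, 1901, 1960, 5200, 5210, 9000)
]
# Constructed query names; the hex label imitates a tunnel chunk.
TXT_QUERIES = [
    "3f9a1c7e5b2d8046e1a9c4f7b2d6e830.cdn-metrics-pipe.io",
    "www.example.com",
    "mail.corp.local",
]


def summarize():
    """Run both checks over the constructed samples."""
    interval, jitter = beacon_profile(BEACON_SAMPLE)
    return {
        "beacon_interval_s": interval,
        "beacon_jitter_pct": round(jitter * 100, 3),
        "beacon_flagged": is_beacon(BEACON_SAMPLE),
        "browsing_flagged": is_beacon(BROWSING_SAMPLE),
        "tunnel_candidates": [q for q in TXT_QUERIES if looks_like_tunnel(q)],
    }


if __name__ == "__main__":
    print(summarize())
```

Jitter is expressed relative to the mean interval so that a 212 s beacon and a 30 s beacon are judged on the same scale; the entropy check looks only at the leftmost label because the registered domain (cdn-metrics-pipe.io) is fixed and would dilute the score.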
Where Confidence Hit Its Ceiling
Zero cases were dispositioned at PROBABLE this shift; all 10 cases that reached a disposition were CONFIRMED, and the eleventh (CASE-20260508-0024) could not be dispositioned due to a parse failure. The recurring missing telemetry type across confirmed cases was lateral movement target endpoint data — in seven of ten confirmed cases, one or more hosts reachable via confirmed network flows lacked EDR or authentication log coverage, leaving secondary compromise unconfirmable and blast radius underspecified. What would have resolved the parse-failure case and the scope-limited findings to fully resolved dispositions was lateral movement target telemetry for the secondary hosts (10.10.5.125, 192.168.1.11, DC-291, 192.168.1.204, DEV-102, WORKSTATION-429, LAPTOP-311, WEB-505, 10.10.2.174), combined with Okta authentication logs post-credential-submission for the phishing cases and identity resolution for the anomalous executing accounts (bwilliams, user42, jsmith, alee).
Patterns Across Cases
Binary masquerading (T1036.005) — system binaries executing from non-canonical staging paths (C:\Windows\Temp\, C:\Users\Public\, C:\ProgramData\, C:\Temp\, /var/tmp/, /tmp/) — appeared as a confirmed technique in 8 of 10 investigated cases. The specific field evidence includes: winlogon.exe from C:\ProgramData (VERA-20260504-0002), nc and winlogon.exe from C:\Users\Public\ (VERA-20260509-0001 / cdn-metrics-pipe.io), firefox.exe from C:\Windows\SysWOW64\ (VERA-20260505-0014), svchost.exe from C:\Temp\System (VERA-20260505-0014), lsass.exe from C:\Windows\Temp\ (VERA-20260505-0013), curl from temp paths (VERA-20260506-0015), wscript.exe from C:\Windows\Temp\ (VERA-20260509-0001 / update-relay-svc.com), and chrome.exe from C:\Users\Public\ (CASE-20260508-0024), all confirmed under T1036.005. This concentration of masqueraded execution from staging paths across cases sharing attacker infrastructure (okta-verify.co, workday-notifications.net, update-relay-svc.com) indicates a campaign-level tradecraft baseline — the attacker or operator group uses pre-staged binaries at fixed high-suspicion paths as a delivery pattern, and detection of any process executing from those specific directories should be treated as a campaign indicator rather than an isolated host anomaly.
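The staging-path rule the paragraph above proposes (treat any process launched from those directories, or a system binary launched outside its canonical directory, as a campaign indicator) can be expressed as a small classifier over process-creation events. This is an added example, not the handoff's own tooling: the canonical-directory table (especially the browser entries), the event field names and the events themselves are assumptions and constructed data, reusing only the paths and host names the handoff already lists.

```python
"""Added example (not the handoff's own tooling): flag process-creation events
for T1036.005 masquerading and for execution from campaign staging paths.
Canonical directories, event fields and the sample events are assumptions."""
from collections import defaultdict

# Canonical directories for the binaries named in the handoff (assumed; the
# browser entries in particular are illustrative defaults).
CANONICAL_DIRS = {
    "winlogon.exe": {"c:/windows/system32"},
    "lsass.exe": {"c:/windows/system32"},
    "svchost.exe": {"c:/windows/system32", "c:/windows/syswow64"},
    "wscript.exe": {"c:/windows/system32", "c:/windows/syswow64"},
    "explorer.exe": {"c:/windows"},
    "firefox.exe": {"c:/program files/mozilla firefox",
                    "c:/program files (x86)/mozilla firefox"},
    "chrome.exe": {"c:/program files/google/chrome/application",
                   "c:/program files (x86)/google/chrome/application"},
}

# Staging directories from the handoff's pattern analysis (prefix match).
STAGING_DIRS = (
    "c:/windows/temp/", "c:/users/public/", "c:/programdata/", "c:/temp/",
    "/var/tmp/", "/tmp/",
)


def _normalize(path):
    """Case-insensitive, forward-slash form so Windows and POSIX paths compare alike."""
    return path.replace("\\", "/").lower()


def classify_image(image_path):
    """Return the indicators for one image path; an empty list means clean.
    A known system binary outside its canonical directory is a masquerade;
    anything under a staging directory is a staging-path hit (both may apply)."""
    norm = _normalize(image_path)
    directory, _, image = norm.rpartition("/")
    indicators = []
    allowed = CANONICAL_DIRS.get(image)
    if allowed is not None and directory not in allowed:
        indicators.append("T1036.005 masquerade")
    if any(norm.startswith(prefix) for prefix in STAGING_DIRS):
        indicators.append("staging_path")
    return indicators


def campaign_indicators(events):
    """Group flagged events by host: {host: [(user, image, indicators), ...]}.
    Hosts with no flagged events are omitted."""
    flagged = defaultdict(list)
    for ev in events:
        hits = classify_image(ev["image"])
        if hits:
            flagged[ev["host"]].append((ev["user"], ev["image"], hits))
    return dict(flagged)


# Constructed process-creation events (not telemetry from the handoff).
SAMPLE_EVENTS = [
    {"host": "ws-legal-077", "user": "bwilliams", "image": r"C:\ProgramData\winlogon.exe"},
    {"host": "ws-legal-077", "user": "bwilliams", "image": r"C:\Temp\explorer.exe"},
    {"host": "ws-exec-005", "user": "user42", "image": r"C:\Users\Public\winlogon.exe"},
    {"host": "ws-exec-005", "user": "user42", "image": r"C:\ProgramData\nc"},
    {"host": "ws-mktg-042", "user": "mjones", "image": r"C:\Windows\SysWOW64\firefox.exe"},
    {"host": "srv-ad-01", "user": "contractor_1", "image": "/var/tmp/curl"},
    {"host": "ws-fin-015", "user": "svc-sysadmin", "image": r"C:\Windows\System32\winlogon.exe"},
    {"host": "ws-fin-015", "user": "a.patel",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]


if __name__ == "__main__":
    for host, hits in sorted(campaign_indicators(SAMPLE_EVENTS).items()):
        for user, image, indicators in hits:
            print(f"{host}\t{user}\t{image}\t{', '.join(indicators)}")
```

The two checks are kept separate on purpose: a masquerade hit on its own (firefox.exe under SysWOW64) does not involve a staging path, and a staging-path hit on its own (nc under ProgramData) involves no system binary name, yet the handoff treats both as campaign indicators, so a rule that required both would miss half the cases listed above.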
For NOVA
**Alert type distribution:** dns_malicious_lookup: 11
**IDS/netflow DNS discrepancy:** 1 case affected — VERA-20260504-0002 (fonts-static-cdn.net: NOERROR in primary alert at 15:51Z vs. NXDOMAIN in dns_history at 15:52Z — one-minute conflict between resolver records for the same domain; possible rapid sinkholing or log normalization defect)
**Prior alert closure pattern:** 2 cases where prior closures or unresolved escalations preceded confirmed compromise — VERA-20260509-0001/cdn-metrics-pipe.io (prior escalation 2026-05-03 unresolved, 24h+ uncontested dwell confirmed); CASE-20260508-0024/VERA-20260506-0015 (IDS-204524 Process Injection Detected CLOSED during active exploitation window at 2026-05-06T20:22:16Z)
**Recurring attacker IPs:** none confirmed across 2+ cases (C2 IPs are per-case; svc-sysadmin lateral source 192.168.10.57 appears in VERA-20260509-0001/update-relay-svc.com and warrants cross-case review)
**Recurring malware families:** Remcos RAT: confirmed in VERA-20260509-0001 (update-relay-svc.com) and CASE-20260508-0024 (update-relay-svc.com); dnscat2: confirmed in VERA-20260509-0001 (cdn-metrics-pipe.io)
**Confirmed MITRE techniques (shift-wide, 2+ cases):** T1036.005 (8 cases) | T1059.001 (4 cases) | T1053.005 (3 cases) | T1547.001 (3 cases) | T1566.002 (3 cases) | T1071.001 (3 cases) | T1021.001 (3 cases) | T1070.004 (3 cases) | T1105 (3 cases) | T1021.006 (2 cases) | T1218.011 (2 cases) | T1566.001 (2 cases)
**Open question:** The domain telemetry-cloud-api.com (NXDOMAIN) appears in SIEM log_context for at least three cases (VERA-20260506-0013, VERA-20260506-0015, VERA-20260509-0001/update-relay-svc.com) sourced from external IPs with no confirmed connection to the internal assets under investigation — is this a secondary campaign C2 or staging domain appearing shift-wide, a DGA pattern requiring cross-shift IOC hunting, or a SIEM correlation rule misfire polluting investigation packages with unrelated external traffic?
For ARIA
**Escalations pending:** 10 cases
**Urgency breakdown:** immediate: 10 | within_shift: 0 | next_available: 0
**Immediate actions required:**
- isolate_host: ws-legal-077.corp.local (10.10.2.77) — active Metasploit C2, lateral movement confirmed, Remcos DNS (CASE-20260508-0024 unresolved), multiple cases
- isolate_host: ws-exec-005.corp.local (10.10.2.5) — dnscat2 active, lateral movement to WORKSTATION-429/10.10.3.173, LAPTOP-311/10.10.5.158, 10.10.5.88
- isolate_host: srv-jump-01.corp.local — active post-exploitation, confirmed lateral movement to DC-291
- isolate_host: DC-291 — confirmed lateral movement target from srv-jump-01, SSH and WMI activity; treat as compromised
- isolate_host: ws-mktg-042.corp.local (10.10.1.42) — active C2 beacon to 147.148.16.124:445, confirmed shift blast radius across VERA-20260505-0013 and VERA-20260505-0014
- isolate_host: ws-fin-015.corp.local (10.10.2.15) — Remcos confirmed, same_domain_count=3 (two unidentified hosts still at large); svc-sysadmin credential abuse active
- isolate_host: srv-ad-01.corp.local — active compromise confirmed 10 hours pre-phishing, crown-jewel-adjacent AD server
- isolate_host: WEB-505 (10.10.5.76) — confirmed lateral movement target from ws-legal-077 via RDP
- isolate_host: 192.168.1.204 and DEV-102 (10.10.1.50) — confirmed lateral movement targets from ws-fin-015 (VERA-20260506-0013)
- isolate_host: WORKSTATION-429 (10.10.3.173), LAPTOP-311 (10.10.5.158), 10.10.5.88 — confirmed lateral movement targets from ws-exec-005
- block_ioc: 19.26.8.31:22, 73.47.150.205:8443 (Metasploit C2 — VERA-20260504-0002)
- block_ioc: 98.109.211.188:1337 (C2 — VERA-20260504-0003)
- block_ioc: 242.232.158.170:1337, 78.74.222.238:135 (dnscat2 C2 — VERA-20260509-0001/cdn-metrics-pipe.io)
- block_ioc: 147.148.16.124:445 (C2 beacon — VERA-20260505-0013)
- block_ioc: 22.171.40.27:1337 (C2 beacon — VERA-20260507-0020)
- block_ioc: 200.205.57.167:443 (Remcos C2 — CASE-20260508-0024)
- block_ioc: fonts-static-cdn.net, okta-verify.co, cdn-metrics-pipe.io, workday-notifications.net, sharepoint-files.net, update-relay-svc.com, login-microsofft-com.net, telemetry-cloud-api.com, cdn-739-assets.net, cdn-119-assets.net (all confirmed or high-suspicion campaign domains)
- block_ioc: cdn-413-assets.net, cdn-471-assets.net, cdn-650-assets.net, cdn-316-assets.net, cdn-128-assets.net, cdn-505-assets.net (CDN-pattern lookalike domains, NOERROR responses, pre-compromise timestamps across multiple cases)
- disable_account: bwilliams — executing account in VERA-20260504-0002 and VERA-20260509-0001/update-relay-svc.com; origin unknown
- disable_account: m.reyes — credentials confirmed harvested and abused in VERA-20260504-0002 and VERA-20260509-0001/cdn-metrics-pipe.io; Kerberos ticket rotation required
- disable_account: c.wardlaw — phishing credential submission confirmed, VERA-20260504-0003; revoke all SSO/Okta sessions
- disable_account: helpdesk01 — executing post-exploitation tooling in VERA-20260504-0003 and VERA-20260505-0014; origin and provenance unknown
- disable_account: user42 — implant runtime account on ws-exec-005 (VERA-20260509-0001/cdn-metrics-pipe.io); no prior context, treat as potential attacker-created backdoor account
- disable_account: jsmith — ncat execution on ws-fin-015 (VERA-20260506-0013) under unknown provenance; disable pending identity investigation
- disable_account: alee — executing post-exploitation tooling on ws-legal-077 (VERA-20260507-0020); not the phishing target, identity unknown
- disable_account: svc-sysadmin — admin service account, MFA disabled, confirmed credential abuse across at least two internal hosts; disable and rotate immediately
- disable_account: svc_backup — implicated in CASE-20260508-0024 Remcos masquerading chain on ws-legal-077; disable pending investigation
- revoke_tokens: c.wardlaw — all active Okta/SSO sessions; MFA bypass cannot be ruled out
- revoke_tokens: m.reyes — Kerberos tickets and NTLM hashes confirmed abused; full Kerberos ticket rotation required
- revoke_tokens: contractor_1 — MFA disabled, phishing exposure confirmed on ws-legal-077 (VERA-20260506-0011) and srv-ad-01 (VERA-20260506-0015); disable account and revoke sessions
**Cross-case coordination needed:**
- update-relay-svc.com Remcos cluster: same_domain_count=3 means two additional hosts beyond ws-fin-015 and ws-legal-077 are beaconing to the same Remcos C2; these hosts are unidentified and must be hunted environment-wide before isolation actions are scoped as complete
- okta-verify.co phishing campaign: at minimum 6 assets in same_domain_count pool (VERA-20260504-0003, VERA-20260505-0013, VERA-20260506-0011); recall phishing email from all 12 recipients identified in VERA-20260506-0011, block bit.ly redirect chain, revoke any active Okta sessions from the recipient list
- helpdesk01 account pivot: helpdesk01 is the executing account in confirmed post-exploitation on both srv-jump-01 (VERA-20260504-0003) and ws-mktg-042 (VERA-20260505-0014); a single account-based pivot across two confirmed blast-radius assets requires coordinated identity investigation before scope can be closed
- svc-sysadmin credential abuse: privilege escalation from 192.168.10.57 (VERA-20260509-0001/update-relay-svc.com) and attributed DNS callback on ws-legal-077 (CASE-20260508-0024) indicate the admin service account is being abused from at least two internal hosts; 192.168.10.57 must be investigated immediately
- DC-291 exposure: lateral movement to a domain controller via SSH is confirmed from srv-jump-01 (VERA-20260504-0003); if attacker achieved execution on DC-291, recovery scope expands to a full domain credential reset — this coordination action must be treated as the highest-priority scope-determination task for ARIA
**Credential exposure:** c.wardlaw (phishing credential submission confirmed, Okta session compromise probable) | helpdesk01 (post-exploitation execution confirmed, origin unknown) | m.reyes (Kerberos and NTLM harvested and abused, confirmed) | bwilliams (malicious process execution confirmed, cross-case) | user42 (implant runtime account, ws-exec-005) | jsmith (ncat execution, ws-fin-015, no provenance) | alee (post-exploitation execution, ws-legal-077, no provenance) | svc-sysadmin (admin credential abuse confirmed, MFA-disabled, multi-host) | svc_backup (Remcos masquerading chain, ws-legal-077) | contractor_1 (MFA disabled, phishing exposure confirmed on two assets) | a.patel (privilege escalation pre-phishing confirmed, ws-fin-015) | j.kim (phishing target, credential submission status unconfirmed on two cases) | mjones (post-exploitation execution, ws-mktg-042) | ctaylor (ws-fin-015 auth context, unresolved)
VERA — Vigilant Event Response Agent — Tier 2 Eyes on the Glass | eyesontheglass.ai Shift 7 | Shift ID: VSHIFT-20260509-033704 | Output schema: vera_output_schema_v1.1.0