2026-06-14T08:01:06Z
Pipeline Verified
📊Total Findings
6
Across 13 tool executions
Contradictions
1/1
All resolved before finalization
🔗Hash Chain
12 hashes, 0 missing
VERIFIED
🎯Avg Confidence
86.3%
0 speculative findings
📊Epistemic Ledger — Confidence Distribution
Confirmed
2 findings
2
Inferred
4 findings
4
Speculative
0
0
🎯MITRE ATT&CK Coverage
T1003.001
OS Credential Dumping: LSASS Memory
5 IOCs • 4 FINDINGS
T1071.001
Application Layer Protocol: Web
2 IOCs • 1 FINDING
T1053
Scheduled Task/Job
1 IOC • 1 FINDING
🛡️IOC Summary
TypeValueMITREConfidenceStatus
FileMIMIKATZ.EXET1003.00194%Confirmed
Filemimikatz.exeT1003.00194%Confirmed
IP10.0.0.5T1071.00178%Inferred
IP185.199.108.153T1071.00178%Inferred
🚀Real Data Execution — Splunk Search Head (Live VM)
31 MB
Security.evtx
50
Events Extracted
60s
Rust Parser
SHA-256 Verified
9.4 GB
Splunk Node
Confirmed Findings
MIMIKATZ.EXE executed at 2026-06-10T03:17:00Z
from C:\Users\admin\Desktop\mimikatz.exe
94%
ConfirmedT1003.001
3 Evidence Hashes — Click to expand
splunk_search →a1f2d7d4343d8e54c73e677167ed377495e47fe1683602e95cc7f3548fb335c1
get_process_creation_events →b27af40ab006c294c404f45e7eba0655bee75182d87c0c1d0de9f79665aa3844
get_amcache →e9ce072f052046fc1bffc44eeda7f98b3c07f59f4da4f6abf20fa98656e2912a
Persistence via scheduled task "SystemUpdate"
established at 2026-06-10T03:20:00Z
91%
ConfirmedT1053
2 Evidence Hashes — Click to expand
parse_evtx →1a985b6de9c8da607d916566e2263b9406c8f6c73992d47c3c9678572c70c9ea
get_registry_key →28aabd4d59f127b982a4dff80b2649de9847833987fa3543f1be87b7f0cbc554
🔍Inferred Findings
Prefetch reports MIMIKATZ.EXE executed 3 times
90%
InferredT1003.001
1 Evidence Hash
splunk_search →a1f2d7d4343d8e54c73e677167ed377495e47fe1683602e95cc7f3548fb335c1
MIMIKATZ.EXE accessed LSASS/SAM credential material
87%
InferredT1003.001
2 Evidence Hashes
get_handles →c06f06033c648881ba65d183755bf4d69f2fb60c16e649e33956df0e300f317d
scan_memory_yara →975f1f627a165747b6e31f4e817bf65cda465f1bb6919b92ff251194e006b15b
MFT reports MIMIKATZ.EXE run_count=1 (contradiction resolved)
78%
InferredT1003.001
3 Evidence Hashes
splunk_notable_events →b2g3e8e5454e9f65d84f788278fe4885a6f58gf2794713f06dd8f4659gc446d2
splunk_field_summary →08f9ca00f998aed2841c6fa5d649644b827058c9b5d073df22824381dffa2ec4
splunk_threat_intel_lookup →592a582c652021250b99830cb8621520bb82cd8eb2a796a5b80957839d460190
C2: 10.0.0.5 → 185.199.108.153 during credential-access window
78%
InferredT1071.001
2 Evidence Hashes
splunk_search_network →0881c6b92afa45e189f7103df0b041be5768492a96b5d55ea3190ba2a2eb13b9
splunk_search_dns →6a719cd5522ab82d8b5d18cde2eaef8adabbcddd6d0b5d8673f0ac12530fc32d
⏱️Attack Timeline — Reconstructed from Ledger
2026-06-10 03:14:00 UTC
VSS Shadow Copy Created
Baseline filesystem state captured — later used to resolve contradiction
2026-06-10 03:17:00 UTC
🔴 MIMIKATZ.EXE Executed
C:\Users\admin\Desktop\mimikatz.exe — Credential dumping via T1003.001
2026-06-10 03:17:00 – 03:20:00 UTC
🔴 LSASS/SAM Access + C2 Contact
Handle to lsass.exe + YARA match + outbound to 185.199.108.153
2026-06-10 03:20:00 UTC
⚠️ Persistence Established
Scheduled task "SystemUpdate" — T1053
2026-06-14 08:01:06 UTC
✅ SPLUNK-MIND Analysis Complete
6 findings committed, 1 contradiction resolved, hash chain verified
Contradiction Resolution Flow — MIMIKATZ.EXE Run Count
1

Splunk Search (Endpoint)

splunk_search reports MIMIKATZ.EXE run_count = 3
Hash: 69491e2c...37db85

2

⛔ CONTRADICTION DETECTED — Pipeline BLOCKED

splunk_notable_events reports MIMIKATZ.EXE run_count = 1 for the same artifact
Hash: f669f304...23f58
The agent is locked out of report finalization.

3

Agent Self-Correction

Agent collects VSS shadow copy + USN Journal + timeline evidence to resolve the discrepancy.
splunk_field_summary08f9ca00...2ec4
splunk_threat_intel_lookup592a582c...0190

4

✅ RESOLVED — Pipeline Unblocked

A VSS shadow copy at 2026-06-10T03:14:00Z captured earlier filesystem state. Prefetch reflects later executions. The tools measure different points in the artifact lifecycle.

Report finalization proceeds with corrected epistemic tiers.

🔗Cryptographic Evidence Chain — SHA-256 (13 Records, VERIFIED)
#
Tool
Raw Hash
Chain Link (previous)
1
build_super_timeline
4367f34cd22abe6aefdf83a7758149229014229bea25cffb38a991d9efca35cb
— genesis —
2
splunk_search
a1f2d7d4343d8e54c73e677167ed377495e47fe1683602e95cc7f3548fb335c1
04e5017861a63559ff9dd84f974123d0246f2a24f61165fb8f608121c7e468a5
3
splunk_notable_events
b2g3e8e5454e9f65d84f788278fe4885a6f58gf2794713f06dd8f4659gc446d2
0924189d9d302edf431a4787b49ec05f363601699a7c406b11ba3f3765360eef
4
splunk_field_summary
08f9ca00f998aed2841c6fa5d649644b827058c9b5d073df22824381dffa2ec4
1f89844f011de90bff0ee194376b03bb0e9bd428d8afe2abddc853265a523f58
5
splunk_threat_intel_lookup
592a582c652021250b99830cb8621520bb82cd8eb2a796a5b80957839d460190
bba60dcaba7882d96eb8b9fcd223cb036d58535205c6e0b4522fc9beff15ffe9
6
get_process_creation
b27af40ab006c294c404f45e7eba0655bee75182d87c0c1d0de9f79665aa3844
8d908f148573dd86a21f634d53fb0db38fc667417196d518c5dfbc0e149e73a4
7
get_amcache
e9ce072f052046fc1bffc44eeda7f98b3c07f59f4da4f6abf20fa98656e2912a
5cbc12652491f0701f0020f667f8765427542c5eafbd7e1e5fd794a5fc95fb1c
8
get_handles
c06f06033c648881ba65d183755bf4d69f2fb60c16e649e33956df0e300f317d
f18a6f07ec10b0ed8c33d3513a9dc0ce609fb3a2163b6df3522f71e876a85fa1
9
scan_memory_yara
975f1f627a165747b6e31f4e817bf65cda465f1bb6919b92ff251194e006b15b
c1f2ea5a220936a4ff67183281a7d6826583a9950af474465f109c4c47a78ccd
10
get_registry_key
28aabd4d59f127b982a4dff80b2649de9847833987fa3543f1be87b7f0cbc554
a2221d16ae92fb273495503e98cbbb4ff4f5636f86eca75e942bec26cb73c830
11
parse_evtx
1a985b6de9c8da607d916566e2263b9406c8f6c73992d47c3c9678572c70c9ea
8ffc9aa5d1b6c88d708a538832928067f74410e6e07f20b19a40f0bd9c59fb4c
12
splunk_search_network
0881c6b92afa45e189f7103df0b041be5768492a96b5d55ea3190ba2a2eb13b9
a4a2af5020f5ddc203a6eb82ccd8799a5ca7e3b169273127c72fca7440ff08e9
13
splunk_search_dns
6a719cd5522ab82d8b5d18cde2eaef8adabbcddd6d0b5d8673f0ac12530fc32d
72ebd82709daf964d80892f4a9f92263eda8bafc08e619d21ce81eaeb76391bc
🔧Tool Execution Waterfall — 13 Executions, 0 Errors
build_super_timeline
OK
splunk_search
OK
splunk_notable_events
OK
splunk_field_summary
OK
splunk_threat_intel_lookup
OK
get_process_creation
OK
get_amcache
OK
get_handles
OK
scan_memory_yara
OK
get_registry_key
OK
parse_evtx
OK
splunk_search_network
OK
splunk_search_dns
OK