The environment looked clean. No malware alerts. No endpoint detections. But something was off: service accounts were authenticating from unexpected hosts.
The log line that mattered
A single POST request to an old upload endpoint, returning HTTP 200, at 02:17. No exploit signature. Just timing.
What we pivoted on
- IIS logs before authentication logs: the web request came first, the credential misuse followed
- File creation timestamps under the web root, matched against the request time
- Unexpected outbound connections from the web server itself
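The pivot described above, as an added example that is not code from the original post: parse an IIS W3C log, keep the POSTs that an upload endpoint answered with 200, then match each one against file-creation events on the server (from the MFT or Sysmon Event ID 11, for instance). The log lines, the file events, the `upload` path marker and the 22:00 to 06:00 quiet window are all constructed assumptions for the demo.

```python
"""Hunt an IIS W3C log for accepted uploads and tie them to file creation on the server.

Added example, not from the original post. Sample data below is constructed.
"""
from datetime import datetime, timedelta

# Constructed IIS W3C extended log. IIS writes timestamps in UTC by default and
# encodes spaces inside a field as '+', so a plain whitespace split is safe.
IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-03-04 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-03-04 01:55:12 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 15
2024-03-04 02:17:03 10.0.0.5 POST /legacy/upload.aspx - 443 - 198.51.100.23 python-requests/2.31 200 0 0 412
2024-03-04 02:17:41 10.0.0.5 GET /legacy/uploads/x.aspx - 443 - 198.51.100.23 python-requests/2.31 200 0 0 88
2024-03-04 09:30:10 10.0.0.5 POST /api/upload - 443 jdoe 10.0.1.50 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 120
2024-03-04 14:02:55 10.0.0.5 POST /legacy/upload.aspx - 443 - 10.0.1.60 Mozilla/5.0+(Windows+NT+10.0) 403 0 0 10
"""

# Constructed file-creation events (UTC timestamp, path), e.g. from $MFT or Sysmon EID 11.
FILE_EVENTS = [
    ("2024-03-04 02:17:04", r"C:\inetpub\wwwroot\legacy\uploads\x.aspx"),
    ("2024-03-04 09:30:11", r"C:\inetpub\wwwroot\uploads\report.pdf"),
    ("2024-03-04 11:00:00", r"C:\Windows\Temp\update.log"),
]

# Extensions the web server will execute if someone requests them: a created file
# with one of these under the web root is a web shell until proven otherwise.
SERVER_EXEC_EXTS = (".aspx", ".asp", ".ashx", ".asmx", ".cshtml", ".php", ".jsp")


def parse_iis_log(text):
    """Parse W3C log lines into dicts keyed by the #Fields header.

    IIS can emit a fresh #Fields line mid-file after a logging config change,
    so the header is re-read every time it appears.
    """
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before any #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip it, don't abort the hunt
        rec = dict(zip(fields, values))
        rec["timestamp"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def is_off_hours(ts, start=22, end=6):
    """True inside the quiet window, which wraps midnight. Hours are UTC, like the log."""
    return ts.hour >= start or ts.hour < end


def find_upload_posts(records, marker="upload"):
    """POSTs that an upload endpoint accepted. The 200 is the signal; nothing else matches a signature."""
    return [r for r in records
            if r["cs-method"] == "POST" and r["sc-status"] == "200"
            and marker in r["cs-uri-stem"].lower()]


def correlate_file_creation(request, file_events, window_seconds=120):
    """Paths created on the server within window_seconds after the request."""
    start = request["timestamp"]
    end = start + timedelta(seconds=window_seconds)
    return [path for ts, path in file_events
            if start <= datetime.strptime(ts, "%Y-%m-%d %H:%M:%S") <= end]


def hunt(log_text, file_events):
    """One finding per accepted upload, with the timing and file-creation context attached."""
    findings = []
    for req in find_upload_posts(parse_iis_log(log_text)):
        created = correlate_file_creation(req, file_events)
        findings.append({
            "time": req["timestamp"].isoformat(),
            "uri": req["cs-uri-stem"],
            "client": req["c-ip"],
            "user_agent": req["cs(User-Agent)"],
            "off_hours": is_off_hours(req["timestamp"]),
            "created": created,
            "server_executable": [p for p in created if p.lower().endswith(SERVER_EXEC_EXTS)],
        })
    return findings


def high_priority(findings):
    """Off-hours upload that produced a server-executable file: look at this one first."""
    return [f for f in findings if f["off_hours"] and f["server_executable"]]


if __name__ == "__main__":
    for finding in high_priority(hunt(IIS_LOG, FILE_EVENTS)):
        print(finding)
```

Two caveats when running this against real data. IIS W3C logs are UTC unless `useLocalTime` was turned on, while Event Viewer shows Security log times in local time, so normalise both before lining up the web request against the later authentications. And the 403 in the sample is there on purpose: a rejected POST to the same endpoint from an internal host is the baseline that makes the 02:17 200 stand out, so do not filter non-200 lines out before you have looked at them.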
Why IIS keeps getting ignored
Because it’s boring. Attackers love boring.