
82,847 log lines, one attack chain: a Sysmon intrusion reconstructed
A Windows endpoint compromised by a single malicious HTA — and the whole chain (mshta as a LOLBIN, a fileless PowerShell stager, a COMSPEC persistence trick that never touches the registry, and a self-replicating Python RAT beaconing to C2) reconstructed from an 82,847-line Sysmon export with nothing but jq.