The Plumber: An Uninvited SMB Service Call
Our SMB honeypot captured a PsExec-style attack in full: an authentication probe, 13 seconds of silence, then a 2.5-second blitz through IPC$, the svcctl named pipe, and the Service Control Manager. The payload is a four-layer LOLBin chain ending in msiexec pulling an MSI disguised as a PNG from three C2 servers. Total time on target: under 17 seconds.
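
The sequence summarized above (IPC$ connect, svcctl pipe open, RPC to the Service Control Manager, all within a few seconds) can be flagged by ordering SMB events per source. This detection sketch is an added example, not code from the honeypot or the original post; the event tuple layout, operation names, addresses and the 5-second window are assumptions, and the sample events are constructed to mirror the timing described.

```python
from datetime import datetime

# Constructed events: (timestamp, source IP, SMB operation, target). The field
# layout and addresses are assumptions, not the honeypot's real log format.
SAMPLE_EVENTS = [
    ("2024-01-01T00:00:00.000", "192.0.2.10", "session_setup", ""),   # auth probe
    ("2024-01-01T00:00:13.000", "192.0.2.10", "tree_connect", "IPC$"),
    ("2024-01-01T00:00:13.800", "192.0.2.10", "create", "svcctl"),
    ("2024-01-01T00:00:15.500", "192.0.2.10", "ioctl", "svcctl"),     # RPC to the SCM
    ("2024-01-01T00:02:00.000", "198.51.100.7", "tree_connect", "IPC$"),
    ("2024-01-01T00:02:00.400", "198.51.100.7", "create", "srvsvc"),  # share listing only
    ("2024-01-01T00:05:00.000", "203.0.113.5", "tree_connect", "IPC$"),
    ("2024-01-01T00:06:00.000", "203.0.113.5", "create", "svcctl"),   # slow, manual pace
    ("2024-01-01T00:06:01.000", "203.0.113.5", "ioctl", "svcctl"),
]

# Ordered stages of the chain: share connect, pipe open, RPC traffic on the pipe.
STAGES = [({"tree_connect"}, "ipc$"), ({"create"}, "svcctl"), ({"write", "ioctl"}, "svcctl")]

def find_svcctl_bursts(events, window_s=5.0):
    """Return one hit per source that completes all STAGES within window_s seconds."""
    by_src = {}
    for ts, src, op, target in sorted(events):
        by_src.setdefault(src, []).append((datetime.fromisoformat(ts), op, target.lower()))
    hits = []
    for src, evs in by_src.items():
        first_seen, stage, start = evs[0][0], 0, None
        for t, op, target in evs:
            if start is not None and (t - start).total_seconds() > window_s:
                stage, start = 0, None          # chain too slow, start over
            ops, want = STAGES[stage]
            if op in ops and target == want:
                start = t if stage == 0 else start
                stage += 1
                if stage == len(STAGES):
                    hits.append({"src": src,
                                 "quiet_before_s": (start - first_seen).total_seconds(),
                                 "burst_s": (t - start).total_seconds()})
                    stage, start = 0, None
    return hits

if __name__ == "__main__":
    for hit in find_svcctl_bursts(SAMPLE_EVENTS):
        print(hit)
```

Widening `window_s` also catches slower, hand-driven sessions at the cost of matching legitimate remote service administration, so pair it with an allowlist of management hosts.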
