The troubling aspect (besides the denials, of course) is the absence of controls that should have sniffed this out ASAP. Apparently:
- no passive network monitors showing an unknown IP/MAC/location
- no SOAR to kill off the attempts to gain a foothold/move laterally
- no alerts on above or anything else in the SOC
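As an added illustration of the first missing control above (this is editor-supplied example code, not code from the commenter or from any incident write-up), here is a minimal passive IP/MAC baseline monitor: it parses constructed ARP-style sensor lines, compares each observed pairing against a constructed asset inventory and expected-subnet list, and raises the kind of alert a SOC would want to see. The log format, the inventory and the sample lines are all assumptions made up for the example.

```python
# Added example: passive IP/MAC baseline monitor. Not code from the original
# post; the log format, the asset inventory and the sample log are constructed.
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed asset inventory: MAC -> set of IPs that host is allowed to use.
KNOWN_HOSTS = {
    "aa:bb:cc:00:00:01": {"10.0.1.10"},                # file server
    "aa:bb:cc:00:00:02": {"10.0.1.11"},                # jump host
    "aa:bb:cc:00:00:03": {"10.0.2.20", "10.0.2.21"},   # laptop, DHCP range
}
# Constructed list of subnets expected on this segment.
KNOWN_SUBNETS = [ipaddress.ip_network("10.0.1.0/24"),
                 ipaddress.ip_network("10.0.2.0/24")]

# Constructed sensor line format: "<ts> ARP <ip> is-at <mac>".
ARP_RE = re.compile(
    r"^(?P<ts>\S+) ARP (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-fA-F:]{17})$")


@dataclass
class Alert:
    ts: str
    kind: str
    ip: str
    mac: str


def check_observation(ts, ip, mac, known_hosts=KNOWN_HOSTS, known_subnets=KNOWN_SUBNETS):
    """Return alerts for one observed IP/MAC pairing against the baseline."""
    alerts = []
    mac = mac.lower()
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in known_subnets):
        alerts.append(Alert(ts, "unknown_subnet", ip, mac))      # address from nowhere we own
    if mac not in known_hosts:
        alerts.append(Alert(ts, "unknown_mac", ip, mac))         # device not in inventory
    elif ip not in known_hosts[mac]:
        alerts.append(Alert(ts, "ip_mac_mismatch", ip, mac))     # known device, unexpected IP
    return alerts


def detect_conflicts(observations):
    """Flag an IP claimed by more than one MAC (rogue host / ARP spoof indicator)."""
    seen = defaultdict(set)
    alerts = []
    for ts, ip, mac in observations:
        seen[ip].add(mac)
        if len(seen[ip]) > 1:
            alerts.append(Alert(ts, "ip_claimed_by_multiple_macs", ip, mac))
    return alerts


def scan_log(lines):
    """Run the baseline and conflict checks over sensor lines; return all alerts."""
    observations = []
    alerts = []
    for line in lines:
        m = ARP_RE.match(line.strip())
        if not m:
            continue  # not an ARP observation; ignore
        ts, ip, mac = m["ts"], m["ip"], m["mac"].lower()
        observations.append((ts, ip, mac))
        alerts.extend(check_observation(ts, ip, mac))
    alerts.extend(detect_conflicts(observations))
    return alerts


# Constructed sample log: two benign lines, then a rogue MAC appearing on a
# valid subnet, the same rogue MAC claiming the jump host's IP, and a known
# device showing up with an address from an unexpected subnet.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z ARP 10.0.1.10 is-at aa:bb:cc:00:00:01
2024-01-01T10:00:05Z ARP 10.0.2.20 is-at aa:bb:cc:00:00:03
2024-01-01T10:00:10Z ARP 10.0.1.11 is-at aa:bb:cc:00:00:02
2024-01-01T10:01:00Z ARP 10.0.2.99 is-at de:ad:be:ef:00:01
2024-01-01T10:02:00Z ARP 10.0.1.11 is-at de:ad:be:ef:00:01
2024-01-01T10:03:00Z ARP 192.168.50.5 is-at aa:bb:cc:00:00:02
""".splitlines()

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.ts} {a.kind:28s} ip={a.ip} mac={a.mac}")
```

The point of the conflict check is that an attacker who spoofs a legitimate host's IP still has to use a MAC the sensor can see, so a baseline keyed on the pairing catches both the new device and the impersonation; in a real deployment the inventory would come from DHCP leases or the CMDB, and these alerts would be what feeds the SOAR playbook the comment also asks for.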