Lateral Movement Post-Firewall Compromise — Interlock Ransomware Pattern
Detects remote execution of administration tools following the compromise of a perimeter device. This is consistent with Interlock ransomware TTPs, which exploit enterprise firewalls as an initial access vector, as documented by Amazon threat intelligence.
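
One way to express this correlation, as an added example that is not the rule's own logic: flag an administration-tool process on a host shortly after a logon to that host sourced from a perimeter device address. The event schema, perimeter address, tool watchlist and 30-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# All values below are assumptions for illustration; the rule text names no
# tools, log fields, addresses or time window.
PERIMETER_IPS = {"10.0.0.1"}                        # firewall inside/management address
ADMIN_TOOLS = {"psexesvc.exe", "wsmprovhost.exe"}   # remote-execution host processes
WINDOW = timedelta(minutes=30)                      # logon -> execution correlation window

# Constructed sample telemetry (normalized logon and process-creation events).
EVENTS = [
    {"ts": "2025-01-10T02:14:05", "type": "logon", "host": "srv-app01",
     "src_ip": "10.0.0.1", "user": "svc_backup"},
    {"ts": "2025-01-10T02:15:40", "type": "process", "host": "srv-app01",
     "image": "C:\\Windows\\PSEXESVC.exe", "user": "SYSTEM"},
    {"ts": "2025-01-10T03:00:00", "type": "logon", "host": "srv-db02",
     "src_ip": "10.0.5.23", "user": "admin.jane"},       # admin workstation: expected
    {"ts": "2025-01-10T03:01:10", "type": "process", "host": "srv-db02",
     "image": "C:\\Windows\\System32\\wsmprovhost.exe", "user": "admin.jane"},
    {"ts": "2025-01-10T04:00:00", "type": "logon", "host": "srv-file03",
     "src_ip": "10.0.0.1", "user": "svc_backup"},
    {"ts": "2025-01-10T05:30:00", "type": "process", "host": "srv-file03",
     "image": "C:\\Windows\\PSEXESVC.exe", "user": "SYSTEM"},  # outside the window
]

def detect(events, perimeter_ips=PERIMETER_IPS, tools=ADMIN_TOOLS, window=WINDOW):
    """Return alerts for admin-tool execution on a host within `window` of a
    logon to that host that originated from a perimeter device address."""
    last_perimeter_logon = {}   # host -> (time, src_ip, user)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "logon" and ev["src_ip"] in perimeter_ips:
            last_perimeter_logon[ev["host"]] = (ts, ev["src_ip"], ev["user"])
        elif ev["type"] == "process":
            # Compare on the lowercased file name so path and case do not matter.
            image = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            seen = last_perimeter_logon.get(ev["host"])
            if image in tools and seen and ts - seen[0] <= window:
                alerts.append({"host": ev["host"], "image": image,
                               "src_ip": seen[1], "logon_user": seen[2],
                               "delay_s": int((ts - seen[0]).total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Correlation is keyed on host rather than user because a remote-execution service often runs under a different account than the one that logged on.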