F026 · Inconclusive · validator: blocked
SMB connections to internal network shares (lateral movement indicator)
network_connection:172.16.5.50:445
Analyst narrative
TCP connections to SMB port 445 on internal IPs 172.16.5.50 and 172.16.7.15 were detected in vol_netscan, in the ESTABLISHED state. Combined with PsExec staging, this indicates lateral movement reconnaissance.
Claims asserted
connection-
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
vol_netscan