Veritas
F029 · MEDIUM · Benign / FP · validator: passed

RDP connections to multiple internal hosts from compromised system

network_connection:172.16.4.5:3389

Analyst narrative

vol_netscan recovered eight TCPv4 connections from 172.16.6.11 (ephemeral source ports 63823 through 63958) to 172.16.4.5:3389, all in CLOSED state, alongside one ESTABLISHED connection from 172.16.6.11:49763 to 172.16.4.5:445 and the host's own RDP listener (svchost.exe, PID 652, TCP and UDP 3389 on both IPv4 and IPv6). A run of short-lived connections to one host's RDP port from consecutive ephemeral ports is consistent with repeated RDP attempts during lateral movement or with sessions that completed or were aborted. netscan carves these CLOSED objects from freed pool memory, so they carry no Owner, PID or Created value and cannot be tied to a process or placed on a timeline from this plugin alone. Connection attempts to 172.16.4.5 and 172.16.5.21 were reported, but every fact linked in the proof chain below targets 172.16.4.5; nothing on this page references 172.16.5.21.

Claims asserted

connection-vol_netscan

Proof chain · 14 facts

Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.

network connection fact · pid:652
vol_netscan
Raw tool output · 725aba10d88e7b947aca621d3fe003ccb08fbd81
{"Created": "2018-08-30T13:52:22+00:00", "ForeignAddr": "0.0.0.0", "ForeignPort": 0, "LocalAddr": "0.0.0.0", "LocalPort": 3389, "Offset": 154518674278720, "Owner": "svchost.exe", "PID": 652, "Proto": "TCPv4", "State": "LISTENING", "TreeDepth": 0}
network connection fact · net:172.16.6.11:63826-172.16.4.5:3389
vol_netscan
Raw tool output · aeb9209ea4368f567ce272e01203d0a200e2b524
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63826, "Offset": 154518692996752, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
network connection fact · net:172.16.6.11:49763-172.16.4.5:445
vol_netscan
Raw tool output · ff3db042d5cb036bf168fa4b21fcd3477e6c0198
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 445, "LocalAddr": "172.16.6.11", "LocalPort": 49763, "Offset": 154518739399760, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "ESTABLISHED", "TreeDepth": 0}
network connection fact · pid:652
vol_netscan
Raw tool output · 20515eec923e3b6cee0a06158eb8fc2aabb2c4e7
{"Created": "2018-08-30T13:52:22+00:00", "ForeignAddr": "*", "ForeignPort": 0, "LocalAddr": "0.0.0.0", "LocalPort": 3389, "Offset": 154518740366080, "Owner": "svchost.exe", "PID": 652, "Proto": "UDPv4", "State": "", "TreeDepth": 0}
network connection fact · pid:652
vol_netscan
Raw tool output · e991c423bba30db63e7d41e31ecc6a8c1f7fb53a
{"Created": "2018-08-30T13:52:22+00:00", "ForeignAddr": "*", "ForeignPort": 0, "LocalAddr": "::", "LocalPort": 3389, "Offset": 154518740366080, "Owner": "svchost.exe", "PID": 652, "Proto": "UDPv6", "State": "", "TreeDepth": 0}
network connection fact · pid:652
vol_netscan
Raw tool output · 7319f2005261363b3d8787294fdcbc3de825a56b
{"Created": "2018-08-30T13:52:22+00:00", "ForeignAddr": "::", "ForeignPort": 0, "LocalAddr": "::", "LocalPort": 3389, "Offset": 154518740519152, "Owner": "svchost.exe", "PID": 652, "Proto": "TCPv6", "State": "LISTENING", "TreeDepth": 0}
network connection fact · net:172.16.6.11:63834-172.16.4.5:3389
vol_netscan
Raw tool output · 405beeb570082cbe9e89df17ff6d6da38904065b
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63834, "Offset": 154518742383024, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
network connection fact · net:172.16.6.11:63828-172.16.4.5:3389
vol_netscan
Raw tool output · 0f1fa89fc3ba9d753331710bc918bda45828d2f9
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63828, "Offset": 154518754851184, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
network connection fact · net:172.16.6.11:63958-172.16.4.5:3389
vol_netscan
Raw tool output · 6e7b21f9db76f724fcb16f9bf65a79c5be53e861
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63958, "Offset": 154518756274192, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
network connection fact · net:172.16.6.11:63848-172.16.4.5:3389
vol_netscan
Raw tool output · c287666702eb8f1a5812e152a6ca658068dd7b24
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63848, "Offset": 154518792675744, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
network connection fact · net:172.16.6.11:63823-172.16.4.5:3389
vol_netscan
Raw tool output · 24bc6ebbe4d10f91ce96ca8921b39e7e33782e2f
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63823, "Offset": 154518804605376, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
network connection fact · net:172.16.6.11:63841-172.16.4.5:3389
vol_netscan
Raw tool output · 419365dd4d760daf13900223644b67a1fe7ad7a7
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63841, "Offset": 154518806287488, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
network connection fact · net:172.16.6.11:63835-172.16.4.5:3389
vol_netscan
Raw tool output · e86027055d20ad56a1baecd5f41c330f26ba1e69
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63835, "Offset": 154518820071680, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
network ioc fact · 172.16.4.5
extract_network_iocs
Raw tool output · f84874d0852c27d777f18ba517d4df25ef31c342
{"type": "ipv4", "value": "172.16.4.5", "original_value": "172.16.4.5", "classification": "private", "port": null, "source_tools": ["vol_netscan"], "sources": [{"source_tool": "vol_netscan", "source_field": "ForeignAddr", "source_index": 16, "source_path": "vol_netscan.output[16].ForeignAddr", "context": "172.16.4.5", "offset": 0}, {"source_tool": "vol_netscan", "source_field": "ForeignAddr", "source_index": 52, "source_path": "vol_netscan.output[52].ForeignAddr", "context": "172.16.4.5", "offset": 0}, {"source_tool": "vol_netscan", "source_field": "ForeignAddr", "source_index": 70, "source_pa
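As an added example (not part of the Veritas page, its finding_trace() output or the vol_netscan plugin), the Python below re-derives the analyst narrative's numbers directly from the thirteen vol_netscan records in the proof chain above and surfaces the attribution gap: CLOSED entries have no Owner, PID or Created. The records are embedded inline, copied from the raw tool output shown; the BURST_THRESHOLD value is an assumption of this example, not a Veritas setting.

```python
"""Re-derive the F029 RDP claim from the vol_netscan records in the proof chain."""
import json
from collections import Counter, defaultdict

RDP_PORT = 3389
SMB_PORT = 445
# Assumption (not from the page): three or more distinct ephemeral source ports
# to one host:port inside a single memory capture is treated as a burst.
BURST_THRESHOLD = 3

# Constructed input: the thirteen vol_netscan records shown in the proof chain,
# one JSON object per line, copied verbatim from the raw tool output.
NETSCAN_JSONL = """
{"Created": "2018-08-30T13:52:22+00:00", "ForeignAddr": "0.0.0.0", "ForeignPort": 0, "LocalAddr": "0.0.0.0", "LocalPort": 3389, "Offset": 154518674278720, "Owner": "svchost.exe", "PID": 652, "Proto": "TCPv4", "State": "LISTENING", "TreeDepth": 0}
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63826, "Offset": 154518692996752, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 445, "LocalAddr": "172.16.6.11", "LocalPort": 49763, "Offset": 154518739399760, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "ESTABLISHED", "TreeDepth": 0}
{"Created": "2018-08-30T13:52:22+00:00", "ForeignAddr": "*", "ForeignPort": 0, "LocalAddr": "0.0.0.0", "LocalPort": 3389, "Offset": 154518740366080, "Owner": "svchost.exe", "PID": 652, "Proto": "UDPv4", "State": "", "TreeDepth": 0}
{"Created": "2018-08-30T13:52:22+00:00", "ForeignAddr": "*", "ForeignPort": 0, "LocalAddr": "::", "LocalPort": 3389, "Offset": 154518740366080, "Owner": "svchost.exe", "PID": 652, "Proto": "UDPv6", "State": "", "TreeDepth": 0}
{"Created": "2018-08-30T13:52:22+00:00", "ForeignAddr": "::", "ForeignPort": 0, "LocalAddr": "::", "LocalPort": 3389, "Offset": 154518740519152, "Owner": "svchost.exe", "PID": 652, "Proto": "TCPv6", "State": "LISTENING", "TreeDepth": 0}
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63834, "Offset": 154518742383024, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63828, "Offset": 154518754851184, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63958, "Offset": 154518756274192, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63848, "Offset": 154518792675744, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63823, "Offset": 154518804605376, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63841, "Offset": 154518806287488, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63835, "Offset": 154518820071680, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
"""


def load_records(jsonl):
    """Parse newline-delimited netscan JSON into a list of dicts."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def listeners(records):
    """Sockets the imaged host itself exposes: LISTENING TCP and bound UDP (State is empty)."""
    return [r for r in records if r["State"] in ("LISTENING", "")]


def connections_by_target(records):
    """Group everything that is not a listener by (ForeignAddr, ForeignPort)."""
    groups = defaultdict(list)
    for r in records:
        if r["State"] in ("LISTENING", ""):
            continue
        groups[(r["ForeignAddr"], r["ForeignPort"])].append(r)
    return groups


def summarize(records):
    """Compute what the analyst narrative asserts, straight from the raw facts."""
    groups = connections_by_target(records)
    rdp = {}
    for (host, port), conns in groups.items():
        if port != RDP_PORT:
            continue
        ports = sorted(c["LocalPort"] for c in conns)
        rdp[host] = {
            "attempts": len(conns),
            "source_ports": ports,
            "states": dict(Counter(c["State"] for c in conns)),
            # CLOSED objects are carved from freed pool memory and carry no
            # Owner/PID/Created, so only entries with a PID can be tied to a process.
            "attributed": sum(1 for c in conns if c["PID"] is not None),
            "burst": len(set(ports)) >= BURST_THRESHOLD,
        }
    smb_established = [
        (c["LocalAddr"], c["LocalPort"], c["ForeignAddr"], c["ForeignPort"])
        for (host, port), conns in groups.items() if port == SMB_PORT
        for c in conns if c["State"] == "ESTABLISHED"
    ]
    local_rdp_listeners = {
        (r["Owner"], r["PID"]) for r in listeners(records) if r["LocalPort"] == RDP_PORT
    }
    return {
        "targets": sorted({host for host, _ in groups}),
        "rdp": rdp,
        "smb_established": smb_established,
        "local_rdp_listeners": local_rdp_listeners,
    }


if __name__ == "__main__":
    print(json.dumps(summarize(load_records(NETSCAN_JSONL)), indent=2, default=list))
```

The same functions run unchanged on any netscan export that uses these field names. Against this finding they give the checks a reviewer would want before accepting the Benign / FP label: every 3389 connection targets 172.16.4.5 from eight distinct ephemeral ports, none of them carries a PID, the only ESTABLISHED connection is SMB to the same host, and 172.16.5.21 never appears, so the proof chain supports the claim for the first host only.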

Source tools

vol_netscan