F045 · Inconclusive · validator: blocked
RDP connections to 172.16.4.5:3389 in CLOSED state (Lateral movement attempt)
RDP attempts to 172.16.4.5:3389
Analyst narrative
Multiple RDP connection attempts from 172.16.6.11 to 172.16.4.5:3389 with CLOSED state, indicating failed or completed connections. Eight distinct attempts with different source ports. Suggests potential RDP lateral movement probing. Fact_ids: network_connection_fact-0000017, network_connection_fact-0000052, network_connection_fact-0000069, network_connection_fact-0000083, network_connection_fact-0000090, network_connection_fact-0000097.
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
vol_netscan