F017LOWBenign / FPvalidator: passed

Multiple privileged network services listening on non-standard ports

Service network listeners on custom ports

Analyst narrative

spoolsv.exe (PID 1040) and macmnsvc.exe (PID 2228) configured to listen on non-standard ports (8081, 8082) with UDP/TCP bindings. This configuration enables lateral movement and remote service exploitation.

Claims asserted

pid-vol_netscanvol_pstree

Proof chain · 50 facts

Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.

⊞

handle facthandle:pid:1040:key:machine\software\microsoft\windows nt\currentversion\image file execution options

vol_handles

›

Raw tool output · bfcebf9005adb0be21681bbde2e8d3a7f94eb823

{"GrantedAccess": 9, "HandleValue": 4, "Name": "MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\IMAGE FILE EXECUTION OPTIONS", "Offset": 229276729395824, "PID": 1040, "Process": "spoolsv.exe", "Type": "Key", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:token:8

vol_handles

›

Raw tool output · f84da46c7f19e36205fcf5561fbc82b12086f1a6

{"GrantedAccess": 72, "HandleValue": 8, "Name": null, "Offset": 229276731464144, "PID": 1040, "Process": "spoolsv.exe", "Type": "Token", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:event:12

vol_handles

›

Raw tool output · 00443ce209cc36d84e50f695d1f4e03c12b21f5e

{"GrantedAccess": 2031619, "HandleValue": 12, "Name": null, "Offset": 154518739405760, "PID": 1040, "Process": "spoolsv.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:waitcompletionpacket:16

vol_handles

›

Raw tool output · e750f587b265f83b9a96044ae113aa4ac1ca5a1e

{"GrantedAccess": 1, "HandleValue": 16, "Name": null, "Offset": 154518740925952, "PID": 1040, "Process": "spoolsv.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:iocompletion:20

vol_handles

›

Raw tool output · 930c54b0c6a7a17cfaa460b9dd73895bb2096fa2

{"GrantedAccess": 2031619, "HandleValue": 20, "Name": null, "Offset": 154518739444736, "PID": 1040, "Process": "spoolsv.exe", "Type": "IoCompletion", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:tpworkerfactory:24

vol_handles

›

Raw tool output · 480ab9e44757d884cb5644a3639727459622a509

{"GrantedAccess": 983295, "HandleValue": 24, "Name": null, "Offset": 154518739016800, "PID": 1040, "Process": "spoolsv.exe", "Type": "TpWorkerFactory", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:irtimer:28

vol_handles

›

Raw tool output · 99342b9e598b58159058345adf96a7c73f072d8a

{"GrantedAccess": 1048578, "HandleValue": 28, "Name": null, "Offset": 154518739350256, "PID": 1040, "Process": "spoolsv.exe", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:waitcompletionpacket:32

vol_handles

›

Raw tool output · fc41b3cb4433077b1345991d6d65897244eb1ff9

{"GrantedAccess": 1, "HandleValue": 32, "Name": null, "Offset": 154518739078272, "PID": 1040, "Process": "spoolsv.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:irtimer:36

vol_handles

›

Raw tool output · 4972e25b81fe85dba649077abed59ebad97c1f34

{"GrantedAccess": 1048578, "HandleValue": 36, "Name": null, "Offset": 154518739159280, "PID": 1040, "Process": "spoolsv.exe", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:waitcompletionpacket:40

vol_handles

›

Raw tool output · 480c6fdac076cb742cc0daacc1a8a6ea682952ac

{"GrantedAccess": 1, "HandleValue": 40, "Name": null, "Offset": 154518739275296, "PID": 1040, "Process": "spoolsv.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:etwregistration:44

vol_handles

›

Raw tool output · fc6ed81becf8b053c81dc777db43bd42648cbf8b

{"GrantedAccess": 2052, "HandleValue": 44, "Name": null, "Offset": 154518739444480, "PID": 1040, "Process": "spoolsv.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:etwregistration:48

vol_handles

›

Raw tool output · 4caaec789382c468d607c99bcc56e8ab867827c6

{"GrantedAccess": 2052, "HandleValue": 48, "Name": null, "Offset": 154518739444256, "PID": 1040, "Process": "spoolsv.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:etwregistration:52

vol_handles

›

Raw tool output · f8152b7f0142631e016303a6bca7dea06cf3c511

{"GrantedAccess": 2052, "HandleValue": 52, "Name": null, "Offset": 154518739374192, "PID": 1040, "Process": "spoolsv.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:directory:knowndlls

vol_handles

›

Raw tool output · b118f6fb8f86623aa6e212ef6edd9af58262b726

{"GrantedAccess": 3, "HandleValue": 56, "Name": "KnownDlls", "Offset": 229276702421120, "PID": 1040, "Process": "spoolsv.exe", "Type": "Directory", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:event:60

vol_handles

›

Raw tool output · 57975b870f328319032460ad3f41efb1058e7811

{"GrantedAccess": 2031619, "HandleValue": 60, "Name": null, "Offset": 154518738955696, "PID": 1040, "Process": "spoolsv.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:event:64

vol_handles

›

Raw tool output · eb4e9278ad889d5787985d2fdc05528dc81c0251

{"GrantedAccess": 2031619, "HandleValue": 64, "Name": null, "Offset": 154518738964448, "PID": 1040, "Process": "spoolsv.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:file:\device\harddiskvolume2\windows\system32

vol_handles

›

Raw tool output · b4bc88cf18d4420290d02f9434eefdc6b21a7797

{"GrantedAccess": 1048608, "HandleValue": 68, "Name": "\\Device\\HarddiskVolume2\\Windows\\System32", "Offset": 154518739382400, "PID": 1040, "Process": "spoolsv.exe", "Type": "File", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:etwregistration:72

vol_handles

›

Raw tool output · 1f30e9ffac8479bbc7d2c09df957ccf3f5cd8493

{"GrantedAccess": 2052, "HandleValue": 72, "Name": null, "Offset": 154518739443824, "PID": 1040, "Process": "spoolsv.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:event:76

vol_handles

›

Raw tool output · 9904c2f0517764a4eece8f475cb7bd7299a37fc2

{"GrantedAccess": 2031619, "HandleValue": 76, "Name": null, "Offset": 154518739554784, "PID": 1040, "Process": "spoolsv.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:alpc port:80

vol_handles

›

Raw tool output · cd6211d4dd1a70775c3c6d7161d0521f03616f9f

{"GrantedAccess": 2031617, "HandleValue": 80, "Name": null, "Offset": 154518739517552, "PID": 1040, "Process": "spoolsv.exe", "Type": "ALPC Port", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:etwregistration:84

vol_handles

›

Raw tool output · 253837053f4e3f761cffbd105f247d0a6985e087

{"GrantedAccess": 2052, "HandleValue": 84, "Name": null, "Offset": 154518739518432, "PID": 1040, "Process": "spoolsv.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:iocompletion:88

vol_handles

›

Raw tool output · 498278fb526ab29bfa08ac3212582547e09f2c84

{"GrantedAccess": 2031619, "HandleValue": 88, "Name": null, "Offset": 154518738758784, "PID": 1040, "Process": "spoolsv.exe", "Type": "IoCompletion", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:tpworkerfactory:92

vol_handles

›

Raw tool output · 33460f29c83f4280d8667483388038e103861fc9

{"GrantedAccess": 983295, "HandleValue": 92, "Name": null, "Offset": 154518739516656, "PID": 1040, "Process": "spoolsv.exe", "Type": "TpWorkerFactory", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:irtimer:96

vol_handles

›

Raw tool output · de8510de2c339fc9696de0f2f0203995295288f4

{"GrantedAccess": 1048578, "HandleValue": 96, "Name": null, "Offset": 154518739516384, "PID": 1040, "Process": "spoolsv.exe", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:waitcompletionpacket:100

vol_handles

›

Raw tool output · 2793ea3d9f98c2c104c8b502548896b4e50ff52d

{"GrantedAccess": 1, "HandleValue": 100, "Name": null, "Offset": 154518739392928, "PID": 1040, "Process": "spoolsv.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:irtimer:104

vol_handles

›

Raw tool output · 89232e0fe699c7ad85603e1dba84a20348d3aed0

{"GrantedAccess": 1048578, "HandleValue": 104, "Name": null, "Offset": 154518739525456, "PID": 1040, "Process": "spoolsv.exe", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:waitcompletionpacket:108

vol_handles

›

Raw tool output · 79adc3c5d3343a7709a8646340d0240a05b730c6

{"GrantedAccess": 1, "HandleValue": 108, "Name": null, "Offset": 154518739420608, "PID": 1040, "Process": "spoolsv.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:directory:basenamedobjects

vol_handles

›

Raw tool output · 3572bbc9569a3e271f779e173612ca2783fca5e0

{"GrantedAccess": 15, "HandleValue": 112, "Name": "BaseNamedObjects", "Offset": 229276810769120, "PID": 1040, "Process": "spoolsv.exe", "Type": "Directory", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:etwregistration:116

vol_handles

›

Raw tool output · 79273d32357ea937757c9be1866e14483975f1d4

{"GrantedAccess": 2052, "HandleValue": 116, "Name": null, "Offset": 154518739538944, "PID": 1040, "Process": "spoolsv.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:etwregistration:120

vol_handles

›

Raw tool output · 84737b762917d6b550eb1b1e0c14b04a7922a31f

{"GrantedAccess": 2052, "HandleValue": 120, "Name": null, "Offset": 154518739663264, "PID": 1040, "Process": "spoolsv.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:etwregistration:124

vol_handles

›

Raw tool output · c0fc181a1a9a588a6be309a96f4eb786f590dee7

{"GrantedAccess": 2052, "HandleValue": 124, "Name": null, "Offset": 154518739663040, "PID": 1040, "Process": "spoolsv.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:key:machine\system\controlset001\control\session manager

vol_handles

›

Raw tool output · 6a55b376e33f87534416e7b8e4cc7d4117b709ad

{"GrantedAccess": 1, "HandleValue": 128, "Name": "MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER", "Offset": 229276730466160, "PID": 1040, "Process": "spoolsv.exe", "Type": "Key", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:key:machine\system\controlset001\control\nls\sorting\versions

vol_handles

›

Raw tool output · 9237a84e702ce435311ba150ffd18cb873f2aa2b

{"GrantedAccess": 131097, "HandleValue": 132, "Name": "MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\SORTING\\VERSIONS", "Offset": 229276730231152, "PID": 1040, "Process": "spoolsv.exe", "Type": "Key", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:etwregistration:136

vol_handles

›

Raw tool output · 479bca4d5634d9d5c23502b75be741d2caff26c3

{"GrantedAccess": 2052, "HandleValue": 136, "Name": null, "Offset": 154518739543728, "PID": 1040, "Process": "spoolsv.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:event:140

vol_handles

›

Raw tool output · 6807b1deaf674ff1bf4eff0e67fc898b7c621f2b

{"GrantedAccess": 2031619, "HandleValue": 140, "Name": null, "Offset": 154518739544224, "PID": 1040, "Process": "spoolsv.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:iocompletion:144

vol_handles

›

Raw tool output · b6b95d4ec8f49cbda2701acdb3b96a28a6441a93

{"GrantedAccess": 2031619, "HandleValue": 144, "Name": null, "Offset": 154518739543488, "PID": 1040, "Process": "spoolsv.exe", "Type": "IoCompletion", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:powerrequest:148

vol_handles

›

Raw tool output · 6504b5a38f87e1c2a9b6650521eedd3259050ed7

{"GrantedAccess": 0, "HandleValue": 148, "Name": null, "Offset": 154518772208592, "PID": 1040, "Process": "spoolsv.exe", "Type": "PowerRequest", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:desktop:default

vol_handles

›

Raw tool output · f4961a331a0b8a10d74826964ec2b89742cb7eb0

{"GrantedAccess": 983247, "HandleValue": 152, "Name": "Default", "Offset": 154518745783008, "PID": 1040, "Process": "spoolsv.exe", "Type": "Desktop", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:windowstation:winsta0

vol_handles

›

Raw tool output · 0e6430d3a3af6232b9622bc1f1f56872c1cc5f00

{"GrantedAccess": 131843, "HandleValue": 156, "Name": "WinSta0", "Offset": 154518703630832, "PID": 1040, "Process": "spoolsv.exe", "Type": "WindowStation", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:file:\device\harddiskvolume2\windows\system32\en-us\spoolsv.exe.mui

vol_handles

›

Raw tool output · ea1417d8c604b59d2ba5aedc911ff7feb354ed5c

{"GrantedAccess": 1179785, "HandleValue": 160, "Name": "\\Device\\HarddiskVolume2\\Windows\\System32\\en-US\\spoolsv.exe.mui", "Offset": 154518739380176, "PID": 1040, "Process": "spoolsv.exe", "Type": "File", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:etwregistration:164

vol_handles

›

Raw tool output · 475072b0f20dbfcf9b0e01ab51da682b28e058c0

{"GrantedAccess": 2052, "HandleValue": 164, "Name": null, "Offset": 154518739564416, "PID": 1040, "Process": "spoolsv.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:thread:tid 1912 pid 1040

vol_handles

›

Raw tool output · 56bf46b71655d77ac28f152716327e4bf007b001

{"GrantedAccess": 2097151, "HandleValue": 168, "Name": "Tid 1912 Pid 1040", "Offset": 154518739636352, "PID": 1040, "Process": "spoolsv.exe", "Type": "Thread", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:etwregistration:172

vol_handles

›

Raw tool output · 393d4beee3a35d6714321782b48fac47e96bfa2f

{"GrantedAccess": 2052, "HandleValue": 172, "Name": null, "Offset": 154518739564064, "PID": 1040, "Process": "spoolsv.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:etwregistration:176

vol_handles

›

Raw tool output · a3b7f4a1eb627582bca246da7bc98f034c60b282

{"GrantedAccess": 2052, "HandleValue": 176, "Name": null, "Offset": 154518739563840, "PID": 1040, "Process": "spoolsv.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:etwregistration:180

vol_handles

›

Raw tool output · 547b923af12c50075926fffd7daf9b5e84ae4c6a

{"GrantedAccess": 2052, "HandleValue": 180, "Name": null, "Offset": 154518739563616, "PID": 1040, "Process": "spoolsv.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:1040:etwregistration:184

vol_handles

›

Raw tool output · 6457895ca2be4cd6d27d0fed4ee5bc26720a911a

{"GrantedAccess": 2052, "HandleValue": 184, "Name": null, "Offset": 154518739574672, "PID": 1040, "Process": "spoolsv.exe", "Type": "EtwRegistration", "TreeDepth": 0}

▣

network connection factpid:1040

vol_netscan

›

Raw tool output · a8047402ed505919d986f1cbfeccb454b1143e82

{"Created": "2018-08-30T13:52:23+00:00", "ForeignAddr": "0.0.0.0", "ForeignPort": 0, "LocalAddr": "0.0.0.0", "LocalPort": 49673, "Offset": 154518738835696, "Owner": "spoolsv.exe", "PID": 1040, "Proto": "TCPv4", "State": "LISTENING", "TreeDepth": 0}

▣

network connection factpid:1040

vol_netscan

›

Raw tool output · 7eddc54f19641d7ac24e5813b7e4c3b4b84f855c

{"Created": "2018-08-30T13:52:23+00:00", "ForeignAddr": "::", "ForeignPort": 0, "LocalAddr": "::", "LocalPort": 49673, "Offset": 154518738835696, "Owner": "spoolsv.exe", "PID": 1040, "Proto": "TCPv6", "State": "LISTENING", "TreeDepth": 0}

▣

process factpid:1040

vol_psscan

›

Raw tool output · 52790235ba614ff7a5a0255dea8de7b5fab33d1b

{"CreateTime": "2018-08-30T13:52:23+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "spoolsv.exe", "Offset(V)": 154518739060096, "PID": 1040, "PPID": 740, "SessionId": 0, "Threads": 10, "Wow64": false, "TreeDepth": 0}

▣

process relationship factpid:1040->pid:740

vol_psscanvol_pstree

›

Raw tool output · 5e5aa6333f00c1cfe1c88bdec81cd36382e8ff44

{"CreateTime": "2018-08-30T13:52:23+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "spoolsv.exe", "Offset(V)": 154518739060096, "PID": 1040, "PPID": 740, "SessionId": 0, "Threads": 10, "Wow64": false, "TreeDepth": 0}

Source tools

vol_netscanvol_pstree