F018LOWBenign / FPvalidator: passed

Multiple privileged network services listening on non-standard ports

Service network listeners on custom ports

Analyst narrative

spoolsv.exe (PID 1040) and macmnsvc.exe (PID 2228) configured to listen on non-standard ports (8081, 8082) with UDP/TCP bindings. This configuration enables lateral movement and remote service exploitation.

Claims asserted

pid-vol_netscanvol_pstree

Proof chain · 50 facts

Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.

⊞

handle facthandle:pid:2228:event:4

vol_handles

›

Raw tool output · c3e72ae00e4f10d65c77a4385f5fc1cdc1f09c7c

{"GrantedAccess": 2031619, "HandleValue": 4, "Name": null, "Offset": 154518748633472, "PID": 2228, "Process": "macmnsvc.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:waitcompletionpacket:8

vol_handles

›

Raw tool output · e409b821cebd9ed6636a6af94149dc9473dec64d

{"GrantedAccess": 1, "HandleValue": 8, "Name": null, "Offset": 154518748595600, "PID": 2228, "Process": "macmnsvc.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:iocompletion:12

vol_handles

›

Raw tool output · 359b4a45aa26f26104c91cb0a4bfa24c2e152759

{"GrantedAccess": 2031619, "HandleValue": 12, "Name": null, "Offset": 154518748633280, "PID": 2228, "Process": "macmnsvc.exe", "Type": "IoCompletion", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:tpworkerfactory:16

vol_handles

›

Raw tool output · e0d9069bee63d21dc48120d8a2f454676fafdb2e

{"GrantedAccess": 983295, "HandleValue": 16, "Name": null, "Offset": 154518748525072, "PID": 2228, "Process": "macmnsvc.exe", "Type": "TpWorkerFactory", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:irtimer:20

vol_handles

›

Raw tool output · 3a0185e5a8f362f119a256156e9694cac84e6afc

{"GrantedAccess": 1048578, "HandleValue": 20, "Name": null, "Offset": 154518748524640, "PID": 2228, "Process": "macmnsvc.exe", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:waitcompletionpacket:24

vol_handles

›

Raw tool output · 74d5d20832778a7a0cfa91a07b66a6dd0c9b1481

{"GrantedAccess": 1, "HandleValue": 24, "Name": null, "Offset": 154518748647312, "PID": 2228, "Process": "macmnsvc.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:irtimer:28

vol_handles

›

Raw tool output · 377247212493e9cc8abc97faa6c4cb91273198a8

{"GrantedAccess": 1048578, "HandleValue": 28, "Name": null, "Offset": 154518748647040, "PID": 2228, "Process": "macmnsvc.exe", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:waitcompletionpacket:32

vol_handles

›

Raw tool output · 3a76b480b4175675fdafa3613cd423010653185f

{"GrantedAccess": 1, "HandleValue": 32, "Name": null, "Offset": 154518748646832, "PID": 2228, "Process": "macmnsvc.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:etwregistration:36

vol_handles

›

Raw tool output · cb7426fca64c2997d5a3fc37502302f53f73006f

{"GrantedAccess": 2052, "HandleValue": 36, "Name": null, "Offset": 154518748646624, "PID": 2228, "Process": "macmnsvc.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:etwregistration:40

vol_handles

›

Raw tool output · d7796c9706d8705612af3a41b5116e0c3bb53e00

{"GrantedAccess": 2052, "HandleValue": 40, "Name": null, "Offset": 154518748628288, "PID": 2228, "Process": "macmnsvc.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:etwregistration:44

vol_handles

›

Raw tool output · a5c265670cd19698709fa8932031d24c8aab38bc

{"GrantedAccess": 2052, "HandleValue": 44, "Name": null, "Offset": 154518748628064, "PID": 2228, "Process": "macmnsvc.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:directory:knowndlls

vol_handles

›

Raw tool output · 30471d0c741d53cf7e1c1c6666e206351b49d999

{"GrantedAccess": 3, "HandleValue": 48, "Name": "KnownDlls", "Offset": 229276702421120, "PID": 2228, "Process": "macmnsvc.exe", "Type": "Directory", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:event:52

vol_handles

›

Raw tool output · 1b3cab2acbeec6c699a294661ddc319c48c404b8

{"GrantedAccess": 2031619, "HandleValue": 52, "Name": null, "Offset": 154518748524944, "PID": 2228, "Process": "macmnsvc.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:event:56

vol_handles

›

Raw tool output · 10e6dbcb6b67923112c1e2b3661a2beec3bd7fd6

{"GrantedAccess": 2031619, "HandleValue": 56, "Name": null, "Offset": 154518748646480, "PID": 2228, "Process": "macmnsvc.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:file:\device\harddiskvolume2\windows\system32

vol_handles

›

Raw tool output · b7cd896595727c7d6259f4e19c41441ffa07525a

{"GrantedAccess": 1048608, "HandleValue": 60, "Name": "\\Device\\HarddiskVolume2\\Windows\\System32", "Offset": 154518748641296, "PID": 2228, "Process": "macmnsvc.exe", "Type": "File", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:etwregistration:64

vol_handles

›

Raw tool output · 5a8df8e7d5c2d000bdfffe655a3f8e27fc30fb31

{"GrantedAccess": 2052, "HandleValue": 64, "Name": null, "Offset": 154518748613472, "PID": 2228, "Process": "macmnsvc.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:etwregistration:68

vol_handles

›

Raw tool output · f59e94898168906edca24a1e231e131f5b544cdd

{"GrantedAccess": 2052, "HandleValue": 68, "Name": null, "Offset": 154518748613248, "PID": 2228, "Process": "macmnsvc.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:alpc port:72

vol_handles

›

Raw tool output · 473e0f77f05cec78282dc01a4ca502eee8c01706

{"GrantedAccess": 2031617, "HandleValue": 72, "Name": null, "Offset": 154518748607856, "PID": 2228, "Process": "macmnsvc.exe", "Type": "ALPC Port", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:iocompletion:76

vol_handles

›

Raw tool output · f256b85a2bbd4fd8ab98b6be0cf3e058becbb1c0

{"GrantedAccess": 2031619, "HandleValue": 76, "Name": null, "Offset": 154518748650816, "PID": 2228, "Process": "macmnsvc.exe", "Type": "IoCompletion", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:tpworkerfactory:80

vol_handles

›

Raw tool output · 27f9b34c32220a8d11c861fec894ab5aac7fc6d2

{"GrantedAccess": 983295, "HandleValue": 80, "Name": null, "Offset": 154518748650288, "PID": 2228, "Process": "macmnsvc.exe", "Type": "TpWorkerFactory", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:irtimer:84

vol_handles

›

Raw tool output · 05df439505b3c786a88324427679078dc87a2708

{"GrantedAccess": 1048578, "HandleValue": 84, "Name": null, "Offset": 154518748615408, "PID": 2228, "Process": "macmnsvc.exe", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:waitcompletionpacket:88

vol_handles

›

Raw tool output · 8d39f2e752534aebb771aa6df15c3e8d4b0e3e84

{"GrantedAccess": 1, "HandleValue": 88, "Name": null, "Offset": 154518748650080, "PID": 2228, "Process": "macmnsvc.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:irtimer:92

vol_handles

›

Raw tool output · 12431ba2a8fa9e6d80b073967afedac452186629

{"GrantedAccess": 1048578, "HandleValue": 92, "Name": null, "Offset": 154518748649808, "PID": 2228, "Process": "macmnsvc.exe", "Type": "IRTimer", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:waitcompletionpacket:96

vol_handles

›

Raw tool output · d39d83e0ebc58788983b0ab80beb78b7cc75776d

{"GrantedAccess": 1, "HandleValue": 96, "Name": null, "Offset": 154518748649600, "PID": 2228, "Process": "macmnsvc.exe", "Type": "WaitCompletionPacket", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:key:machine\system\controlset001\control\session manager

vol_handles

›

Raw tool output · 59d4d091b8f19fb597b7d2291e09aac96eb36499

{"GrantedAccess": 1, "HandleValue": 100, "Name": "MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER", "Offset": 229276731861392, "PID": 2228, "Process": "macmnsvc.exe", "Type": "Key", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:etwregistration:104

vol_handles

›

Raw tool output · 745fea25e9b649f4415f3c0ae151001d509f6840

{"GrantedAccess": 2052, "HandleValue": 104, "Name": null, "Offset": 154518748807760, "PID": 2228, "Process": "macmnsvc.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:etwregistration:108

vol_handles

›

Raw tool output · b6f3c31f97cb8de25f44a6e1777b460e6d54a5ba

{"GrantedAccess": 2052, "HandleValue": 108, "Name": null, "Offset": 154518748875616, "PID": 2228, "Process": "macmnsvc.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:etwregistration:112

vol_handles

›

Raw tool output · 79cde0a6089086ca3a730097f6ca8f71e78ddeae

{"GrantedAccess": 2052, "HandleValue": 112, "Name": null, "Offset": 154518748807984, "PID": 2228, "Process": "macmnsvc.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:key:machine\system\controlset001\control\nls\sorting\versions

vol_handles

›

Raw tool output · 85e28814f8853d10408b8b2449dcb23e8d2593fe

{"GrantedAccess": 131097, "HandleValue": 116, "Name": "MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\SORTING\\VERSIONS", "Offset": 229276733206016, "PID": 2228, "Process": "macmnsvc.exe", "Type": "Key", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:etwregistration:120

vol_handles

›

Raw tool output · 44c1d13b298bc4c1affa84a02a4c0cec9cb18934

{"GrantedAccess": 2052, "HandleValue": 120, "Name": null, "Offset": 154518748875392, "PID": 2228, "Process": "macmnsvc.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:etwregistration:124

vol_handles

›

Raw tool output · 75ea36fe3d0afdbc9628b90174fa2c68a692cc82

{"GrantedAccess": 2052, "HandleValue": 124, "Name": null, "Offset": 154518748830608, "PID": 2228, "Process": "macmnsvc.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:etwregistration:128

vol_handles

›

Raw tool output · 540f79a5a06d7d5198664971f559c44feef6b758

{"GrantedAccess": 2052, "HandleValue": 128, "Name": null, "Offset": 154518748830256, "PID": 2228, "Process": "macmnsvc.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:key:machine\software\microsoft\windows nt\currentversion\image file execution options

vol_handles

›

Raw tool output · 58c8cdbfb333277f63822651e03c64aa698f3600

{"GrantedAccess": 9, "HandleValue": 132, "Name": "MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\IMAGE FILE EXECUTION OPTIONS", "Offset": 229276732930400, "PID": 2228, "Process": "macmnsvc.exe", "Type": "Key", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:event:136

vol_handles

›

Raw tool output · a39e7704ee0aa0448234ff2e84e30408ae5a1ae4

{"GrantedAccess": 2031619, "HandleValue": 136, "Name": null, "Offset": 154518748082800, "PID": 2228, "Process": "macmnsvc.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:iocompletion:140

vol_handles

›

Raw tool output · 0eca60cd76fafa4be91f046a678309ec070f8fd6

{"GrantedAccess": 2031619, "HandleValue": 140, "Name": null, "Offset": 154518748887488, "PID": 2228, "Process": "macmnsvc.exe", "Type": "IoCompletion", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:windowstation:service-0x0-3e5$

vol_handles

›

Raw tool output · 340f2ee11c779db14a8d097ef3ae84c48714d1b0

{"GrantedAccess": 983150, "HandleValue": 144, "Name": "Service-0x0-3e5$", "Offset": 154518721536144, "PID": 2228, "Process": "macmnsvc.exe", "Type": "WindowStation", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:desktop:default

vol_handles

›

Raw tool output · e3c5ddd384cf0c57a88aa4e4ca024bdc7df5dc5b

{"GrantedAccess": 983247, "HandleValue": 148, "Name": "Default", "Offset": 154518745677472, "PID": 2228, "Process": "macmnsvc.exe", "Type": "Desktop", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:key:machine

vol_handles

›

Raw tool output · 2aa3af132aedb57751090743e5669a46e2329624

{"GrantedAccess": 131097, "HandleValue": 156, "Name": "MACHINE", "Offset": 229276733195680, "PID": 2228, "Process": "macmnsvc.exe", "Type": "Key", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:etwregistration:160

vol_handles

›

Raw tool output · c55281f16ab9db227755e86778ad004de39bb64a

{"GrantedAccess": 2052, "HandleValue": 160, "Name": null, "Offset": 154518748857184, "PID": 2228, "Process": "macmnsvc.exe", "Type": "EtwRegistration", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:file:\device\cng

vol_handles

›

Raw tool output · ebd219048102470f5534e3acc2648b0932affa97

{"GrantedAccess": 1048577, "HandleValue": 168, "Name": "\\Device\\CNG", "Offset": 154518748842128, "PID": 2228, "Process": "macmnsvc.exe", "Type": "File", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:key:machine\software\microsoft\ole

vol_handles

›

Raw tool output · 25a4ba23d4d549f9211c43569ca8fe60f0bf0cf3

{"GrantedAccess": 131097, "HandleValue": 172, "Name": "MACHINE\\SOFTWARE\\MICROSOFT\\OLE", "Offset": 229276733227584, "PID": 2228, "Process": "macmnsvc.exe", "Type": "Key", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:event:176

vol_handles

›

Raw tool output · 86e3cef5d2898179fb5d48e34ae760e1712dbe5c

{"GrantedAccess": 2031619, "HandleValue": 176, "Name": null, "Offset": 154518748865616, "PID": 2228, "Process": "macmnsvc.exe", "Type": "Event", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:key:user\s-1-5-19\software\classes\local settings\software\microsoft

vol_handles

›

Raw tool output · 8c01783be2b89cd39d869bd8fda4d08812f2b118

{"GrantedAccess": 131097, "HandleValue": 180, "Name": "USER\\S-1-5-19\\SOFTWARE\\CLASSES\\LOCAL SETTINGS\\SOFTWARE\\MICROSOFT", "Offset": 229276733256688, "PID": 2228, "Process": "macmnsvc.exe", "Type": "Key", "TreeDepth": 0}

⊞

handle facthandle:pid:2228:key:user\s-1-5-19\software\classes\local settings

vol_handles

›

Raw tool output · 39aee012c3081db92acda9b5862d3179fb0c99e4

{"GrantedAccess": 131097, "HandleValue": 184, "Name": "USER\\S-1-5-19\\SOFTWARE\\CLASSES\\LOCAL SETTINGS", "Offset": 229276733252480, "PID": 2228, "Process": "macmnsvc.exe", "Type": "Key", "TreeDepth": 0}

▣

network connection factpid:2228

vol_netscan

›

Raw tool output · 70f3c07b252874dfc519c826a553f189f93c73e1

{"Created": "2018-08-30T13:52:49+00:00", "ForeignAddr": "*", "ForeignPort": 0, "LocalAddr": "0.0.0.0", "LocalPort": 8082, "Offset": 154518762496768, "Owner": "macmnsvc.exe", "PID": 2228, "Proto": "UDPv4", "State": "", "TreeDepth": 0}

▣

network connection factpid:2228

vol_netscan

›

Raw tool output · 56dd7fd24de824ef0a9abc51a36e0c3a7062a192

{"Created": "2018-08-30T13:52:49+00:00", "ForeignAddr": "*", "ForeignPort": 0, "LocalAddr": "::", "LocalPort": 8082, "Offset": 154518762496768, "Owner": "macmnsvc.exe", "PID": 2228, "Proto": "UDPv6", "State": "", "TreeDepth": 0}

▣

network connection factpid:2228

vol_netscan

›

Raw tool output · 8cb3bb49a7cd1cf50541ef21c5006545e11703af

{"Created": "2018-08-30T13:52:49+00:00", "ForeignAddr": "0.0.0.0", "ForeignPort": 0, "LocalAddr": "0.0.0.0", "LocalPort": 8081, "Offset": 154518762628544, "Owner": "macmnsvc.exe", "PID": 2228, "Proto": "TCPv4", "State": "LISTENING", "TreeDepth": 0}

▣

network connection factpid:2228

vol_netscan

›

Raw tool output · 421fa53b7705274d2bc47da3c88f9333b93ccd5f

{"Created": "2018-08-30T13:52:49+00:00", "ForeignAddr": "::", "ForeignPort": 0, "LocalAddr": "::", "LocalPort": 8081, "Offset": 154518762796400, "Owner": "macmnsvc.exe", "PID": 2228, "Proto": "TCPv6", "State": "LISTENING", "TreeDepth": 0}

▣

process factpid:2228

vol_psscan

›

Raw tool output · 1e729ab4f1d0140c59479220f5a4f4fbe1e8eb75

{"CreateTime": "2018-08-30T13:52:23+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "macmnsvc.exe", "Offset(V)": 154518748149120, "PID": 2228, "PPID": 740, "SessionId": 0, "Threads": 2, "Wow64": false, "TreeDepth": 0}

▣

process relationship factpid:2228->pid:740

vol_psscanvol_pstree

›

Raw tool output · ebe72cf157b440fdfc47a1e13336737e0ef236aa

{"CreateTime": "2018-08-30T13:52:23+00:00", "ExitTime": null, "File output": "Disabled", "Handles": null, "ImageFileName": "macmnsvc.exe", "Offset(V)": 154518748149120, "PID": 2228, "PPID": 740, "SessionId": 0, "Threads": 2, "Wow64": false, "TreeDepth": 0}

Source tools

vol_netscanvol_pstree