Veritas
F020 · LOW · Suspicious · validator: passed

Network connections to internal targets on RDP port 3389 in CLOSED state

RDP port connections to 172.16.4.5:3389

Analyst narrative

Multiple TCP connections from the system IP 172.16.6.11 to 172.16.4.5:3389 (the RDP port) were found in CLOSED state, with no active connection present. The pattern suggests reconnaissance or failed RDP lateral-movement attempts. Note that the netscan records for these connections carry null Created, PID and Owner fields, so they cannot be attributed to a process or placed in time from this evidence alone; corroborate with host or authentication logs on 172.16.4.5 before treating this as confirmed lateral movement.

Claims asserted

connection-vol_netscan

Proof chain · 43 facts

Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.

network connection factpid:652
vol_netscan
Raw tool output · 725aba10d88e7b947aca621d3fe003ccb08fbd81
{"Created": "2018-08-30T13:52:22+00:00", "ForeignAddr": "0.0.0.0", "ForeignPort": 0, "LocalAddr": "0.0.0.0", "LocalPort": 3389, "Offset": 154518674278720, "Owner": "svchost.exe", "PID": 652, "Proto": "TCPv4", "State": "LISTENING", "TreeDepth": 0}
network connection factnet:172.16.6.11:49788-172.16.4.10:8080
vol_netscan
Raw tool output · 45d4b7c2f777e9f81d108fdb0c35dcb3cd371886
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 49788, "Offset": 154518679887024, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "ESTABLISHED", "TreeDepth": 0}
network connection factpid:9088
vol_netscan
Raw tool output · 0479e83c55bb3a9f97be35caa60f18cd3eb7c35b
{"Created": "2018-08-30T13:55:00+00:00", "ForeignAddr": "*", "ForeignPort": 0, "LocalAddr": "172.16.6.11", "LocalPort": 51201, "Offset": 154518682425664, "Owner": "svchost.exe", "PID": 9088, "Proto": "UDPv4", "State": "", "TreeDepth": 0}
network connection factnet:172.16.6.11:52703-172.16.4.10:8080
vol_netscan
Raw tool output · fe28080ea5e105743a465f19a1aa8bc81315c5ff
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 52703, "Offset": 154518690153728, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSE_WAIT", "TreeDepth": 0}
network connection factnet:172.16.6.11:50253-172.16.4.10:8080
vol_netscan
Raw tool output · eb2d424706139a55a1b8caf8f665d269ca9e42bc
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 50253, "Offset": 154518692227712, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSE_WAIT", "TreeDepth": 0}
network connection factnet:172.16.6.11:50263-172.16.4.10:8080
vol_netscan
Raw tool output · 8240d15b6f90596d65d9ce49eb06acabf6e2a8aa
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 50263, "Offset": 154518692506208, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSE_WAIT", "TreeDepth": 0}
network connection factnet:172.16.6.11:63826-172.16.4.5:3389
vol_netscan
Raw tool output · aeb9209ea4368f567ce272e01203d0a200e2b524
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63826, "Offset": 154518692996752, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
network connection factnet:172.16.6.11:50259-172.16.4.10:8080
vol_netscan
Raw tool output · 73371a820927922ddc29f6f811bae01b09352b55
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 50259, "Offset": 154518694399152, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSE_WAIT", "TreeDepth": 0}
network connection factnet:172.16.6.11:59352-172.16.7.15:445
vol_netscan
Raw tool output · 9a78f1990baabbfb213815c38baf3de2eca500bd
{"Created": null, "ForeignAddr": "172.16.7.15", "ForeignPort": 445, "LocalAddr": "172.16.6.11", "LocalPort": 59352, "Offset": 154518694659152, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "ESTABLISHED", "TreeDepth": 0}
network connection factpid:692
vol_netscan
Raw tool output · 40f62b286451ff6ac82c166792107e871ea9c6a7
{"Created": "2018-08-30T13:53:54+00:00", "ForeignAddr": "0.0.0.0", "ForeignPort": 0, "LocalAddr": "172.16.6.11", "LocalPort": 5040, "Offset": 154518715144704, "Owner": "svchost.exe", "PID": 692, "Proto": "TCPv4", "State": "LISTENING", "TreeDepth": 0}
network connection factnet:172.16.6.11:49774-172.16.4.10:8080
vol_netscan
Raw tool output · 52eb5529a86798cbf807b242ba07f4e4be093f65
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 49774, "Offset": 154518715368640, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSE_WAIT", "TreeDepth": 0}
network connection factnet:172.16.6.11:49782-13.89.220.65:443
vol_netscan
Raw tool output · 8d5932d9b0576f65f07029e72d9e4ef5e644b20c
{"Created": null, "ForeignAddr": "13.89.220.65", "ForeignPort": 443, "LocalAddr": "172.16.6.11", "LocalPort": 49782, "Offset": 154518715500448, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
network connection factpid:4
vol_netscan
Raw tool output · 9b268e648672ae208d5c9239da8015936175146e
{"Created": "2018-08-30T13:52:22+00:00", "ForeignAddr": "0.0.0.0", "ForeignPort": 0, "LocalAddr": "172.16.6.11", "LocalPort": 139, "Offset": 154518717071376, "Owner": "System", "PID": 4, "Proto": "TCPv4", "State": "LISTENING", "TreeDepth": 0}
network connection factnet:172.16.6.11:50257-172.16.4.10:8080
vol_netscan
Raw tool output · d2c17272872caf1e215e31b676a6baa675c8e639
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 50257, "Offset": 154518720063824, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSE_WAIT", "TreeDepth": 0}
network connection factpid:4
vol_netscan
Raw tool output · 76a48cd2750e404abea09669bccde1534f1fe61d
{"Created": "2018-08-30T13:52:22+00:00", "ForeignAddr": "*", "ForeignPort": 0, "LocalAddr": "172.16.6.11", "LocalPort": 137, "Offset": 154518723210944, "Owner": "System", "PID": 4, "Proto": "UDPv4", "State": "", "TreeDepth": 0}
network connection factnet:172.16.6.11:49763-172.16.4.5:445
vol_netscan
Raw tool output · ff3db042d5cb036bf168fa4b21fcd3477e6c0198
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 445, "LocalAddr": "172.16.6.11", "LocalPort": 49763, "Offset": 154518739399760, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "ESTABLISHED", "TreeDepth": 0}
network connection factpid:652
vol_netscan
Raw tool output · 20515eec923e3b6cee0a06158eb8fc2aabb2c4e7
{"Created": "2018-08-30T13:52:22+00:00", "ForeignAddr": "*", "ForeignPort": 0, "LocalAddr": "0.0.0.0", "LocalPort": 3389, "Offset": 154518740366080, "Owner": "svchost.exe", "PID": 652, "Proto": "UDPv4", "State": "", "TreeDepth": 0}
network connection factpid:652
vol_netscan
Raw tool output · e991c423bba30db63e7d41e31ecc6a8c1f7fb53a
{"Created": "2018-08-30T13:52:22+00:00", "ForeignAddr": "*", "ForeignPort": 0, "LocalAddr": "::", "LocalPort": 3389, "Offset": 154518740366080, "Owner": "svchost.exe", "PID": 652, "Proto": "UDPv6", "State": "", "TreeDepth": 0}
network connection factpid:652
vol_netscan
Raw tool output · 7319f2005261363b3d8787294fdcbc3de825a56b
{"Created": "2018-08-30T13:52:22+00:00", "ForeignAddr": "::", "ForeignPort": 0, "LocalAddr": "::", "LocalPort": 3389, "Offset": 154518740519152, "Owner": "svchost.exe", "PID": 652, "Proto": "TCPv6", "State": "LISTENING", "TreeDepth": 0}
network connection factnet:172.16.6.11:63834-172.16.4.5:3389
vol_netscan
Raw tool output · 405beeb570082cbe9e89df17ff6d6da38904065b
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63834, "Offset": 154518742383024, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
network connection factpid:4
vol_netscan
Raw tool output · 3463442a527eccd5c71f05a8be0b0d91fa0306ff
{"Created": "2018-08-30T13:52:22+00:00", "ForeignAddr": "*", "ForeignPort": 0, "LocalAddr": "172.16.6.11", "LocalPort": 138, "Offset": 154518746994880, "Owner": "System", "PID": 4, "Proto": "UDPv4", "State": "", "TreeDepth": 0}
network connection factnet:172.16.6.11:63828-172.16.4.5:3389
vol_netscan
Raw tool output · 0f1fa89fc3ba9d753331710bc918bda45828d2f9
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63828, "Offset": 154518754851184, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
network connection factnet:172.16.6.11:63958-172.16.4.5:3389
vol_netscan
Raw tool output · 6e7b21f9db76f724fcb16f9bf65a79c5be53e861
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63958, "Offset": 154518756274192, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
network connection factpid:9088
vol_netscan
Raw tool output · 5ff044be3e6e0538d23b1ce4e375aee7905bf59c
{"Created": "2018-08-30T13:55:00+00:00", "ForeignAddr": "*", "ForeignPort": 0, "LocalAddr": "172.16.6.11", "LocalPort": 1900, "Offset": 154518760493072, "Owner": "svchost.exe", "PID": 9088, "Proto": "UDPv4", "State": "", "TreeDepth": 0}
network connection factnet:172.16.6.11:50254-172.16.4.10:8080
vol_netscan
Raw tool output · 21d0b079670960346cbf62318b356b9b83230116
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 50254, "Offset": 154518766804144, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSE_WAIT", "TreeDepth": 0}
network connection factnet:172.16.6.11:50258-172.16.4.10:8080
vol_netscan
Raw tool output · 063cb3cd2c0c96a76efc4bb37108c4b4bc2cca8d
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 50258, "Offset": 154518774604992, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSE_WAIT", "TreeDepth": 0}
network connection factnet:172.16.6.11:3262-172.16.5.50:39372
vol_netscan
Raw tool output · f3681a99312046d05d017452339a36616bda5e39
{"Created": null, "ForeignAddr": "172.16.5.50", "ForeignPort": 39372, "LocalAddr": "172.16.6.11", "LocalPort": 3262, "Offset": 154518785087184, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "ESTABLISHED", "TreeDepth": 0}
network connection factnet:172.16.6.11:56345-172.16.4.4:389
vol_netscan
Raw tool output · a06e6c11912b6fd9cf66931a52d3965c0e44029a
{"Created": null, "ForeignAddr": "172.16.4.4", "ForeignPort": 389, "LocalAddr": "172.16.6.11", "LocalPort": 56345, "Offset": 154518791757840, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
network connection factnet:172.16.6.11:63848-172.16.4.5:3389
vol_netscan
Raw tool output · c287666702eb8f1a5812e152a6ca658068dd7b24
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63848, "Offset": 154518792675744, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
network connection factnet:172.16.6.11:63823-172.16.4.5:3389
vol_netscan
Raw tool output · 24bc6ebbe4d10f91ce96ca8921b39e7e33782e2f
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63823, "Offset": 154518804605376, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
network connection factnet:172.16.6.11:63841-172.16.4.5:3389
vol_netscan
Raw tool output · 419365dd4d760daf13900223644b67a1fe7ad7a7
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63841, "Offset": 154518806287488, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
network connection factnet:172.16.6.11:63835-172.16.4.5:3389
vol_netscan
Raw tool output · e86027055d20ad56a1baecd5f41c330f26ba1e69
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63835, "Offset": 154518820071680, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
network connection factnet:172.16.6.11:445-172.16.6.14:65368
vol_netscan
Raw tool output · a19cc14d223a05f1dda6f207bfdb770e5df5bbf8
{"Created": null, "ForeignAddr": "172.16.6.14", "ForeignPort": 65368, "LocalAddr": "172.16.6.11", "LocalPort": 445, "Offset": 154518820254832, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "ESTABLISHED", "TreeDepth": 0}
network connection factnet:172.16.6.11:63931-172.16.4.10:8080
vol_netscan
Raw tool output · b952b56ef64df8581e1aa604faaacb30bb3f85bd
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 63931, "Offset": 154518826270736, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
network connection factnet:172.16.6.11:49790-172.16.4.10:8080
vol_netscan
Raw tool output · 3f36c971b486b7ff307956461dd2d61654777753
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 49790, "Offset": 154518828363792, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
network connection factnet:172.16.6.11:49787-172.16.4.10:8080
vol_netscan
Raw tool output · e392f5b73c6f58acd8bcfbe3d21a21608a73493a
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 49787, "Offset": 154518829561024, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "ESTABLISHED", "TreeDepth": 0}
network connection factnet:172.16.6.11:49360-52.16.55.11:443
vol_netscan
Raw tool output · 0970c338a07a54d32016c46c5470dfb476d0b791
{"Created": null, "ForeignAddr": "52.16.55.11", "ForeignPort": 443, "LocalAddr": "172.16.6.11", "LocalPort": 49360, "Offset": 154518829570624, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
network connection factnet:172.16.6.11:49735-172.16.4.10:8080
vol_netscan
Raw tool output · a3d6adec60488c187a6d12c31139174433984f05
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 49735, "Offset": 154518833790992, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
network connection factnet:172.16.6.11:65294-172.16.5.20:443
vol_netscan
Raw tool output · 23d50e5d62f96012434d891394333cb91e3ec70d
{"Created": null, "ForeignAddr": "172.16.5.20", "ForeignPort": 443, "LocalAddr": "172.16.6.11", "LocalPort": 65294, "Offset": 154518834879664, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
network connection factnet:172.16.6.11:49791-172.16.5.21:5985
vol_netscan
Raw tool output · 93af04c5a34a0af5441fe618fdda658fc0872e0d
{"Created": null, "ForeignAddr": "172.16.5.21", "ForeignPort": 5985, "LocalAddr": "172.16.6.11", "LocalPort": 49791, "Offset": 154518835141808, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
network connection factnet:172.16.6.11:49786-172.16.4.10:8080
vol_netscan
Raw tool output · 0cc280c297fb251385dbd928ce5126267bb989f9
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 49786, "Offset": 154518847709200, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "ESTABLISHED", "TreeDepth": 0}
network ioc fact172.16.6.11
extract_network_iocs
Raw tool output · 68f14fd4fad8ecb4e951f3c801abfcdf20d4118c
{"type": "ipv4", "value": "172.16.6.11", "original_value": "172.16.6.11", "classification": "private", "port": null, "source_tools": ["vol_netscan"], "sources": [{"source_tool": "vol_netscan", "source_field": "LocalAddr", "source_index": 9, "source_path": "vol_netscan.output[9].LocalAddr", "context": "172.16.6.11", "offset": 0}, {"source_tool": "vol_netscan", "source_field": "LocalAddr", "source_index": 10, "source_path": "vol_netscan.output[10].LocalAddr", "context": "172.16.6.11", "offset": 0}, {"source_tool": "vol_netscan", "source_field": "LocalAddr", "source_index": 13, "source_path": "vo
network ioc fact172.16.4.5
extract_network_iocs
Raw tool output · f84874d0852c27d777f18ba517d4df25ef31c342
{"type": "ipv4", "value": "172.16.4.5", "original_value": "172.16.4.5", "classification": "private", "port": null, "source_tools": ["vol_netscan"], "sources": [{"source_tool": "vol_netscan", "source_field": "ForeignAddr", "source_index": 16, "source_path": "vol_netscan.output[16].ForeignAddr", "context": "172.16.4.5", "offset": 0}, {"source_tool": "vol_netscan", "source_field": "ForeignAddr", "source_index": 52, "source_path": "vol_netscan.output[52].ForeignAddr", "context": "172.16.4.5", "offset": 0}, {"source_tool": "vol_netscan", "source_field": "ForeignAddr", "source_index": 70, "source_pa

Source tools

vol_netscan