Veritas
F036 · MEDIUM · Suspicious · validator: passed

Additional outbound RDP and SMB reconnaissance connections (TA0007: Discovery, TA0008: Lateral Movement)

network_ioc

Analyst narrative

Volatility netscan output from the analyzed host (local address 172.16.6.11 in every connection fact below) records eight CLOSED-state TCPv4 connections from ephemeral ports 63823–63958 to 172.16.4.5:3389 (RDP), plus ESTABLISHED outbound connections to 172.16.7.15:445 and 172.16.4.5:445 (SMB). A further ESTABLISHED SMB connection, 172.16.6.14:65368 → 172.16.6.11:445, is inbound to this host's own SMB listener and should be treated as a separate event (possible lateral movement toward 172.16.6.11, or ordinary file sharing), not as outbound reconnaissance. No 172.16.5.x address appears in the linked facts; any such connections need their own fact entries before being cited here. The repeated attempts all target a single RDP endpoint, which looks more like retried or failed sessions against one host than a sweep across many, so the "scanning" characterization is an inference rather than an observation. Caveats: CLOSED entries are residual connection objects recovered by the pool scan and carry no Created timestamp or owning PID, so they cannot be ordered in time or attributed to a process from this output alone; the LISTENING entries for PID 652 (svchost.exe, 3389/TCP+UDP, v4+v6) and PID 4 (System, 445) are the host's own listeners, included as context only. The vol_handles entry \Device\Mup\172.16.7.15\pipe\fhsvc-b378 corroborates an active SMB named-pipe session to 172.16.7.15. Candidate ATT&CK mappings: T1021.001 (Remote Desktop Protocol) and T1021.002 (SMB/Windows Admin Shares) under TA0008; T1046 (Network Service Discovery) under TA0007 only if scanning across multiple hosts is confirmed. Confirm whether 172.16.4.5 and 172.16.7.15 are sanctioned RDP/SMB servers for 172.16.6.11 before changing the severity.

Claims asserted

connection-vol_netscan
connection-vol_netscan

Proof chain · 19 facts

Every confirmed claim links by foreign key to the typed fact that validated it and to the forensic tool that produced that fact; the entire chain below is the result of a single finding_trace() query, so each fact can be re-derived from the raw tool output shown under it.

network connection factpid:652
vol_netscan
Raw tool output · 725aba10d88e7b947aca621d3fe003ccb08fbd81
{"Created": "2018-08-30T13:52:22+00:00", "ForeignAddr": "0.0.0.0", "ForeignPort": 0, "LocalAddr": "0.0.0.0", "LocalPort": 3389, "Offset": 154518674278720, "Owner": "svchost.exe", "PID": 652, "Proto": "TCPv4", "State": "LISTENING", "TreeDepth": 0}
network connection factnet:172.16.6.11:63826-172.16.4.5:3389
vol_netscan
Raw tool output · aeb9209ea4368f567ce272e01203d0a200e2b524
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63826, "Offset": 154518692996752, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
network connection factnet:172.16.6.11:59352-172.16.7.15:445
vol_netscan
Raw tool output · 9a78f1990baabbfb213815c38baf3de2eca500bd
{"Created": null, "ForeignAddr": "172.16.7.15", "ForeignPort": 445, "LocalAddr": "172.16.6.11", "LocalPort": 59352, "Offset": 154518694659152, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "ESTABLISHED", "TreeDepth": 0}
network connection factnet:172.16.6.11:49763-172.16.4.5:445
vol_netscan
Raw tool output · ff3db042d5cb036bf168fa4b21fcd3477e6c0198
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 445, "LocalAddr": "172.16.6.11", "LocalPort": 49763, "Offset": 154518739399760, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "ESTABLISHED", "TreeDepth": 0}
network connection factpid:652
vol_netscan
Raw tool output · 20515eec923e3b6cee0a06158eb8fc2aabb2c4e7
{"Created": "2018-08-30T13:52:22+00:00", "ForeignAddr": "*", "ForeignPort": 0, "LocalAddr": "0.0.0.0", "LocalPort": 3389, "Offset": 154518740366080, "Owner": "svchost.exe", "PID": 652, "Proto": "UDPv4", "State": "", "TreeDepth": 0}
network connection factpid:652
vol_netscan
Raw tool output · e991c423bba30db63e7d41e31ecc6a8c1f7fb53a
{"Created": "2018-08-30T13:52:22+00:00", "ForeignAddr": "*", "ForeignPort": 0, "LocalAddr": "::", "LocalPort": 3389, "Offset": 154518740366080, "Owner": "svchost.exe", "PID": 652, "Proto": "UDPv6", "State": "", "TreeDepth": 0}
network connection factpid:652
vol_netscan
Raw tool output · 7319f2005261363b3d8787294fdcbc3de825a56b
{"Created": "2018-08-30T13:52:22+00:00", "ForeignAddr": "::", "ForeignPort": 0, "LocalAddr": "::", "LocalPort": 3389, "Offset": 154518740519152, "Owner": "svchost.exe", "PID": 652, "Proto": "TCPv6", "State": "LISTENING", "TreeDepth": 0}
network connection factpid:4
vol_netscan
Raw tool output · 76c3f1ead8c3368ea68da2918b3335bfc0e0eb16
{"Created": "2018-08-30T13:52:23+00:00", "ForeignAddr": "0.0.0.0", "ForeignPort": 0, "LocalAddr": "0.0.0.0", "LocalPort": 445, "Offset": 154518740852752, "Owner": "System", "PID": 4, "Proto": "TCPv4", "State": "LISTENING", "TreeDepth": 0}
network connection factpid:4
vol_netscan
Raw tool output · 63388592bdd54580ae53fd4791568c5852b9140f
{"Created": "2018-08-30T13:52:23+00:00", "ForeignAddr": "::", "ForeignPort": 0, "LocalAddr": "::", "LocalPort": 445, "Offset": 154518740852752, "Owner": "System", "PID": 4, "Proto": "TCPv6", "State": "LISTENING", "TreeDepth": 0}
network connection factnet:172.16.6.11:63834-172.16.4.5:3389
vol_netscan
Raw tool output · 405beeb570082cbe9e89df17ff6d6da38904065b
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63834, "Offset": 154518742383024, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
network connection factnet:172.16.6.11:63828-172.16.4.5:3389
vol_netscan
Raw tool output · 0f1fa89fc3ba9d753331710bc918bda45828d2f9
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63828, "Offset": 154518754851184, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
network connection factnet:172.16.6.11:63958-172.16.4.5:3389
vol_netscan
Raw tool output · 6e7b21f9db76f724fcb16f9bf65a79c5be53e861
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63958, "Offset": 154518756274192, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
network connection factnet:172.16.6.11:63848-172.16.4.5:3389
vol_netscan
Raw tool output · c287666702eb8f1a5812e152a6ca658068dd7b24
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63848, "Offset": 154518792675744, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
network connection factnet:172.16.6.11:63823-172.16.4.5:3389
vol_netscan
Raw tool output · 24bc6ebbe4d10f91ce96ca8921b39e7e33782e2f
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63823, "Offset": 154518804605376, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
network connection factnet:172.16.6.11:63841-172.16.4.5:3389
vol_netscan
Raw tool output · 419365dd4d760daf13900223644b67a1fe7ad7a7
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63841, "Offset": 154518806287488, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
network connection factnet:172.16.6.11:63835-172.16.4.5:3389
vol_netscan
Raw tool output · e86027055d20ad56a1baecd5f41c330f26ba1e69
{"Created": null, "ForeignAddr": "172.16.4.5", "ForeignPort": 3389, "LocalAddr": "172.16.6.11", "LocalPort": 63835, "Offset": 154518820071680, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
network connection factnet:172.16.6.11:445-172.16.6.14:65368
vol_netscan
Raw tool output · a19cc14d223a05f1dda6f207bfdb770e5df5bbf8
{"Created": null, "ForeignAddr": "172.16.6.14", "ForeignPort": 65368, "LocalAddr": "172.16.6.11", "LocalPort": 445, "Offset": 154518820254832, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "ESTABLISHED", "TreeDepth": 0}
network ioc fact172.16.4.5
extract_network_iocs
Raw tool output · f84874d0852c27d777f18ba517d4df25ef31c342
{"type": "ipv4", "value": "172.16.4.5", "original_value": "172.16.4.5", "classification": "private", "port": null, "source_tools": ["vol_netscan"], "sources": [{"source_tool": "vol_netscan", "source_field": "ForeignAddr", "source_index": 16, "source_path": "vol_netscan.output[16].ForeignAddr", "context": "172.16.4.5", "offset": 0}, {"source_tool": "vol_netscan", "source_field": "ForeignAddr", "source_index": 52, "source_path": "vol_netscan.output[52].ForeignAddr", "context": "172.16.4.5", "offset": 0}, {"source_tool": "vol_netscan", "source_field": "ForeignAddr", "source_index": 70, "source_pa
network ioc fact172.16.7.15
extract_network_iocs
Raw tool output · 92bc2ed81ceb2c19ff919fbae507572ad4addbe7
{"type": "ipv4", "value": "172.16.7.15", "original_value": "172.16.7.15", "classification": "private", "port": null, "source_tools": ["vol_netscan", "vol_handles", "vol_filescan"], "sources": [{"source_tool": "vol_netscan", "source_field": "ForeignAddr", "source_index": 19, "source_path": "vol_netscan.output[19].ForeignAddr", "context": "172.16.7.15", "offset": 0}, {"source_tool": "vol_handles", "source_field": "Name", "source_index": 59226, "source_path": "vol_handles.output[59226].Name", "context": "\\Device\\Mup\\172.16.7.15\\pipe\\fhsvc-b378", "offset": 12}, {"source_tool": "vol_filescan",

Source tools

vol_netscan