Veritas
F042 · MEDIUM · Suspicious · validator: passed

lateral movement admin share: ip:172.16.5.26

Analyst narrative

Deterministic detection — access to a remote administrative share over SMB — a lateral-movement behaviour. Observed for 172.16.5.26 directly in forensic tool output (Security event 5140, "a network share object was accessed", on host dmz-ftp): this is a structural behavioural signal, not an LLM assertion, and it is surfaced by construction so that a strong signal is never lost to model under-generation. In the proof chain below, the administrative-share signal is the \\*\C$ accesses from 172.16.5.26 (accounts rsydow and rsydow-a); the IPC$ entries are the inter-process communication share that accompanies SMB sessions, and srl-ftp is a regular file share rather than a default administrative one. The chain also lists 5140 events on dmz-ftp from 172.16.10.12 and 127.0.0.1, which the finding does not attribute to 172.16.5.26.

Claims asserted

event_log · extract_network_iocs, parse_event_logs
typed_fact · 5140 · extract_network_iocs, parse_event_logs

Proof chain · 19 facts

Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.

event log fact · 5140
parse_event_logs
Raw tool output · 021a3b973d0010745a92f00eb8b708b7ef9ecdd4
{"EventID": 5140, "TimeCreated": "2018-08-07 15:45:43.010037+00:00", "Provider": "Microsoft-Windows-Security-Auditing", "Channel": "Security", "Computer": "dmz-ftp", "Message": "S-1-5-21-572887454-1858499753-1978773125-1003 | rsydow | DMZ-FTP | 0x2681a73f | File | 172.16.5.26 | 49204 | \\\\*\\srl-ftp | \\??\\C:\\srl-ftp | 0x1 | %%4416\r\n\t\t\t\t"}
event log fact · 5140
parse_event_logs
Raw tool output · 8c32aeb5cd8fdd211e80c00aea017024c26056fc
{"EventID": 5140, "TimeCreated": "2018-08-07 15:45:38.025330+00:00", "Provider": "Microsoft-Windows-Security-Auditing", "Channel": "Security", "Computer": "dmz-ftp", "Message": "S-1-5-21-572887454-1858499753-1978773125-1003 | rsydow | DMZ-FTP | 0x2681a73f | File | 172.16.5.26 | 49204 | \\\\*\\IPC$ |  | 0x1 | %%4416\r\n\t\t\t\t"}
event log fact · 5140
parse_event_logs
Raw tool output · d2cbdfec18463fcdfcfb1df0393b83f546477b48
{"EventID": 5140, "TimeCreated": "2018-08-07 15:33:40.233913+00:00", "Provider": "Microsoft-Windows-Security-Auditing", "Channel": "Security", "Computer": "dmz-ftp", "Message": "S-1-5-21-572887454-1858499753-1978773125-1005 | rsydow-a | DMZ-FTP | 0x268095e7 | File | 172.16.5.26 | 65490 | \\\\*\\C$ | \\??\\C:\\ | 0x1 | %%4416\r\n\t\t\t\t"}
event log fact · 5140
parse_event_logs
Raw tool output · 2f99e38321134f736825e25555cdead8050b6aad
{"EventID": 5140, "TimeCreated": "2018-08-07 15:33:40.218309+00:00", "Provider": "Microsoft-Windows-Security-Auditing", "Channel": "Security", "Computer": "dmz-ftp", "Message": "S-1-5-21-572887454-1858499753-1978773125-1005 | rsydow-a | DMZ-FTP | 0x268095e7 | File | 172.16.5.26 | 65490 | \\\\*\\IPC$ |  | 0x1 | %%4416\r\n\t\t\t\t"}
event log fact · 5140
parse_event_logs
Raw tool output · 37512098e5fa8dd236fd363ecab039620bca1039
{"EventID": 5140, "TimeCreated": "2018-08-07 15:28:50.273619+00:00", "Provider": "Microsoft-Windows-Security-Auditing", "Channel": "Security", "Computer": "dmz-ftp", "Message": "S-1-5-21-572887454-1858499753-1978773125-1003 | rsydow | DMZ-FTP | 0x267ff059 | File | 172.16.5.26 | 65448 | \\\\*\\C$ | \\??\\C:\\ | 0x1 | %%4416\r\n\t\t\t\t"}
event log fact · 5140
parse_event_logs
Raw tool output · d1273a96ca63d347d1def5e4456c4020c70fe741
{"EventID": 5140, "TimeCreated": "2018-08-07 15:28:23.677452+00:00", "Provider": "Microsoft-Windows-Security-Auditing", "Channel": "Security", "Computer": "dmz-ftp", "Message": "S-1-5-21-572887454-1858499753-1978773125-1003 | rsydow | DMZ-FTP | 0x267fe994 | File | 172.16.5.26 | 65446 | \\\\*\\IPC$ |  | 0x1 | %%4416\r\n\t\t\t\t"}
event log fact · 5140
parse_event_logs
Raw tool output · b9b25c9ff6af340afac6a276904345af6425e95c
{"EventID": 5140, "TimeCreated": "2018-08-07 15:28:23.677452+00:00", "Provider": "Microsoft-Windows-Security-Auditing", "Channel": "Security", "Computer": "dmz-ftp", "Message": "S-1-5-21-572887454-1858499753-1978773125-1003 | rsydow | DMZ-FTP | 0x267fe994 | File | 172.16.5.26 | 65446 | \\\\*\\C$ | \\??\\C:\\ | 0x1 | %%4416\r\n\t\t\t\t"}
event log fact · 5140
parse_event_logs
Raw tool output · 653afb01cb0c62d9c6b9e3584f43ffe8c0590227
{"EventID": 5140, "TimeCreated": "2018-08-07 14:59:03.195002+00:00", "Provider": "Microsoft-Windows-Security-Auditing", "Channel": "Security", "Computer": "dmz-ftp", "Message": "S-1-5-21-572887454-1858499753-1978773125-1003 | rsydow | DMZ-FTP | 0x2678f082 | File | 172.16.5.26 | 65081 | \\\\*\\IPC$ |  | 0x1 | %%4416\r\n\t\t\t\t"}
event log fact · 5140
parse_event_logs
Raw tool output · 5d70fe8e24d8157a27154b84c071edc9fc536f12
{"EventID": 5140, "TimeCreated": "2018-08-07 14:42:01.396064+00:00", "Provider": "Microsoft-Windows-Security-Auditing", "Channel": "Security", "Computer": "dmz-ftp", "Message": "S-1-5-21-572887454-1858499753-1978773125-1003 | rsydow | DMZ-FTP | 0x93cb084 | File | 172.16.10.12 | 59717 | \\\\*\\srl-ftp | \\??\\C:\\srl-ftp | 0x1 | %%4416\r\n\t\t\t\t"}
event log fact · 5140
parse_event_logs
Raw tool output · 5ae8571c82d6df1b709830b8307e475463558a28
{"EventID": 5140, "TimeCreated": "2018-08-07 14:41:57.723872+00:00", "Provider": "Microsoft-Windows-Security-Auditing", "Channel": "Security", "Computer": "dmz-ftp", "Message": "S-1-5-21-572887454-1858499753-1978773125-1003 | rsydow | DMZ-FTP | 0x93cb084 | File | 172.16.10.12 | 59717 | \\\\*\\IPC$ |  | 0x1 | %%4416\r\n\t\t\t\t"}
event log fact · 5140
parse_event_logs
Raw tool output · 8fce4704b23dbaf3d75ff80495940b0912cad44a
{"EventID": 5140, "TimeCreated": "2018-08-07 14:38:39.880237+00:00", "Provider": "Microsoft-Windows-Security-Auditing", "Channel": "Security", "Computer": "dmz-ftp", "Message": "S-1-5-21-572887454-1858499753-1978773125-1003 | rsydow | DMZ-FTP | 0x93cb084 | File | 172.16.10.12 | 59714 | \\\\*\\srl-ftp | \\??\\C:\\srl-ftp | 0x1 | %%4416\r\n\t\t\t\t"}
event log fact · 5140
parse_event_logs
Raw tool output · 808183c4340e79dd1cdd8f944f0b00130fbeb31f
{"EventID": 5140, "TimeCreated": "2018-08-07 14:38:22.394446+00:00", "Provider": "Microsoft-Windows-Security-Auditing", "Channel": "Security", "Computer": "dmz-ftp", "Message": "S-1-5-21-572887454-1858499753-1978773125-1003 | rsydow | DMZ-FTP | 0x93cb084 | File | 172.16.10.12 | 59713 | \\\\*\\srl-ftp | \\??\\C:\\srl-ftp | 0x1 | %%4416\r\n\t\t\t\t"}
event log fact · 5140
parse_event_logs
Raw tool output · 43ee2f507366605a01e9d2bc6de6b7e2ecfaebcc
{"EventID": 5140, "TimeCreated": "2018-08-07 14:37:55.751801+00:00", "Provider": "Microsoft-Windows-Security-Auditing", "Channel": "Security", "Computer": "dmz-ftp", "Message": "S-1-5-21-572887454-1858499753-1978773125-1003 | rsydow | DMZ-FTP | 0x2678f082 | File | 172.16.5.26 | 65081 | \\\\*\\IPC$ |  | 0x1 | %%4416\r\n\t\t\t\t"}
event log fact · 5140
parse_event_logs
Raw tool output · 42ebec514f9d84c8664f5619d76e48f7dc9fcc62
{"EventID": 5140, "TimeCreated": "2018-08-07 14:34:35.392183+00:00", "Provider": "Microsoft-Windows-Security-Auditing", "Channel": "Security", "Computer": "dmz-ftp", "Message": "S-1-5-21-572887454-1858499753-1978773125-1003 | rsydow | DMZ-FTP | 0x2678f082 | File | 172.16.5.26 | 65081 | \\\\*\\IPC$ |  | 0x1 | %%4416\r\n\t\t\t\t"}
event log fact · 5140
parse_event_logs
Raw tool output · 73d6c71b5c733e3aff6c4a1319ff5c970aea4e0e
{"EventID": 5140, "TimeCreated": "2018-08-07 14:34:35.392183+00:00", "Provider": "Microsoft-Windows-Security-Auditing", "Channel": "Security", "Computer": "dmz-ftp", "Message": "S-1-5-21-572887454-1858499753-1978773125-1003 | rsydow | DMZ-FTP | 0x2678f082 | File | 172.16.5.26 | 65081 | \\\\*\\srl-ftp | \\??\\C:\\srl-ftp | 0x1 | %%4416\r\n\t\t\t\t"}
event log fact · 5140
parse_event_logs
Raw tool output · 2d123d174074e1b7d5a7e5d5d40a0c54034a65db
{"EventID": 5140, "TimeCreated": "2018-08-07 14:32:18.948674+00:00", "Provider": "Microsoft-Windows-Security-Auditing", "Channel": "Security", "Computer": "dmz-ftp", "Message": "S-1-5-21-572887454-1858499753-1978773125-1003 | rsydow | DMZ-FTP | 0x93cb084 | File | 172.16.10.12 | 59709 | \\\\*\\IPC$ |  | 0x1 | %%4416\r\n\t\t\t\t"}
event log fact · 5140
parse_event_logs
Raw tool output · 88728c386fc5f41a0e2593fdb47c75f49160eb4b
{"EventID": 5140, "TimeCreated": "2018-08-07 14:32:18.948674+00:00", "Provider": "Microsoft-Windows-Security-Auditing", "Channel": "Security", "Computer": "dmz-ftp", "Message": "S-1-5-21-572887454-1858499753-1978773125-1003 | rsydow | DMZ-FTP | 0x93cb084 | File | 172.16.10.12 | 59709 | \\\\*\\srl-ftp | \\??\\C:\\srl-ftp | 0x1 | %%4416\r\n\t\t\t\t"}
event log fact · 5140
parse_event_logs
Raw tool output · 825bcdd4f2a24313f44ae0eb1c8e859d8433756d
{"EventID": 5140, "TimeCreated": "2018-08-06 16:18:09.241069+00:00", "Provider": "Microsoft-Windows-Security-Auditing", "Channel": "Security", "Computer": "dmz-ftp", "Message": "S-1-5-21-572887454-1858499753-1978773125-1003 | rsydow | DMZ-FTP | 0x93cb084 | File | 127.0.0.1 | 59438 | \\\\*\\IPC$ |  | 0x1 | %%4416\r\n\t\t\t\t"}
event log fact · 5140
parse_event_logs
Raw tool output · 59e763464ae9813aa8f06d734805878ac608a539
{"EventID": 5140, "TimeCreated": "2018-08-06 16:18:09.241069+00:00", "Provider": "Microsoft-Windows-Security-Auditing", "Channel": "Security", "Computer": "dmz-ftp", "Message": "S-1-5-21-572887454-1858499753-1978773125-1003 | rsydow | DMZ-FTP | 0x93cb084 | File | 127.0.0.1 | 59438 | \\\\*\\C$ | \\??\\C:\\ | 0x1 | %%4416\r\n\t\t\t\t"}

Source tools

extract_network_iocs, parse_event_logs