Veritas
F020 · Suspicious · validator: blocked

Outbound RDP (3389) and WinRM (5985) to internal hosts

RDP/WinRM/SMB connections to internal hosts

Analyst narrative

vol_netscan shows numerous connections from 172.16.6.11 to 172.16.4.5:3389 (RDP) and 172.16.5.21:5985 (WinRM), and SMB 445 to 172.16.7.15/172.16.4.5, consistent with lateral movement from this host.

Claims asserted

path · network_connection_fact-0000037

Proof chain · 0 facts

Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.

Source tools

parse_event_logs
vol_netscan