F039 · Suspicious · validator: blocked
Admin-share lateral movement to 172.16.5.26
Lateral movement via admin share to 172.16.5.26
Analyst narrative
Event log and network IOC facts show admin-share access toward 172.16.5.26, consistent with lateral movement (TA0008). cand-0010 (event_log_fact-0026891 et al.).
Claims asserted
connection 172.16.5.26
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
extract_network_iocs, get_amcache, parse_event_logs