Veritas
F040 · Suspicious · validator: blocked

Outbound SMB to internal hosts (lateral movement)

SMB connections to 172.16.4.5:445 and 172.16.7.15:445

Analyst narrative

Established SMB (445) connections from 172.16.6.11 to 172.16.4.5 and 172.16.7.15, plus multiple RDP (3389) attempts to 172.16.4.5, consistent with lateral movement reconnaissance. Corroborates PsExec staging.

Claims asserted

path: 172.16.4.5:445

Proof chain · 0 facts

Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.

Source tools

vol_netscan