F045 · Suspicious · validator: blocked
SMB admin-share access to 172.16.5.26
Lateral movement via SMB admin share 172.16.5.26
Analyst narrative
candidate cand-0010 fact_ids=event_log_fact-0026891,event_log_fact-0026905,event_log_fact-0026910,event_log_fact-0026941. Event logs and network IOCs show admin-share access to 172.16.5.26 from the host.
Claims asserted
connection 172.16.5.26
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
extract_network_iocs, get_amcache, parse_event_logs