F046 Suspicious (validator: blocked)
Outbound WinRM (5985) connection to 172.16.5.21
WinRM lateral movement to 172.16.5.21:5985
Analyst narrative
vol_netscan shows host 172.16.6.11 connecting to 172.16.5.21:5985 (WinRM) - remote management/lateral movement channel.
Claims asserted
path: 172.16.5.21:5985
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
get_amcache, parse_event_logs, vol_netscan