SYSTEM PID 4 - Network Access

(@mabel), topic starter:

Hi,

I see that some SOURCE_HOST has multiple failed accesses to DESTINATION_HOST\D$. The offending user is DOMAIN\SOURCE_HOST$, which points to a process running as NT AUTHORITY\SYSTEM (I can't find the article where I got that from, but it's in my notebook).

I want to track the culprit. Looking at events on SOURCE_HOST, I see that the process SYSTEM (PID 4) is making the network connections to DESTINATION_HOST.

I am thinking about dumping SOURCE_HOST memory and then searching for strings (using strings or Volatility's yarascan) containing DEST_IP. But I am not sure this will yield much valuable info.

Any other ideas? I can't find a good pointer anywhere.

Posted : 16/09/2019 5:51 pm
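An added example, not from the original post: a PowerShell script to run elevated on SOURCE_HOST that correlates the PID 4 connections to the destination with process creations in the seconds before them, and then searches the usual persistence points (scheduled tasks, service paths, persistent drive mappings) for anything that names the destination. The SMB client redirector is a kernel driver, so the TCP connection is charged to PID 4 regardless of which user-mode process opened the UNC path; correlation by time and a search for the configured reference are what give you the caller. The script assumes Sysmon is installed and logging Event ID 3 (network connection), that process-creation auditing (Security 4688, with command line) is enabled, and that $Dest and $DestIp are placeholders to replace (the IP shown is a constructed TEST-NET-1 address).

```powershell
# Added example, not from the original post. Run elevated on SOURCE_HOST.
# Assumptions: Sysmon with Event ID 3 logging; Security 4688 with command line;
# $Dest/$DestIp are placeholders to replace with the real destination.
param(
    [string]$Dest   = 'DESTINATION_HOST',   # placeholder from the post
    [string]$DestIp = '192.0.2.10',         # constructed placeholder (TEST-NET-1)
    [int]   $Hours  = 24
)

$since   = (Get-Date).AddHours(-$Hours)
$pattern = '(?i)' + [regex]::Escape($Dest) + '|' + [regex]::Escape($DestIp)

# Read EventData fields by name instead of by position, so the
# same helper works for Sysmon and Security events.
function Get-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

# 1. Redirector connections to the destination (Sysmon ID 3 with ProcessId 4).
#    The process column is a dead end here; only the timestamps are useful.
$conns = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3; StartTime = $since
         } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d.ProcessId -eq '4' -and ("$($d.DestinationIp) $($d.DestinationHostname)" -match $pattern)) {
            [pscustomobject]@{ Time = $_.TimeCreated; Port = $d.DestinationPort; Ip = $d.DestinationIp }
        }
    }

# 2. Correlate: process creations (Security 4688) in the 10 s before each
#    connection. A caller running as SYSTEM or Network Service with no
#    explicit credentials is exactly what shows up as DOMAIN\SOURCE_HOST$.
$byTime = foreach ($c in $conns) {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4688
        StartTime = $c.Time.AddSeconds(-10); EndTime = $c.Time
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Connection  = $c.Time
            Port        = $c.Port
            User        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Process     = $d.NewProcessName
            CommandLine = $d.CommandLine   # empty unless command-line auditing is on
        }
    }
}

# 3. Static references: anything configured to name the destination will
#    recreate the traffic on a schedule or at boot/logon.
$static = [System.Collections.Generic.List[object]]::new()
foreach ($t in Get-ScheduledTask) {
    foreach ($a in $t.Actions) {
        $line = "$($a.Execute) $($a.Arguments) $($a.WorkingDirectory)"
        if ($line -match $pattern) {
            $static.Add([pscustomobject]@{ Source = 'ScheduledTask'; Name = $t.TaskName
                                           RunAs = $t.Principal.UserId; Detail = $line.Trim() })
        }
    }
}
foreach ($s in Get-CimInstance Win32_Service) {
    if ($s.PathName -match $pattern) {
        $static.Add([pscustomobject]@{ Source = 'Service'; Name = $s.Name
                                       RunAs = $s.StartName; Detail = $s.PathName })
    }
}
# Persistent drive mappings live under HKU\<SID>\Network\<letter>\RemotePath.
foreach ($k in Get-ChildItem 'Registry::HKEY_USERS\*\Network' -ErrorAction SilentlyContinue) {
    $rp = (Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue).RemotePath
    if ($rp -match $pattern) {
        $static.Add([pscustomobject]@{ Source = 'MappedDrive'; Name = $k.PSPath; RunAs = ''; Detail = $rp })
    }
}

"== Redirector (PID 4) connections to $Dest in the last $Hours h: $($conns.Count)"
$byTime | Sort-Object Connection | Format-Table -AutoSize
"== Persistent references to $Dest on this host:"
$static | Format-Table -AutoSize
```

If the timing correlation turns up nothing, widen the window in step 2 or swap Security 4688 for Sysmon Event ID 1, and check the destination side as well: its Security log 4625 entries (logon type 3) and, with file share auditing enabled, 5140 entries carry the source workstation name and the share path, which confirms which host and which share the failures belong to.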