SYSTEM PID 4 - Network Access

1 Posts
1 Users
0 Reactions
708 Views
(@mabel)
New Member
Joined: 6 years ago
Posts: 3
Topic starter  

Hi,

I see that some SOURCE_HOST has multiple failed accesses to DESTINATION_HOST\D$. The offending user is DOMAIN\SOURCE_HOST$, which points to a process running as NT AUTHORITY\SYSTEM (I can't find the article where I got that from, but it's in my notebook).

I want to track the culprit. Looking at events on SOURCE_HOST, I see that the process making the network connections to DESTINATION_HOST is SYSTEM, PID 4.

I am thinking about dumping SOURCE_HOST memory and then searching for strings (using strings or Volatility's yarascan) containing DEST_IP. But I am not sure this will yield much valuable info.

Any other ideas? I can't find a good pointer anywhere.

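One way to start the hunt from logs before reaching for a memory dump, as an added example that is not part of this thread: correlate the destination's Security 5145 share-access failures by the machine account with the source's Sysmon Event ID 3 connections from PID 4, then list the SYSTEM processes started just before each connection as leads, since PID 4 is the kernel and the SMB redirector connects on behalf of whatever process opened the UNC path. Hosts, IPs, the account name, timestamps and all log lines are constructed, and the XML event data is flattened to key=value pairs.

```python
import re
from datetime import datetime, timedelta
# Added example, not from the thread: hosts, IPs, account and timestamps are constructed,
# and the XML event data is flattened to key=value pairs for readability.
DEST_IP = "10.0.0.20"            # stands in for the post's DEST_IP
MACHINE_ACCOUNT = "SOURCE_HOST$"  # the DOMAIN\SOURCE_HOST$ account seen at the destination
WINDOW = timedelta(seconds=10)
# Constructed Sysmon log from SOURCE_HOST: EventID 1 = process creation, 3 = network connection.
SOURCE_LOG = r"""
UtcTime=2023-05-01T10:00:00 EventID=1 ProcessId=4120 User=NT AUTHORITY\SYSTEM Image=C:\Windows\System32\svchost.exe
UtcTime=2023-05-01T10:00:01 EventID=1 ProcessId=4188 User=NT AUTHORITY\SYSTEM Image=C:\Tools\backup.exe
UtcTime=2023-05-01T10:00:03 EventID=3 ProcessId=4 Image=System DestinationIp=10.0.0.20 DestinationPort=445
UtcTime=2023-05-01T10:30:00 EventID=3 ProcessId=4 Image=System DestinationIp=10.0.0.20 DestinationPort=445
"""
# Constructed Security log from DESTINATION_HOST: EventID 5145 = network share access check.
DEST_LOG = r"""
TimeCreated=2023-05-01T10:00:03 EventID=5145 Keywords=AuditFailure SubjectUserName=SOURCE_HOST$ ShareName=\\*\D$ IpAddress=10.0.0.10
TimeCreated=2023-05-01T10:00:03 EventID=5145 Keywords=AuditSuccess SubjectUserName=alice ShareName=\\*\IPC$ IpAddress=10.0.0.11
"""

def parse(log):
    """One dict per line; values may contain spaces, so split on the next 'key=' boundary."""
    recs = []
    for line in log.strip().splitlines():
        rec = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))
        rec["ts"] = datetime.fromisoformat(rec.get("UtcTime") or rec["TimeCreated"])
        recs.append(rec)
    return recs
def failed_admin_share_access(dest_recs, account):
    """Destination side: 5145 failures by the source machine account against a $ share."""
    return [r for r in dest_recs if r.get("EventID") == "5145" and r.get("Keywords") == "AuditFailure"
            and r.get("SubjectUserName") == account and r.get("ShareName", "").endswith("$")]
def system_smb_connections(src_recs, dest_ip):
    """Source side: Sysmon 3 where PID 4 (System) opens a connection to dest_ip:445."""
    return [r for r in src_recs if r.get("EventID") == "3" and r.get("ProcessId") == "4"
            and r.get("DestinationIp") == dest_ip and r.get("DestinationPort") == "445"]
def candidate_processes(src_recs, conn):
    """PID 4 is the kernel (SMB redirector), so SYSTEM processes started just before the connection are the leads."""
    return [r for r in src_recs if r.get("EventID") == "1" and r.get("User", "").endswith("\\SYSTEM")
            and conn["ts"] - WINDOW <= r["ts"] <= conn["ts"]]
def correlate(src_log=SOURCE_LOG, dest_log=DEST_LOG, dest_ip=DEST_IP, account=MACHINE_ACCOUNT):
    """Pair each PID 4 connection with share failures in the same window and attach the leads."""
    src, failures = parse(src_log), failed_admin_share_access(parse(dest_log), account)
    findings = []
    for conn in system_smb_connections(src, dest_ip):
        shares = [f["ShareName"] for f in failures if abs(f["ts"] - conn["ts"]) <= WINDOW]
        if shares:
            findings.append({"when": conn["ts"], "shares": shares,
                             "candidates": [c["Image"] for c in candidate_processes(src, conn)]})
    return findings
```

The 10:30 connection has no matching share failure and is dropped, while the 10:00:03 one yields two SYSTEM-launched leads to check against service, scheduled-task and 4688 records before any memory acquisition.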