Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,170 questions
Port Sweep on port 445 and 5986 from ntoskrnl.exe
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 17%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
NetHunt
0
Reputation points
I noticed a port sweep connection by ntkrnlmp.exe. Alerts are getting generated everyday in SIEM Sentinel. We discovered an internal source IP (private) attempting to connect to numerous internal private IP addresses over port 445 and port 5986(WinRM).
_Im_NetworkSession table in sentinel capturing these logs under DeviceNeworkEvents. Initiating process is 'ntkrnlmp.exe' It's likely that some system-level processes or services are utilizing network resources, possibly for legitimate purposes like system management, updates, or communication with other systems. But not sure what is causing this issue.
Windows Server
Windows Network
Windows Network
Windows: A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.Network: A group of devices that communicate either wirelessly or via a physical connection.
653 questions
{count} votes
-
StephanG 811 Reputation points2024-04-23T13:14:17.51+00:00 Same here - i am at the task to disconnect our servers from the internet and these IP adresses came up. Happens from both our DCs.
We have Defender for Identity installed on the DCs which might be responsible as it uses 445, 135, 137, 3389 to "get information"
You can see the process tree here:
But what is this 100.x.x.x i cannot find any information about that.
--
100er subnet is something bout NAT and stuff. So i do not bother :) Keep digging through
Sign in to comment