4,659 questions
Port Sweep on port 445 and 5986 from ntoskrnl.exe
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 25%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAA%3C/text%3E%3C/svg%3E)
Aasik Ali
0
Reputation points
I noticed a port sweep connection by ntkrnlmp.exe. Alerts are getting generated everyday in SIEM Sentinel. We discovered an internal source IP (private) attempting to connect to numerous internal private IP addresses over port 445 and port 5986(WinRM).
_Im_NetworkSession table in sentinel capturing these logs under DeviceNeworkEvents. Initiating process is 'ntkrnlmp.exe' It's likely that some system-level processes or services are utilizing network resources, possibly for legitimate purposes like system management, updates, or communication with other systems. But not sure what is causing this issue.
Windows for business | Windows Client for IT Pros | Networking | Network connectivity and file sharing
Windows for business | Windows Server | User experience | Other
20,219 questions
{count} votes
-
StephanG 846 Reputation points2024-04-23T13:14:17.51+00:00 Same here - i am at the task to disconnect our servers from the internet and these IP adresses came up. Happens from both our DCs.
We have Defender for Identity installed on the DCs which might be responsible as it uses 445, 135, 137, 3389 to "get information"
You can see the process tree here:
But what is this 100.x.x.x i cannot find any information about that.
--
100er subnet is something bout NAT and stuff. So i do not bother :) Keep digging through
Sign in to comment
Sign in to answer