{"id":8949,"date":"2025-06-10T02:24:49","date_gmt":"2025-06-10T02:24:49","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=8949"},"modified":"2025-06-10T02:24:50","modified_gmt":"2025-06-10T02:24:50","slug":"excessive-number-of-failed-connections-from-127-0-0-1","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/excessive-number-of-failed-connections-from-127-0-0-1","title":{"rendered":"Excessive number of failed connections from 127.0.0.1"},"content":{"rendered":"\n

Ran the following Advanced Hunting KQL<\/p>\n\n\n\n

_Im_NetworkSession(eventresult='Failure')\n| take 100<\/code><\/pre>\n\n\n\n
Was due to Labtech upgrades<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
SrcIpAddr<\/p>\n\n\n\n
127.0.0.1?<\/em><\/p>\n\n\n\n
SrcPortNumber<\/p>\n\n\n\n
59615?<\/em><\/p>\n\n\n\n
DstIpAddr<\/p>\n\n\n\n
127.0.0.1?<\/em><\/p>\n\n\n\n
DstPortNumber<\/p>\n\n\n\n
42013?<\/em><\/p>\n\n\n\n
SrcDvcId<\/p>\n\n\n\n
7<\/p>\n\n\n\n
SrcUsername<\/p>\n\n\n\n
nt authority\\system<\/p>\n\n\n\n
NetworkProtocol<\/p>\n\n\n\n
TCP?<\/em><\/p>\n\n\n\n
EventOriginalResultDetails<\/p>\n\n\n\n
ConnectionFailed<\/p>\n\n\n\n
ASimMatchingIpAddr<\/p>\n\n\n\n
?<\/em><\/p>\n\n\n\n
SrcDvcIdType<\/p>\n\n\n\n
MDEid<\/p>\n\n\n\n
SrcUsernameType<\/p>\n\n\n\n
Windows<\/p>\n\n\n\n
EventCount<\/p>\n\n\n\n
1<\/p>\n\n\n\n
7<\/p>\n\n\n\n
EventSchema<\/p>\n\n\n\n
NetworkSession<\/p>\n\n\n\n
EventSchemaVersion<\/p>\n\n\n\n
0.2.3<\/p>\n\n\n\n
EventVendor<\/p>\n\n\n\n
Microsoft<\/p>\n\n\n\n
EventProduct<\/p>\n\n\n\n
M365 Defender for Endpoint<\/p>\n\n\n\n
EventType<\/p>\n\n\n\n
NetworkSession<\/p>\n\n\n\n
NetworkDirection<\/p>\n\n\n\n
Outbound<\/p>\n\n\n\n
Src<\/p>\n\n\n\n
127.0.0.1<\/p>\n\n\n\n
Dst<\/p>\n\n\n\n
127.0.0.1<\/p>\n\n\n\n
7<\/p>\n\n\n\n
IpAddr<\/p>\n\n\n\n
127.0.0.1<\/p>\n\n\n\n
DvcId<\/p>\n\n\n\n
<\/p>\n\n\n\n
SrcAppName<\/p>\n\n\n\n
ltsvc.exe<\/p>\n\n\n\n
Type<\/p>\n\n\n\n
DeviceNetworkEvents?<\/em><\/p>\n\n\n\n
SrcAppType<\/p>\n\n\n\n
Process<\/p>\n\n\n\n
DvcIdType<\/p>\n\n\n\n
MDEid<\/p>\n\n\n\n
DvcIpAddr<\/p>\n\n\n\n
127.0.0.1?<\/em><\/p>\n\n\n\n
<\/p>\n\n\n\n
User<\/p>\n\n\n\n
nt authority\\system<\/p>\n\n\n\n
ASimMatchingHostname<\/p>\n\n\n\n
–<\/p>\n\n\n\n
<\/p>\n\n\n\n
SrcUserIdType<\/p>\n\n\n\n
SID?<\/em><\/p>\n\n\n\n
TenantId<\/p>\n\n\n\n
InitiatingProcessAccountDomain<\/p>\n\n\n\n
nt authority<\/p>\n\n\n\n
InitiatingProcessAccountName<\/p>\n\n\n\n
system<\/p>\n\n\n\n
InitiatingProcessFolderPath<\/p>\n\n\n\n
c:\\windows\\ltsvc\\ltsvc.exe<\/p>\n\n\n\n
InitiatingProcessId<\/p>\n\n\n\n
19272<\/p>\n\n\n\n
InitiatingProcessMD5<\/p>\n\n\n\n
<\/p>\n\n\n\n
ParentProcessName<\/p>\n\n\n\n
services.exe<\/p>\n\n\n\n
InitiatingProcessParentId<\/p>\n\n\n\n
1124<\/p>\n\n\n\n
InitiatingProcessSHA1<\/p>\n\n\n\n
<\/p>\n\n\n\n
?<\/em>?<\/em><\/p>\n\n\n\n
InitiatingProcessSHA256<\/p>\n\n\n\n
<\/p>\n\n\n\n
?<\/em>?<\/em><\/p>\n\n\n\n
InitiatingProcessFileSize<\/p>\n\n\n\n
1623832<\/p>\n\n\n\n
InitiatingProcessVersionInfoCompanyName<\/p>\n\n\n\n
LabTech Software<\/p>\n\n\n\n
InitiatingProcessVersionInfoProductName<\/p>\n\n\n\n
LabTech MSP?<\/em><\/p>\n\n\n\n
InitiatingProcessVersionInfoProductVersion<\/p>\n\n\n\n
3.0?<\/em><\/p>\n\n\n\n
InitiatingProcessVersionInfoInternalFileName<\/p>\n\n\n\n
LTSVC.exe?<\/em><\/p>\n\n\n\n
InitiatingProcessVersionInfoOriginalFileName<\/p>\n\n\n\n
LTSVC.exe?<\/em><\/p>\n\n\n\n
InitiatingProcessVersionInfoFileDescription<\/p>\n\n\n\n
LabTech Service?<\/em><\/p>\n\n\n\n
<\/p>\n\n\n\n
InitiatingProcessSessionId<\/p>\n\n\n\n
0?<\/em><\/p>\n\n\n\n
IsInitiatingProcessRemoteSession<\/p>\n\n\n\n
false?<\/em><\/p>\n\n\n\n
InitiatingProcessUniqueId<\/p>\n\n\n\n
<\/p>\n\n\n\n
ParentProcessId<\/p>\n\n\n\n
<\/p>\n\n\n\n
Process<\/p>\n\n\n\n
ltsvc.exe<\/p>\n\n\n\n
SrcProcessCommandLine<\/p>\n\n\n\n
LTSVC.exe -sLTService -nLabTech<\/p>\n\n\n\n
SrcProcessName<\/p>\n\n\n\n
ltsvc.exe<\/p>\n\n\n\n
SrcProcessIntegrityLevel<\/p>\n\n\n\n
System<\/p>\n\n\n\n
SrcProcessTokenElevation<\/p>\n\n\n\n
TokenElevationTypeDefault?<\/em><\/p>\n\n\n\n
SrcProcessCreationTime<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Ran the following Advanced Hunting KQL Was due to Labtech upgrades SrcIpAddr 127.0.0.1? SrcPortNumber 59615? DstIpAddr 127.0.0.1? DstPortNumber 42013? SrcDvcId 7 SrcUsername nt authority\\system NetworkProtocol TCP? EventOriginalResultDetails […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-8949","post","type-post","status-publish","format-standard","hentry","category-research"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/8949","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=8949"}],"version-history":[{"count":1,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/8949\/revisions"}],"predecessor-version":[{"id":8950,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/8949\/revisions\/8950"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=8949"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=8949"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=8949"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}