F025 · MEDIUM · Inconclusive · validator: passed
Network connections to external IPs from unnamed/orphaned processes
network_connection:172.16.4.10:8080
Analyst narrative
Multiple ESTABLISHED and CLOSE_WAIT TCP connections to external IP 172.16.4.10 on port 8080 detected in vol_netscan with no owning process identified (Owner=null, PID=null). Indicates potential C2 or data exfiltration.
Claims asserted
connection-vol_netscan
Proof chain · 15 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
network connection fact
net:172.16.6.11:49788-172.16.4.10:8080 · vol_netscan
Raw tool output · 45d4b7c2f777e9f81d108fdb0c35dcb3cd371886
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 49788, "Offset": 154518679887024, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "ESTABLISHED", "TreeDepth": 0}

network connection fact
net:172.16.6.11:52703-172.16.4.10:8080 · vol_netscan
Raw tool output · fe28080ea5e105743a465f19a1aa8bc81315c5ff
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 52703, "Offset": 154518690153728, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSE_WAIT", "TreeDepth": 0}

network connection fact
net:172.16.6.11:50253-172.16.4.10:8080 · vol_netscan
Raw tool output · eb2d424706139a55a1b8caf8f665d269ca9e42bc
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 50253, "Offset": 154518692227712, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSE_WAIT", "TreeDepth": 0}

network connection fact
net:172.16.6.11:50263-172.16.4.10:8080 · vol_netscan
Raw tool output · 8240d15b6f90596d65d9ce49eb06acabf6e2a8aa
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 50263, "Offset": 154518692506208, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSE_WAIT", "TreeDepth": 0}

network connection fact
net:172.16.6.11:50259-172.16.4.10:8080 · vol_netscan
Raw tool output · 73371a820927922ddc29f6f811bae01b09352b55
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 50259, "Offset": 154518694399152, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSE_WAIT", "TreeDepth": 0}

network connection fact
net:172.16.6.11:49774-172.16.4.10:8080 · vol_netscan
Raw tool output · 52eb5529a86798cbf807b242ba07f4e4be093f65
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 49774, "Offset": 154518715368640, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSE_WAIT", "TreeDepth": 0}

network connection fact
net:172.16.6.11:50257-172.16.4.10:8080 · vol_netscan
Raw tool output · d2c17272872caf1e215e31b676a6baa675c8e639
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 50257, "Offset": 154518720063824, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSE_WAIT", "TreeDepth": 0}

network connection fact
net:172.16.6.11:50254-172.16.4.10:8080 · vol_netscan
Raw tool output · 21d0b079670960346cbf62318b356b9b83230116
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 50254, "Offset": 154518766804144, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSE_WAIT", "TreeDepth": 0}

network connection fact
net:172.16.6.11:50258-172.16.4.10:8080 · vol_netscan
Raw tool output · 063cb3cd2c0c96a76efc4bb37108c4b4bc2cca8d
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 50258, "Offset": 154518774604992, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSE_WAIT", "TreeDepth": 0}

network connection fact
net:172.16.6.11:63931-172.16.4.10:8080 · vol_netscan
Raw tool output · b952b56ef64df8581e1aa604faaacb30bb3f85bd
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 63931, "Offset": 154518826270736, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}

network connection fact
net:172.16.6.11:49790-172.16.4.10:8080 · vol_netscan
Raw tool output · 3f36c971b486b7ff307956461dd2d61654777753
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 49790, "Offset": 154518828363792, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}

network connection fact
net:172.16.6.11:49787-172.16.4.10:8080 · vol_netscan
Raw tool output · e392f5b73c6f58acd8bcfbe3d21a21608a73493a
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 49787, "Offset": 154518829561024, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "ESTABLISHED", "TreeDepth": 0}

network connection fact
net:172.16.6.11:49735-172.16.4.10:8080 · vol_netscan
Raw tool output · a3d6adec60488c187a6d12c31139174433984f05
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 49735, "Offset": 154518833790992, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}

network connection fact
net:172.16.6.11:49786-172.16.4.10:8080 · vol_netscan
Raw tool output · 0cc280c297fb251385dbd928ce5126267bb989f9
{"Created": null, "ForeignAddr": "172.16.4.10", "ForeignPort": 8080, "LocalAddr": "172.16.6.11", "LocalPort": 49786, "Offset": 154518847709200, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "ESTABLISHED", "TreeDepth": 0}

network ioc fact
172.16.4.10 · extract_network_iocs
Raw tool output · 873817081c5f805c6f18650e24b958cedf6ee685
{"type": "ipv4", "value": "172.16.4.10", "original_value": "172.16.4.10", "classification": "private", "port": null, "source_tools": ["vol_netscan"], "sources": [{"source_tool": "vol_netscan", "source_field": "ForeignAddr", "source_index": 9, "source_path": "vol_netscan.output[9].ForeignAddr", "context": "172.16.4.10", "offset": 0}, {"source_tool": "vol_netscan", "source_field": "ForeignAddr", "source_index": 13, "source_path": "vol_netscan.output[13].ForeignAddr", "context": "172.16.4.10", "offset": 0}, {"source_tool": "vol_netscan", "source_field": "ForeignAddr", "source_index": 14, "source_
Source tools
vol_netscan