F035 · MEDIUM · Benign / FP · validator: passed
Established connections to external IPs (13.89.220.65, 52.16.55.11) with CLOSED state
TCP connections to 13.89.220.65:443 and 52.16.55.11:443
Analyst narrative
vol_netscan shows CLOSED state TCP connections to public IPs 13.89.220.65:443 and 52.16.55.11:443 from victim 172.16.6.11. CLOSED state suggests reconnaissance, failed C2, or exfiltration attempt.
Claims asserted
connection-vol_netscan
Proof chain · 6 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
• network connection fact · net:172.16.6.11:49782-13.89.220.65:443 · vol_netscan
Raw tool output · 8d5932d9b0576f65f07029e72d9e4ef5e644b20c
{"Created": null, "ForeignAddr": "13.89.220.65", "ForeignPort": 443, "LocalAddr": "172.16.6.11", "LocalPort": 49782, "Offset": 154518715500448, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
• network connection fact · net:172.16.6.11:49360-52.16.55.11:443 · vol_netscan
Raw tool output · 0970c338a07a54d32016c46c5470dfb476d0b791
{"Created": null, "ForeignAddr": "52.16.55.11", "ForeignPort": 443, "LocalAddr": "172.16.6.11", "LocalPort": 49360, "Offset": 154518829570624, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
• network connection fact · net:172.16.6.11:65294-172.16.5.20:443 · vol_netscan
Raw tool output · 23d50e5d62f96012434d891394333cb91e3ec70d
{"Created": null, "ForeignAddr": "172.16.5.20", "ForeignPort": 443, "LocalAddr": "172.16.6.11", "LocalPort": 65294, "Offset": 154518834879664, "Owner": null, "PID": null, "Proto": "TCPv4", "State": "CLOSED", "TreeDepth": 0}
• network ioc fact · 13.89.220.65 · extract_network_iocs
Raw tool output · 2f0a9db7cddbb7486a84ba9a0d309f64a046aaf1
{"type": "ipv4", "value": "13.89.220.65", "original_value": "13.89.220.65", "classification": "public", "port": null, "source_tools": ["vol_netscan"], "sources": [{"source_tool": "vol_netscan", "source_field": "ForeignAddr", "source_index": 25, "source_path": "vol_netscan.output[25].ForeignAddr", "context": "13.89.220.65", "offset": 0}], "count": 1, "evidence_type": "network_ioc_candidate"}
• network ioc fact · 0.0.0.0:443 · extract_network_iocs
Raw tool output · 5fcb69fdbb41486cc9ceab781e3be0c4e28b6f72
{"type": "host_port", "value": "0.0.0.0:443", "original_value": "0.0.0.0:443", "classification": "unspecified", "port": 443, "source_tools": ["parse_event_logs"], "sources": [{"source_tool": "parse_event_logs", "source_field": "Message", "source_index": 44516, "source_path": "parse_event_logs.output[44516].Message", "context": "\\Device\\Http\\ReqQueue | 0.0.0.0:443", "offset": 24}], "count": 1, "evidence_type": "network_ioc_candidate"}
• network ioc fact · 443 · extract_network_iocs
Raw tool output · f130c3298753c44f6fd6f0f0d8afcd80b7d14a88
{"type": "port", "value": "443", "original_value": "443", "classification": "unknown", "port": 443, "source_tools": ["parse_event_logs"], "sources": [{"source_tool": "parse_event_logs", "source_field": "Message", "source_index": 44516, "source_path": "parse_event_logs.output[44516].Message", "context": "\\Device\\Http\\ReqQueue | 0.0.0.0:443", "offset": 32}], "count": 1, "evidence_type": "network_ioc_candidate"}
Source tools
vol_netscan