F043 · Inconclusive · validator: blocked
Multiple established connections to 172.16.4.10:8080 in CLOSE_WAIT state (Lateral Movement / C2 Staging)
Network connections to 172.16.4.10:8080
Analyst narrative
Nine network connections from 172.16.6.11 to external IP 172.16.4.10 on port 8080, with six in CLOSE_WAIT state and two in ESTABLISHED state. Indicator of repeated HTTP/web service communication with external system. Fact IDs: network_connection_fact-0000009, network_connection_fact-0000014 through network_connection_fact-0000019.
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
vol_netscan