F044 Suspicious validator: blocked
Repeated outbound connections to 172.16.4.10:8080 (beacon-like)
Established C2-like connections to 172.16.4.10:8080
Analyst narrative
candidate cand-0041 fact_ids=network_connection_fact-0000024,network_connection_fact-0000096. Host 172.16.6.11 has numerous ESTABLISHED/CLOSE_WAIT TCP connections to 172.16.4.10:8080 indicative of HTTP-proxy beaconing.
Claims asserted
path 172.16.4.10:8080
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
extract_network_iocs, vol_netscan