Check an IP Address, Domain Name, Subnet, or ASN

13.86.115.177 was found in our database!

$ whois 13.86.115.177

country·🇺🇸 United States

city·Des Moines

isp·Microsoft Corporation

asn·AS8075

network·Standard

$ sikker risk 13.86.115.177scoring →

confidence

89%Very High

first_seen·Jan 22, 2026

last_seen·1h ago

sessions·167

events·204

$ sikker protocols 13.86.115.177

HTTPS

48 / 57

HTTP

14 / 24

TELNET

16 / 22

FTP

8 / 16

SMB

13 / 15

SMTP

14 / 14

RDP

10 / 10

SSH

10 / 10

MONGODB

7 / 9

IMAP

8 / 8

ELASTICSEARCH

6 / 6

DOCKER

5 / 5

MSSQL

3 / 3

REDIS

3 / 3

SIP

2 / 2

$ sikker summary 13.86.115.177

13.86.115.177 has a threat confidence score of 89%. This IP address from United States (AS8075, Microsoft Corporation) has been observed in 167 honeypot sessions targeting HTTPS, HTTP, TELNET, FTP, SMB and 10 other protocols. Detected attack patterns include https autodiscover powershell probe. First observed on January 22, 2026, most recently active April 17, 2026.

$ sikker behaviors 13.86.115.177catalog →

highHttps Autodiscover Powershell Probe1x

HTTPS request to /autodiscover/autodiscover.json with a query string containing @zdi/Powershell.

mediumSip Call Id Token At Ip1x

SIP activity where the Call-ID follows a token@IP format, a pattern commonly generated by automated scanners and SIP tooling rather than standard client implementations, indicating non-human or enumeration-driven behavior.

infoHttp Root Path Request8x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

infoHttp Http Method Get3x

HTTP request using GET method.

infoHttps Root Path Request1x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

infoDocker Invalid Protocol Probe1x

Client repeatedly sends GET requests to the /bad-request Docker API endpoint, indicating malformed or incompatible traffic against the Docker daemon. This pattern is typically associated with generic internet scanning or tools attempting HTTP interaction without speaking the proper Docker API protocol.

$ sikker primitives 13.86.115.177

http_method_get9 elastic_http_get_request8 elastic_http_bad_request_path_probe6 docker_get_method5 smtp_ehlo_greeting2 ftp_auth_ssl1 ftp_auth_tls1 https_path_root1 redis_info_lowercase1 http_path_bad_request1 docker_bad_request_uri1 elastic_root_path_probe1 sip_call_id_token_at_ip1 https_autodiscover_json_path_probe1 redis_mglndd_client_identifier_tag1 https_query_powershell_reference_zdi1

$ sikker related 13.86.115.177

Report IP WHOIS Lookup →

IP Address	Confidence	Events
172.174.244.235	77%	190
135.233.112.94	84%	159
20.115.90.228	85%	214
20.65.202.2	83%	201
13.89.125.18	84%	203

IP Address	Confidence	Events
205.210.31.235	99%	427
157.230.209.253	99%	1,307
167.99.226.145	73%	297
142.248.80.104	99%	2,119
207.254.22.207	47%	407