Windows Network Analysis

Iram Jack
5 min read · 3 days ago


My Own Story - Part 1

Alright, here’s what I discovered today while studying the TryHackMe room. If you’ve noticed from my previous posts, I’ve been focusing on Windows PowerShell, and I came across this room under the name Windows Network Analysis.

As usual, I started studying and preparing to write another write-up on it. During my research on the internet and with ChatGPT, looking for interesting commands to add to my notes, I stumbled upon a specific command. Before writing about it, I decided to test it on my main Windows system.

I won’t lie — I knew I’d find some fascinating results. To be honest, yes, I did buy a second-hand laptop, and I also use some pirated software. Yeah, I know it sounds a bit strange, but I consider myself like Alice in Wonderland. I just have to experiment with things, even if it means risking my Blacklist series and Chainsaw Man anime getting leaked! LOL.

After running this command, I found a bunch of intriguing IP addresses.

Get-NetTCPConnection | Where-Object { $_.State -eq 'Established' } | Format-Table -Property LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess

As someone who enjoys digging deep, even before becoming a SOC analyst, I started researching these addresses. Most of them were related to services from Google, Amazon, and Microsoft.
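The one-liner above lists the connections but not who made them. The following is an added example (not from the original post) that joins each established connection to its owning process and then prints one line per remote address, so every IP you look up on VirusTotal, Talos or AbuseIPDB already comes with the process that was talking to it. It assumes Windows 8 / Server 2012 or later (the NetTCPIP module) and an elevated PowerShell, since the Path of other users’ processes is only visible to an administrator; the ignore list of local prefixes is a constructed default.

```powershell
# Added example (not from the original post): extend the Get-NetTCPConnection
# one-liner so each established connection is joined to its owning process,
# then summarise remote addresses for threat-intel lookup.
# Assumes an elevated shell; Path is $null for protected processes otherwise.

function Get-EstablishedConnectionReport {
    [CmdletBinding()]
    param(
        # Remote prefixes to skip: loopback, unspecified, link-local, two RFC1918
        # ranges (constructed default; 172.16/12 is not covered by a prefix test)
        [string[]]$IgnorePrefix = @('127.', '::1', '0.0.0.0', '10.', '192.168.', '169.254.')
    )

    # Snapshot the process table once instead of calling Get-Process per connection
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    Get-NetTCPConnection -State Established |
        Where-Object {
            $remote = $_.RemoteAddress
            -not ($IgnorePrefix | Where-Object { $remote.StartsWith($_) })
        } |
        ForEach-Object {
            $p = $procs[[int]$_.OwningProcess]
            # A connection can outlive its process in the table; mark that case
            $name = if ($p) { $p.ProcessName } else { '<exited>' }
            $path = if ($p) { $p.Path } else { $null }
            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                LocalPort     = $_.LocalPort
                PID           = $_.OwningProcess
                ProcessName   = $name
                Path          = $path
            }
        }
}

# Full table: which process owns each outbound connection
Get-EstablishedConnectionReport | Sort-Object RemoteAddress |
    Format-Table RemoteAddress, RemotePort, PID, ProcessName, Path -AutoSize

# One line per unique remote IP with the processes that talk to it
Get-EstablishedConnectionReport |
    Group-Object RemoteAddress |
    ForEach-Object {
        '{0,-39} {1}' -f $_.Name, (($_.Group.ProcessName | Sort-Object -Unique) -join ', ')
    }
```

A remote address owned by a well-known signed binary in a system path is a different finding from the same address owned by an unsigned executable in a user-writable folder, so check the Path column before spending time on the IP itself.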

I discovered that they fall under something called “MICROSOFT-CORP-MSN-AS-BLOCK,” which refers to a network block associated with Microsoft’s network, specifically MSN (Microsoft Network).

Here are some key points about MICROSOFT-CORP-MSN-AS-BLOCK:

  • Autonomous System Number (ASN): Microsoft manages several ASNs to help allocate IP addresses and manage routing.
  • MSN: Historically, Microsoft’s umbrella name for its online services.
  • Network Infrastructure: Microsoft has a massive global network to support its services like Azure and Office 365.

Honestly, I still don’t understand what these IPs are doing on my system or why they’re linked to flagged files! Nonetheless, I checked them on threat intelligence platforms like:

  1. VirusTotal
  2. Cisco Talos
  3. urlscan.io

One of the IPs that caught my attention is "20.199.120.151", and later, while digging, I found "20.199.120.85"; both are related to Microsoft and hosted in France. As you can see from both urlscan.io and Cisco Talos, there wasn’t anything too alarming at first. However, when I checked its “relationships” on VirusTotal, I was shocked! (At this stage I want to thank my friend jink ;))

This IP, which initially seems legitimate, is linked to several dangerous and malicious files. These files didn’t show up on the first page of VirusTotal results but were found through the connections to this IP. By clicking on any suspicious file associated with this IP, you can see that many threat detection systems and antivirus tools have flagged them as Trojans, backdoors, and so on.

What’s even more puzzling is that, as shown in the PDF linked to this IP, there’s nothing suspicious or malicious about it when you search for it separately. So, what’s going on here?

I continued investigating to learn more about this strange IP — when it first appeared, and its most recent activity. That’s when I got another shock from the platform AbuseIPDB. As seen in the screenshot below, this IP has been reported 46 times by 11 different sources, with the latest report being just a month ago.

Even more confusing, several IPs within the same network range are performing similar tasks! I also found people asking the same questions as me on platforms like GlassWire and OPNsense, with images provided for reference.

Finally, I came across the website EmailVeritas, which provided some answers, but they weren’t entirely satisfying since I’m very cautious with spam emails. Still, nobody’s perfect!

And as you can see, in April, this IP was analyzed and flagged as a phishing site.

To add to the mystery, the platform nmap.online also had an Nmap command showing that someone else was meticulously investigating this IP to find out what’s going on.

So far, I’m still confused about where this IP came from and when it showed up on my system. Am I the reason, or is it because I bought a used device? (And yes, if you’re wondering why I haven’t reinstalled a new version of Windows or Linux — sorry, I have my reasons. I bought this laptop specifically for training and digital forensics, wink.)

So, what do you think? Have you encountered something like this before, and if so, what did you do?

And no, I’m not finished yet! I will continue in Part 2, so stay tuned and happy hacking :)

#windowsanalysis #windowsnetworkanalysis #blueteam #redteam #tryhackme #powershell #tips #missrobot #msrobot #MSR0B0T
