Identifying Unknown Network Listeners

by Jan 25, 2021

Often when you examine network connections you can only see the IP address used by a remote visitor. The IP address frequently won’t resolve in DNS so you don’t really know who is connected to your machine.

If you’d like to find out who owns an unknown IP address, you can use free RESTful web services. This one-liner reveals the ownership of a particular IP address:

PS> Invoke-RestMethod -Uri 'http://ipinfo.io/51.107.59.180/json'

ip       : 51.107.59.180
city     : Zürich
region   : Zurich
country  : CH
loc      : 47.3667,8.5500
org      : AS8075 Microsoft Corporation
postal   : 8001
timezone : Europe/Zurich
readme   : https://ipinfo.io/missingauth

Combine this with other commands to find out who is communicating with your computer. For example, Get-NetTcpConnection lists your network connections, and you can now look up who really is the authority behind the IP address that you are connected to.

In the example below, Get-NetTcpConnection returns all currently active HTTPS connections (port 443). The remote IP is automatically resolved, so you know which software is maintaining a connection and to whom it is talking:

$Process = @{
    Name='Process'
    Expression={
        # return process path
        (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Path
    }
}

$IpOwner = @{
    Name='RemoteAuthority'
    Expression={
        $ip = $_.RemoteAddress
        $info = Invoke-RestMethod -Uri "http://ipinfo.io/$ip/json"
        '{0} ({1})' -f $info.Org, $info.City
    }
}

# get all connections to port 443 (HTTPS)
Get-NetTCPConnection -RemotePort 443 -State Established |
  # where there is a remote address
  Where-Object RemoteAddress |
  # and resolve IP and Process ID
  Select-Object -Property $IpOwner, RemoteAddress, OwningProcess, $Process

The result may look similar to this:

RemoteAuthority                               RemoteAddress  OwningProcess Process
---------------                               -------------  ------------- -------
AS8075 Microsoft Corporation (Amsterdam)      52.114.74.221          14204 C:\Users\tobia\AppData\Local\Microsoft\Teams\current\Teams.exe
AS8075 Microsoft Corporation (Hampden Sydney) 52.114.133.169         13736 C:\Users\tobia\AppData\Local\Microsoft\Teams\current\Teams.exe
AS36459 GitHub, Inc. (Ashburn)                140.82.113.26          21588 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
AS8068 Microsoft Corporation (Redmond)        13.107.42.12            9432 C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
AS8075 Microsoft Corporation (Zürich)         51.107.59.180          14484 C:\Program Files\PowerShell\7\pwsh.exe
AS8068 Microsoft Corporation (Redmond)        13.107.42.12            9432 C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
AS8075 Microsoft Corporation (San Antonio)    52.113.206.137         13736 C:\Users\tobia\AppData\Local\Microsoft\Teams\current\Teams.exe
AS8075 Microsoft Corporation (Paris)          51.103.5.186           12752 C:\Users\tobia\AppData\Local\Microsoft\OneDrive\OneDrive.exe
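Note that the script above sends one web request per connection, so an address that appears twice (13.107.42.12 in the output) is looked up twice, and every remote address on your machine, including private ones, is disclosed to the lookup service in clear text. The following variant, an added example rather than code from the original tip, caches lookups per distinct IP, skips private, loopback and link-local addresses, uses https, and keeps going when a lookup fails. The function name Get-RemoteAuthority is an assumption, not an existing cmdlet.

```powershell
# Added example (not from the original tip): resolve the owner of each distinct
# remote IP once, skip local address ranges, and tolerate lookup failures.
function Get-RemoteAuthority {
    [CmdletBinding()]
    param(
        [int]$RemotePort = 443
    )

    # lookup cache: one web request per distinct remote IP, not per connection
    $cache = @{}

    # private, loopback and link-local ranges mean nothing to ipinfo.io
    # and should not be sent to a third-party service at all
    $localPattern = '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:)'

    Get-NetTCPConnection -RemotePort $RemotePort -State Established |
        Where-Object { $_.RemoteAddress -and $_.RemoteAddress -notmatch $localPattern } |
        ForEach-Object {
            $ip = $_.RemoteAddress
            if (-not $cache.ContainsKey($ip)) {
                try {
                    # https so the queried addresses are not sent in clear text
                    $info = Invoke-RestMethod -Uri "https://ipinfo.io/$ip/json" -TimeoutSec 5
                    $cache[$ip] = '{0} ({1})' -f $info.org, $info.city
                }
                catch {
                    # keep going when the service is unreachable or rate-limited
                    $cache[$ip] = "lookup failed: $($_.Exception.Message)"
                }
            }
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                RemoteAuthority = $cache[$ip]
                RemoteAddress   = $ip
                OwningProcess   = $_.OwningProcess
                Process         = $proc.Path
            }
        }
}

Get-RemoteAuthority -RemotePort 443 | Format-Table -AutoSize
```

Unauthenticated ipinfo.io requests are rate-limited (the readme field in the response above points to https://ipinfo.io/missingauth), which is why the cache and the catch block matter on a busy machine.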

Interesting, eh?
