Cyber Threat Intelligence

Discover malicious IPs and domains with Akamai Guardicore Segmentation

IP Address: 191.111.223.159Malicious

IP Address: 191.111.223.159Malicious

This IP address attempted an attack on a machine in our threat sensors network

Threat Information

Role

Attacker, Scanner

Services Targeted

SMB

Tags

Service Creation Access Suspicious Domain Successful SMB Login CMD Service Deletion MSRPC Service Start Outgoing Connection SMB

Associated Attack Servers

nexlinx.net.pk

116.58.10.59 117.203.243.133 132.145.23.155 223.210.48.4

Basic Information

IP Address

191.111.223.159

Domain

-

ISP

-

Country

Colombia

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Akamai Guardicore Segmentation

2024-04-01

Last seen in Akamai Guardicore Segmentation

2024-04-01

What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

A user logged in using SMB with the following username: administrator - Authentication policy: Reached Max Attempts

Successful SMB Login

A user logged in using SMB with the following username: administrator - Authentication policy: Previously Approved User

Successful SMB Login

c:\windows\system32\services.exe installed and started mshta.exe as a service named AC06 under service group None

Service Start Service Creation

Service MSIServer was started

Service Start

Process c:\windows\system32\msiexec.exe generated outgoing network traffic to: 116.58.10.59:16778, 117.203.243.133:12687, 132.145.23.155:14689 and 223.210.48.4:10746

Outgoing Connection

Process c:\windows\system32\msiexec.exe attempted to access suspicious domains: nexlinx.net.pk

Access Suspicious Domain Outgoing Connection

A user logged in using SMB with the following username: administrator - Authentication policy: Previously Approved User

Successful SMB Login

c:\windows\system32\services.exe installed and started mshta.exe as a service named AC02 under service group None

Service Start Service Creation

Connection was closed due to user inactivity