I've been using the Sysinternals Suite from the Microsoft Store, and recently I noticed that tools like Autoruns, Process Explorer, and TCPView are connecting to some unusual external IP addresses. I'm a bit uneasy about this since I couldn't find any WHOIS information on those IPs—they only stayed visible for about 5 seconds. I've never encountered this before, so I'm curious if anyone else has experienced the same thing with these tools. I should mention that I don't use the VirusTotal integration, so that's not a factor here.
3 Answers
Are you using the live version of Sysinternals from the Microsoft Store? I usually grab mine directly from the Sysinternals website instead.
You might be seeing Microsoft SmartScreen in action. It checks if the apps are legitimate when they connect to the internet. Just a heads-up, that could be what you're noticing.
I get that, but it was definitely the tools themselves making those connections, not regular Windows processes. Thanks for the input!
As a penetration tester, your concerns are totally valid. Attackers often use built-in tools to contact external hosts. Make sure to compare your connections against known threats on sites like the LOLBins project, as they highlight how tools can be misused.
Yep, it’s all the tools from the Microsoft Store; they were connecting outbound for sure.
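One way to check a claim like this on a host that has Sysmon network-connection logging (Event ID 3) enabled, as an added example that is not code from this thread: parse the records, keep only connections that a Sysinternals tool itself initiated, and flag those whose destination lies outside internal address space. The six records below are constructed, the install path under WindowsApps is hypothetical, and the 203.0.113.x / 198.51.100.x destinations are RFC 5737 documentation addresses standing in for arbitrary public IPs; the image file names are the real names of the tools mentioned above.

```python
"""Flag outbound connections initiated by Sysinternals tools in Sysmon
Event ID 3 (NetworkConnect) records.  Added illustration for the thread
above; the log lines are constructed and the install path is hypothetical."""
import ipaddress
import os

# Image file names of the tools named in the thread (32- and 64-bit builds).
WATCHED_IMAGES = {
    "autoruns.exe", "autoruns64.exe",
    "procexp.exe", "procexp64.exe",
    "tcpview.exe", "tcpview64.exe",
}

# Address ranges treated as internal.  Listed explicitly rather than via
# ipaddress.is_private so that the RFC 5737 documentation ranges used in the
# constructed sample (203.0.113.0/24, 198.51.100.0/24) count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "0.0.0.0/32",
    "fc00::/7", "fe80::/10", "::1/128",
)]

# Constructed Sysmon Event ID 3 records flattened to "Key: value | Key: value".
_STORE = "C:\\Program Files\\WindowsApps\\SysinternalsSuite_hypothetical"
SAMPLE_EVENTS = [
    f"UtcTime: 2024-05-01 10:00:01.000 | Image: {_STORE}\\Autoruns64.exe | Initiated: true | DestinationIp: 203.0.113.45 | DestinationPort: 443",
    f"UtcTime: 2024-05-01 10:00:02.000 | Image: {_STORE}\\procexp64.exe | Initiated: true | DestinationIp: 198.51.100.7 | DestinationPort: 443",
    f"UtcTime: 2024-05-01 10:00:03.000 | Image: {_STORE}\\tcpview64.exe | Initiated: true | DestinationIp: 192.168.1.10 | DestinationPort: 445",
    f"UtcTime: 2024-05-01 10:00:04.000 | Image: {_STORE}\\Autoruns64.exe | Initiated: false | DestinationIp: 203.0.113.45 | DestinationPort: 49152",
    "UtcTime: 2024-05-01 10:00:05.000 | Image: C:\\Windows\\System32\\notepad.exe | Initiated: true | DestinationIp: 203.0.113.9 | DestinationPort: 80",
    f"UtcTime: 2024-05-01 10:00:06.000 | Image: {_STORE}\\procexp64.exe | Initiated: true | DestinationIp: 10.0.0.5 | DestinationPort: 135",
]


def parse_event(line):
    """Split one flattened record into a dict of field name -> value."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def is_external(ip_text):
    """True when the address is outside every range in INTERNAL_NETS."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def flag_outbound(lines, watched=WATCHED_IMAGES):
    """Return (time, image, dest_ip, dest_port) for every connection that a
    watched tool initiated towards an external address."""
    flagged = []
    for line in lines:
        ev = parse_event(line)
        # Normalise the Windows path so basename() works on any platform.
        image = os.path.basename(ev.get("Image", "").replace("\\", "/")).lower()
        if image not in watched:
            continue                      # not one of the tools we care about
        if ev.get("Initiated", "").lower() != "true":
            continue                      # inbound/accepted, not an outbound call
        if not is_external(ev.get("DestinationIp", "0.0.0.0")):
            continue                      # stayed inside the internal ranges
        flagged.append((ev["UtcTime"], image, ev["DestinationIp"],
                        int(ev["DestinationPort"])))
    return flagged


if __name__ == "__main__":
    for when, image, ip, port in flag_outbound(SAMPLE_EVENTS):
        print(f"{when}  {image:<16} -> {ip}:{port}")
```

Run against real exported Sysmon events the filter yields the destination list you would then look up, and the `Initiated` check matters: a tool accepting a connection is a different question from a tool dialling out.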