172.172.170.199 — Microsoft Corporation, US — Very High (100%)

Check an IP Address, Domain Name, Subnet, or ASN

172.172.170.199 was found in our database!

Confidence Level

100%

Very High?

Geolocation

🇺🇸

United StatesWashington

ISPMicrosoft Corporation

ASNAS8075

Activity Timeline

First seenFeb 9, 2026, 06:05 AM

Last seen1h ago

104Sessions

106Events

Protocol Breakdown

SSH

104 / 106

172.172.170.199 has a very high threat confidence level of 100%, originating from Washington, United States, on the Microsoft Corporation network (8075). It has been observed across 104 sessions targeting SSH, with detected attack patterns including ssh authorized keys persistence established, ssh interactive environment profiling with access consolidation, First observed on February 9, 2026, most recently active March 5, 2026.

Behaviors

Classified behavioral patterns observed

Ssh Authorized Keys Persistence Established

very_high23x

Removal of filesystem attribute protections from the user’s .ssh directory followed by deletion and recreation of the directory and insertion of a new public key into authorized_keys. This pattern reflects deliberate modification of SSH trust configuration to establish persistent key-based access.

Ssh Interactive Environment Profiling With Access Consolidation

very_high1x

Identifies an SSH session performing multi-method system profiling (CPU model extraction, memory and disk inspection, active user/process monitoring), followed by SSH key replacement and password update indicative of interactive access validation and consolidation rather than single-shot automated takeover.

Primitives

Individual actions observed

Ssh Authorized Keys Replacement Home24 Unix Home Ssh Directory Attribute Modification Attempt24 Ssh Uname All1 Ssh Whoami User Identity1 Ssh Uname Basic Invocation1 Ssh Lscpu Model Field Filter1 Ssh Cpuinfo Name Count Via Wc1 Ssh Crontab List Current User1 Ssh Uname Machine Architecture1 Ssh Cpuinfo Model Name Line Count1 Ssh W Logged In Users Enumeration1 Ssh Free Mem Multi Field Extraction Mb1 Ssh Df Head Second Line Field Extraction1 Ssh Cpuinfo Model Field Subset Extraction1 Ssh Chpasswd Password Update Via Echo Pipe1 Ssh Top Interactive Process Monitor Invocation1 Ssh Ls Binary Path Resolution And Metadata Listing1 Ssh Script Cleanup Process Kill And Hosts Deny Clear1

Related Threats

Explore related threat intelligence

🇺🇸More threats fromUnited States ASMore threats fromMicrosoft Corporation SSHMore threats targetingSSH { }Browse allAttack Patterns

WHOIS Lookup

IP Address	Confidence	Events
20.46.45.121	47%	210
13.89.125.30	79%	161
172.202.118.18	71%	118
20.169.104.253	72%	119
20.64.105.152	61%	79

IP Address	Confidence	Events
198.199.90.123	65%	37
23.94.28.163	97%	1,025
92.118.39.63	100%	19,082
92.118.39.95	100%	75,606
70.166.167.59	43%	257