OPNsense Forum

English Forums => General Discussion => Topic started by: wmeter on January 04, 2022, 04:47:08 PM

Title: Weird outbound connection
Post by: wmeter on January 04, 2022, 04:47:08 PM

Hi,

I have a device on my network (still trying to find the port where the MAC goes through) that announces itself at random intervals, but always with sharp 60-minute intervals, at my DHCP with the fake MAC 88:88:88:88:87:88. It always receives the same IP, hence it's something that 'respects' leases and DHCP, or my OPNsense will always give it the same IP regardless of it being a 'good DHCP client' or not.

The device always uses the hostname 'spare'. When I check the logs of my firewall for this internal IP I see one outgoing connection to an Azure IP at Microsoft in Paris (20.199.120.85) on port 443.

Whois does not tell me a lot, nor does trying an HTTPS connection to the mentioned IP on port 443.

Has anyone seen something similar? Does anyone know what this is?
Can I 'program' a packet capture once it shows up again? E.g. when this internal IP is given out by the DHCP for a next 'call home'?

It seems to 'sleep' during the day, but will 'wake up' at night and do its hourly polls...

Suggestions? Tips? Ideas?

Much appreciated...

Willem
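
One way to do the triggered capture asked about above, as an added example that is not part of the original post: a small shell watcher that follows the DHCP server log and starts a time-limited `tcpdump` for whatever IP is handed to the MAC 88:88:88:88:87:88. The log path, interface name, output directory and the ISC dhcpd `DHCPACK on <ip> to <mac>` line shape are assumptions to adjust for the actual firewall; the sample log line is constructed.

```shell
#!/bin/sh
# Added example: start a bounded packet capture when dhcpd acknowledges a
# lease for the odd MAC from the post.
MAC="88:88:88:88:87:88"            # MAC reported in the post
LOG="/var/log/dhcpd/latest.log"    # assumption: DHCP server log location
IFACE="igb1"                       # assumption: LAN interface name
OUTDIR="/tmp"                      # assumption: where pcaps are written
CAPTURE_SECONDS=600                # capture 10 minutes per trigger

# Constructed sample line in ISC dhcpd style (not taken from a real log).
SAMPLE='Jan  5 02:00:01 fw dhcpd[1234]: DHCPACK on 192.168.1.50 to 88:88:88:88:87:88 (spare) via igb1'

# Print the leased IPv4 address if the line is a DHCPACK for $MAC;
# print nothing for any other line. The address is validated as a dotted
# quad before it is ever used in a capture filter.
lease_ip() {
    printf '%s\n' "$1" | awk -v mac="$MAC" '
        {
            for (i = 1; i + 4 <= NF; i++) {
                if ($i == "DHCPACK" && $(i+1) == "on" && $(i+3) == "to" &&
                    tolower($(i+4)) == mac &&
                    $(i+2) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                    print $(i+2)
                    exit
                }
            }
        }'
}

# Follow the log and launch one capture per matching DHCPACK.
watch() {
    tail -n 0 -F "$LOG" | while IFS= read -r line; do
        ip=$(lease_ip "$line")
        [ -n "$ip" ] || continue
        pcap="$OUTDIR/spare-$(date +%Y%m%d-%H%M%S).pcap"
        echo "lease for $MAC -> $ip, capturing to $pcap"
        # timeout ends the capture so disk usage stays bounded.
        timeout "$CAPTURE_SECONDS" tcpdump -ni "$IFACE" -w "$pcap" host "$ip" &
    done
}

# Only start watching when asked to: sh capture-spare.sh watch
if [ "${1:-}" = "watch" ]; then
    watch
fi
```

Since the device polls hourly, a lease renewal during a running capture starts a second, overlapping pcap; the files can be merged or the later one ignored.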