Windows Network Analysis
Introduction
Network analysis is the process of capturing and examining both historical and active network activity on a host, which can provide a wealth of information, such as:
IP Addresses (such as source and destination)
Ports
URLs
Correlating processes and network traffic.
This room will introduce you to the network artefacts present on a Windows host and how these can be analysed using tooling already provided on Windows. Often in the initial stages of an incident, you may not be able to install all of your fancy tooling. It's essential to know how to work with the Operating System to capture the evidence you need, as well as build a picture of the host's activity.
Finally, you will come on to practice what you have learnt in this room by analysing a Windows machine that has been infected with a C2 agent that keeps real-time communication with the host.
Pre-requisites
This room recommends that you have either completed or are familiar with the following content:
Learning Objectives
How to benefit from network artefacts present on Windows using internal tooling
Auditing network logs on a Windows host
Determining a process' network activity
Triage a host using PowerShell for some "quick wins"
Windows Network Analysis
Viewing Named-Pipes
Named-pipes are a method used by the Operating System to perform inter-process communication. Named-pipes can be either local or network-based. This task will show you how to list network-based Named-pipes, which can indicate processes communicating with another host (I.e. a file share or file upload).
System Resource Usage Monitor (SRUM)
The SRUM is a Windows feature that tracks the last 30 to 60 days of resource usage, such as:
Application and service activity
Network activity, such as packets sent and received
User activity (I.e. launching services or processes).
In a database (SRUDB.dat) on the host, this can be found at C:\Windows\System32\sru\SRUDB.dat.
However, we will need to use external tooling to process this database as there is no built-in utility that can be used to gather the information that we need. It should be noted that, during a live acquisition, this file is locked by Windows, so we will need to export it to our own machine. We can use utilities such as FTK Imager or KAPE to retrieve this.
C:\Users\CMNatic\Desktop\kape>.\kape.exe --tsource C:\Windows\System32\sru --tdest C:\Users\CMNatic\Desktop\SRUM --tflush --mdest C:\Users\CMNatic\Desktop\MODULE --mflush --module SRUMDump --target SRUM
KAPE version 1.3.0.2, Author: Eric Zimmerman, Contact: https://www.kroll.com/kape (kape@kroll.com)
Creating module destination directory C:\Users\CMNatic\Desktop\MODULE
Found processor Executable: srum_dump_csv.exe, Cmd line: -i %sourceDirectory%\WINDOWS\System32\sru\SRUDB.dat -t SRUM_TEMPLATE.xlsx -r %sourceDirectory%\WINDOWS\System32\config\SOFTWARE -o %destinationDirectory% -q, Export: csv, Append: False!
Total execution time: 13.3242 secondsOnce we have retrieved the SRUDB.dat file, we can use the srum-dump utility to analyse this database. After downloading the srum-dump executable and SRUM template from the repo, launch the executable and fill out the pop-up with the relevant information:
Path to the exported SRUMDB.dat on our other analyst machine
Path to the srum-dump template
Path to output the srum-dump analysis file
We can leave the registry boxes blank for now.
And now let srum-dump analyse. This may take a couple of minutes. Feel free to grab a glass of water and stretch your legs.
After a few minutes, the analysis will be complete. We can go to our output directory and open the Excel file.
Windows Firewall Logs
Before proceeding, check if logging is enabled. By default, Windows Firewall will log to C:\Windows\System32\LogFiles\Firewall.
After a few minutes, we can open the pfirewall.log located in C:\Windows\System32\LogFiles\Firewall. Here, we can see connections that Windows Firewall has allowed or dropped.
You can, of course, view this using the gc (Get-Content) cmdlet in PowerShell:
PS C:\Users\Administrator\Desktop> gc C:\Windows\System32\LogFiles\Firewall\pfirewall.log | more
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-19 11:24:43 ALLOW UDP 192.168.0.202 192.168.0.255 137 137 0 - - - - - - - RECEIVE
2024-03-19 11:24:47 ALLOW UDP 192.168.0.231 239.255.255.250 63913 1900 0 - - - - - - - SEND
2024-03-19 11:24:47 ALLOW 2 192.168.1.1 224.0.0.1 - - 0 - - - - - - - RECEIVE
2024-03-19 11:24:47 ALLOW 2 192.168.0.231 224.0.0.22 - - 0 - - - - - - - SEND
2024-03-19 11:24:48 ALLOW UDP 192.168.0.231 194.168.4.100 55048 53 0 - - - - - - - SEND
2024-03-19 11:24:48 ALLOW UDP 192.168.0.231 194.168.4.100 49369 53 0 - - - - - - - SEND
2024-03-19 11:24:50 ALLOW TCP 192.168.0.231 192.168.0.250 49736 80 0 - 0 0 0 - - - SEND
2024-03-19 11:24:50 ALLOW TCP 192.168.0.231 192.168.0.250 49737 80 0 - 0 0 0 - - - SEND
2024-03-19 11:24:51 ALLOW TCP 192.168.0.202 192.168.0.231 58427 3389 0 - 0 0 0 - - - RECEIVE
2024-03-19 11:24:53 ALLOW TCP 192.168.0.202 192.168.0.231 58428 3389 0 - 0 0 0 - - - RECEIVE
2024-03-19 11:24:53 ALLOW UDP 192.168.0.202 192.168.0.231 63842 3389 0 - - - - - - - RECEIVE
2024-03-19 11:24:55 ALLOW UDP 192.168.0.231 194.168.4.100 54343 53 0 - - - - - - - SENDQ & A
1) What is the full name of the Windows feature that tracks the last 30 to 60 days of system statistics?
Answer: System Resource Usage Monitor
2) What is the full path to the directory that Windows will output Firewall logs to?
Answer: C:\Windows\System32\LogFiles\Firewall
Network Analysis via PowerShell
PowerShell is an extremely powerful and extensive command shell for Windows with its own scripting language. It can be used to automate tasks, audit and configure the Windows operating system, and it is already provided on the machine.
We can use PowerShell to retrieve a lot of the same information that other tools can. Knowing how to retrieve network activity using PowerShell is a great "first step" in triaging a machine, especially when you can't immediately throw your toolset at it. This task is going to show you some example commands for PowerShell.
Show TCP Connections and Associated Processes
This snippet can be a nice "quick win" to see what processes are making TCP connections and the IP addresses, where you can quickly find anomalies for further investigation.
PS C:\Users\Administrator Get-NetTCPConnection | select
LocalAddress,localport,remoteaddress,remoteport,state,@{name="process";
Expression={(get-process -id $_.OwningProcess).ProcessName}},
@{Name="cmdline";Expression={(Get-WmiObject Win32_Process -filter
"ProcessId = $($_.OwningProcess)").commandline}} | sort Remoteaddress -Descending
| ft -wrap -autosize
192.168.0.101 50109 23.208.241.199 443 Established OUTLOOK "C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
192.168.0.101 50131 51.15.43.212 443 Established msedge "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
192.168.0.101 50132 51.15.43.212 443 Established msedge "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"Show UDP Connections
The following snippet will display all UDP connections. Whilst the majority of applications will be using TCP, viewing the UDP connections are helpful in building a picture of the activity of the machine. Additionally, hosts who are infected with joining a botnet, may use UDP to communicate, such as in the case of flood attacks.
PS C:\Users\Administrator Get-NetUDPEndpoint | select local*,creationtime, remote* | ft -autosize
LocalAddress LocalPort creationtime remote*
------------ --------- ------------ -------
:: 64698 21/02/2024 11:54:02
:: 5355 21/02/2024 11:54:01
:: 5353 21/02/2024 11:54:01
0.0.0.0 64697 21/02/2024 11:54:02
127.0.0.1 58110 21/02/2024 11:54:02
0.0.0.0 5355 21/02/2024 11:54:01
0.0.0.0 5353 21/02/2024 11:54:01
0.0.0.0 4500 21/02/2024 11:54:01
0.0.0.0 3702 21/02/2024 11:54:02
0.0.0.0 3389 21/02/2024 11:54:01
0.0.0.0 500 21/02/2024 11:54:01
192.168.0.101 138 21/02/2024 11:54:01
192.168.0.17 3389 21/02/2024 10:26:39
192.168.0.200 4444 21/02/2024 09:32:05
0.0.0.0 123 21/02/2024 11:54:02Sort and Unique Remote IPs
This snippet can be used to list the IP addresses associated with ongoing TCP connections on the host, where they are then sorted in numerical order and uniqued (removing duplicates). The -Unique filter on Sort-Object is important because IP addresses can make multiple connections (I.e. a browser). The output from this snippet can be exported, where the IP addresses can be compared to threat intelligence or any possible events from security applications such as an IDS.
PS C:\Users\Administrator (Get-NetTCPConnection).remoteaddress | Sort-Object -Unique
::
::1
0.0.0.0
127.0.0.1
13.107.21.200
172.166.86.133
192.168.0.111
192.168.0.202
192.168.0.236
20.90.156.32
204.79.197.239
213.105.19.97Investigate an IP Address
If we wish to drill down into an IP address, we can use the following snippet to gain some more insight. For example, in the snippet below, we can see the connection status, the date and time it was initiated, the local port (local host) and a remote port (remote host), and the process causing that connection. This could be an excellent way to discover connections that an IP is making to a process. For example, a process from payload.exe connecting to port 4444 on an IP address.
PS C:\Users\Administrator> Get-NetTCPConnection -remoteaddress 51.15.43.212 | select state, creationtime, localport,remoteport | ft -autosize
State creationtime localport remoteport
----- ------------ --------- ----------
CloseWait 21/02/2024 13:43:36 50151 443
CloseWait 21/02/2024 13:43:36 50150 443Retrieve DNS Cache
The DNS cache on a host is a locally stored "database" of DNS records and their corresponding host stored on the host, used to remember what domains match up to what IP address, improving performance (i.e, the host already knows where the domain points to). Reviewing the cache can be used to indicate what domains have recently been contacted.
PS C:\Users\Administrator Get-DnsClientCache | ? Entry -NotMatch "workst|servst|memes|kerb|ws|ocsp" | out-string -width 1000
attacker.thm AAAA NoRecords
attacker.thm A Success Answer 598005 4 10.10.182.37View Hosts File
The hosts file contains "override" domains and the associated IP address on the host. You will be familiar with this concept if you have completed challenges on TryHackMe. It is a useful method of mapping a domain to an IP without relying on a DNS server.
Attackers use the hosts file to redirect traffic to something they control, as the host will take preference from the hosts file before reaching out to a DNS server. For example, an attacker may be able to tell the host to send all traffic destined to http://exampledomain.com (which is owned by the business) to the attacker's servers instead...whilst all the user will see is http://exampledomain.com.
There are numerous examples of this being used in banking trojans, phishing attacks, etc, where the user thinks they're logging into the correct page because the URL matches up. Meanwhilst, the traffic is being sent to the attacker's servers instead.
PS C:\Users\Administrator> gc -tail 4 "C:\Windows\System32\Drivers\etc\hosts"
# ::1 localhost
192.168.0.200 attacker.thmQuerying WinRM Sessions
Windows Remote Management (WinRM) administers a system over the command line. This is useful for automated scripts (and the such) by the network administrators. However, Attackers can abuse this same functionality in a stealthier way than connecting to a device over, say, RDP, to execute PowerShell commands remotely.
Querying WindowsRM sessions is essential, especially as sessions can persist (i.e. backdoors).
Querying RDP Logs
Querying active and recent RDP connections is another "quick win" to understand the current activity on the host. The qwinsta command will show the user status, as well as source of the connection.
PS C:\Users\Administrator qwinsta
SESSIONNAME USERNAME ID STATE TYPE DEVICE
services 0 Disc
console 1 Conn
rdp-tcp#2 Attacker 2 Active
rdp-tcp 65536 Listen
PS C:\Users\AdministratorQuerying SMB Shares
PS C:\Users\Administrator Get-SmbConnection
ServerName ShareName UserName Credential Dialect NumOpens
---------- --------- -------- ---------- ------- --------
10.10.124.230 c THM-Analyst\Administrator THM-Analyst\Administrator 3.1.1 5
10.10.124.230 c$ THM-Analyst\Administrator THM-Analyst\Administrator 3.1.1 1
10.10.124.230 IPC$ THM-Analyst\Administrator THM-Analyst\Administrator 3.1.1 0Q & A
1) What cmdlet can be used to display active TCP connections?
Answer: Get-NetTCPConnection
2) What cmdlet can be used to display the DNS cache on the host?
Answer: Get-DnsClientCache
3) What command can be used to list all active RDP sessions on the host?
Answer: qwinsta
Packet Monitor (Pktmon)
Packet Monitor is a Microsoft-developed packet sniffing tool provided with Windows 10, Windows Server 2022 and Server 2019 that works on the network stack. A "cheatsheet" of the commands has been provided in the table below:
pktmon start
Start a PacketMonitor capture.
pktmon stop
Stop a PacketMonitor capture.
pktmon reset
Reset the count of packets that PacketMonitor has captured.
pktmon counters
View the amount of packets PacketMonitor has captured across the interfaces.
pktmon etl2txt
Convert a PacketMonitor capture file to a text file.
pktmon etl2pcap
Convert a PacketMonitor capture file to a pcap.
C:\Windows\system32>pktmon start -c
Logger Parameters:
Logger name: PktMon
Logging mode: Circular
Log file: C:\Windows\system32\PktMon.etl
Max file size: 512 MB
Memory used: 768 MB
Collected Data:
Packet counters, packet capture
Capture Type:
All packets
Monitored Components:
All
Packet Filters:
NoneNetstat
Netstat is another Microsoft-developed utility that can be used to review TCP/UDP connections on the machine. Similar to Packet Monitor, this utility is already provided on Windows.
To begin, we can launch a new cmd and enter netstat -a. This will instruct Netstat to list all active connections.
C:\Users\tryhackme:~$ netstat -a
TCP 127.0.0.1:143 mail:49725 ESTABLISHED
TCP 127.0.0.1:49725 mail:imap ESTABLISHED
TCP 192.168.0.101:139 thm-monikerlink:0 LISTENING
TCP 192.168.0.101:3389 DESKTOP-IS0280F:50792 ESTABLISHED
TCP 192.168.0.101:49682 20.90.156.32:https ESTABLISHED
TCP 192.168.0.101:49723 52.123.242.73:https TIME_WAIT
TCP 192.168.0.101:49728 192.229.221.95:http TIME_WAIT
TCP 192.168.0.101:49738 a23-37-2-8:https ESTABLISHED
TCP 192.168.0.101:49740 a23-37-1-150:http TIME_WAITHowever, as you'll come to notice, this generates a lot of noise. Netstat can be configured to dive deeper into some of these connections as well as filter out some of this noise. A cheatsheet of some options has been provided in the table below.
netstat -a
Display all currently active TCP connections and TCP/UDP ports.
netstat -b
Display the executable responsible for the connection (i.e. payload.exe).
netstat -o
Display all TCP connections and include the process ID.
netstat -p
Display connections by protocol. Options include TCP, UDP, ICMP, and the IPV6 iterations.
It is worth noting that these options can be combined together. An example of this is in the snippet below, where -a and -b are used to show active TCP connections and the executable responsible for them.
Viewing Network Connections With PID
C:\Users\tryhackme~$ netstat -a -o
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 thm-c2:0 LISTENING 1608
TCP 0.0.0.0:445 thm-c2:0 LISTENING 4
TCP 0.0.0.0:903 thm-c2:0 LISTENING 6052
TCP 0.0.0.0:913 thm-c2:0 LISTENING 6052
TCP 0.0.0.0:2869 thm-c2:0 LISTENING 4
TCP 0.0.0.0:5040 thm-c2:0 LISTENING 8656
TCP 0.0.0.0:5357 thm-c2:0 LISTENING 4
TCP 0.0.0.0:7070 thm-c2:0 LISTENING 5856
TCP 0.0.0.0:7396 thm-c2:0 LISTENING 23368
TCP 0.0.0.0:7680 thm-c2:0 LISTENING 56648
TCP 0.0.0.0:9993 thm-c2:0 LISTENING 6120We can then use resources such as Task Manager or pmon to look for the process' PID.
Exporting Netstat
The output of Netstat can also be exported by using a redirection (C:\Users\tryhackme:~$ netstat -a -o > netstat.txt). This is extremely helpful when we export or search the logs.
Q & A
1) What netstat flag can we use to display the executable responsible for a connection?
Answer: -b
2) If we wanted to display all TCP connections and the associated process ID using netstat, what flag would we use?
Answer: -o
3) What special character can we use to save the output of netstat to a text file?
Answer: >
Practical
This practical will get you hands-on with analysing a Windows host infected with a C2 agent in real time. You will utilise what you have learnt in the tasks above to answer the questions within this task.
For the practical element of this room, you will be deploying two machines across two rooms. It is important that you read the following instructions thoroughly.
First, you will need to deploy the machine attached to this task by pressing the green "Start Machine" button at the top-right of this task. Consider this your "Analyst" machine. The machine will start in Split-Screen view. In case the VM is not visible, use the blue Show Split View button at the top of the page.
Take note of the IP address of this machine (10.10.90.130). You will need this shortly. While this machine boots up, proceed with the steps below.
Next, open the following room in another tab of your browser (keeping this one open) and deploy the machine attached to the first task. Take note of that IP address. Consider this the "C2" machine and return to this room.
Wait for the desktop to show on both machines.
Open up Microsoft Edge using either the shortcut on the desktop or the toolbar on the machine in this room and enter the Analyst IP address with port 5000 (10.10.90.130:5000) in the first tab, once the web page has loaded, open another tab and enter the C2 server IP (with port 5000).
Once both machines are marked as "Ready", you can begin to investigate the "Analyst" machine in this room. Please note that you may need to refresh the first tab for the "Ready" status to show.
The whole process should take 8-9 minutes if done correctly. If any of the machines display as "Error", terminate both machines and proceed through the instructions above again.
Q & A
1) Use the Get-NetTCPConnection PowerShell cmdlet to list the connections currently active.
A popular port for reverse shells is currently active. What is the port number?
If nothing sticks out, wait a few minutes and run the command again.
Get-NetTCPConnectionAnswer: 4444
2) What is the name of the process that is connecting to the C2 server?
Answer: pythonw.exe
3) What is the domain that has been added to the workstation's host file?
gc -Tail 2 "C:\Windows\System32\drivers\etc\hosts"Answer: attackerc2.thm
4) Analyse the SRUM database. There is another process that has sent a large amount of bytes, indicating data exfil. What is the full path to the process (as listed in SRUM)?
Answer: \device\harddiskvolume3\program files\updater\exfil.exe
5) Finally, analyse the SMB shares present on the analyst machine. What is the name of the share that stands out?
Get-SmbShareAnswer: confidential
Last updated