
I have the following predicament. I am tasked with making sure our client's workstations are squeaky clean from a malware point of view. We have been blessed with Websense as a tool for identifying malicious outbound traffic.

Let's say for a given host I see some suspicious traffic and I want to identify which process is causing it (the workstations are Win 7 32-bit).

Also, netstat helps only if the process is always running. For scarce traffic the offending process is not always obvious.

The pain comes from the following: we only have a pseudo-administrator account, with which we have only remote command-line access. No PowerShell, no ability to run programs with a GUI (i.e. Process Explorer), and we are required to interrupt the users during their work as little as possible.

Because of this I am trying to master the hidden art of netsh trace. But over longer periods of time, even though I add filters for Ethernet type, protocol and IP, the logs get huge with entries for the Windows kernel, and it takes forever to download them from the host for analysis.

Until now I have not found any way to cut those out. I figured there must be a way with scenarios and/or providers, but could not find a description for those anywhere.

I also did not find a way to do this with any Sysinternals tool just from the CLI.

Any suggestions for tools or methods to accomplish the task?

user137684
  • Requests for product suggestions are against the rules, but I do know that [Tanium](https://en.wikipedia.org/wiki/Tanium) is a product designed to do exactly what you want, to provide insight into your endpoints. – gowenfawr Jan 29 '17 at 18:09

1 Answer


From your description, it looks like all you need is the timestamp, the process name and the source port (since you identify the malicious traffic externally and have access to the timestamp and the ports used). This can simplify things tremendously.

Run netstat with a grep every second and capture the processes and source ports to a log (export the log to a central logging server). Log contents are smaller this way, although you risk missing a short-running process if it fires in between your capture times. A little hacky, but effective, and I've done it.

You can also try logging aggregators or endpoint protection programs that log into the workstations to poll for this info. The performance, cost, and complexity will depend on the number of workstations in play, though.

schroeder
  • Thanks for the suggestion. I was hoping for a more elegant solution. The part with the installation of other programs is not acceptable although any ready to run CLI programs could go a long way. – user137684 Jan 29 '17 at 13:16
  • Log aggregators do not install anything - they login remotely – schroeder Jan 29 '17 at 13:18
  • Any example of those? – user137684 Jan 29 '17 at 13:19
  • Nevermind. Google cleared things out! Still hoping for some netsh magic though. – user137684 Jan 29 '17 at 13:28
  • What info would you like to get from netsh? – J.A.K. Jan 29 '17 at 15:17
  • Nothing more than the process, but it has the persistent switch, which helps across reboots, and it is 100% guaranteed to catch the traffic, unlike the solution with `netstat | findstr`, which has a slight chance of missing the traffic. – user137684 Jan 29 '17 at 21:39
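The polling approach from the answer, written out as a cmd.exe batch script that fits the constraints in the question (no PowerShell, no GUI, no third-party installs). This is an added example, not schroeder's own script: it polls `netstat -ano` once a second, logs each TCP connection only the first time it is seen, and resolves the owning PID to an image name with `tasklist`. The log and "seen" file paths under `%TEMP%` and the one-second interval are assumptions; change them to suit your environment. The caveat raised in the comments still applies: a connection that opens and closes entirely between two polls is missed, so the interval is the knob to trade volume against coverage.

```batch
@echo off
rem Added example (not from the original answer): poll "netstat -ano" once a
rem second and append one line per NEW TCP connection with a timestamp, the
rem local and remote endpoints, the owning PID and the image name resolved via
rem tasklist. Only cmd.exe built-ins and stock Windows 7 tools are used.
rem Assumed (hypothetical) paths: %TEMP%\netpoll.log and %TEMP%\netpoll.seen.
setlocal EnableDelayedExpansion
set "LOG=%TEMP%\netpoll.log"
set "SEEN=%TEMP%\netpoll.seen"
set "INTERVAL=1"
if not exist "%SEEN%" type nul > "%SEEN%"

:loop
rem TCP rows of "netstat -ano -p tcp": Proto LocalAddr RemoteAddr State PID
for /f "tokens=1-5" %%a in ('netstat -ano -p tcp ^| findstr /r /c:"^ *TCP"') do (
    rem A connection is keyed by local endpoint, remote endpoint and PID;
    rem it is logged only the first time the key is observed.
    findstr /l /c:"%%b %%c %%e" "%SEEN%" >nul || (
        rem Redirection goes first so a PID ending in a digit is not parsed
        rem as a file-handle number (e.g. "1234>>" would mean handle 4).
        >> "%SEEN%" echo %%b %%c %%e
        set "IMG=unknown"
        rem tasklist CSV row: "image.exe","PID","Session","Sess#","Mem"
        for /f "delims=," %%p in ('tasklist /fi "PID eq %%e" /nh /fo csv 2^>nul') do (
            if "!IMG!"=="unknown" set "IMG=%%~p"
        )
        rem If the process already exited, tasklist prints an INFO: line
        rem instead of a row; keep "unknown" in that case.
        if "!IMG:~0,5!"=="INFO:" set "IMG=unknown"
        >> "%LOG%" echo !DATE! !TIME! %%a %%b %%c %%d %%e !IMG!
    )
)
timeout /t %INTERVAL% /nobreak >nul
goto loop
```

Run it from the remote command shell with `start /b` (or as a scheduled task, which also survives reboots) and pull `%TEMP%\netpoll.log` back over the same channel you already use; each log line carries the local source port you see on the Websense side, so matching an alert back to an image name is a `findstr` on the port and timestamp. The "seen" file is what keeps the log small: an established connection that stays up for an hour produces one line, not 3600. The cost is that `tasklist` runs once per new connection, which is negligible on a workstation but worth knowing if you lower the interval. Note that `netstat -b`, which prints image names directly, needs full elevation and is usually unavailable to a pseudo-administrator, which is why the script goes through `-o` and `tasklist` instead.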