We covered network analysis and forensics on Windows using Powershell and CMD. We analyzed an infected machine making network connections to C2 server and we discovered a malicious process masquerading as python and executing a python script that performs the C2 calls. We used Powershell cmdlets to uncover the network connections and related artifacts. We used TryHackMe Windows Network Analysis room for demonstration purposes.

Offensive Security Certified Professional Study Notes

Computer Forensics Study Notes

What is Network Forensics?

Network Forensics is a specific subdomain of the Forensics domain, and it focuses on network traffic investigation. Network Forensics discipline covers the work done to access information transmitted by listening and investigating live and recorded traffic, gathering evidence/artefacts and understanding potential problems. 
Briefly, it is the action of recording packets of network traffic and creating investigatable sources and establishing a root–cause analysis of an event. The ultimate goal is to provide sufficient information to detect malicious activities, security breaches, policy/regulation compliance, system health and user behaviour.
The investigation process identifies communicated hosts in terms of time, frequency, protocol, application and data.
The investigation tries to answer the 5W;

  • Who (Source IP and port)
  • What (Data/payload)
  • Where (Destination IP and port)
  • When (Time and data)
  • Why (How/What happened)

What is Network Analysis

Network analysis is the process of capturing and examining both historical and active network activity on a host, which can provide a wealth of information, such as:

  • IP Addresses (such as source and destination)
  • Ports
  • URLs
  • Correlating processes and network traffic.

PowerShell is an extremely powerful and extensive command shell for Windows with its own scripting language. It can be used to automate tasks, audit and configure the Windows operating system, and it is already provided on the machine.

We can use PowerShell to retrieve a lot of the same information that other tools can. Knowing how to retrieve network activity using PowerShell is a great “first step” in triaging a machine, especially when you can’t immediately throw your toolset at it.

Data Subject to Network Forensic Investigation

  • Live Traffic
  • Traffic Captures (full packet captures and network flows)
  • Log Files

Network Forensics with Powershell

Show TCP Connections and Associated Processes

Get-NetTCPConnection | select LocalAddress,localport,remoteaddress,remoteport,state,@{name="process";Expression={(get-process -id $_.OwningProcess).ProcessName}}, @{Name="cmdline";Expression={(Get-WmiObject Win32_Process -filter "ProcessId = $($_.OwningProcess)").commandline}} | sort Remoteaddress -Descending | ft -wrap -autosize

Show UDP Connections

Get-NetUDPEndpoint | select local*,creationtime, remote* | ft -autosize

Extract IPs with active connections

(Get-NetTCPConnection).remoteaddress | Sort-Object -Unique

Investigate specific IP address for information such as the connection status, the date and time it was initiated, the local port (local host) and a remote port (remote host), and the process causing that connection.

Get-NetTCPConnection -remoteaddress 51.15.43.212 | select state, creationtime, localport,remoteport | ft -autosize

Inspecting DNS cache

Get-DnsClientCache | ? Entry -NotMatch "workst|servst|memes|kerb|ws|ocsp" | out-string -width 1000

Inspecting the hosts file

gc -tail 4 "C:\Windows\System32\Drivers\etc\hosts"

Query RDP Logs

qwinsta

Inspecting SMB shares

Get-SmbConnection

Inspecting Windows firewall logs located at C:\Windows\System32\LogFiles\Firewall

gc C:\Windows\System32\LogFiles\Firewall\pfirewall.log | more

Room Answers | TryHackMe Windows Network Analysis

What is the full name of the Windows feature that tracks the last 30 to 60 days of system statistics?

System Resource Usage Monitor

What is the full path to the directory that Windows will output Firewall logs to?

C:\Windows\System32\LogFiles\Firewall

What cmdlet can be used to display active TCP connections?

Get-NetTCPConnection

What cmdlet can be used to display the DNS cache on the host?

Get-DnsClientCache

What command can be used to list all active RDP sessions on the host?

qwinsta

What netstat flag can we use to display the executable responsible for a connection?

-b

If we wanted to display all TCP connections and the associated process ID using netstat, what flag would we use?

-o

What special character can we use to save the output of netstat to a text file?

>

Use the Get-NetTCPConnection PowerShell cmdlet to list the connections currently active.

A popular port for reverse shells is currently active. What is the port number?

If nothing sticks out, wait a few minutes and run the command again.

4444

What is the name of the process that is connecting to the C2 server?

pythonw.exe

What is the domain that has been added to the workstation’s host file?

attackerc2.thm

Analyse the SRUM database. There is another process that has sent a large amount of bytes, indicating data exfil. What is the full path to the process (as listed in SRUM)?

\device\harddiskvolume3\program files\updater\exfil.exe

Finally, analyse the SMB shares present on the analyst machine. What is the name of the share that stands out?

confidential

Video Walkthrough | TryHackMe Windows Network Analysis

, , , ,
Show Comments

MasterMind Study Notes

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles