Information Security News
Already you're thinking, did I read that right? The answer is nope, you absolutely can capture by Windows Process, just not with Windump or Wireshark. A while back I wrote a short diary about using NETSH to capture packets ( https://isc.sans.edu/diary/19409 ), and this story builds on that one.
A quick recap - to capture packets using NETSH, for a basic capture you'd do something like:
netsh trace start capture=yes tracefile=c:\temp\trace.etl
Then to stop the capture, execute:
netsh trace stop
Before we proceed, get the process details for the app you are trying to track. Something as simple as:
will give you the list of windows processes and the process numbers.
You can get much more detail from Sysinternals tools like Process Monitor, or better yet, Process Explorer.
In this case I'm chasing the packets from Cisco's AnyConnect VPN client. In the Process Explorer screenshot above, the associated processes are mixed in with those from the legacy IPSEC VPN client. This is easy enough to filter out in Wireshark if you know what the process does, but what you are looking for in a lot of cases is what *else* the process is doing. Is it phoning home for updates? Is it phoning home to share information that you don't want shared? For a VPN client you know what you are connecting to (so that part is easy to filter if you were using Wireshark), but what else is it doing?
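Since the capture itself is just the two NETSH commands above, the part worth automating is recording which process owned which connection while the trace was running, so the PIDs you later filter on in Message Analyzer still mean something after the process has exited. The following PowerShell is an added example, not code from the diary. It assumes an elevated prompt, Windows 8 / Server 2012 or later (for the Get-NetTCPConnection cmdlet), and uses 'vpnagent' as a placeholder process name and C:\temp\trace.etl as the trace path.

```powershell
# Added example (not from the ISC diary): wrap a NETSH capture around periodic
# snapshots of process -> TCP endpoint ownership, so the PIDs seen in Message
# Analyzer can be tied to process names and remote peers afterwards.
# Assumes: elevated prompt, Windows 8 / Server 2012+ (Get-NetTCPConnection).
param(
    [string]$ProcessName = 'vpnagent',        # placeholder: the process you are chasing
    [string]$TraceFile   = 'C:\temp\trace.etl',
    [int]$Seconds        = 60,                # how long to capture
    [int]$Interval       = 5                  # seconds between ownership snapshots
)

# 1. Start the capture exactly as in the diary.
netsh trace start capture=yes tracefile=$TraceFile | Out-Null

# 2. While it runs, record which endpoints the target process owns.
$snapshots = New-Object System.Collections.Generic.List[object]
$deadline  = (Get-Date).AddSeconds($Seconds)
while ((Get-Date) -lt $deadline) {
    $procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    foreach ($p in $procs) {
        Get-NetTCPConnection -OwningProcess $p.Id -ErrorAction SilentlyContinue |
            ForEach-Object {
                $snapshots.Add([pscustomobject]@{
                    Time          = Get-Date
                    ProcessName   = $p.ProcessName
                    PID           = $p.Id
                    LocalAddress  = $_.LocalAddress
                    LocalPort     = $_.LocalPort
                    RemoteAddress = $_.RemoteAddress
                    RemotePort    = $_.RemotePort
                    State         = $_.State
                })
            }
    }
    Start-Sleep -Seconds $Interval
}

# 3. Stop the capture (netsh writes the .etl plus a .cab of system info).
netsh trace stop | Out-Null

# 4. Keep the ownership log next to the trace and summarise the distinct peers.
$csv = [System.IO.Path]::ChangeExtension($TraceFile, 'processmap.csv')
$snapshots | Export-Csv -Path $csv -NoTypeInformation
$snapshots |
    Sort-Object RemoteAddress, RemotePort -Unique |
    Select-Object ProcessName, PID, RemoteAddress, RemotePort |
    Format-Table -AutoSize
```

Any remote address in the summary that is not the VPN head-end you expected is exactly the "what else is it doing" question the diary raises; the CSV gives you the PID and timestamp to pull the matching messages up in Message Analyzer's process filter. UDP flows (Get-NetUDPEndpoint) have no remote side in the table, so for those the capture itself remains the source of truth.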
On to analyzing the captured data by application or process. Instead of exporting the whole works to pcap format, open the NETSH output in Microsoft Message Analyzer, Microsoft
The right-hand pane looks pretty familiar, complete with a network tuple style filter at the top. The left-hand pane however is where we're looking today. That's what I call the "filter by other stuff" window. Let's trim the criteria down to the Process Name and Process ID (or you could just pick one or the other, it comes to the same thing since each process name has a unique process number).
Now, pick the target application, and the associated messages will appear in the right-hand pane. Wait, messages? Yes, what you'll see in the right-hand pane is a mix of packets in and out of the application, as well as the Windows Events that are generated by the application - bet you weren
If you click on a message, you
You see in the screenshot below that each packet is broken up hierarchically like you'd expect - my VPN traffic is fully represented, right down to the 802.11 wireless frames that are associated with the application. In OSI speak, as you click on each layer in the packet or frame, you
And as you'd expect, clicking any of the layers
Want to export to pcap format? You can write a filter for the display window, or simply highlight a number of records, then choose File / Save As / Export. I found that it was pretty easy to confuse the export process - a few null content files got me past this, it does work nicely. Just don
Then simply open the resulting CAP file in Wireshark or whatever you use to analyze the pcap
This is a very basic example - I'm just starting with Message Analyzer. There seems to be no end to how deep you can dig into the data with this tool though, and the interface is pretty straightforward - call me crazy, but for some things I might end up preferring it over Wireshark! Though my CLI bias is still firmly in place - TCPDump and other CLI/scripting tools are still my solid go-to once there's more than a few thousand packets.
Next chance I get I'm digging into how PowerShell can be used to work some automation goodness into this process. More on this here:
Lots of MS Message Analyzer tidbits can be found at: https://blogs.technet.microsoft.com/messageanalyzer
Have you done something way cool with Message Analyzer? Please, share using our comment form!
A critical Microsoft Word zero-day that was actively exploited for months connected two strange bedfellows, including government-sponsored hackers spying on Russian targets and financially motivated crooks pushing crimeware.
That assessment, made Wednesday with "moderate confidence" from researchers at security firm FireEye, is all the more intriguing because the payload delivered to the Russian targets was developed by Gamma Group, the controversial UK-based seller of so-called "lawful intercept" spyware to governments around the world. The company suffered a major setback in 2014 when a hack of its servers exposed more than 40 gigabytes of highly proprietary data showing that its software was used to spy on computers in the United States, Germany, Russia, Iran, and Bahrain. Gamma Group has continued to operate since then, as evidenced by Wednesday's report showing that its software, known as Finspy, was installed as early as January using what until Tuesday was the zero-day vulnerability in Word.
Adding even more intrigue, the Word exploit used to install Finspy on Russian computers shares some of the same digital fingerprints as an exploit used in March to install crimeware. Known as Latenbot, the malware boasted a variety of capabilities, including credential theft, hard drive and data wiping, security software disabling, and remote desktop functions. The shared artifacts found by FireEye—which are documented in the image at the top of this post—strongly suggest the exploits used by both government spies and criminal hackers originated with the same source. That finding draws a connection between state-sponsored hacking and financially motivated online crime.