Already you're thinking, did I read that right? The answer is nope, you absolutely can capture by Windows process, just not with Windump or Wireshark. A while back I wrote a short diary about using NETSH to capture packets ( ), and this story builds on that one.

A quick recap - to capture packets using NETSH, for a basic capture you'd do something like:

netsh trace start capture=yes tracefile=c:\temp\trace.etl

Then to stop the capture, execute:

netsh trace stop

Before we proceed, get the process details for the app you are trying to track. Something as simple as:

tasklist > tasklist.out

will give you the list of Windows processes and their process numbers.

You can get much more detail from Sysinternals tools like Process Monitor, or better yet, Process Explorer.
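Automating the capture and process lookup above, as an added example written for this diary and not the author's own code: a PowerShell wrapper around the same netsh commands that snapshots the running processes before and after the capture, because Windows reuses process IDs and the Process ID column you will match against later is only as good as the process list you recorded. The trace path, size cap and duration are assumed values.

```powershell
# Added example, not from the original diary: wraps the NETSH capture in a function
# and saves a process snapshot at the start and end of the capture window. PIDs are
# reused once a process exits, so a snapshot taken only afterwards can attribute
# traffic to the wrong binary. Paths and durations are hypothetical; run elevated.

function Get-ProcessSnapshot {
    param([string]$Label)
    # Path/StartTime are unreadable for some protected processes; record blanks rather than fail
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Snapshot    = $Label
            Id          = $_.Id
            ProcessName = $_.ProcessName
            Path        = $_.Path
            StartTime   = $(try { $_.StartTime } catch { $null })
        }
    }
}

function Start-ProcessAttributedCapture {
    param(
        [string]$TraceFile = 'C:\temp\trace.etl',  # same path as the diary; hypothetical
        [int]$Seconds      = 60,
        [int]$MaxSizeMB    = 250                   # cap the ETL so a long capture cannot fill the disk
    )
    $snapshotFile = [System.IO.Path]::ChangeExtension($TraceFile, '.processes.csv')

    $before = Get-ProcessSnapshot -Label 'start'
    netsh trace start capture=yes tracefile=$TraceFile maxsize=$MaxSizeMB overwrite=yes | Out-Null
    Start-Sleep -Seconds $Seconds
    netsh trace stop | Out-Null
    $after = Get-ProcessSnapshot -Label 'stop'

    # One CSV beside the ETL, to read alongside Message Analyzer's Process ID column
    @($before) + @($after) | Sort-Object Id, Snapshot |
        Export-Csv -Path $snapshotFile -NoTypeInformation

    # PIDs whose owner changed during the window: check message timestamps against
    # StartTime before attributing their traffic to either binary
    $reused = foreach ($b in $before) {
        $a = $after | Where-Object { $_.Id -eq $b.Id }
        if ($a -and ($a.ProcessName -ne $b.ProcessName -or $a.StartTime -ne $b.StartTime)) { $b.Id }
    }
    [pscustomobject]@{ TraceFile = $TraceFile; SnapshotFile = $snapshotFile; ReusedPids = @($reused) }
}

# Example call with hypothetical values: capture for two minutes, then inspect the result
Start-ProcessAttributedCapture -TraceFile 'C:\temp\anyconnect.etl' -Seconds 120
```

The returned ReusedPids list tells you which process IDs in the trace need a timestamp check before you trust the Process Name shown for them.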

In this case I'm chasing the packets from Cisco's AnyConnect VPN client. In the Process Explorer screenshot above, the associated processes are mixed in with those from the legacy IPSEC VPN client. This is easy enough to filter out in Wireshark if you know what the process does, but what you are looking for in a lot of cases is what else the process is doing. Is it phoning home for updates? Is it phoning home to share information that you don't want shared? For a VPN client you know what you are connecting to (so that part is easy to filter if you were using Wireshark), but what else is it doing?

On to analyzing the captured data by application or process. Instead of exporting the whole works to pcap format, open the NETSH output in Microsoft Message Analyzer.

The right hand pane looks pretty familiar, complete with a network tuple style filter at the top. The left hand pane however is where we're looking today. That's what I call the "filter by other stuff" window. Let's trim the criteria down to the Process Name and Process ID (or you could just pick one or the other; it comes to the same thing since each process name has a unique process number).

Now, pick the target application, and the associated messages will appear in the right hand pane. Wait, messages? Yes, what you'll see in the right hand pane is a mix of packets in and out of the application, as well as the Windows Events that are generated by the application - bet you weren't

If you click on a message, you

You see in the screenshot below that each packet is broken up hierarchically like you'd expect - my VPN traffic is fully represented, right down to the 802.11 wireless frames that are associated with the application. In OSI speak, as you click on each layer in the packet or frame, you

And as you'd expect, clicking any of the layers

Want to export to pcap format? You can write a filter for the display window, or simply highlight a number of records, then choose File / Save As / Export. I found that it was pretty easy to confuse the export process (I got a few null-content files), but once past this it does work nicely. Just don't

Then simply open the resulting CAP file in Wireshark or whatever you use to analyze the pcap.

This is a very basic example - I'm just starting with Message Analyzer. There seems to be no end to how deep you can dig into the data with this tool though, and the interface is pretty straightforward - call me crazy, but for some things I might end up preferring it over Wireshark! Though my CLI bias is still firmly in place - TCPDump and other CLI/scripting tools are still my solid go-to once there's more than a few thousand packets.

Next chance I get I'm digging into how PowerShell can be used to work some automation goodness into this process. More on this here:

Lots of MS Message Analyzer tid-bits can be found at:

Have you done something way cool with Message Analyzer? Please, share using our comment form!

Rob VandenBrink

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Image: An identical artifact in two exploits, one installing Finspy and the other Latenbot. (credit: FireEye)

A critical Microsoft Word zero-day that was actively exploited for months connected two strange bedfellows, including government-sponsored hackers spying on Russian targets and financially motivated crooks pushing crimeware.

That assessment, made Wednesday with "moderate confidence" from researchers at security firm FireEye, is all the more intriguing because the payload delivered to the Russian targets was developed by Gamma Group, the controversial UK-based seller of so-called "lawful intercept" spyware to governments around the world. The company suffered a major setback in 2014 when a hack of its servers exposed more than 40 gigabytes of highly proprietary data showing that its software was used to spy on computers in the United States, Germany, Russia, Iran, and Bahrain. Gamma Group has continued to operate since then, as evidenced by Wednesday's report showing that its software, known as Finspy, was installed as early as January using what until Tuesday was the zero-day vulnerability in Word.

Adding even more intrigue, the Word exploit used to install Finspy on Russian computers shares some of the same digital fingerprints as an exploit used in March to install crimeware. Known as Latenbot, the malware boasted a variety of capabilities, including credential theft, hard drive and data wiping, security software disabling, and remote desktop functions. The shared artifacts found by FireEye—which are documented in the image at the top of this post—strongly suggest the exploits used by both government spies and criminal hackers originated with the same source. That finding draws a connection between state-sponsored hacking and financially motivated online crime.

