You can enable logging to help identify the source of inbound traffic and to provide details on what traffic is being blocked. %Windir%\pfirewall.log is the default log file.
Some anomalous activities to watch on the wire can include:
- exfiltration traffic to get this "loot" out, so look for odd hours or connections made at unusual times,
- unusually high outbound ports, surges in traffic payload,
- unexpected changes in network performance, such as variations in traffic load at specified times; a transaction can be hogging and eating the bandwidth,
- brute-force attempts, which can include attempts (either failed or successful) to gain unauthorized access to a system or its data, and repeated failed connection attempts,
- beacons to a certain "country" that has no dealings with the business, or traffic coming from or going to unexpected locations,
- non-legitimate attempts such as remote access or IRC attempts, unwanted disruption or denial of service, unauthorized scans and probes,
- non-standard or malformed packets (protocol violations), which can also include multiple secure short-lived channels that are not SSL-standard based.
A) Checking for anomalous processes running:
- summary of every running process on a machine, run: C:\> wmic process list brief
- showing the name, process ID and priority of each running process, as well as other less-interesting attributes, run: C:\> wmic process list full
- programs that start when the system boots up or a user logs on, which could be defined by an auto-start registry key or folder, run: C:\> wmic startup list full
- pull a process summary every 5 seconds, run: C:\> wmic process list brief /every:5
B) Checking for anomalous accounts and services:
- the "net user" command shows all user accounts defined locally on the machine.
- the "net localgroup" command shows groups.
- the "net localgroup administrators" command shows membership of the administrators group.
- the "net start" command shows running services.
C) Checking for anomalous network activity:
- for unusual and unexpected connections in the output of netstat, run: C:\> netstat -nao
- besides TCP and UDP, if interested in ICMP, run: C:\> netstat -s -p icmp
- list the TCP and UDP ports in use on a machine every 2 seconds, run: C:\> netstat -na 2
D) Checking for any other "interest":
- look at information every second, e.g. for cmd.exe, run: C:\> wmic process list brief /every:1 | find "cmd.exe"
- autostart programs associated with the registry hive HKLM, run: C:\> wmic startup list brief | find /i "hklm"
- see with one-second accuracy when TCP port 2222 (example) starts being used and by which PID, run: C:\> netstat -nao 1 | find "2222"
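Worked example, added here and not part of the answer above or of Experts Exchange: a small Python triage script that parses the two artefacts the answer points at, the Windows Firewall log (%Windir%\pfirewall.log, W3C format) and `netstat -nao` output joined to `wmic process list brief`, and flags the traffic anomalies listed at the top (repeated dropped inbound attempts from one source, outbound connections at odd hours, outbound connections to unusual ports, and which PID/process owns such a connection). All log lines and process listings below are constructed; the EXPECTED_OUTBOUND_PORTS allowlist, the work-hours window and the drop threshold are assumptions to be tuned per environment.

```python
# Added example (not from the answer above): parse a Windows Firewall log
# (W3C format) plus `netstat -nao` and `wmic process list brief` output and
# flag the anomaly classes the answer lists. All sample data is constructed.
from collections import Counter

# Assumed allowlist of outbound destination ports for this host (tune per site).
EXPECTED_OUTBOUND_PORTS = {53, 80, 443}

# Constructed pfirewall.log excerpt: repeated dropped RDP probes from one source,
# an off-hours outbound connection to TCP/2222, a normal HTTPS session, one UDP drop.
PFIREWALL_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-05 02:13:44 DROP TCP 203.0.113.7 192.168.1.10 51234 3389 52 S 1234567 0 8192 - - - RECEIVE
2024-03-05 02:13:45 DROP TCP 203.0.113.7 192.168.1.10 51235 3389 52 S 1234568 0 8192 - - - RECEIVE
2024-03-05 02:13:46 DROP TCP 203.0.113.7 192.168.1.10 51236 3389 52 S 1234569 0 8192 - - - RECEIVE
2024-03-05 03:02:10 ALLOW TCP 192.168.1.10 198.51.100.77 51002 2222 0 - 0 0 0 - - - SEND
2024-03-05 09:15:01 ALLOW TCP 192.168.1.10 198.51.100.20 49832 443 0 - 0 0 0 - - - SEND
2024-03-05 10:40:22 DROP UDP 192.168.1.55 192.168.1.10 137 137 78 - - - - - - - RECEIVE
"""

# Constructed `netstat -nao` and `wmic process list brief` output for the same host.
NETSTAT_NAO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1188
  TCP    192.168.1.10:49832     198.51.100.20:443      ESTABLISHED     4312
  TCP    192.168.1.10:51002     198.51.100.77:2222     ESTABLISHED     5120
  UDP    0.0.0.0:5353           *:*                                    1560
"""
WMIC_PROCESS_BRIEF = """\
HandleCount  Name              Priority  ProcessId  ThreadCount  WorkingSetSize
1234         svchost.exe       8         912        12           18345984
321          svchost.exe       8         1188       9            9873408
2110         msedge.exe        8         4312       45           211345408
87           updater.exe       8         5120       3            4513792
"""


def parse_pfirewall(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):      # skip truncated/malformed lines
            yield dict(zip(fields, values))


def flag_firewall_anomalies(text, drop_threshold=3, work_hours=(8, 18)):
    """Return (kind, peer, port, detail) tuples: repeated inbound drops per source,
    outbound connections outside work_hours, outbound connections to odd ports."""
    findings, drops = [], Counter()
    for e in parse_pfirewall(text):
        if e["action"] == "DROP" and e["path"] == "RECEIVE":
            drops[(e["src-ip"], int(e["dst-port"]))] += 1
        elif e["action"] == "ALLOW" and e["path"] == "SEND":
            hour, port = int(e["time"].split(":")[0]), int(e["dst-port"])
            if not work_hours[0] <= hour < work_hours[1]:
                findings.append(("off-hours outbound", e["dst-ip"], port, e["time"]))
            if port not in EXPECTED_OUTBOUND_PORTS:
                findings.append(("unusual outbound port", e["dst-ip"], port, e["time"]))
    for (src, port), n in drops.items():
        if n >= drop_threshold:
            findings.append(("repeated drops", src, port, n))
    return findings


def parse_wmic_brief(text):
    """Map ProcessId -> Name from `wmic process list brief` (assumes no spaces in names)."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split()
    pid_i, name_i = header.index("ProcessId"), header.index("Name")
    return {c[pid_i]: c[name_i] for c in (l.split() for l in lines[1:]) if len(c) == len(header)}


def parse_netstat(text):
    """Return one dict per TCP/UDP row of `netstat -nao`; UDP rows have no State column."""
    conns = []
    for line in text.splitlines():
        cols = line.split()
        if cols and cols[0] in ("TCP", "UDP"):
            state = cols[3] if cols[0] == "TCP" else ""
            conns.append({"proto": cols[0], "local": cols[1], "foreign": cols[2], "state": state, "pid": cols[-1]})
    return conns


def flag_netstat_anomalies(netstat_text, wmic_text):
    """Return (pid, name, peer host, peer port) for established connections to ports off the allowlist."""
    names = parse_wmic_brief(wmic_text)
    findings = []
    for c in parse_netstat(netstat_text):
        host, _, port = c["foreign"].rpartition(":")   # rpartition also copes with [::1]:443
        if c["state"] == "ESTABLISHED" and int(port) not in EXPECTED_OUTBOUND_PORTS:
            findings.append((c["pid"], names.get(c["pid"], "?"), host, int(port)))
    return findings
```

On a real host you would read the log file and capture the two commands' output into the same functions; the PID join is what turns "port 2222 is in use" from the netstat one-liner above into "updater.exe (PID 5120) is talking to 198.51.100.77:2222", which is the question an analyst actually needs answered.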