whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

added network forensics

This commit is contained in:
gurkenhabicht 2024-05-09 21:34:26 +02:00
parent 6734e25c2d
commit d54dc0daf9
1 changed files with 99 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

99
Forensics/Windows Network.md Normal file
View File

@ -0,0 +1,99 @@
# Windows Network
## Windows Firewall
Logfiles of the Windows Firewall can be found under `C:\Windows\System32\LogFiles\firewall`.
```sh
Get-Content C:\Windows\System32\LogFiles\Firewall\pfirewall.log
```
## SRUB.dat
Use kape.exe to extract a dump of used system resources from `C:\Windows\System32\sru`
```sh
./kape.exe --tsource C:\Windows\System32\sru --tdest C:\Windows\Temp\sru --tflush --mdest C:\Windows\Temp\module --mflush --moduel SRUMDmp --target SRUM
```
Use [MarkBaggett's srum-dump](https://github.com/MarkBaggett/scrum-dump) to
take a look at the extracted files.
## Network Connections
Take a look at current connections through the following line.
```sh
netstat -a -o
```
See the name of the portable executable that initiated the connection via the
following command.
```sh
netstat -b
```
Take a look at the current TCP connections via the following powershell one-liner.
```sh
Get-NetTCPConnection | select localAddress,localPort,remoteAddress,remotePort,state,@{name="process";Expression={(get-process -id $_.owningProcess).ProcessName}}, @{Name="cmdLine";Expression={(Get-WmiObject win32_Process -filter "ProcessID = $($_.owningProcess)").commandline}} | sort remoteAddress
-Descending | ft -wrap -autosize
```
Take a look at the current UDP connections via the following powershell one-liner.
```sh
Get-NetUDPEndpoint | select local*,creationTime,remote* | ft -autosize
```
There is something similar to TCPDump for catching network packets on windows.
Start the packet gathering via `pktmon start -c`. Convert the stored file, so
Wireshark is able to read it via `pktmon etl2pcap`.
### IP Addresses
List unqiue IP addresses through the following one-liner.
```sh
(Get-NetTCPConnection).remoteAddress | Sort-Object -unique
```
List connections of an IP address through the following one-liner.
```sh
Get-NetTCPConnection -remoteAddress <IP-Address> | select state,creationTime,localPort,remotePort | ft -autosize
```
### DNS Cache
Gather information about the DNS cache through the following one-liner.
```sh
Get-DNSClientCache | ? Entry -noMatch "workst|servst|kerb|ws|oscp" | out-string -width 1000
```
### Hostnames
Take a look at the set hosts inside the hosts file.
```sh
Get-Content C:\Windows\System32\Drivers\etc\hosts
```
### Network Services
Current RDP connections can be found through the following one-liner.
```sh
qwinsta
```
Current SMB shares and connections can be found through the following lines.
```sh
Get-SmbShare
Get-SmbConnection
```