List-Connections.ps1 will produce a listing comparable to netstat. However, I can't find the MIB table entry from the process to the socket (or the converse) in either 'ps' or 'gwmi win32_process'. My workaround is to use netstat from cmd.exe where gwmi_netstat_ano.cmd is:
@del /q ano.list.txt 2>nul
rem the PID is field 5 of a TCP line and field 4 of a UDP line; append (>>) in both loops,
rem because "> ano.list.txt" inside the loop body would overwrite the file on every iteration
for /f "tokens=1-6" %%a in ('netstat -ano ^| findstr TCP') do @echo %%e >> ano.list.txt
for /f "tokens=1-6" %%a in ('netstat -ano ^| findstr UDP') do @echo %%d >> ano.list.txt
or where gwmi_tcpvcon_ano.cmd is:
@del /q ano.list.txt
@path C:\tools\SysinternalsSuite\;%path%
for /f "delims=, tokens=1-5" %%a in ('tcpvcon -acn ^| findstr TCP') do @echo %%c >> ano.list.txt
for /f "delims=, tokens=1-5" %%a in ('tcpvcon -acn ^| findstr UDP') do @echo %%c >> ano.list.txt
This PowerShell script runs the commands in 'gwmi_netstat_ano.cmd' and processes the 'netstat -ano' output with 'gwmi win32_process':
# -wait: Start-Process returns immediately otherwise, so ano.list.txt could be read before the .cmd has finished writing it
Microsoft.PowerShell.Management\Start-Process $pwd\gwmi_netstat_ano.cmd -argument /Q -nonewwindow -wait
# trim the trailing space that cmd's 'echo %%e >>' leaves on every line before de-duplicating
$ano_list = gc ano.list.txt | % { $_.Trim() } | sort | get-unique
# one WMI query for all processes, then match the PIDs locally, instead of one gwmi call per PID
$procs = gwmi win32_process | Select Name,ProcessId,HandleCount,ThreadCount,WriteOperationCount,ReadOperationCount,CommandLine
$ano_proc = foreach ($ano in $ano_list) {$procs | ? {$_.ProcessID -eq "$ano"}}
write $ano_proc | sort -property ProcessID | ft -auto
# or alternatively
foreach ($id in $ano_list) {get-wmiObject win32_process -filter "ProcessID=$id" | Select Name,ProcessID,Commandline}
PS C:\ps1: .\gwmi_netstat_ano.ps1
C:\ps1: for /F "tokens=1-6" %a in ('netstat -ano | findstr TCP') do @echo %e > ano.list.txt
C:\ps1: for /F "tokens=1-6" %a in ('netstat -ano | findstr UDP') do @echo %d >> ano.list.txt
Name ProcessId HandleCount ThreadCount WriteOperationCount ReadOperationCount CommandLine
---- --------- ----------- ----------- ------------------- ------------------ -----------
System 4 5381 151 62649 2192
svchost.exe 1164 368 11 1902 2335 C:\Windows\system32\svchost.exe -k LocalService
svchost.exe 1304 700 27 398 2119 C:\Windows\system32\svchost.exe -k NetworkService
svchost.exe 3168 1234 49 12312 42668 C:\Windows\system32\svchost.exe -k netsvcs
opera.exe 3684 849 39 112787 65814 "C:\Program Files (x86)\Opera\opera.exe"
ftp.exe 3796 128 1 4 5 ftp rmfdevelopment.com
Name ProcessID Commandline
---- --------- -----------
svchost.exe 1164 C:\Windows\system32\svchost.exe -k LocalService
svchost.exe 1304 C:\Windows\system32\svchost.exe -k NetworkService
svchost.exe 3168 C:\Windows\system32\svchost.exe -k netsvcs
opera.exe 3684 "C:\Program Files (x86)\Opera\opera.exe"
ftp.exe 3796 ftp rmfdevelopment.com
System 4
(A script like Get-Svchost.ps1 can help open up the incantations of svchost.exe.) I find the cmd.exe workaround I use here unfortunate as a security professional, because it means I am unable to use PowerShell to get the MIB table entry from GetOwnerModuleFromTcpEntry, information which is critical to understanding malware. Sure, I can parse this information from netstat, but this blows up any chance of scripting detection anywhere near real-time. Perhaps someone has an answer...
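As an added example (not the post's own code), here is the same netstat-to-process join done entirely inside PowerShell: no batch file, no ano.list.txt, and a single WMI query instead of one per PID, which removes most of the latency the post complains about. The function name Get-SocketOwner and its column names are my own choices; netstat -ano and Win32_Process are the real tools the post already uses.

```powershell
# Added example, not the original post's code. Get-SocketOwner and the output
# column names are invented here; 'netstat -ano' and Win32_Process are real.
function Get-SocketOwner {
    # One WMI snapshot of every process, indexed by PID, instead of a
    # Get-WmiObject call for each PID found in the netstat output.
    $procByPid = @{}
    Get-WmiObject Win32_Process | ForEach-Object { $procByPid[[uint32]$_.ProcessId] = $_ }

    # 'netstat -ano' rows look like these (constructed sample for reference):
    #   TCP    0.0.0.0:135    0.0.0.0:0    LISTENING    1164
    #   UDP    0.0.0.0:500    *:*                       1304
    # The PID is always the last whitespace-separated field; only TCP rows carry a state.
    netstat -ano | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        if ($f[0] -ne 'TCP' -and $f[0] -ne 'UDP') { return }   # header and blank lines
        $id    = [uint32]$f[-1]
        $state = if ($f[0] -eq 'TCP') { $f[3] } else { '' }
        $p     = $procByPid[$id]
        # A PID that exited between the WMI snapshot and the netstat run is reported, not dropped.
        $name  = if ($p) { $p.Name } else { '<not in process snapshot>' }
        $cmd   = if ($p) { $p.CommandLine } else { $null }
        New-Object PSObject -Property @{
            Proto       = $f[0]
            Local       = $f[1]
            Remote      = $f[2]
            State       = $state
            ProcessId   = $id
            Name        = $name
            CommandLine = $cmd
        }
    }
}

# Usage: established TCP connections with their owning process, sorted by PID.
Get-SocketOwner | Where-Object { $_.Proto -eq 'TCP' -and $_.State -eq 'ESTABLISHED' } |
    Sort-Object ProcessId |
    Format-Table ProcessId, Name, Local, Remote, CommandLine -AutoSize
```

On Windows 8 / Server 2012 and later, Get-NetTCPConnection (NetTCPIP module) returns the owning PID directly in its OwningProcess property, so the netstat parse above can be dropped and only the PID-to-process join kept.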