This week on our blog, we have a guest post from Terrence Lillard, Senior Incident Response Analyst at NTT Security.
Three questions that always come up when conducting an intrusion investigation are "What applications are connecting to the internet? Are they legitimate applications or malicious? And where does the application reside on my local system?" The ability to identify local applications connecting to the internet, especially rogue or malicious applications, is critical for any intrusion investigation.
When local and remote systems establish a bi-directional network connection, seven different components exist on both systems. The seven components shown make up the 7-Ps:
- The first component is Source IP Platform; each system has a unique IP address
- The second component, Protocol, is used to establish a network connection between the local and remote system. For example, TCP or UDP
- The third component, Port Number, is a numeric value on both the local system and the remote system
- The fourth component, the Process Identifier or PID, is used by each system's operating system to track executable processes and threads on both systems separately
- The fifth component is Person, which represents the User or System account used by the executable or application
- The sixth component, Path, represents the folder or directory where the application or executable resides
- The seventh and final component is the Program or executable name that establishes the network connection
While it would be nice to have access to the remote system to apply the procedure outlined in this blog post, the odds of having access to that remote system are nil. As a result, I will focus on the local system, to which you should have access during an intrusion investigation. Though I am using Windows operating system commands, similar commands exist for other operating systems (e.g. Linux, macOS). To answer the initial questions posed, I am going to use the Microsoft netstat command and the Windows Task Manager program to identify active connections on the local system and determine if they are benign or nefarious.
Using the netstat command
To determine the application or malicious software running, only two Windows Operating system programs are required. The first program, netstat (known as network statistics), is a command-line network utility tool used to display both incoming and outgoing TCP and UDP network connections. This command will provide the first four Ps (Protocol, Platform IP Address, Port, and PID).
To obtain a listing of all the parameters available for the netstat command, enter netstat -?. This option enumerates all the parameters associated with the netstat command. The image below presents a description of each of the optional parameters. We will be using the -a, -n, -o, and -p parameters.
Note: The -b parameter can also be used, but it requires elevated privileges.
To identify the incoming and outgoing TCP network connections, enter the following command: netstat -ano -p tcp. The output will be a listing of network-based connections made with the local system.
The netstat command will display a number of TCP/IP network sessions and the respective local address/ports and associated destination address/ports, along with the TCP connection state and Microsoft Windows OS Process Identification (PID).
While the approach can be applied to each netstat line item, I will focus only on the IP addresses with established active connections to remote IP addresses (e.g. 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206) and a destination port of 443. Since the remote IP addresses all mapped back to the same PID (1548), the four of the seven Ps extracted for this PID for further intrusion investigation are presented here.
The Windows Task Manager Command
To determine the remaining three Ps (Person, Path, Program) of the 7-Ps, I will use Microsoft Windows Task Manager to identify them. The Task Manager program is a Graphical User Interface (GUI) used to provide system monitoring and performance information. The Windows Task Manager opens as a GUI with multiple tabs. For the 7-Ps analysis, the Details sub-tab is used with a few column modifications. The Details sub-tab columns selected are Name, PID, Status, Command Line, and Description. Your Task Manager sub-tab columns may look slightly different depending on the version of Windows OS you have implemented and the update patches applied. The PID values are the glue which connects the netstat command results and the Windows Task Manager program output together. We can take the PID of 1548 from the output of the netstat command and check the Windows Task Manager's Details sub-tab results for that PID, as displayed below. The final image presents the detailed row results for the selected PID (1548) and displays the remaining three values for the 7-Ps.
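The same PID join can be scripted from a PowerShell prompt rather than done by eye. The following is an added example, not part of the original post: it parses the netstat -ano -p tcp output and looks each PID up in Win32_Process to fill in Person, Path and Program. Variable and column names are chosen for this example, and it assumes English-language netstat output (the ESTABLISHED state label).

```powershell
# Added example: build the 7-Ps for every ESTABLISHED TCP connection on the local system.
# Cache all processes once, keyed by PID (the value that joins the two views).
$procs = @{}
Get-CimInstance -ClassName Win32_Process |
    ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

$owners = @{}   # PID -> "DOMAIN\User", filled on first use

$rows = netstat -ano -p tcp | ForEach-Object {
    # Data rows: TCP  <local ip>:<port>  <remote ip>:<port>  ESTABLISHED  <pid>
    # Header and blank lines do not match and are skipped.
    $f = $_.Trim() -split '\s+'
    if ($f.Count -ne 5 -or $f[0] -ne 'TCP' -or $f[3] -ne 'ESTABLISHED') { return }

    $procId = [int]$f[4]        # not $pid: that is PowerShell's own process id
    $proc   = $procs[$procId]   # $null if the process exited after netstat ran

    if ($proc -and -not $owners.ContainsKey($procId)) {
        # GetOwner returns a non-zero ReturnValue for other accounts' processes
        # unless the prompt is elevated.
        $o = Invoke-CimMethod -InputObject $proc -MethodName GetOwner -ErrorAction SilentlyContinue
        $owners[$procId] = if ($o -and $o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { '<access denied>' }
    }

    # Split "address:port" at the last colon.
    $l = $f[1].LastIndexOf(':'); $r = $f[2].LastIndexOf(':')
    [pscustomobject]@{
        Protocol   = $f[0]
        Platform   = $f[1].Substring(0, $l)      # local IP address
        LocalPort  = $f[1].Substring($l + 1)
        RemoteIP   = $f[2].Substring(0, $r)
        RemotePort = $f[2].Substring($r + 1)
        PID        = $procId
        Person     = $owners[$procId]
        Path       = if ($proc) { $proc.ExecutablePath } else { $null }
        Program    = if ($proc) { $proc.Name } else { '<exited>' }
    }
}

# One row per connection; rows sharing a PID belong to the same program.
$rows | Sort-Object PID, RemoteIP | Format-Table -AutoSize
```

Without elevation, Path can also come back empty for protected system processes, so an empty value there is not by itself a sign of tampering.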
In summary, this post provides procedures to determine the seven critical components on a local system which are used to establish an external connection to a remote system. The example presented here indicates the Google Chrome application was used to establish a secure (https) port 443 connection from the local system (192.168.214.145) to multiple remote IP addresses (220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, and 184.108.40.206) using the same PID (1548). The Google Chrome application was used by the local Intrusion Analyst (IntrusionAnalyst) account to establish the connection to the Google site.
While this represents a benign example, the ability to determine “what legitimate local application or malicious software is connecting to a remote system via the internet and where the application or malicious software resides on the local system?” is a critical step in any intrusion investigation.
Had this been a malicious application and IP address, additional malware analysis (e.g. static, dynamic, behavior) could be performed to determine the nefarious intent of the malware, and the external remote IP address(es) could be blocked by network perimeter ingress/egress firewall and/or proxy rules.