Add artifacts to monitor network communication on clients #875
Hi all,
We created artifacts to complement Process Tracking for Windows with network connection tracking.
The artifact was tested on Windows and Linux. Due to using built-in functions only, it should work on all supported OSs.
Network connections are tracked by periodically diffing the netstat info. Added or removed connections are identified by combining PID, layer 3 protocol, layer 4 protocol, local address used, local port used, and remote address used. Based on the PID, network information is enriched with process information.
The client monitoring is complemented with a server alerting artifact. That artifact allows sending messages via webhook about the tracked network connections. Connections can be filtered on the client that emitted the connection, the name of the process that started the network connection, the remote IP being contacted and the remote port being contacted. Those filters should also be used, as it is easy to spam the webhook (lots of network activity by default :D).
There will be a blog post by SEC Consult soon about our thought process behind creating these artifacts and some recommendations based on our tests.
I wish the community much fun with this contribution. :)
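As an added illustration of the tracking cycle the description outlines (diff two netstat snapshots, identify connections by their tuple, enrich by PID, then apply the server-side filters), here is a stand-alone Python version; it is not the PR's artifact code. The field names, the remote-port key, the client id and the process/snapshot values are constructed assumptions.

```python
# Connection identity in the order the PR description lists it: PID, layer-3
# protocol, layer-4 protocol, local address, local port, remote address and
# remote port (remote port is an assumption; the description does not name it).
KEY_FIELDS = ("pid", "l3", "l4", "laddr", "lport", "raddr", "rport")

def conn_key(row):
    return tuple(row[f] for f in KEY_FIELDS)

def diff_snapshots(previous, current):
    """Return (added, removed) rows between two successive netstat-style snapshots."""
    prev = {conn_key(r): r for r in previous}
    cur = {conn_key(r): r for r in current}
    added = [cur[k] for k in cur.keys() - prev.keys()]
    removed = [prev[k] for k in prev.keys() - cur.keys()]
    return added, removed

def enrich(rows, processes):
    """Attach process name and image path by PID; a PID that already exited keeps None."""
    return [{**r, **processes.get(r["pid"], {"name": None, "exe": None})} for r in rows]

def matches(event, client_ids=None, process_names=None, remote_ips=None, remote_ports=None):
    """Server-side filter as the PR describes it: every criterion that is given must match."""
    checks = ((client_ids, event["client_id"]), (process_names, event["name"]),
              (remote_ips, event["raddr"]), (remote_ports, event["rport"]))
    return all(not wanted or value in wanted for wanted, value in checks)

def track(previous, current, processes, client_id, **filters):
    """One tracking cycle: diff, enrich, tag with client and change type, then filter."""
    added, removed = diff_snapshots(previous, current)
    events = []
    for change, rows in (("added", added), ("removed", removed)):
        for r in enrich(rows, processes):
            event = {**r, "client_id": client_id, "change": change}
            if matches(event, **filters):
                events.append(event)
    return events

# Constructed sample: a process table and two snapshots taken one interval apart.
PROCS = {880: {"name": "svchost.exe", "exe": r"C:\Windows\System32\svchost.exe"},
         4242: {"name": "powershell.exe", "exe": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}}
DNS = {"pid": 880, "l3": "IPv4", "l4": "UDP", "laddr": "10.0.0.5", "lport": 61234, "raddr": "10.0.0.1", "rport": 53}
UPD = {"pid": 880, "l3": "IPv4", "l4": "TCP", "laddr": "10.0.0.5", "lport": 49710, "raddr": "10.0.0.1", "rport": 443}
PS = {"pid": 4242, "l3": "IPv4", "l4": "TCP", "laddr": "10.0.0.5", "lport": 49811, "raddr": "203.0.113.7", "rport": 443}
SNAP_T0 = [DNS, UPD]   # DNS persists, UPD closes before T1
SNAP_T1 = [DNS, PS]    # PS opens between T0 and T1

if __name__ == "__main__":
    for ev in track(SNAP_T0, SNAP_T1, PROCS, "C.1a2b3c", process_names={"powershell.exe"}):
        print(ev["change"], ev["name"], f'{ev["raddr"]}:{ev["rport"]}')
```

Connections present in both snapshots (the DNS row) produce no event, which is what keeps the webhook volume manageable once a process-name or remote-port filter is set.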