Hunting A Process Making Network Connections

Monitoring your network traffic and sniffing packets for rouge connections is an important step to determine if data-ex filtration is happening on your network. Monitoring traffic can also uncover legitimate processes that are broadcasting or poking around your network. Wireshark, tshark, or tcpdump can monitor network traffic and a more robust Network Intrusion detection System (NIDS) can attempt to detect and parse out anomaly traffic. If the process is legitimate, you may want to simply disable it, and if its not legitimate, initiate an incident response process . But how to determine what process is initiating the network traffic? Wireshark does provide any process ID (PID) or name.

This following examples show how to get the process ID and name on a client that has open connections and is also attempting to make a remote connections to two different servers on the local network. You can see that the processes attempting to make connections resolve into one process called AirPlayXPCHelper and another called malicious.py. The first is a normal MacOs system process, however, the second (on the same port) is not a normal system process. This second process represents and control process looking for a response from a server in order to exfiltrate data.

The instruction are included for both mac and Linux since the netstat command works a little differently, and also because Linux has IPtables and MacOs does not.

MacOs

Netstat to find established connections and the process name

The following netstat flags are used:

-a : show all sockets
-n : show network addresses as numbers (IP addresses) instead of resolved into hosts
-v : show verbose output to see the PID
-t : tcp connections

~$ netstat -anvt | grep ESTABLISHED
tcp4 0 0 192.168.5.11.55508 54.225.128.26.443 ESTABLISHED 131072 132480 902 0
tcp4 0 0 192.168.5.11.55507 54.225.128.26.443 ESTABLISHED 131072 132480 902 0
tcp4 0 0 192.168.5.11.55506 54.225.128.26.443 ESTABLISHED 131538 132480 902 0
tcp4 0 0 192.168.5.11.55505 54.225.128.26.443 ESTABLISHED 131567 132480 902 0
tcp4 0 0 192.168.5.11.55503 107.22.189.191.443 ESTABLISHED 131072 132480 902 0
tcp4 0 0 192.168.5.11.55502 107.22.189.191.443 ESTABLISHED 131072 132480 902 0
tcp4 0 0 192.168.5.11.55488 192.0.73.2.443 ESTABLISHED 262144 132132 902 0
tcp4 0 0 127.0.0.1.53366 127.0.0.1.3306 ESTABLISHED 393337 146988 733 0
tcp4 0 0 127.0.0.1.3306 127.0.0.1.53365 ESTABLISHED 405548 409132 76 0
tcp4 0 0 127.0.0.1.53365 127.0.0.1.3306 ESTABLISHED 687400 146988 733 0
tcp4 0 0 192.168.5.11.50460 178.128.238.71.3306 ESTABLISHED 131072 1048576 733 0
tcp4 0 0 192.168.5.11.50459 178.128.238.71.3306 ESTABLISHED 131072 131072 733 0
tcp4 0 0 192.168.5.11.49428 136.143.191.56.443 ESTABLISHED 131072 1048576 902 0
tcp4 0 0 192.168.5.11.49344 34.216.82.69.443 ESTABLISHED 131072 132480 902 0
tcp4 0 0 192.168.5.11.49174 17.57.144.68.5223 ESTABLISHED 131072 1048576 60 0

$ ps -ax | grep 902
902 ?? 196:27.63 /Applications/Firefox.app/Contents/MacOS/firefox

~$ ps -ax | grep 733
733 ?? 0:34.70 /Applications/Sequel Pro.app/Contents/MacOS/Sequel Pro -psn_0_114716

~$ ps -ax | grep 76
76 ?? 0:57.20 /usr/local/mysql/bin/mysqld --user=_mysql --basedir=/usr/local/mysql --datadir=/usr/local/mysql/data --plugin-dir=/usr/local/mysql/lib/

~$ ps -ax | grep 60
60 ?? 0:06.61 /System/Library/PrivateFrameworks/ApplePushService.framework/apsd

Netstat to see connection attempts and the process name

~$ netstat -anvt | grep SYN_SENT
tcp4 0 0 192.168.5.11.52100 192.168.86.173.7000 SYN_SENT 131072 131072 86 0
tcp4 0 0 192.168.5.11.55696 192.168.86.173.7000 SYN_SENT 131072 131072 25594 0

~$ ps -ax | grep 86
86 ?? 0:02.63 /usr/libexec/AirPlayXPCHelper

~$ ps -ax | grep 25594
25617 ttys000 0:00.05 python malicious.py

lsof to see established connections with PID and process name

The -i flag is used to specify only network connections otherwise lsof will return open files.

-i [i] selects the listing of files any of whose Internet address matches the address specified in i. If no address is specified,
this option selects the listing of all Internet and x.25 (HP-UX) network files.

~$ lsof -i | grep ESTABLISHED
Sequel 733 development 9u IPv4 0x5bf08319742382fb 0t0 TCP 192.168.5.11:50459->178.128.238.71:mysql (ESTABLISHED)
Sequel 733 development 12u IPv4 0x5bf083197422d2fb 0t0 TCP 192.168.5.11:50460->178.128.238.71:mysql (ESTABLISHED)
Sequel 733 development 16u IPv4 0x5bf08319688055cb 0t0 TCP localhost:53365->localhost:mysql (ESTABLISHED)
Sequel 733 development 17u IPv4 0x5bf08319687f45cb 0t0 TCP localhost:53366->localhost:mysql (ESTABLISHED)
firefox 902 development 65u IPv4 0x5bf0831967f65c63 0t0 TCP 192.168.5.11:55632->ord37s18-in-f4.1e100.net:https (ESTABLISHED)
firefox 902 development 66u IPv4 0x5bf08319675f7c63 0t0 TCP 192.168.5.11:55227->136.143.191.197:https (ESTABLISHED)
firefox 902 development 70u IPv4 0x5bf0831974238c63 0t0 TCP 192.168.5.11:55644->ec2-54-213-230-180.us-west-2.compute.amazonaws.com:https (ESTABLISHED)
firefox 902 development 71u IPv4 0x5bf0831974239f33 0t0 TCP 192.168.5.11:55291->ord38s01-in-f3.1e100.net:https (ESTABLISHED)
firefox 902 development 72u IPv4 0x5bf083196111d5cb 0t0 TCP 192.168.5.11:55636->lga15s48-in-f202.1e100.net:https (ESTABLISHED)
firefox 902 development 74u IPv4 0x5bf0831954458c63 0t0 TCP 192.168.5.11:53762->104.16.248.249:https (ESTABLISHED)
firefox 902 development 76u IPv4 0x5bf083195abef2fb 0t0 TCP 192.168.5.11:55065->stackoverflow.com:https (ESTABLISHED)

lsof to see connection attempts with PID and process name

~$ lsof -i | grep SYN_SENT
Python 25594 development 3u IPv4 0x5bf083196859cf33 0t0 TCP 192.168.5.11:55667->192.168.12.117:afs3-fileserver (SYN_SENT)

Linux

Netstat to see established connections with PID

In Linux when using netstat use the following flags:

-p : lists the name of the process that owns the socket.
-a : show all sockets
-n : show network addresses as numbers (IP addresses) instead of resolved into hosts

netstat -anp | grep ESTABLISHED

Netstat to see a connection attempt with PID

netstat -anp | grep SYN_SENT