Hunting A Process Making Network Connections

Monitoring your network traffic and sniffing packets for rogue connections is an important step in determining whether data exfiltration is happening on your network. Monitoring traffic can also uncover legitimate processes that are broadcasting or poking around your network. Wireshark, tshark, or tcpdump can capture network traffic, and a more robust Network Intrusion Detection System (NIDS) can attempt to detect and parse out anomalous traffic. If the process is legitimate but unwanted, you may want to simply disable it; if it is not legitimate, initiate your incident response process. But how do you determine which process is initiating the network traffic? Wireshark does not provide any process ID (PID) or name: it sees packets on the wire, not the socket that produced them, so the mapping back to a process has to be done on the host itself.

The following examples show how to get the process ID and name on a client that has open connections and is also attempting to make connections to two different servers on the local network. The processes attempting to make connections resolve into one called AirPlayXPCHelper and another called malicious.py. The first is a normal macOS system process; the second (on the same port) is not a normal system process. It represents a command-and-control process looking for a response from a server in order to exfiltrate data.

Instructions are included for both macOS and Linux, since the netstat command works a little differently on each, and because Linux has iptables and macOS does not.

macOS

Netstat to find established connections and the process name

The following netstat flags are used:

  • -a : show all sockets
  • -n : show network addresses as numbers (IP addresses) instead of resolving them into hostnames
  • -v : show verbose output, which on macOS adds the pid column to each socket line
  • -t : TCP connections (on macOS, -p tcp also restricts the output to TCP)

Netstat to see connection attempts and the process name

lsof to see established connections with PID and process name

The -i flag restricts lsof to network files; without it lsof lists every open file on the system. Adding -n and -P keeps addresses and ports numeric, which avoids the DNS and service-name lookups that can stall the output. From the man page:

  • -i [i] selects the listing of files any of whose Internet address matches the address specified in i. If no address is specified,
    this option selects the listing of all Internet and x.25 (HP-UX) network files.

Two caveats when reading the COMMAND column: lsof truncates it to nine characters by default (+c 0 widens it), and a script started as `python malicious.py` is reported under the interpreter's name rather than the script's. Once you have the PID, `ps -p <PID> -o args=` shows the full command line either way.

lsof to see connection attempts with PID and process name

Linux

Netstat to see established connections with PID

On Linux, use the following netstat flags:

  • -p : show the PID and name of the process that owns each socket (sockets owned by other users show "-" unless netstat is run as root)
  • -a : show all sockets
  • -n : show network addresses as numbers (IP addresses) instead of resolving them into hostnames
  • -t : TCP sockets only, which drops the UDP and UNIX-socket noise

On current distributions netstat (from net-tools) may not be installed at all; `ss -tanp` from iproute2 gives the same columns.

Netstat to see a connection attempt with PID
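
An added example (not code from the original post) that turns the lsof output described in the macOS section and the netstat -p output described in the Linux section into one short list per tool: PID, process name, remote endpoint and socket state, with listening sockets dropped because a LISTEN entry never initiates traffic. The two sample outputs embedded in the script are constructed for this example; the process names follow the post's scenario, while the PIDs and addresses are invented. The function names lsof_conns, netstat_conns and proc_args are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post. Parses the output of the
# lsof and Linux netstat commands described above and prints, for every TCP
# socket that is talking to (or trying to reach) a remote host, the owning
# PID, the process name, the remote endpoint and the socket state.
#
# Both samples below are constructed for this example: process names follow
# the post's scenario, PIDs and addresses are made up.

# Constructed output of: lsof -nP -iTCP   (same column layout on macOS and Linux)
SAMPLE_LSOF='COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd       1  root   12u  IPv6 0x1a2b      0t0  TCP *:22 (LISTEN)
AirPlayXP   412 alice    7u  IPv4 0x3c4d      0t0  TCP 192.168.1.10:49220->192.168.1.20:7000 (ESTABLISHED)
malicious  8821 alice    3u  IPv4 0x5e6f      0t0  TCP 192.168.1.10:49301->192.168.1.30:7000 (SYN_SENT)
malicious  8821 alice    4u  IPv4 0x7a8b      0t0  UDP *:5353'

# Constructed output of: netstat -tanp   (Linux; the PID/Program name column needs root)
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      611/sshd
tcp        0      0 192.168.1.10:49220      192.168.1.20:7000       ESTABLISHED 2210/firefox
tcp        0      1 192.168.1.10:49301      192.168.1.30:7000       SYN_SENT    8821/python3
tcp6       0      0 ::1:631                 :::*                    LISTEN      -'

# lsof_conns: read lsof -nP -iTCP output on stdin, emit "PID COMMAND REMOTE STATE".
# A NAME field of the form local->remote marks a connected or connecting socket;
# the state (ESTABLISHED, SYN_SENT, ...) is the last field. LISTEN and UDP
# entries have no "->" and are skipped.
lsof_conns() {
    awk 'NR > 1 && $(NF-1) ~ /->/ {
        split($(NF-1), ep, "->")
        printf "%s %s %s %s\n", $2, $1, ep[2], $NF
    }'
}

# netstat_conns: read Linux netstat -tanp output on stdin, emit "PID PROGRAM REMOTE STATE".
# Column 7 is "PID/Program name", or "-" when the socket belongs to another
# user and netstat was not run as root.
netstat_conns() {
    awk '$1 ~ /^tcp/ && $6 != "LISTEN" {
        if ($7 == "-") { pid = "?"; prog = "?(run as root)" }
        else { split($7, pp, "/"); pid = pp[1]; prog = pp[2] }
        printf "%s %s %s %s\n", pid, prog, $5, $6
    }'
}

# proc_args: both tools truncate the process name, so resolve the PID to the
# full command line before deciding whether it is AirPlayXPCHelper or malicious.py.
proc_args() {
    ps -p "$1" -o args= 2>/dev/null || echo "(no process with pid $1)"
}

# Demo against the constructed samples. On a live host pipe the real commands:
#   lsof -nP -iTCP | lsof_conns          (macOS or Linux)
#   netstat -tanp  | netstat_conns       (Linux, as root)
echo "--- lsof ---";    printf '%s\n' "$SAMPLE_LSOF"    | lsof_conns
echo "--- netstat ---"; printf '%s\n' "$SAMPLE_NETSTAT" | netstat_conns
```

The SYN_SENT rows are the "connection attempts" the headings above refer to: a client sitting in SYN_SENT has sent its SYN and is waiting for a server that has not answered, which is exactly what a beaconing process polling an absent control server looks like, and the PID on that row is the one to feed to proc_args (or `ps -p <PID> -o args=`) before disabling the process or opening an incident.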
