use packetbeat to capture which processes are opening TLS connections
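Set-StrictMode -Version Latest
$ProgressPreference = 'SilentlyContinue'
$ErrorActionPreference = 'Stop'
# report any terminating error (message, script stack trace and exception, one
# prefixed line each) and re-throw it so the script stops with a failure status.
trap {
    Write-Host
    Write-Host "ERROR: $_"
    # Write-Host joins an array with spaces, so emit the split lines one call at
    # a time to keep one prefixed trace line per output line.
    foreach ($line in ($_.ScriptStackTrace -split '\r?\n')) {
        Write-Host "ERROR: $line"
    }
    foreach ($line in ($_.Exception.ToString() -split '\r?\n')) {
        Write-Host "ERROR EXCEPTION: $line"
    }
    Write-Host
    throw
}
# needed for the [IO.Compression.ZipFile] type used by Install-ZippedApplication.
Add-Type -AssemblyName System.IO.Compression.FileSystem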
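function Install-ZippedApplication($destinationPath, $name, $url, $expectedHash, $expectedHashAlgorithm='SHA256') {
    # Downloads a zip archive, verifies it against a pinned hash and only then
    # extracts it into $destinationPath.
    #
    # $destinationPath        directory the archive is extracted into.
    # $name                   short name used for the temporary download file in $env:TEMP.
    # $url                    download location of the archive.
    # $expectedHash           pinned hash (hex) the download must match before it is opened.
    # $expectedHashAlgorithm  Get-FileHash algorithm used for the comparison (default SHA256).
    #
    # Throws when the downloaded archive does not match $expectedHash.
    $localZipPath = "$env:TEMP\$name.zip"
    $webClient = New-Object System.Net.WebClient
    try {
        $webClient.DownloadFile($url, $localZipPath)
        # gate extraction on the pinned hash: an archive that does not match is never opened.
        # NB -ne compares case-insensitively, so the hex case of $expectedHash does not matter.
        $actualHash = (Get-FileHash $localZipPath -Algorithm $expectedHashAlgorithm).Hash
        if ($actualHash -ne $expectedHash) {
            throw "$name downloaded from $url to $localZipPath has $actualHash hash that does not match the expected $expectedHash"
        }
        [IO.Compression.ZipFile]::ExtractToDirectory($localZipPath, $destinationPath)
    } finally {
        # remove the download whether or not it verified, so a rejected archive
        # does not linger in TEMP (the original only cleaned up on success).
        $webClient.Dispose()
        if (Test-Path $localZipPath) {
            Remove-Item $localZipPath
        }
    }
}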
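#
# enable TLS 1.2.
# NB TLS 1.1 is deprecated, so only TLS 1.2 is added to the allowed set; any
#    protocol already enabled by the system default is kept (-bor is additive).
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol `
    -bor [Net.SecurityProtocolType]::Tls12
#
# download npcap.
# NB you must install it manually.
# NB unlike the packetbeat archive below, no hash is pinned for this download;
#    the SHA256 of the installer is printed so you can compare it with the value
#    published by the vendor before running it.
$npcapUrl = 'https://nmap.org/npcap/dist/npcap-0.9986.exe'
$npcapSetupPath = "$PWD\$(Split-Path -Leaf $npcapUrl)"
(New-Object System.Net.WebClient).DownloadFile($npcapUrl, $npcapSetupPath)
Write-Host "npcap installer SHA256: $((Get-FileHash $npcapSetupPath -Algorithm SHA256).Hash)"
#
# install packetbeat.
# NB you must install npcap from https://nmap.org/npcap/ first.
# the archive is verified against the pinned SHA512 before it is extracted.
Install-ZippedApplication `
    "$PWD\packetbeat-tmp" `
    packetbeat `
    'https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-7.5.1-windows-x86_64.zip' `
    '2fea65c6175b4f0f1e075b3d8f66eab7a1ed9c7dc9a61b6d51bab0165e47a7051bf36a792320366593b0c7407e1001caa688080fe185d54a1f5098b660e43764' `
    'SHA512'
# the archive extracts to a single packetbeat-<version> directory; flatten it
# to .\packetbeat and drop the now-empty staging directory.
Rename-Item (Resolve-Path packetbeat-tmp\packetbeat-*) packetbeat
Move-Item packetbeat-tmp\packetbeat .
Remove-Item packetbeat-tmp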
# run packetbeat with a minimal configuration: TLS flows on port 443, tagged
# with the process that created the socket, written to rotating "flows" files
# in the packetbeat directory (console output is disabled).
Set-Location packetbeat
# list the capture interfaces; packetbeat.interfaces.device below refers to
# one of the indexes printed here.
.\packetbeat.exe devices
$packetbeatConfig = @'
# Available log levels are: error, warning, info (default), debug
logging.level: info
packetbeat.flows:
  timeout: 1m
  period: 10s
# also add the process name that created the socket.
# see https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-processes.html
packetbeat.procs.enabled: true
# set the index to one of the interface returned by .\packetbeat.exe devices
packetbeat.interfaces.device: 0
# see https://www.elastic.co/guide/en/beats/packetbeat/master/configuration-interfaces.html#_bpf_filter
packetbeat.interfaces.bpf_filter: 'port 443'
# see https://www.elastic.co/guide/en/beats/packetbeat/master/configuration-tls.html
# NB even thou we are configuring all of the documented protocols, the default bfp_filter is
# not good because non-443 ports still being captured... so we force bpf_filter to only
# capture port 443.
packetbeat.protocols:
- type: tls
  enabled: true
  send_certificates: false
  ports: [443]
- type: http
  enabled: false
- type: amqp
  enabled: false
- type: memcache
  enabled: false
- type: mysql
  enabled: false
- type: pgsql
  enabled: false
- type: redis
  enabled: false
- type: thrift
  enabled: false
- type: mongodb
  enabled: false
- type: nfs
  enabled: false
output.file:
  enabled: true
  path: .
  filename: flows
  rotate_every_kb: 10000
  number_of_files: 100
output.console:
  enabled: false
  pretty: true
'@
Set-Content -Encoding ascii -Path packetbeat.yml -Value $packetbeatConfig
# start capturing in the foreground with the configuration written above.
.\packetbeat.exe -c packetbeat.yml
# you can show a summary of the captured flows with jq (must be on PATH), in
# three equivalent shapes: an object per flow, a space-separated line, or CSV.
# each record pairs the process executable with the source and destination
# ip:port of the connection.
$flowsFile = 'flows'
jq '{exe:.process.executable,source_ip:.source.ip,source_port:.source.port,destination_ip:.destination.ip,destination_port:.destination.port}' $flowsFile
jq -r '"\(.process.executable) \(.source.ip):\(.source.port) \(.destination.ip):\(.destination.port)"' $flowsFile
jq -r '[.process.executable, .source.ip, .source.port, .destination.ip, .destination.port] | @csv' $flowsFile