# Determining Which Process Is Making SMB Requests On Windows

How would you go about finding what process was making SMB requests on a Windows PC? If you're like me you probably answered either netstat or PowerShell's Get-NetTCPConnection. These are the commands I reach for whenever I need to link a process to a network connection, but the case isn't so simple for SMB.

The problem with this approach is that all SMB client traffic goes through the System process (PID 4), running under the SYSTEM user account. This can be an issue when, for instance, we're investigating firewall logs which are telling us that a local PC is trying to make Internet-bound SMB requests. Is it malware or a misconfiguration? The first step is working out what is making those connections, and this is where the aforementioned behaviour becomes a hindrance.

I have an open SMB connection to a local resource via a PowerShell process; what do Get-NetTCPConnection and netstat tell us? Both attribute the connection to PID 4, and PID 4 is the System process:

```powershell
PS C:\> Get-Process -PID 4 | Select -ExpandProperty ProcessName
```

We can further verify this behaviour by looking at the TCP/IP connections of the System process in Process Explorer.

One of my first thoughts was to leverage Sysmon with network connection logging, but this too only shows the System process, not the underlying process that requested the SMB connection. Ultimately the answer was found using Sysinternals Process Monitor.

## Using Process Monitor to find SMB processes

As unfiltered Process Monitor output can be overwhelming, we'll want to begin by configuring filters to only display events we're interested in. Primarily we want to capture events with an operation of IRP_MJ_CREATE, but to clean things up a bit more we also want to only include events whose path begins with `\\` or `C:\Windows\CSC\v2.0.6\namespace\`.
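The following PowerShell script is an added example, not code from the original post. It ties together the two observations above: first that Get-NetTCPConnection attributes every SMB client connection (remote port 445) to PID 4, and then the Process Monitor approach, driven from the command line with a saved filter configuration and post-processed so the IRP_MJ_CREATE events on UNC or Offline Files (CSC) paths are grouped by the process that opened them. Assumptions: `procmon.exe` is on the PATH (or passed via `-ProcmonPath`), the `.pmc` filter file was exported from the Procmon GUI after setting the Operation and Path filters described in the text, and the CSV export uses Procmon's default columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail). The script also accepts the operation name `CreateFile`, which is what Procmon shows for the same event when "Enable Advanced Output" is turned off.

```powershell
# Added example (not part of the original post).
# Assumes procmon.exe is on PATH and a filter config was saved from the GUI.
param(
    [string]$ProcmonPath    = 'procmon.exe',
    [string]$FilterConfig   = "$env:TEMP\smb-filter.pmc",   # assumed: File > Export Configuration
    [int]   $CaptureSeconds = 60
)

# Step 1: what Get-NetTCPConnection can tell us. Every SMB client connection
# (remote port 445) is owned by PID 4 (System), so this identifies that SMB
# traffic exists but not which process asked for it.
function Get-SmbClientConnections {
    Get-NetTCPConnection -RemotePort 445 -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                State         = $_.State
                OwningProcess = $_.OwningProcess
                ProcessName   = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            }
        }
}

# Step 2: capture with Process Monitor for a fixed window. /LoadConfig applies
# the saved filter, /BackingFile writes the trace to disk, /Terminate stops the
# running instance, and /OpenLog + /SaveAs converts the .PML trace to CSV.
function Invoke-ProcmonCapture {
    param([string]$BackingFile, [int]$Seconds)
    $startArgs = @('/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', $BackingFile)
    if (Test-Path $FilterConfig) { $startArgs += @('/LoadConfig', $FilterConfig) }
    Start-Process -FilePath $ProcmonPath -ArgumentList $startArgs
    Start-Sleep -Seconds $Seconds
    Start-Process -FilePath $ProcmonPath -ArgumentList @('/AcceptEula', '/Terminate') -Wait

    $csv = [IO.Path]::ChangeExtension($BackingFile, '.csv')
    Start-Process -FilePath $ProcmonPath -Wait `
        -ArgumentList @('/AcceptEula', '/Quiet', '/OpenLog', $BackingFile, '/SaveAs', $csv)
    return $csv
}

# Step 3: re-apply the filter from the text in PowerShell (so the result is the
# same even if the trace was captured unfiltered) and summarise per process.
# IRP_MJ_CREATE is the name shown with Advanced Output on; CreateFile otherwise.
function Get-SmbOpeningProcesses {
    param([string]$CsvPath)
    Import-Csv $CsvPath |
        Where-Object {
            ($_.Operation -in 'IRP_MJ_CREATE', 'CreateFile') -and
            ($_.Path -like '\\*' -or $_.Path -like 'C:\Windows\CSC\v2.0.6\namespace\*')
        } |
        Group-Object 'Process Name', PID |
        ForEach-Object {
            [pscustomobject]@{
                ProcessName = $_.Group[0].'Process Name'
                PID         = $_.Group[0].PID
                Opens       = $_.Count
                Paths       = ($_.Group.Path | Sort-Object -Unique) -join '; '
            }
        } |
        Sort-Object Opens -Descending
}

'SMB client connections as seen by Get-NetTCPConnection (expect PID 4 / System):'
Get-SmbClientConnections | Format-Table -AutoSize

$trace = Join-Path $env:TEMP 'smb-capture.pml'
$csv   = Invoke-ProcmonCapture -BackingFile $trace -Seconds $CaptureSeconds
'Processes that opened UNC or CSC paths during the capture:'
Get-SmbOpeningProcesses -CsvPath $csv | Format-Table -AutoSize
```

Run it from an elevated PowerShell while the suspect SMB activity is occurring (Process Monitor needs administrative rights to load its driver). The per-process summary is what the firewall log and netstat could not give you: the PID and image name that opened a `\\host\share\...` path, rather than the System process that carried the traffic on its behalf. Paths under the CSC namespace are included because, when Offline Files is enabled, access to cached shares is recorded against that local path rather than the UNC path.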