Tuesday, August 11, 2020

Continuing mapping process - ProcDot

In this previous post and from content related to my book Hack and Detect, I demonstrated how you can map an attackers' TTPs from a visual perspective. This mapping immediately gives you visible insights into the attackers activity.

This post focuses on ProcDOT which was produced by the Austria Cert team.

The tool processes both Sysinternals Process Monitor log files along with PCAP files which are produced by tools such as Tcpdump, TShark, Wireshark, etc.

Without further ado let's get going. While there is both a Windows and a Linux version for this post, I will download and use the Windows.

Once we download and extract the file contents, I then executed Procdot by running "procdot.exe".

You are then asked to ensure the path of your plugins are properly configured. Specifically the website insists you read the "readme.txt". They asked nicely so you should ensure you read it. Once you read it you will see you need to have windump.exe and graphiviz on your system.

While I took the time to do that configuration above, it must be noted that I am unable to run Windump on my Windows 10 VM.

Let's now get logs from Process Monitor to see what we can learn about the process on our system.

In the interest of time and to keep it simple, I will focus on cmd.exe as the parent process. 

Upon opening Process Monitor, I then went to the "File" -> "Capture Events" to disabling the capturing of events before I cleared the screen.

Next up, I created a filter for "Process Name is cmd.exe"

Now that the filter is set I then went back to "File" -> "Capture Events" to begin the capturing of events.

After executing a few commands in "cmd.exe", I then stopped capturing events. Next up save the file for input to ProcDOT by going to "File" -> "Save".

Next we see ProcDOT produced some information for our cmd.exe process and the threads. We do not see the children this process spawned. This is more than likely due to the filter we used with Process Monitor. 

Let's now take a file where we have not set any specific filter and which was capturing for 1 minutes to see what we get. - 

Looks a lot more interesting. However, there is also lots more data for us to analyze. That is where your analysis skills now come in.


No comments:

Post a Comment