Suspicious Network & Endpoint Activity Investigation Guide
This guide combines a structured documentation checklist with an actionable toolkit in PowerShell and Python to help rapidly investigate and respond to suspicious activity on a Windows-based endpoint. It includes short tutorials for all tools and programs mentioned.
Documentation, Triage/Remediation & Reporting Structure
1. Initial Triage & Observation
Symptoms Observed:
- Unexpected outbound connections
- CPU/disk spikes
- Unknown open ports
- Software behaving erratically
- System slowdown
- Time & Date Logged
- System(s) Affected: IP address / Hostname
- Alert Source Verification/Review:
- User report
- SIEM
- EDR alert
- IDS/IPS
- Valid Security Alert (OS/AV)
- Etc.
2. Baseline Network Mapping
Document Normal Behavior:
- Expected services and open ports
- Authorized domains or IPs
Identify & Log:
- Local IP & MAC addresses
- Default Gateway / DNS servers
- Network layout: flat, segmented, mesh, or home
3. Active Connection Review
Tools: netstat -abno, TCPView, Wireshark
Look for:
- Unknown local listeners (e.g. 8733, 5357, 1462). Resolve every port to its owning PID and executable before treating it as unknown: TCP 5357 on Windows, for instance, is normally WSDAPI (Web Services on Devices) in a svchost.exe
- Frequent or unusual outbound connections, especially from processes that have no business talking to the internet
- High TIME_WAIT or FIN_WAIT_2 socket counts, particularly when concentrated on a single remote host
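A worked example of the review above, added here as an illustration and not code from the original guide: a Python parser for `netstat -abno` output that ties each socket to the PID and executable netstat reports, then flags listeners outside a baseline and established connections to external hosts, calling out the guide's threat-related ports. The netstat text, the baseline listener set, and the external addresses (RFC 5737 documentation ranges) are constructed for this example; replace the baseline with the one recorded in section 2.

```python
import ipaddress
import re

# Constructed sample of `netstat -abno` output (not captured from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:8733           0.0.0.0:0              LISTENING       6677
 [updater.exe]
  TCP    192.168.1.10:49710     104.18.32.47:443       ESTABLISHED     4321
 [chrome.exe]
  TCP    192.168.1.10:49811     198.51.100.23:4444     ESTABLISHED     6677
 [updater.exe]
  TCP    192.168.1.10:49812     192.168.1.50:445       ESTABLISHED     4
 Can not obtain ownership information
  UDP    0.0.0.0:5355           *:*                                    1640
  Dnscache
 [svchost.exe]
"""

# Assumed baseline for this host (section 2 of the guide); adjust per environment.
BASELINE_LISTENERS = {135, 139, 445, 5355, 5357}
# Ports the guide treats as threat-related (section 6).
THREAT_PORTS = {3389, 4444, 8733}
# "Internal" is listed explicitly rather than via ipaddress.is_private, which also
# classifies the RFC 5737 documentation ranges used in the sample as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# Proto, local endpoint, foreign endpoint, optional state (UDP has none), PID
RECORD_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)\s*$")


def split_endpoint(endpoint):
    """'[::]:135' -> ('::', 135); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def is_external(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # '*' wildcard
        return False
    return not addr.is_unspecified and not any(addr in net for net in INTERNAL_NETS)


def parse_netstat(text):
    """Each socket line is followed by optional component names and the owning
    executable in [brackets]; kernel-owned sockets (PID 4) print no image."""
    records, current = [], None
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            lip, lport = split_endpoint(local)
            rip, rport = split_endpoint(foreign)
            current = {"proto": proto, "lip": lip, "lport": lport, "rip": rip,
                       "rport": rport, "state": state, "pid": int(pid),
                       "image": None, "components": []}
            records.append(current)
        elif current is not None:
            s = line.strip()
            if not s:
                continue
            if s.startswith("[") and s.endswith("]"):
                current["image"] = s[1:-1]
            elif not s.startswith("Can not obtain"):
                current["components"].append(s)
    return records


def is_listener(r):
    return r["state"] == "LISTENING" or (r["proto"] == "UDP" and r["rip"] == "*")


def triage(records, baseline=BASELINE_LISTENERS, threat_ports=THREAT_PORTS):
    """Findings worth a closer look, each tied to the PID/image netstat reported."""
    findings = []
    for r in records:
        who = {"pid": r["pid"], "image": r["image"] or "<unknown>"}
        if is_listener(r) and r["lport"] not in baseline:
            findings.append({"reason": "unexpected-listener", "port": r["lport"], **who})
        if r["state"] == "ESTABLISHED" and is_external(r["rip"]):
            remote = f'{r["rip"]}:{r["rport"]}'
            if r["rport"] in threat_ports:
                findings.append({"reason": "threat-port-outbound", "remote": remote, **who})
            findings.append({"reason": "external-connection", "remote": remote, **who})
    return findings


if __name__ == "__main__":
    # Live host: run `netstat -abno > networkconnections.txt` elevated, then parse that file.
    for finding in triage(parse_netstat(SAMPLE_NETSTAT)):
        print(finding)
```

The parser keys every finding on the PID and image because that is what section 5 needs next: an unexpected listener on 8733 and an outbound connection to port 4444 from the same `updater.exe` PID is a far stronger signal than either observation alone.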
4. Remote IP & Domain Analysis
Tools: whois, VirusTotal, AbuseIPDB
Commonly seen legitimate infrastructure (verify ownership rather than assuming it):
- 1e100.net (Google)
- *.cloudflare.com (CDNs)
- Microsoft / AWS / Azure IPs
Attackers also host on CDN and cloud infrastructure, so a well-known owner does not by itself clear a connection; check the full domain or URL and the process that initiated the traffic.
5. Service, Process & Registry Enumeration
Tools: tasklist, Get-Process, Sysinternals: Process Explorer, Process Monitor, Autoruns
Look for:
- Unsigned or unknown executables
- Unusual memory usage or privilege elevation
- Processes running from temp or user profile directories
- Registry changes or suspicious autoruns
6. Firewall & Port Scan Review
Tools: pfirewall.log, Suricata, Zeek
Look for:
- Unexpected inbound/outbound traffic
- Use of known threat-related ports: 3389 (RDP), 4444 (Metasploit's default listener), 8733, etc.
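As an added example for this step (illustration only, not code from the original guide), the following Python reads pfirewall.log by its own `#Fields:` header, summarises dropped inbound traffic per source to surface port scans, flags allowed outbound connections to the threat-related ports listed above, and emits the PowerShell rules section 10 would use to block the offenders. The log excerpt and the addresses in it are constructed for the example; the field list mirrors the W3C header Windows Firewall writes when logging of dropped and successful connections is enabled.

```python
from collections import defaultdict

# Constructed pfirewall.log excerpt (not captured from a real host).
SAMPLE_PFIREWALL = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-05-01 09:58:01 DROP TCP 203.0.113.5 192.168.1.10 51234 3389 52 S 1234567 0 8192 - - - RECEIVE
2024-05-01 09:58:02 DROP TCP 203.0.113.5 192.168.1.10 51235 3389 52 S 1234568 0 8192 - - - RECEIVE
2024-05-01 09:58:02 DROP TCP 203.0.113.5 192.168.1.10 51236 445 52 S 1234569 0 8192 - - - RECEIVE
2024-05-01 09:58:03 DROP TCP 203.0.113.5 192.168.1.10 51237 22 52 S 1234570 0 8192 - - - RECEIVE
2024-05-01 09:58:03 DROP TCP 203.0.113.5 192.168.1.10 51238 4444 52 S 1234571 0 8192 - - - RECEIVE
2024-05-01 10:01:40 ALLOW TCP 192.168.1.10 104.18.32.47 49710 443 0 - 0 0 0 - - - SEND
2024-05-01 10:02:14 ALLOW TCP 192.168.1.10 198.51.100.23 49811 4444 0 - 0 0 0 - - - SEND
2024-05-01 10:02:20 ALLOW UDP 192.168.1.10 192.168.1.1 53412 53 0 - 0 0 0 - - - SEND
2024-05-01 10:03:05 DROP TCP 192.168.1.77 192.168.1.10 40001 445 52 S 99 0 8192 - - - RECEIVE
"""

# Ports the guide treats as threat-related.
THREAT_PORTS = {3389, 4444, 8733}


def parse_pfirewall(text):
    """Yield one dict per entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated line, e.g. the log rotated mid-write
        entry = dict(zip(fields, values))
        for key in ("src-port", "dst-port"):
            entry[key] = int(entry[key]) if entry[key].isdigit() else None
        yield entry


def inbound_drop_summary(entries):
    """Per source: distinct destination ports hit and total dropped packets."""
    summary = defaultdict(lambda: {"ports": set(), "hits": 0})
    for e in entries:
        if e["action"] == "DROP" and e["path"] == "RECEIVE":
            summary[e["src-ip"]]["ports"].add(e["dst-port"])
            summary[e["src-ip"]]["hits"] += 1
    return dict(summary)


def probable_scanners(summary, min_ports=3):
    """Sources that probed at least min_ports different ports."""
    return sorted(src for src, s in summary.items() if len(s["ports"]) >= min_ports)


def outbound_threat_port_hits(entries, threat_ports=THREAT_PORTS):
    """Allowed outbound connections to threat-related ports: (timestamp, src, dst, port)."""
    return [(f'{e["date"]} {e["time"]}', e["src-ip"], e["dst-ip"], e["dst-port"])
            for e in entries
            if e["action"] == "ALLOW" and e["path"] == "SEND"
            and e["dst-port"] in threat_ports]


def block_rule_commands(sources):
    """PowerShell commands (section 10) that block each source inbound."""
    return [f'New-NetFirewallRule -DisplayName "Block_In_{s}" -Direction Inbound '
            f'-RemoteAddress {s} -Action Block' for s in sources]


if __name__ == "__main__":
    # Live host: default path is %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
    entries = list(parse_pfirewall(SAMPLE_PFIREWALL))
    summary = inbound_drop_summary(entries)
    print("scanners:", probable_scanners(summary))
    print("outbound to threat ports:", outbound_threat_port_hits(entries))
    print("\n".join(block_rule_commands(probable_scanners(summary))))
```

Dropped inbound probes are noise on any internet-facing host; the allowed outbound connection to port 4444 is the line that matters here, because it means the firewall let the session through and the owning process (section 5) is the next thing to identify.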
7. Malware Scanning
Run a full scan with Microsoft Defender from an elevated PowerShell prompt (-ScanType 2 is a full scan; 1 is a quick scan):
Start-Process -FilePath "C:\Program Files\Windows Defender\MpCmdRun.exe" -ArgumentList "-Scan -ScanType 2" -Wait
Third-party Tools:
- Malwarebytes (CLI/UI)
- ESET
- Sophos
- HitManPro
8. Persistence Mechanism Review
Areas to Check:
- Startup Entries: msconfig, Task Manager, Autoruns
- Scheduled Tasks: schtasks /query
- WMI Event Subscriptions
- Services: Look for newly added and/or suspicious services
9. Log Collection & Preservation
Collect Logs From:
- Event Viewer: Application, System, Security
- Windows Firewall logs: pfirewall.log
- Suricata / Zeek alerts (eve.json)
- PCAP/PCAPNG (from Wireshark)
- Sysinternals: Process Monitor & Autoruns
- netstat / TCPView outputs
10. Take Action
Using the data collected, proceed with cleaning and sanitizing any/all affected devices and networks.
- Create firewall and network traffic rules to block activity/traffic by port or IP address and stop any suspicious or malicious activity on the network or system.
- Run full malware scans and remove any/all findings. If persistent or high-risk infections (such as rootkits) are identified, reinstalling the operating system may be the only way to guarantee the system is fully clean and secure.
- Terminate, quarantine, or remove suspicious processes or binaries (keep a copy of the binary and its hash for the report before deleting it).
- Fully remove any persistence mechanisms found.
- The bottom line: block, remove, and quarantine any findings, then keep monitoring everything AFTER completing the clean-up work.
"Rinse and repeat" until all systems/networks are clean and STAY clean, and continue monitoring devices and networks for several months after the incident(s).
11. Reporting & Response Summary
Include in Your Report:
- Flagged IPs, domains, and ports
- Suspicious processes or binaries (terminated/quarantined)
- Persistence mechanisms found and removed
- Final verdict: Benign / Suspicious / Confirmed Malicious
- Actions Taken: Blocked, removed, quarantined, or monitored
Tools Mentioned:
Process Monitor:
Run as Administrator. Set filters by process name or operation. Watch for file, registry, and network events like writes to temp folders or suspicious outbound connections.
TCPView:
Shows active network connections and listening ports. Use it to quickly identify unknown outbound connections and unusual port bindings.
Autoruns:
Enumerates all autostart items. Focus on the Logon, Services, and Drivers tabs. Look for unsigned or unknown entries; Options > Hide Microsoft Entries shrinks the list, but a signed Microsoft binary can still be abused through its arguments, so read the launch string too.
Process Explorer:
Advanced task manager. Inspect parent/child process chains, executable signatures, and command lines.
Wireshark:
Capture and analyze network traffic. Filter with display filters like:
- ip.addr == x.x.x.x
- http.request
- dns.qry.name contains "example.com"
Suricata:
Signature-based IDS. Use the Emerging Threats (ET) ruleset. Monitor alerts in eve.json.
Zeek:
Network metadata logging tool. Review conn.log, dns.log, and notice.log for anomalies.
Whois / VirusTotal / AbuseIPDB:
Look up ownership, registration, and threat reputation for IPs/domains. Confirm whether traffic is malicious or legitimate.
Last/Final Steps To Take:
- Archive logs, IOCs, and findings
- Submit IOCs to threat intel platforms (if applicable)
- Implement continuous monitoring and alerting
- Update internal documentation, improve detection logic, and revise PowerShell/Python scripts
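An added example for the Zeek review mentioned above and for the conn.log collected in section 9 (illustration only, not the guide's own code): the classic anomaly to pull out of conn.log is beaconing, a host contacting the same destination at near-constant intervals. The script below parses any Zeek ASCII log by its `#fields` line, groups connections by source, destination and port, and flags groups whose inter-arrival times have a low coefficient of variation. The conn.log content is constructed in code (one jittered 60-second beacon to an RFC 5737 documentation address, plus bursty browsing to a CDN address), and the thresholds `min_count` and `max_cv` are starting points to tune against your own traffic.

```python
import statistics
from collections import defaultdict

# Zeek's default conn.log column order (ASCII writer).
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
          "service", "duration", "orig_bytes", "resp_bytes", "conn_state", "local_orig",
          "local_resp", "missed_bytes", "history", "orig_pkts", "orig_ip_bytes",
          "resp_pkts", "resp_ip_bytes", "tunnel_parents"]


def _row(ts, uid, src, sport, dst, dport, orig_bytes, resp_bytes):
    return [f"{ts:.6f}", uid, src, str(sport), dst, str(dport), "tcp", "ssl", "0.412",
            str(orig_bytes), str(resp_bytes), "SF", "T", "F", "0", "ShADadFf",
            "6", "600", "6", "1300", "-"]


def build_sample_conn_log():
    """Constructed conn.log (not from a real sensor): one beacon plus normal browsing."""
    base = 1714557600.0
    rows = []
    # Beacon: a check-in roughly every 60 s with small jitter and a fixed request size.
    for i, jitter in enumerate([0, 1, -1, 2, 0, -2, 1, 0, -1, 1]):
        rows.append(_row(base + 60 * i + jitter, f"Cb{i}", "192.168.1.10", 49800 + i,
                         "198.51.100.23", 443, 312, 1024))
    # Browsing: irregular gaps and varying sizes to a CDN address.
    for i, off in enumerate([0, 3, 7, 30, 31, 95, 200, 210, 400, 401]):
        rows.append(_row(base + off, f"Cw{i}", "192.168.1.10", 49900 + i,
                         "104.18.32.47", 443, 500 + 37 * i, 20000 - 900 * i))
    header = ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
              "#unset_field\t-", "#path\tconn", "#fields\t" + "\t".join(FIELDS)]
    return "\n".join(header + ["\t".join(r) for r in rows]) + "\n#close\t2024-05-01-10-10-00\n"


def parse_zeek_log(text):
    """Parse any Zeek ASCII log into dicts keyed by the names in its #fields line."""
    fields, entries = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif not line or line.startswith("#"):
            continue
        elif fields is None:
            raise ValueError("data line before #fields header")
        else:
            entries.append(dict(zip(fields, line.split("\t"))))
    return entries


def detect_beacons(entries, min_count=6, max_cv=0.2):
    """Group by (source, destination, destination port) and flag groups whose
    inter-arrival times are near-constant (coefficient of variation <= max_cv)."""
    groups = defaultdict(list)
    for e in entries:
        key = (e["id.orig_h"], e["id.resp_h"], int(e["id.resp_p"]))
        groups[key].append((float(e["ts"]), e["orig_bytes"]))
    beacons = []
    for key, conns in groups.items():
        if len(conns) < min_count:
            continue
        conns.sort()
        times = [t for t, _ in conns]
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons.append({"key": key, "count": len(conns), "interval": round(mean, 1),
                            "cv": round(cv, 3),
                            "distinct_request_sizes": len({b for _, b in conns})})
    return beacons


if __name__ == "__main__":
    # On a sensor: detect_beacons(parse_zeek_log(open("conn.log").read()))
    for beacon in detect_beacons(parse_zeek_log(build_sample_conn_log())):
        print(beacon)
```

The `distinct_request_sizes` field is a cheap second signal: a beacon with a fixed-size check-in shows one size, while real browsing to the same destination varies. Feed the flagged destination back into section 4 (whois/AbuseIPDB) and the source PID into section 5 before blocking anything.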
Optional: Modular Incident Response Toolkit
PowerShell Functions:
function Get-NetworkConnections {
    # -a all sockets, -b owning executable (requires elevation), -n numeric, -o PID
    netstat -abno | Out-File "networkconnections.txt"
    Write-Output "[*] Network connections exported."
}

function Get-RunningProcesses {
    # Get-CimInstance is the supported replacement for Get-WmiObject;
    # ParentProcessId makes odd process trees (e.g. Office spawning PowerShell) visible
    Get-CimInstance Win32_Process |
        Select-Object Name, ProcessId, ParentProcessId, CommandLine |
        Out-File "processes.txt"
}

function Get-OpenPorts {
    # Resolve each listening port to its process name so unknown listeners can be triaged at once
    Get-NetTCPConnection -State Listen |
        Select-Object LocalAddress, LocalPort, OwningProcess,
            @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
        Out-File "openports.txt"
}

function Start-DefenderScan {
    # -ScanType 2 = full scan; -Wait blocks until the scan finishes
    Start-Process -FilePath "C:\Program Files\Windows Defender\MpCmdRun.exe" -ArgumentList "-Scan -ScanType 2" -Wait
}

function Export-EventLogs {
    # Exporting the Security log requires an elevated session
    wevtutil epl System SystemLog.evtx
    wevtutil epl Security SecurityLog.evtx
}

function Get-StartupItems {
    # Win32_StartupCommand covers Run/RunOnce keys and Startup folders only;
    # use Autoruns for services, drivers, WMI subscriptions, and scheduled tasks
    Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location | Out-File "startupitems.txt"
}

function Block-MaliciousIP {
    param([Parameter(Mandatory)][string]$ip)
    # Block both directions; an outbound-only rule leaves inbound connections from $ip unaffected
    New-NetFirewallRule -DisplayName "Block_Out_$ip" -Direction Outbound -RemoteAddress $ip -Action Block
    New-NetFirewallRule -DisplayName "Block_In_$ip" -Direction Inbound -RemoteAddress $ip -Action Block
}
Python Functions:
import os
import socket

import requests
from ipwhois import IPWhois


def resolve_domain(ip):
    """Reverse DNS for an IP. PTR records are set by whoever controls the address
    space, so treat the result as a hint, not as proof of ownership."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return "Unknown"


def get_ip_info(ip):
    """Ownership/ASN data via RDAP (ipwhois). python-whois is meant for domain
    names, so IP lookups go through IPWhois instead."""
    info = {"ip": ip, "domain": resolve_domain(ip)}
    try:
        rdap = IPWhois(ip).lookup_rdap()
        info["org"] = rdap.get("asn_description") or "N/A"
        info["country"] = rdap.get("asn_country_code") or "N/A"
    except Exception as exc:  # private/reserved address, rate limit, network error
        info["org"] = info["country"] = "N/A"
        info["error"] = str(exc)
    return info


def check_abuseipdb(ip, api_key):
    """Query the AbuseIPDB v2 check endpoint for reports from the last 90 days."""
    url = "https://api.abuseipdb.com/api/v2/check"
    params = {"ipAddress": ip, "maxAgeInDays": 90}
    headers = {"Key": api_key, "Accept": "application/json"}
    r = requests.get(url, params=params, headers=headers, timeout=15)
    return r.json() if r.status_code == 200 else {"error": r.text}


# Sample Run Block
if __name__ == "__main__":
    suspicious_ips = ["104.18.32.47", "20.59.87.226"]
    # Keep the key out of the script: set ABUSEIPDB_KEY in the environment
    api_key = os.environ.get("ABUSEIPDB_KEY", "<YourAbuseIPDBKey>")
    for ip in suspicious_ips:
        print("Checking:", ip)
        print("Info:", get_ip_info(ip))
        print("AbuseIPDB:", check_abuseipdb(ip, api_key))
Optional PowerShell Front End:
########################################################
# Incident Response Front-End Menu - PowerShell Script #
########################################################
# Run from an elevated PowerShell session: netstat -b and the Security event log
# require administrator rights. Output files land in the current directory, so
# start the script from a dedicated evidence folder.

function Show-Menu {
    Clear-Host
    Write-Host "`n* Suspicious Activity Response Toolkit *" -ForegroundColor Cyan
    Write-Host "1. Export Active Network Connections"
    Write-Host "2. Export Running Processes"
    Write-Host "3. Export Listening Ports"
    Write-Host "4. Run Windows Defender Full Scan"
    Write-Host "5. Export System & Security Event Logs"
    Write-Host "6. Run Full Investigation Workflow"
    Write-Host "7. Exit`n"
}

function Export-NetworkConnections {
    netstat -abno | Out-File -FilePath "networkconnections.txt"
    Write-Host "[*] Network connections saved to networkconnections.txt" -ForegroundColor Green
}

function Export-RunningProcesses {
    Get-CimInstance Win32_Process | Select-Object Name, ProcessId, ParentProcessId, CommandLine | Out-File "processes.txt"
    Write-Host "[*] Process list saved to processes.txt" -ForegroundColor Green
}

function Export-OpenPorts {
    Get-NetTCPConnection -State Listen | Select-Object LocalAddress, LocalPort, OwningProcess | Out-File "openports.txt"
    Write-Host "[*] Listening ports saved to openports.txt" -ForegroundColor Green
}

function Run-WindowsDefenderScan {
    # -ScanType 2 = full scan; -Wait returns only after the scan has finished
    Start-Process -FilePath "C:\Program Files\Windows Defender\MpCmdRun.exe" -ArgumentList "-Scan -ScanType 2" -Wait
    Write-Host "[*] Windows Defender full scan completed." -ForegroundColor Yellow
}

function Export-EventLogs {
    wevtutil epl System SystemLog.evtx
    wevtutil epl Security SecurityLog.evtx
    Write-Host "[*] Event logs exported: SystemLog.evtx, SecurityLog.evtx" -ForegroundColor Green
}

function Run-FullWorkflow {
    # Collect volatile evidence first; the scan comes last because it can take a long time
    Export-NetworkConnections
    Export-RunningProcesses
    Export-OpenPorts
    Export-EventLogs
    Run-WindowsDefenderScan
    Write-Host "[*] Full investigation workflow completed." -ForegroundColor Cyan
}

# Menu Loop
Do {
    Show-Menu
    $choice = Read-Host "Select an option (1-7)"
    Switch ($choice) {
        "1" { Export-NetworkConnections }
        "2" { Export-RunningProcesses }
        "3" { Export-OpenPorts }
        "4" { Run-WindowsDefenderScan }
        "5" { Export-EventLogs }
        "6" { Run-FullWorkflow }
        "7" { Write-Host "[*] Exiting..." -ForegroundColor DarkGray }
        default { Write-Host "[!] Invalid selection. Try again." -ForegroundColor Red }
    }
    if ($choice -ne "7") {
        Read-Host "Press Enter to return to menu" | Out-Null
    }
} While ($choice -ne "7")