Wednesday, April 16, 2025

Suspicious Network & Endpoint Activity Investigation Guide



This guide combines a structured documentation checklist with an actionable toolkit in PowerShell and Python to help rapidly investigate and respond to suspicious activity on a Windows-based endpoint. It includes short tutorials for every tool and program mentioned.

Documentation, Triage/Remediation & Reporting Structure


1. Initial Triage & Observation

Symptoms Observed:

  • Unexpected outbound connections
  • CPU/disk spikes
  • Unknown open ports
  • Software behaving erratically
  • System slowdown

Record at the Start:

  • Time & Date Logged
  • System(s) Affected: IP address / Hostname
  • Alert Source Verification/Review:
    • User report
    • SIEM
    • EDR alert
    • IDS/IPS
    • Valid Security Alert (OS/AV)
    • Etc.

2. Baseline Network Mapping

Document Normal Behavior:

Identify & Log:

  • Local IP & MAC addresses
  • Default Gateway / DNS servers
  • Network layout: flat, segmented, mesh, or home


3. Active Connection Review

Tools: netstat -abno (run from an elevated prompt; -b shows the owning executable), TCPView, Wireshark
Flag Suspicious Entries:
  • Unknown local listeners (8733, 5357, 1462, etc.). Resolve the PID to its executable and path before judging: 5357, for example, is WSDAPI (Network Discovery) on a stock Windows install, so the port number alone is not an indicator.
  • Frequent or unusual outbound connections, especially to public addresses from processes that have no reason to talk to the Internet
  • Large numbers of TIME_WAIT or FIN_WAIT_2 sockets to the same peer. The states themselves are normal; many of them to one destination mean a connect loop (beaconing or scanning).

4. Remote IP & Domain Analysis

Tools: whois, VirusTotal, AbuseIPDB
Note Common Legitimate Infrastructure:
  • 1e100.net (Google)
  • *.cloudflare.com (CDNs)
  • Microsoft / AWS / Azure IPs
*These are well-known infrastructure providers and are usually not malicious in themselves, but they are shared: a CDN edge or cloud IP tells you who hosts the endpoint, not who operates it. Pair the reputation lookup with which local process is talking and whether that destination is expected for it.
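The following is an added example, not part of the original guide, that ties steps 3 and 4 together: it parses the text that netstat -abno prints, flags listeners outside a baseline, separates internal from external peers, and applies the "known infrastructure" suffix check as a priority hint rather than a verdict. The netstat excerpt, the baseline listener set, the reverse-DNS table and the process names (update.exe, the 203.0.113.45 peer) are all constructed for the example; the RFC 1918 list is spelled out instead of using ipaddress.is_private so that the documentation ranges used in the sample count as external.

```python
import ipaddress
import re
from collections import Counter

# Constructed excerpt of "netstat -abno" output (not a real capture). With -b the owning
# executable follows each socket line in [brackets]; service-hosted sockets carry an extra
# service-name line first, and TIME_WAIT sockets have no owner (PID 0).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       928
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:8733           0.0.0.0:0              LISTENING       5120
 [update.exe]
  TCP    192.168.1.10:49812     104.18.32.47:443       ESTABLISHED     4120
 [chrome.exe]
  TCP    192.168.1.10:49901     203.0.113.45:4444      ESTABLISHED     5120
 [update.exe]
  TCP    192.168.1.10:49910     203.0.113.45:4444      TIME_WAIT       0
  TCP    192.168.1.10:49911     203.0.113.45:4444      TIME_WAIT       0
  TCP    192.168.1.10:50010     10.0.0.7:445           ESTABLISHED     4
 Can not obtain ownership information
"""

SOCKET_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_0-9]+)\s+)?(?P<pid>\d+)\s*$"
)

# Assumed baseline: listeners expected on this host (replace with what step 2 recorded).
# 5357 is WSDAPI / Network Discovery on a stock Windows install.
BASELINE_LISTENERS = {135, 139, 445, 5357}

# Reverse-DNS suffixes of well-known shared infrastructure (step 4). A match lowers priority
# but is not a verdict: CDNs and clouds host attacker tenants too.
KNOWN_INFRA_SUFFIXES = (".1e100.net", ".cloudflare.com", ".amazonaws.com", ".microsoft.com")

# Constructed stand-in for reverse DNS so the example runs offline. Live code would call
# socket.gethostbyaddr(); remember that PTR records are attacker-controllable.
FAKE_RDNS = {"104.18.32.47": "edge.cloudflare.com"}

LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7")]


def parse_netstat(text):
    """Return one dict per socket; the [process] line that follows a socket is attached to it."""
    sockets = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            lhost, _, lport = m.group("local").rpartition(":")
            rhost, _, rport = m.group("remote").rpartition(":")
            sockets.append({
                "proto": m.group("proto"), "local": lhost, "lport": int(lport),
                "remote": rhost, "rport": int(rport) if rport.isdigit() else rport,
                "state": m.group("state") or "", "pid": int(m.group("pid")), "process": None,
            })
        elif sockets and line.strip().startswith("[") and line.strip().endswith("]"):
            sockets[-1]["process"] = line.strip()[1:-1]
    return sockets


def is_external(ip):
    """True outside RFC 1918, loopback and link-local space ("*" and other placeholders are not)."""
    try:
        addr = ipaddress.ip_address(ip.strip("[]"))
    except ValueError:
        return False
    return not any(addr in net for net in LOCAL_NETS)


def triage(sockets, rdns=FAKE_RDNS):
    findings = []
    for s in sockets:
        if s["state"] == "LISTENING" and s["lport"] not in BASELINE_LISTENERS:
            findings.append({"type": "unknown_listener", "port": s["lport"],
                             "pid": s["pid"], "process": s["process"]})
        if s["state"] == "ESTABLISHED" and is_external(s["remote"]):
            name = rdns.get(s["remote"], "")
            findings.append({"type": "outbound_public", "remote": s["remote"], "rport": s["rport"],
                             "pid": s["pid"], "process": s["process"], "rdns": name,
                             "verdict": "known-infra" if name.endswith(KNOWN_INFRA_SUFFIXES) else "review"})
    # Many short-lived sockets to one peer (TIME_WAIT / FIN_WAIT_2) indicate a connect loop,
    # e.g. beaconing or scanning; the states on their own are normal.
    churn = Counter(s["remote"] for s in sockets if s["state"] in ("TIME_WAIT", "FIN_WAIT_2"))
    for peer, n in churn.items():
        if n >= 2:
            findings.append({"type": "socket_churn", "remote": peer, "count": n})
    return findings


if __name__ == "__main__":
    for finding in triage(parse_netstat(SAMPLE_NETSTAT)):
        print(finding)
```

Run it against a saved networkconnections.txt by reading the file into parse_netstat(). On the constructed sample it reports the 8733 listener owned by update.exe, one outbound connection marked known-infra and one marked for review (the same update.exe talking to 203.0.113.45:4444), and a churn entry for that peer; the internal SMB connection to 10.0.0.7 is not reported.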

5. Service, Process & Registry Enumeration

Tools: tasklist, Get-Process, Sysinternals: Process Explorer, Process Monitor, Autoruns
Indicators of Concern:
  • Unsigned or unknown executables
  • Unusual memory usage or privilege elevation
  • Processes running from temp or user profile directories
  • Registry changes or suspicious autoruns

6. Firewall & Port Scan Review

Tools: pfirewall.log (Windows Firewall logging of dropped and successful connections has to be switched on first), Suricata, Zeek
Check For:
  • Unexpected inbound/outbound traffic
  • Traffic on ports commonly tied to attacker tooling or lateral movement: 3389 (RDP) from unexpected sources, 4444 (a common reverse-shell / Metasploit default), 8733, etc. Port numbers are leads, not verdicts; confirm with the owning process and the peer.
  • One source touching many different destination ports in a short window (a port scan), whether or not the firewall dropped the attempts
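An added example (not from the original guide) of reading pfirewall.log with detection logic for the two checks above: a source that touches many distinct destination ports inside a short window, and allowed connections on ports of concern. The log excerpt, the 10.0.0.5 scanner, the 203.0.113.45 peer and the PORTS_OF_CONCERN table are constructed; the field layout follows the #Fields header line that Windows Firewall writes, and the parser reads that header instead of hard-coding column positions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed pfirewall.log excerpt in the W3C format Windows Firewall writes when logging of
# dropped and successful connections is enabled. Not a real log.
SAMPLE_PFIREWALL = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2025-04-16 10:01:02 DROP TCP 10.0.0.5 192.168.1.10 51234 21 52 S 1 0 8192 - - - RECEIVE
2025-04-16 10:01:02 DROP TCP 10.0.0.5 192.168.1.10 51235 22 52 S 1 0 8192 - - - RECEIVE
2025-04-16 10:01:03 DROP TCP 10.0.0.5 192.168.1.10 51236 23 52 S 1 0 8192 - - - RECEIVE
2025-04-16 10:01:03 DROP TCP 10.0.0.5 192.168.1.10 51237 80 52 S 1 0 8192 - - - RECEIVE
2025-04-16 10:01:03 DROP TCP 10.0.0.5 192.168.1.10 51238 135 52 S 1 0 8192 - - - RECEIVE
2025-04-16 10:01:04 DROP TCP 10.0.0.5 192.168.1.10 51239 1433 52 S 1 0 8192 - - - RECEIVE
2025-04-16 10:01:04 ALLOW TCP 10.0.0.5 192.168.1.10 51260 3389 0 - 0 0 0 - - - RECEIVE
2025-04-16 10:05:30 ALLOW TCP 192.168.1.10 203.0.113.45 49901 4444 0 - 0 0 0 - - - SEND
2025-04-16 10:20:00 ALLOW TCP 192.168.1.20 192.168.1.10 50100 445 0 - 0 0 0 - - - RECEIVE
"""

# Assumed list of ports worth a second look. A hit is a lead, not a verdict: 3389 is
# legitimate RDP until the source or the timing says otherwise.
PORTS_OF_CONCERN = {
    3389: "RDP",
    4444: "common reverse-shell / Metasploit default",
    8733: "unknown listener seen in step 3",
}


def parse_pfirewall(text):
    """Parse using the #Fields header so the parser survives column-order changes between versions."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif fields and line and not line.startswith("#"):
            values = line.split()
            if len(values) != len(fields):
                continue                      # truncated line: skip rather than misalign columns
            row = dict(zip(fields, values))
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            rows.append(row)
    return rows


def find_port_scans(rows, min_ports=20, window_sec=60):
    """Return {src-ip: distinct-port-count} for inbound sources that hit at least min_ports
    distinct destination ports within any window_sec window. DROP and ALLOW both count: a scan
    is the breadth of ports touched, not whether the firewall let them through."""
    by_src = defaultdict(list)
    for r in rows:
        if r["path"] == "RECEIVE":            # inbound only; SEND is this host talking out
            by_src[r["src-ip"]].append((r["ts"], int(r["dst-port"])))
    scans = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if (t - start).total_seconds() <= window_sec}
            if len(ports) >= min_ports:
                scans[src] = len(ports)
                break
    return scans


def find_port_hits(rows):
    """Allowed connections involving a port of concern, in either direction."""
    return [
        (r["ts"].strftime("%H:%M:%S"), r["path"], r["src-ip"], r["dst-ip"],
         int(r["dst-port"]), PORTS_OF_CONCERN[int(r["dst-port"])])
        for r in rows
        if r["action"] == "ALLOW" and int(r["dst-port"]) in PORTS_OF_CONCERN
    ]


if __name__ == "__main__":
    rows = parse_pfirewall(SAMPLE_PFIREWALL)
    print("port scans:", find_port_scans(rows, min_ports=5))
    for hit in find_port_hits(rows):
        print("port of concern:", hit)
```

The scan threshold is deliberately a parameter: 20 distinct ports in a minute is a reasonable default for a real log, and the sample uses min_ports=5 only because it is short. On the sample the scanner 10.0.0.5 is reported with 7 distinct ports (its allowed RDP connection counts too), and the port hits are the inbound 3389 session from that same source and the outbound 4444 connection.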

7. Malware Scanning

Windows Defender full scan (MpCmdRun -ScanType 2 is a full scan; Start-MpScan -ScanType FullScan is the cmdlet equivalent). The Program Files copy of MpCmdRun.exe is the legacy location; on updated systems the current engine lives under C:\ProgramData\Microsoft\Windows Defender\Platform\<version>\, so use that copy if the legacy one is stale:
Start-Process -FilePath "C:\Program Files\Windows Defender\MpCmdRun.exe" -ArgumentList "-Scan -ScanType 2" -Wait

Windows Defender Offline is a separate scan (Start-MpWDOScan, or Windows Security > Scan options) that reboots the machine into the offline environment, so finish the log collection in step 9 before launching it.

Third-party Tools:


8. Persistence Mechanism Review

Areas to Check:
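An added example (not the guide's own code) covering steps 5 and 8 with one shared set of checks: processes running from temp or user-profile directories, system process names running from the wrong directory, an Office or browser parent spawning a shell, and Autoruns entries that are unsigned or point into those same directories. The process list is constructed in the shape of Get-CimInstance Win32_Process output, and the Autoruns CSV is constructed with column names assumed to match what "autorunsc -a * -c -s -nobanner" writes (check the header of your own export); bob, Updater and the encoded command are invented.

```python
import csv
import io
import re

# Constructed process list in the shape of
#   Get-CimInstance Win32_Process | Select Name,ProcessId,ParentProcessId,ExecutablePath,CommandLine
# Not from a real host. "SQBFAFgA" is base64 of the UTF-16LE string "IEX".
SAMPLE_PROCESSES = [
    {"Name": "explorer.exe", "ProcessId": 4120, "ParentProcessId": 4000, "ExecutablePath": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"Name": "WINWORD.EXE", "ProcessId": 6012, "ParentProcessId": 4120, "ExecutablePath": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "CommandLine": '"WINWORD.EXE" /n invoice.docm'},
    {"Name": "powershell.exe", "ProcessId": 6100, "ParentProcessId": 6012, "ExecutablePath": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell -nop -w hidden -enc SQBFAFgA"},
    {"Name": "svchost.exe", "ProcessId": 5120, "ParentProcessId": 6100, "ExecutablePath": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "CommandLine": "svchost.exe"},
    {"Name": "svchost.exe", "ProcessId": 928, "ParentProcessId": 700, "ExecutablePath": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k RPCSS"},
]

# Constructed Autoruns export; column names assumed to match "autorunsc -a * -c -s -nobanner".
SAMPLE_AUTORUNS = r"""Time,Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String
2025-04-16 09:55,HKCU\Software\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,bob,,(Not verified) Updater,,C:\Users\bob\AppData\Local\Temp\svchost.exe,1.0.0.0,C:\Users\bob\AppData\Local\Temp\svchost.exe
2025-04-16 09:55,HKLM\System\CurrentControlSet\Services,RpcSs,enabled,Services,System-wide,Remote Procedure Call,(Verified) Microsoft Windows,Microsoft Corporation,C:\Windows\System32\svchost.exe,10.0.19041.1,svchost.exe -k RPCSS
2025-04-16 09:55,Task Scheduler,\Microsoft\Windows\Defrag\ScheduledDefrag,enabled,Scheduled Tasks,System-wide,Disk Defragmenter,(Verified) Microsoft Windows,Microsoft Corporation,C:\Windows\System32\defrag.exe,10.0.19041.1,%windir%\system32\defrag.exe -c -h
"""

HIGH_RISK_DIRS = re.compile(r"\\(Temp|Downloads|Public|\$Recycle\.Bin|Windows\\Tasks)\\", re.I)
USER_PROFILE = re.compile(r"^[a-z]:\\Users\\[^\\]+\\", re.I)
PROGRAMDATA_ROOT = re.compile(r"^[a-z]:\\ProgramData\\[^\\]+$", re.I)
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe", "explorer.exe"}
SYSTEM_DIRS = {r"\windows", r"\windows\system32", r"\windows\syswow64"}
OFFICE_OR_BROWSER = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe",
                     "chrome.exe", "msedge.exe", "firefox.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
          "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}


def path_risk(path):
    """'high' for temp/download/public/ProgramData-root locations, 'review' for anything else
    under a user profile, 'unknown' for an empty path (protected processes), otherwise 'ok'."""
    if not path:
        return "unknown"
    if HIGH_RISK_DIRS.search(path) or PROGRAMDATA_ROOT.match(path):
        return "high"
    if USER_PROFILE.match(path):
        return "review"
    return "ok"


def masquerades(name, path):
    """A Windows system process name running from outside the Windows directories."""
    if name.lower() not in SYSTEM_NAMES or not path:
        return False
    directory = path.lower().rpartition("\\")[0][2:]   # drop the drive letter, keep "\windows\system32"
    return directory not in SYSTEM_DIRS


def triage_processes(procs):
    by_pid = {p["ProcessId"]: p for p in procs}
    findings = []
    for p in procs:
        name, path = p["Name"].lower(), p.get("ExecutablePath") or ""
        risk = path_risk(path)
        if risk in ("high", "review"):
            findings.append({"pid": p["ProcessId"], "name": name, "reason": f"{risk}-risk path: {path}"})
        if masquerades(name, path):
            findings.append({"pid": p["ProcessId"], "name": name, "reason": f"system name outside Windows dir: {path}"})
        parent = by_pid.get(p["ParentProcessId"])
        if parent and parent["Name"].lower() in OFFICE_OR_BROWSER and name in SHELLS:
            findings.append({"pid": p["ProcessId"], "name": name,
                             "reason": f"{parent['Name']} spawned {name}: {p.get('CommandLine', '')}"})
    return findings


def triage_autoruns(csv_text):
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        image = row.get("Image Path", "")
        reasons = []
        if not row.get("Signer", "").startswith("(Verified)"):
            reasons.append("unsigned or unverified signer")
        if path_risk(image) in ("high", "review"):
            reasons.append(f"{path_risk(image)}-risk image path")
        if reasons:
            findings.append({"location": row["Entry Location"], "entry": row["Entry"], "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_processes(SAMPLE_PROCESSES) + triage_autoruns(SAMPLE_AUTORUNS):
        print(f)
```

On the sample this surfaces the chain that matters: WINWORD.EXE launching a hidden, encoded PowerShell, which in turn started a svchost.exe from the user's Temp folder, and a Run-key entry that relaunches that same binary at logon. To use it on a real host, feed it the CSV from Export-Csv / autorunsc and read the "review" findings with the Autoruns and Process Explorer notes below in mind: much legitimate per-user software lives under AppData, so "review" is a queue, not a verdict.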

9. Log Collection & Preservation

Collect Logs From:

10. Take Action

Using the data collected, proceed with cleaning and sanitizing all affected devices and networks. Finish the log collection in step 9 first: quarantine and reimaging destroy the artifacts you would otherwise analyze.

  • Create firewall and network rules to block the flagged activity by port or IP address and stop the suspicious or malicious traffic on the network or system.
  • Run full malware scans and remove everything found. If persistent or high-risk infections (such as rootkits) are identified, reinstalling the operating system may be the only way to guarantee the system is fully clean.
  • Terminate, quarantine, or remove suspicious processes and binaries.
  • Fully remove any persistence mechanisms found.
  • The bottom line: block, remove, and quarantine any findings, and keep monitoring everything AFTER the clean-up work is done.
    "Rinse and repeat" until all systems and networks are clean and STAY clean, and continue monitoring devices and networks for several months after the incident(s).

11. Reporting & Response Summary

Include in Your Report:
  • Flagged IPs, domains, and ports
  • Suspicious processes or binaries (terminated/quarantined)
  • Persistence mechanisms found and removed
  • Final verdict: Benign / Suspicious / Confirmed Malicious
  • Actions Taken: Blocked, removed, quarantined, or monitored

Tools Mentioned:

Process Monitor:

Run as Administrator. Set filters by process name or operation. Watch for file, registry, and network events like writes to temp folders or suspicious outbound connections.

TCPView:

Shows active network connections and listening ports. Use to quickly identify unknown outbound connections and unusual port bindings.

Autoruns:

Enumerates all autostart items. Focus on Logon, Services, and Drivers tabs. Look for unsigned or unknown entries.

Process Explorer:

Advanced task manager. Inspect parent/child process chains, executable signatures, and command lines.

Wireshark:

Capture and analyze network traffic. Filter with terms like:
  1. ip.addr == x.x.x.x
  2. http.request
  3. dns.qry.name contains "example.com"

Suricata:

Signature-based IDS. Use Emerging Threats (ET) ruleset. Monitor alerts in eve.json.

Zeek:

Network metadata logging tool. Review conn.log, dns.log, and notice.log for anomalies.
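An added example (not from the original guide) of the two reviews just described: pulling high-priority alerts out of Suricata's eve.json and finding check-in loops in Zeek's conn.log. Both inputs are constructed: the alert signature IDs are in the local-rule range and are made up, not Emerging Threats IDs, and the conn.log is reduced to the fields the example uses. The beacon check groups connections by (source, destination, port) and flags groups whose inter-connection gaps are nearly constant, which is the pattern a C2 implant on a fixed sleep produces; the 0.2 coefficient-of-variation threshold is an assumption to tune per environment.

```python
import json
import statistics
from collections import defaultdict

# Constructed Suricata eve.json lines (one JSON object per line). Signature IDs 1000001/1000002
# are in the local-rule range and invented for the example.
SAMPLE_EVE = r'''
{"timestamp":"2025-04-16T10:05:30.000000-0700","event_type":"alert","src_ip":"192.168.1.10","src_port":49901,"dest_ip":"203.0.113.45","dest_port":4444,"proto":"TCP","alert":{"action":"allowed","signature_id":1000001,"signature":"LOCAL Outbound connection to TCP/4444","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2025-04-16T10:05:31.000000-0700","event_type":"dns","src_ip":"192.168.1.10","dest_ip":"192.168.1.1","dns":{"type":"query","rrname":"example.com"}}
{"timestamp":"2025-04-16T10:06:00.000000-0700","event_type":"alert","src_ip":"192.168.1.20","src_port":50100,"dest_ip":"192.168.1.10","dest_port":445,"proto":"TCP","alert":{"action":"allowed","signature_id":1000002,"signature":"LOCAL SMB from workstation subnet","category":"Potentially Bad Traffic","severity":3}}
'''

# Constructed Zeek conn.log (tab separated, reduced to the fields used here). Connections
# 60 s apart to 203.0.113.45:4444 model a check-in loop; the two TLS sessions are noise.
SAMPLE_CONN = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state",
    "1744822800.0\tC1\t192.168.1.10\t49901\t203.0.113.45\t4444\ttcp\t-\t0.5\t120\t300\tSF",
    "1744822810.0\tC6\t192.168.1.10\t49812\t104.18.32.47\t443\ttcp\tssl\t30.0\t5000\t80000\tSF",
    "1744822860.1\tC2\t192.168.1.10\t49905\t203.0.113.45\t4444\ttcp\t-\t0.4\t120\t310\tSF",
    "1744822900.0\tC7\t192.168.1.10\t49813\t104.18.32.47\t443\ttcp\tssl\t12.0\t3000\t40000\tSF",
    "1744822920.0\tC3\t192.168.1.10\t49910\t203.0.113.45\t4444\ttcp\t-\t0.5\t121\t295\tSF",
    "1744822979.9\tC4\t192.168.1.10\t49911\t203.0.113.45\t4444\ttcp\t-\t0.6\t120\t305\tSF",
    "1744823040.0\tC5\t192.168.1.10\t49915\t203.0.113.45\t4444\ttcp\t-\t0.5\t120\t300\tSF",
])


def parse_eve_alerts(text, max_severity=2):
    """Keep alert events at priority max_severity or higher (Suricata: 1 is the most severe)."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert" or ev["alert"]["severity"] > max_severity:
            continue
        alerts.append({"ts": ev["timestamp"], "src": ev["src_ip"], "dest": ev["dest_ip"],
                       "dport": ev["dest_port"], "sid": ev["alert"]["signature_id"],
                       "signature": ev["alert"]["signature"], "severity": ev["alert"]["severity"]})
    return alerts


def parse_zeek(text):
    """Read the #fields header so the parser follows whatever columns the log actually has."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif fields and line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def find_beacons(rows, min_conns=4, max_cv=0.2):
    """Flag (orig, resp, port) triples whose inter-connection gaps are near-constant:
    coefficient of variation (stdev/mean) at or below max_cv over at least min_conns connections."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(float(r["ts"]))
    beacons = []
    for (orig, resp, port), times in groups.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
        if cv <= max_cv:
            beacons.append({"orig": orig, "resp": resp, "port": int(port),
                            "count": len(times), "interval_s": round(mean, 1), "cv": round(cv, 3)})
    return beacons


if __name__ == "__main__":
    for a in parse_eve_alerts(SAMPLE_EVE):
        print("alert:", a)
    for b in find_beacons(parse_zeek(SAMPLE_CONN)):
        print("beacon:", b)
```

Implants that add random jitter to their sleep widen the gap distribution, so raise max_cv (or bucket the gaps) when hunting for those; conversely, legitimate software such as update checkers and monitoring agents also beacons on a fixed schedule, which is why the output is a list to cross-reference against the process list from step 5, not an alert on its own.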

Whois / VirusTotal / AbuseIPDB:

Look up ownership, registration, and threat reputation for IPs/domains. Confirm if traffic is malicious or legitimate.


Last/Final Steps To Take:

  1. Archive logs, IOCs, and findings
  2. Submit IOCs to threat intel platforms (if applicable)
  3. Implement continuous monitoring and alerting
  4. Update internal documentation, improve detection logic, and revise PowerShell/Python scripts


Optional: Modular Incident Response Toolkit

PowerShell Functions:

function Get-NetworkConnections {
    # -b (owning executable) needs an elevated prompt
    netstat -abno | Out-File "networkconnections.txt"
    Write-Output "[*] Network connections exported."
}

function Get-RunningProcesses {
    # Get-CimInstance replaces Get-WmiObject, which is absent from PowerShell 7;
    # ParentProcessId is what you need to reconstruct process chains later
    Get-CimInstance Win32_Process | Select-Object Name, ProcessId, ParentProcessId, CommandLine | Out-File "processes.txt"
}

function Get-OpenPorts {
    Get-NetTCPConnection -State Listen | Select-Object LocalAddress, LocalPort, OwningProcess | Out-File "openports.txt"
}

function Start-DefenderScan {
    # -ScanType 2 = full scan; -Wait blocks until it finishes
    Start-Process -FilePath "C:\Program Files\Windows Defender\MpCmdRun.exe" -ArgumentList "-Scan -ScanType 2" -Wait
}

function Export-EventLogs {
    # Reading the Security log needs an elevated prompt
    wevtutil epl System SystemLog.evtx
    wevtutil epl Security SecurityLog.evtx
}

function Get-StartupItems {
    # Get- is the approved verb (was List-StartupItems)
    Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location | Out-File "startupitems.txt"
}

function Block-MaliciousIP {
    param([Parameter(Mandatory)][string]$ip)
    # Block both directions: an outbound-only rule still lets the address connect in
    New-NetFirewallRule -DisplayName "Block_Out_$ip" -Direction Outbound -RemoteAddress $ip -Action Block
    New-NetFirewallRule -DisplayName "Block_In_$ip"  -Direction Inbound  -RemoteAddress $ip -Action Block
}

Python Functions:

import os
import socket
import requests
from ipwhois import IPWhois   # pip install ipwhois requests


def resolve_domain(ip):
    """Reverse DNS. PTR records are set by whoever controls the address space, so treat the name as a hint."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return "Unknown"


def get_ip_info(ip):
    """Owner, ASN and country via RDAP. The domain-oriented python-whois module is not reliable for IPs,
    which is why ipwhois is used here."""
    info = {"ip": ip, "domain": resolve_domain(ip)}
    try:
        rdap = IPWhois(ip).lookup_rdap(depth=1)
        info["org"] = rdap.get("asn_description") or "N/A"
        info["country"] = rdap.get("asn_country_code") or "N/A"
    except Exception:
        info["org"] = "N/A"
        info["country"] = "N/A"
    return info


def check_abuseipdb(ip, api_key):
    url = "https://api.abuseipdb.com/api/v2/check"
    params = {"ipAddress": ip, "maxAgeInDays": 90}
    headers = {"Key": api_key, "Accept": "application/json"}
    r = requests.get(url, headers=headers, params=params, timeout=15)
    return r.json() if r.status_code == 200 else {"error": r.text}


# Sample Run Block
if __name__ == "__main__":
    suspicious_ips = ["104.18.32.47", "20.59.87.226"]
    # Keep the key out of the script: read it from the environment, fall back to the placeholder
    api_key = os.environ.get("ABUSEIPDB_KEY", "<YourAbuseIPDBKey>")
    for ip in suspicious_ips:
        print("Checking:", ip)
        print("Info:", get_ip_info(ip))
        print("AbuseIPDB:", check_abuseipdb(ip, api_key))

 

Optional PowerShell Front End:

########################################################
# Incident Response Front-End Menu - PowerShell Script #
########################################################

function Show-Menu {
    Clear-Host
    # PowerShell uses `n for a newline inside double quotes; "\n" prints literally
    Write-Host "`n* Suspicious Activity Response Toolkit *" -ForegroundColor Cyan
    Write-Host "1. Export Active Network Connections"
    Write-Host "2. Export Running Processes"
    Write-Host "3. Export Listening Ports"
    Write-Host "4. Run Windows Defender Full Scan"
    Write-Host "5. Export System & Security Event Logs"
    Write-Host "6. Run Full Investigation Workflow"
    Write-Host "7. Exit`n"
}

function Export-NetworkConnections {
    # -b (owning executable) needs an elevated prompt
    netstat -abno | Out-File -FilePath "networkconnections.txt"
    Write-Host "[*] Network connections saved to networkconnections.txt" -ForegroundColor Green
}

function Export-RunningProcesses {
    # Get-CimInstance replaces Get-WmiObject, which is absent from PowerShell 7
    Get-CimInstance Win32_Process | Select-Object Name, ProcessId, ParentProcessId, CommandLine | Out-File "processes.txt"
    Write-Host "[*] Process list saved to processes.txt" -ForegroundColor Green
}

function Export-OpenPorts {
    Get-NetTCPConnection -State Listen | Select-Object LocalAddress, LocalPort, OwningProcess | Out-File "openports.txt"
    Write-Host "[*] Listening ports saved to openports.txt" -ForegroundColor Green
}

function Run-WindowsDefenderScan {
    # Single backslashes: PowerShell does not treat \ as an escape character
    Start-Process -FilePath "C:\Program Files\Windows Defender\MpCmdRun.exe" -ArgumentList "-Scan -ScanType 2" -Wait
    Write-Host "[*] Windows Defender full scan finished (-Wait blocks until it completes)." -ForegroundColor Yellow
}

function Export-EventLogs {
    # Reading the Security log needs an elevated prompt
    wevtutil epl System SystemLog.evtx
    wevtutil epl Security SecurityLog.evtx
    Write-Host "[*] Event logs exported: SystemLog.evtx, SecurityLog.evtx" -ForegroundColor Green
}

function Run-FullWorkflow {
    # Collect volatile state and logs first; the scan may quarantine what you still want to examine
    Export-NetworkConnections
    Export-RunningProcesses
    Export-OpenPorts
    Export-EventLogs
    Run-WindowsDefenderScan
    Write-Host "[*] Full investigation workflow completed." -ForegroundColor Cyan
}

# Menu Loop
Do {
    Show-Menu
    $choice = Read-Host "Select an option (1-7)"
    Switch ($choice) {
        "1" { Export-NetworkConnections }
        "2" { Export-RunningProcesses }
        "3" { Export-OpenPorts }
        "4" { Run-WindowsDefenderScan }
        "5" { Export-EventLogs }
        "6" { Run-FullWorkflow }
        "7" { Write-Host "[*] Exiting..." -ForegroundColor DarkGray }
        default { Write-Host "[!] Invalid selection. Try again." -ForegroundColor Red }
    }
    if ($choice -ne "7") {
        Read-Host "Press Enter to return to menu" | Out-Null
    }
} While ($choice -ne "7")


Created & Maintained by Pacific Northwest Computers

