
Another way to see application communications

Good afternoon, colleagues. As you know, there is a very useful utility called sysmon. In a nutshell, it lets you collect and "log" events that occur in Windows. One such event is an attempt to establish a network connection, so you can use it to find out where your applications connect to. For this we need:



In principle, all we need is a little imagination. Sysmon writes its events to the Microsoft-Windows-Sysmon/Operational log, so we need to pull them out, take them apart, and display them. Like this:


    # Pull every Sysmon "network connection" event (event ID 3) from the Operational log
    $ids = Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | ? { $_.Id -eq 3 }

    # Properties[] is a positional list with no keys, so each index is mapped to its field name by hand
    $commObjects = $ids | % {
        New-Object psobject -Property @{
            RuleName            = $_.Properties[0].Value
            UtcTime             = $_.Properties[1].Value
            ProcessGuid         = $_.Properties[2].Value
            ProcessId           = $_.Properties[3].Value
            Image               = $_.Properties[4].Value
            User                = $_.Properties[5].Value
            Protocol            = $_.Properties[6].Value
            Initiated           = $_.Properties[7].Value
            SourceIsIpv6        = $_.Properties[8].Value
            SourceIp            = $_.Properties[9].Value
            SourceHostname      = $_.Properties[10].Value
            SourcePort          = $_.Properties[11].Value
            SourcePortName      = $_.Properties[12].Value
            DestinationIsIpv6   = $_.Properties[13].Value
            DestinationIp       = $_.Properties[14].Value
            DestinationHostname = $_.Properties[15].Value
            DestinationPort     = $_.Properties[16].Value
            DestinationPortName = $_.Properties[17].Value
            # Image:ProcessId and DestinationIp:DestinationPort become the vertex names,
            # so each process instance and each remote endpoint gets its own vertex
            SourceString        = "$($_.Properties[4].Value)`:$($_.Properties[3].Value)"
            DestinationString   = "$($_.Properties[14].Value)`:$($_.Properties[16].Value)"
        }
    }

    # Build a directed graph with one edge per connection and render it
    $g = New-Graph -Type BidirectionalGraph
    $commObjects | % { Add-Edge -From $_.SourceString -To $_.DestinationString -Graph $g | Out-Null }
    Show-GraphLayout -Graph $g

Unfortunately, the values in the Properties property come as a plain list, just values without keys. So in order to bind them to names I had to take a blunt approach. In the end we simply take these values from each log entry, convert them into objects, and then add them to the graph as vertices joined by edges and display it.


It is important to remember that a process with the same "path" can be started many times. On the other hand, a vertex with the same name is not added twice. Therefore, in order to represent each process on the graph uniquely, we slightly extend the original set of values by adding two new ones. This lets us identify the process accurately, since its identifier is a relatively unique value.


    SourceString      = "$($_.Properties[4].Value)`:$($_.Properties[3].Value)"
    DestinationString = "$($_.Properties[14].Value)`:$($_.Properties[16].Value)"
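As an added example (not part of the original post), here is a variant of the same idea that reads the field names from each event's XML instead of relying on fixed Properties[] indices, and collapses repeated connections into counted edges before handing them to the same graph cmdlets. The function name Get-SysmonNetworkEdges is my own, and the graph cmdlets are assumed to come from the same module the post uses.

```powershell
function Get-SysmonNetworkEdges {
    param([int]$MaxEvents = 5000)

    # Filter on the event ID server-side instead of pulling the whole log and piping through ?
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3
    } -MaxEvents $MaxEvents -ErrorAction Stop

    foreach ($e in $events) {
        # Every <Data> element in EventData carries a Name attribute, so the field
        # names come from the event itself and survive Sysmon schema changes that
        # shift the positional order of Properties[].
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) {
            $d[$node.GetAttribute('Name')] = $node.InnerText
        }
        [pscustomobject]@{
            UtcTime     = $d.UtcTime
            # Image:ProcessId as in the post; ProcessGuid is the truly unique key if
            # PID reuse over a long log window is a concern
            Source      = "$($d.Image):$($d.ProcessId)"
            ProcessGuid = $d.ProcessGuid
            Destination = "$($d.DestinationIp):$($d.DestinationPort)"
            DestHost    = $d.DestinationHostname
            Protocol    = $d.Protocol
            Initiated   = $d.Initiated   # 'true' = outbound connect, 'false' = accepted inbound
            User        = $d.User
        }
    }
}

# Collapse repeated connections into one edge with a count, so the graph shows how
# often each process talked to each endpoint rather than one line per event.
$edges = Get-SysmonNetworkEdges |
    Group-Object Source, Destination |
    ForEach-Object {
        [pscustomobject]@{
            Source      = $_.Group[0].Source
            Destination = $_.Group[0].Destination
            DestHost    = $_.Group[0].DestHost
            Count       = $_.Count
        }
    } | Sort-Object Count -Descending

$edges | Format-Table -AutoSize

# Same graph cmdlets as in the post, now fed one edge per distinct process/endpoint pair
$g = New-Graph -Type BidirectionalGraph
$edges | ForEach-Object { Add-Edge -From $_.Source -To $_.Destination -Graph $g | Out-Null }
Show-GraphLayout -Graph $g
```

Reading the Sysmon log requires an elevated session; sorting by Count first makes chatty or unexpected process-to-endpoint pairs stand out before the graph is even drawn.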

This is roughly how it looks in the end.


[Image: sysmonlognetgraph]


I hope it will be useful to someone.



Source: https://habr.com/ru/post/425375/

