Ask Your Question
0

How to find the program that was executed to compromise the user?

asked 2020-10-08 03:15:11 +0000

datasciencedal gravatar image

Hi! I am quite new to wireshark so still trying to find my way around things. My task is to find the name of the program that was executed to compromise the user (i.e. a program that was carried out to give the attacker root privileges). My first instinct was to go through the HTTP requests, however I am still having trouble identifying which programs were the ones that allowed the hacker to gain root access.

Could I please have some assistance?

Thanks!

edit retag flag offensive close merge delete

3 Answers

Sort by ยป oldest newest most voted
0

answered 2020-10-08 09:41:30 +0000

hugo.vanderkooij gravatar image

Wireshark is not the tool you are looking for. Check out https://docs.microsoft.com/en-us/sysi...

edit flag offensive delete link more

Comments

I suspect this is an academic exercise with the capture files provided so no opportunity to analyse the compromise as it happens.

grahamb gravatar imagegrahamb ( 2020-10-08 10:19:42 +0000 )edit
0

answered 2020-10-08 21:14:36 +0000

Kire gravatar image

As correctly pointed out a pcap does not contain process information. Although if the network capture is made on a Windows system using the netsh command you would get an ETL trace file (not a pcap) that does contain this information and using the right tools you would get a pcap.

If you only have a pcap to go on, the first step is to look at which protocols where captured. This can be found in the statistics > protocol hierarchy.

Small question, please point out if it is an academic exercise or not. It is not that we don't want to help you. I just don't want to make your homework and if you are really having a security incident let us know and we will try to help you further but you will need things like sysmon logs on the system and a bit of command line kung fu to start with.

edit flag offensive delete link more
0

answered 2020-10-08 08:56:04 +0000

grahamb gravatar image

In general, traffic captures don't have any direct information on the processes used to send traffic, although on some platforms some information can be obtained.

Examining the traffic can lead one to infer such things, e.g. seeing the filename in an FTP download for instance.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2020-10-08 03:15:11 +0000

Seen: 2,444 times

Last updated: Oct 08 '20

Related questions