0

How to find the program that was executed to compromise the user?

Hi! I am quite new to Wireshark, so I am still trying to find my way around things. My task is to find the name of the program that was executed to compromise the user (i.e. a program that was carried out to give the attacker root privileges). My first instinct was to go through the HTTP requests; however, I am still having trouble identifying which programs were the ones that allowed the hacker to gain root access.

Could I please have some assistance?

Thanks!

3
datasciencedal
asked 2020-10-08 03:15:11 +0000

3 Answers

0

In general, traffic captures don't have any direct information on the processes used to send traffic, although on some platforms some information can be obtained.

Examining the traffic can lead one to infer such things, e.g. seeing the filename in an FTP download for instance.

23.8k
grahamb
answered 2020-10-08 08:56:04 +0000
0

Wireshark is not the tool you are looking for. Check out https://docs.microsoft.com/en-us/sysi...

76
hugo.vanderkooij
answered 2020-10-08 09:41:30 +0000

Comments

I suspect this is an academic exercise with the capture files provided so no opportunity to analyse the compromise as it happens.

grahamb (2020-10-08 10:19:42 +0000)
0

As correctly pointed out, a pcap does not contain process information. However, if the network capture is made on a Windows system using the netsh command, you get an ETL trace file (not a pcap) that does contain this information, and using the right tools you can get a pcap from it.

If you only have a pcap to go on, the first step is to look at which protocols were captured. This can be found in Statistics > Protocol Hierarchy.

Small question: please point out whether it is an academic exercise or not. It is not that we don't want to help you; I just don't want to do your homework. If you are really having a security incident, let us know and we will try to help you further, but you will need things like Sysmon logs on the system and a bit of command-line kung fu to start with.

1
Kire
answered 2020-10-08 21:14:36 +0000
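An added illustration of grahamb's point that file names can be inferred from the traffic itself and of Kire's advice to start from what was actually captured; this is example code written for this page, not code from any answer above. It is a stdlib-only Python parser that walks the TCP payloads of a pcap and pulls out HTTP request paths and FTP RETR names; the capture it reads is constructed inline (zeroed checksums, hypothetical file names and addresses), and a name seen on the wire only shows what reached the host, not that it was executed.

```python
import re, struct

def make_frame(payload: bytes, dport: int) -> bytes:
    """Wrap payload in a minimal Ethernet/IPv4/TCP frame (checksums zeroed; constructed test data)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10])) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip   # zero MACs, EtherType 0x0800 = IPv4

def make_pcap(frames) -> bytes:
    """Write frames into a little-endian pcap file image (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1600000000 + i, 0, len(frame), len(frame)) + frame
    return out

# Constructed sample capture: one HTTP GET and one FTP RETR, both for hypothetical file names.
SAMPLE_PCAP = make_pcap([
    make_frame(b"GET /downloads/update.sh HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n", 80),
    make_frame(b"RETR tool.tar.gz\r\n", 21),
])

def tcp_segments(pcap: bytes):
    """Yield (dst_port, payload) for each IPv4/TCP segment; assumes a little-endian Ethernet pcap."""
    off = 24                                     # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":          # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:                   # not TCP
            continue
        tcp = frame[14 + ihl:]
        dport = struct.unpack_from("!H", tcp, 2)[0]
        yield dport, tcp[(tcp[12] >> 4) * 4:]    # data offset is the high nibble of byte 12

FILE_PATTERNS = [
    re.compile(rb"^(?:GET|POST) (\S+) HTTP/1\.[01]", re.M),   # HTTP request line
    re.compile(rb"^RETR (\S+)\r?$", re.M),                      # FTP download command
]

def downloaded_files(pcap: bytes) -> list:
    """File names requested over HTTP/FTP: evidence of what reached the host, not proof it was executed."""
    names = []
    for _, payload in tcp_segments(pcap):
        for pattern in FILE_PATTERNS:
            names += [m.decode("ascii", "replace") for m in pattern.findall(payload)]
    return names
```

On a real capture, the same idea is a one-liner in tshark (`-Y http.request` or `-Y ftp.request.command == "RETR"` with `-T fields`), but the file name still has to be matched against host-side evidence such as Sysmon process creation logs before anyone can say it ran.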
