CFW Monitoring Windows Process Connections

Status
Not open for further replies.

AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
Started last night setting up some rules for good times' sake :) for monitoring Windows connections via the CFW log. An example is that CFW can monitor svchost connections between home network PCs with an IPv6 rule set to Allow and then Log each event. This traffic is auto-allowed with the original Windows System Applications allow rule, but logging all of these events leads to DNS event spam in the log, basically rendering it useless.

The idea is working very well so far, albeit just for observation purposes at this point. I think it may lead to some nice rules for logging connection attempts from remote PCs (another neighborhood network or via the internet).

WannaCry gave me some initiative for experimenting with monitoring Windows allows by using Comodo to log processes like rundll32.exe, lsass.exe, dllhost.exe, svchost.exe, services.exe, taskhost.exe (or taskengine, not sure which or both?), dwm.exe, and winlogon.exe. Then I was thinking of monitoring the script engines. From a security standpoint, anyone know of a comprehensive list of Windows processes that a developer/malware writer can use to achieve an internet connection?
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
You could try Glasswire -- it is the best source of info on processes connecting to the internet, and it is free. If you have a third-party firewall, such as Comodo, you won't be able to allow/block internet connection, but you will still be able to watch what's happening.
 

AtlBo

If you have a third-party firewall, such as COMODO, you won't be able to allow/block internet connection, but you will still be able to watch what's happening.

Interesting. Noticed some Akamai Technologies connections in the CFW log last PM, so I re-researched some things about Akamai. From previous research on the company I had the impression that MS hosted updates or other downloads on Akamai servers (among its other clients), but I decided to see how many domains the company owns. Turns out Akamai owns from 23.0.0.0 to 23.79.255.255. By my math that is over 5 million IP addresses :eek:. Sure seems like we should know more about this company. Anyway, I decided to block the connections with Comodo Firewall so I created a global rule blocking the IP range. Haven't noticed any issues yet, but this is actually just an experiment anyway. By the way, literally just below Akamai in the 22.x.x.x range is the DoD (22.255.255.255 is DoD). Seems a little bit cozy I guess.

At any rate, it is possible to block connections based on IP/IP range in/out or port in/out using Comodo. This isn't very practical o/c. For now, I am just attempting to get into MS' head with the network connections and how they are routed, etc. I enabled logging for System rules in the firewall rules, and that is showing all the attempts of PCs to connect via "Neighbor Solicitation". That's all on the home router network so far that I can tell, but maybe there is some discovery of available connections in the area in there. I plan to look over the logs more when I get some time.

Glasswire is good, but it credits too much traffic with svchost.exe and Windows processes. There isn't a good breakdown of what is 100% system/Windows related traffic vs what is just using Windows. Yeah, you will see the legit apps in there just not the sketchy ones. If there were any rogue internet activity happening beneath the surface somehow via a wrongly trusted .tmp or something, chances are it would show up as a Windows process like svchost in G/W or at least that was my impression when I was using it up until about 6 months ago. G/W is also a little bit heavy on resources with all the data it collects. Not that it's a heavy application just sitting there in the tray, but it does some amount of data compiling and does do a fair amount of system monitoring.

Just about any process can be made to connect out.

Thanks that's kind of the impression I had. I am getting a kick out of randomly allowing things and then logging though. If there were a bouncer type app for internet connections that would be perfect for me...easy to config and easy to see traffic.
 

509322

@Lockdown, are there any particular processes that a user should keep his eye on?
  • cmd
  • rundll32
  • regsvr32
  • cscript
  • wscript
  • wmic
  • reg
  • at
  • powershell
  • powershell_ise
  • schtasks
  • NET Framework objects (e.g. RegAsm, vbc, etc)
There are lists of often abused processes here at MT and over at Wilders

It's a good idea for users who have the inclination to educate themselves on "vulnerable" processes

Awareness goes a long way
 

509322

Thanks that's kind of the impression I had. I am getting a kick out of randomly allowing things and then logging though. If there were a bouncer type app for internet connections that would be perfect for me...easy to config and easy to see traffic.

Wireshark but it is pretty much used on an on-demand basis

You might be able to setup extended logging and specify output

You can probably use SysInternals' TCPView to specify an output file (log) via command line switch - but I am not 100% sure on that detail

Perhaps the same can be done with NirSoft CurrPorts - and there is a companion utility for it too
 

AtlBo

Wireshark but it is pretty much used on an on-demand basis

Good idea. I have Wireshark on another computer here, so I have some experience monitoring that way. I'll take a look and see if I can come up with some useful monitoring rules that don't create a whole pile of data. Maybe I can get some ideas for some Comodo log rules and maybe even some ask rules in the process.

Myself not being experienced enough to say, is it true that the Comodo firewall element is crude compared to the rest of the program at this point? Only saying so because HIPs has the Protected Objects and HIPs Groups, along with all of the rules options and rules and exceptions. Firewall seems like the wild frontier in comparison with options there but not much in the way of suggestions from Comodo when it comes to what to consider blocking or to consider for "ask" rules.
 

509322

Good idea. I have Wireshark on another computer here, so I have some experience monitoring that way. I'll take a look and see if I can come up with some useful monitoring rules that don't create a whole pile of data. Maybe I can get some ideas for some COMODO log rules and maybe even some ask rules in the process.

Myself not being experienced enough to say, is it true that the COMODO firewall element is crude compared to the rest of the program at this point? Only saying so because HIPs has the Protected Objects and HIPs Groups, along with all of the rules options and rules and exceptions. Firewall seems like the wild frontier in comparison with options there but not much in the way of suggestions from COMODO when it comes to what to consider blocking or to consider for "ask" rules.

I think COMODO's logging is some of the best. There is fairly extensive filtering. It is learning how to use the logging\filtering that throws users into a state of frustration.
 
  • Like
Reactions: SHvFl and AtlBo

AtlBo

The logging is OK imo. Maybe compared to others it stacks up well or very well. What I meant mostly was the rules creation canvas in Comodo Firewall etc. doesn't seem all that powerful for the firewall module. The best a-v suites with their firewalls have a lot of activity behind the scenes with unusual activity being monitored and the like. For those, if malware gets on your system and attempts to contact out, smart walling hopefully will block any transactions. On the other hand the Comodo firewall is in comparison a "dumb" wall. At any rate I like the idea of monitoring for behaviors that are sketchy, not just malicious ones, and I don't require/want a smart wall. Actually, I think I would just like Comodo to be at least to a small degree somehow on the record with their firewall about what should be accepted practice or policy for achieving non-chaotic internet activity.

Anyway, with Comodo HIPs, you have a template and then options you can work with to build on the defaults if you want to do so. With the firewall the options are far less. OK with this type of firewall, no one is going to create a smart rule that links with heuristics to block an outbound connection, so I'm not expecting that. It's just that it would be nice to see what Comodo considers policy to adhere to, be it from MS based connections or otherwise. I mean, I've been uncomfortable with connection practices of responsible developers in the past. Should a service be allowed to connect in or out that isn't MS? imo it's bad policy to mix svchost and standard applications...registered security maybe but not every old whitelisted app.
 
  • Like
Reactions: SHvFl

509322

The logging is OK imo. Maybe compared to others it stacks up well or very well. What I meant mostly was the rules creation canvas in COMODO Firewall etc. doesn't seem all that powerful for the firewall module. The best a-v suites with their firewalls have a lot of activity behind the scenes with unusual activity being monitored and the like. For those, if malware gets on your system and attempts to contact out, smart walling hopefully will block any transactions. On the other hand the COMODO firewall is in comparison a "dumb" wall. At any rate I like the idea of monitoring for behaviors that are sketchy, not just malicious ones, and I don't require/want a smart wall. Actually, I think I would just like COMODO to be at least to a small degree somehow on the record with their firewall about what should be accepted practice or policy for achieving non-chaotic internet activity.

Anyway, with COMODO HIPs, you have a template and then options you can work with to build on the defaults if you want to do so. With the firewall the options are far less. OK with this type of firewall, no one is going to create a smart rule that links with heuristics to block an outbound connection, so I'm not expecting that. It's just that it would be nice to see what COMODO considers policy to adhere to, be it from MS based connections or otherwise. I mean, I've been uncomfortable with connection practices of responsible developers in the past. Should a service be allowed to connect in or out that isn't MS? imo it's bad policy to mix svchost and standard applications...registered security maybe but not every old whitelisted app.

Each publisher has their own philosophy.

I am not sure COMODO would go on the record other than what they have published in their help files.

You can engage Alpengreis over at the Wilders Windows Firewall Control thread. He is really into firewall stuff - big time. I'd bet he'd have all kinds of points to infos.
 

AtlBo

I'm running ReHips with Private Firewall (firewall only) on a W7 system I don't use much at the present time. I thought about WFC, but the one time I looked it was a similar situation for me with building rules. I'll look and see at Wilders and thanks very much for the advice and input. :)
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,346
I'm running ReHips with Private Firewall (firewall only) on a W7 system I don't use much at the present time. I thought about WFC, but the one time I looked it was a similar situation for me with building rules. I'll look and see at Wilders and thanks very much for the advice and input. :)
WFC paid is pretty simple. Something NEW tries to connect you will get an alert to allow it. So if you stop new processes from taking control of already allowed processes by other means (assuming you isolate frequently exploited applications with rehips and you download from safe locations you mostly cover it), WFC is a pretty solid layer of protection.
 

AtlBo

@SHvFl I'll take your word for it, you have the knowledge on these apps (and a lot of others). Is there any way to monitor everything for a while that isn't Microsoft? I block all the updaters of non-security apps.

Appreciate the help, but I have yet to see an alert even though I have notifications set to display. Rules->Outbound Filtering->Low. Have to admit for me it's hard to let go and trust anything MS, in this case the firewall.
 

AtlBo

Sometimes, but I've worked with so much software over the years, I can sense really pretty well when I need to update a program. I can also sense when a developer has checked out of the building on good policy. Anyway, it's a balance. If the updated version is still insecure, for me it's not worth the frontage involved in allowing the connection. It's a case by case choice for me, not a blanket policy. Most of them get blocked.
 

shmu26

  • cmd
  • rundll32
  • regsvr32
  • cscript
  • wscript
  • wmic
  • reg
  • at
  • powershell
  • powershell_ise
  • schtasks
  • NET Framework objects (e.g. RegAsm, vbc, etc)
So a user should keep his eye also on the internet connections of these vulnerable processes, or just generally speaking? I know that powershell is a great way to download a payload, but some of the other processes surprised me.
 
  • Like
Reactions: SHvFl and AtlBo

SHvFl

@SHvFl I'll take your word for it, you have the knowledge on these apps (and a lot of others). Is there any way to monitor everything for a while that isn't Microsoft? I block all the updaters of non-security apps.

Appreciate the help, but I have yet to see an alert even though I have notifications set to display. Rules->Outbound Filtering->Low. Have to admit for me it's hard to let go and trust anything MS, in this case the firewall.
Change the protection level to medium. Low doesn't filter anything not already in rules.

Btw I agree with @Lockdown. It's better to do updates than use a security product. Consider allowing them because you lose nothing by doing that. You can only gain security wise (in most cases).

As for WF and not trusting it I can see your point but WF is a solid product. With WFC that gives you a way to monitor things it has nothing less than any other firewall and it will never use resources (WFC does).
 
  • Like
Reactions: AtlBo

509322

So a user should keep his eye also on the internet connections of these vulnerable processes, or just generally speaking? I know that powershell is a great way to download a payload, but some of the other processes surprised me.

Just about any process can be made to connect out - even something like notepad.exe.

As far as connecting out for malicious purposes it is good to be aware of the most abused - cmd, rundll32, regsvr32, cscript, wscript, powershell, msiexec, etc. However, these processes are used for legitimate purposes - such as msiexec will check on msi\msp and connect to Microsoft server. cscript\wscript or cmd aren't generally used by the OS to connect to anything in the background.

Users that have the inclination should develop an awareness of processes shipped with Windows that are often abused. There are the various vulnerable process lists and reports on the web. It is important to learn to differentiate between legitimate OS and malicious activity on the system.

One of the easiest and most instructive ways is to set up a proper test environment, put SpyShelter Firewall into it, set SpSFW to "Ask User" and practice on a clean OS. Keep deleting the rules every few days and that will ensure the same alerts will be generated. By paying attention to the details and repeated alerts a user will learn. There's a little bit more to it than that, but it isn't complicated by any stretch of the imagination. For example, do not create permanent allow rules for interpreters. Now how hard is that?

Then the same thing, but practice with malware. For example, weaponized documents. A user will learn a pattern that weaponized documents generally will request macros to be enabled. After that an interpreter will be launched - cmd, wscript, powershell - and in the SpSFW alert the command line arguments will be shown. The user will see very often the interpreter is attempting to connect out to download something.
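Editor's added example (not code posted by anyone in this thread) showing one way to do the process-level connection monitoring discussed above with nothing but built-in Windows tooling: it snapshots the current TCP connections, maps each to its owning process and command line, drops loopback and link-local noise of the "Neighbor Solicitation" kind mentioned earlier, and flags the interpreters and often-abused processes listed in this thread. It assumes Windows 8 / Server 2012 or newer (Get-NetTCPConnection, Get-CimInstance) and an elevated PowerShell 5.1+ session; the watch list contents, the function names and the CSV path are this example's own choices.

```powershell
# Added example, not code from any post in this thread.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell 5.1+ session
# so that Path and CommandLine are readable for every process.
# Only TCP is covered: UDP endpoints carry no remote address, so DNS (UDP/53)
# chatter never shows up here, which also keeps the "DNS spam" out of the output.

# Watch list assembled from the process names posted in this thread (extension added).
$WatchList = @(
    'cmd.exe', 'rundll32.exe', 'regsvr32.exe', 'cscript.exe', 'wscript.exe',
    'wmic.exe', 'reg.exe', 'at.exe', 'powershell.exe', 'powershell_ise.exe',
    'schtasks.exe', 'msiexec.exe', 'regasm.exe', 'vbc.exe'
)

function Test-NoiseAddress {
    param([string]$Address)
    # Loopback, unspecified and link-local peers are local-machine or
    # neighbour-discovery chatter, not the outbound traffic we want to surface.
    return ($Address -in @('127.0.0.1', '::1', '0.0.0.0', '::') -or
            $Address -like 'fe80:*' -or $Address -like '169.254.*')
}

function Get-ProcessConnection {
    [CmdletBinding()]
    param(
        [string[]]$Watch = $WatchList,   # image names to flag
        [switch]$WatchOnly               # emit only flagged rows
    )

    # Command lines come from CIM; Get-Process does not expose them.
    $cmdLines = @{}
    Get-CimInstance -ClassName Win32_Process |
        ForEach-Object { $cmdLines[[int]$_.ProcessId] = $_.CommandLine }

    Get-NetTCPConnection -State Established, SynSent |
        Where-Object { -not (Test-NoiseAddress $_.RemoteAddress) } |
        ForEach-Object {
            $conn   = $_
            $procId = [int]$conn.OwningProcess
            $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
            # Prefer the image file name; fall back to the bare name (e.g. "System")
            # when the path is not readable, or note that the process already exited.
            $name = if ($proc -and $proc.Path) { [IO.Path]::GetFileName($proc.Path).ToLower() }
                    elseif ($proc)             { $proc.ProcessName }
                    else                       { "pid $procId (exited)" }
            [pscustomobject]@{
                Created     = $conn.CreationTime
                Process     = $name
                ProcessId   = $procId
                CommandLine = $cmdLines[$procId]
                Remote      = '{0}:{1}' -f $conn.RemoteAddress, $conn.RemotePort
                State       = $conn.State
                Watched     = ($Watch -contains $name)   # -contains is case-insensitive
            }
        } |
        Where-Object { $_.Watched -or -not $WatchOnly }
}

# Usage: full snapshot on screen (flagged rows first), flagged rows appended to a
# CSV so a few days of snapshots can be compared the way the SpSFW exercise above suggests.
Get-ProcessConnection | Sort-Object Watched -Descending | Format-Table -AutoSize
Get-ProcessConnection -WatchOnly |
    Export-Csv -Path (Join-Path $env:USERPROFILE 'proc-connections.csv') -Append -NoTypeInformation
```

The command line column is what makes a flagged row actionable: a scripting host or cmd.exe with an outbound connection is rarely something the OS does on its own, as the post above notes, and the arguments usually make clear whether it is a legitimate installer or update check. Running the snapshot on a schedule (for example from Task Scheduler every few minutes) turns it into a lightweight log comparable to the on-demand TCPView or CurrPorts approach suggested earlier in the thread.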
 

AtlBo

Change the protection level to medium. Low doesn't filter anything not already in rules.

@SHvFl OK, didn't understand how it works until the alerts started. Thanks.
 
  • Like
Reactions: SHvFl
