Remotely Capture Traffic from a Domain Controller and Analyze It Locally

This blog post will walk you through the steps of remotely capturing traffic from a domain controller and then analyzing it locally. This can be useful for troubleshooting network issues or investigating security incidents.

Requirements

  • A Windows computer with PowerShell
  • The NetEventPacketCapture PowerShell module
  • The etl2pcapng PowerShell module
  • A domain controller that you have administrative privileges on

Steps

  1. Create a CIM session to the domain controller and keep it in a variable; the following cmdlets reference it as $s.
$s = New-CimSession -ComputerName DC1.ad.bitsadmin.com
  2. Create a network event session on the domain controller.
New-NetEventSession -Name sess -CimSession $s -LocalFilePath "C:\Windows\Temp\Trace.etl" -CaptureMode SaveToFile
  3. Add a network event packet capture provider to the session.
Add-NetEventPacketCaptureProvider -SessionName sess -CimSession $s -Level 4 -CaptureType Physical
  4. Start the network event session.
Start-NetEventSession -Name sess -CimSession $s
  5. Capture traffic for a while.

The amount of time you need to capture traffic will depend on what you are trying to investigate. Once you have captured enough traffic, you can stop the session.

  6. Stop the network event session.
Stop-NetEventSession -Name sess -CimSession $s
  7. Copy the .etl file from the domain controller to your local computer (the command below moves it via the admin share, which also removes the trace file from the DC's Temp folder).
Move-Item \\DC1.ad.bitsadmin.com\C$\Windows\Temp\Trace.etl C:\tmp
  8. Convert the .etl file to a .pcapng file.
etl2pcapng C:\tmp\Trace.etl C:\tmp\trace.pcapng
  9. Analyze the .pcapng file with your favorite network traffic analyzer.

There are many different network traffic analyzers available, such as Wireshark and Microsoft Network Monitor. Once you have opened the .pcapng file in your analyzer, you can start to investigate the traffic that you captured.
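The nine steps above wrapped in a single function, as an added example that is not from the original post. It assumes the NetEventPacketCapture module is available, that you have admin rights (and admin-share access) on the DC, and that etl2pcapng.exe is on PATH; the try/finally guarantees the capture session is stopped and removed from the DC even if the script is interrupted.

```powershell
# Added example (not from the original post). Assumptions: NetEventPacketCapture
# module present, admin rights on the DC, admin share reachable, etl2pcapng.exe on PATH.
function Invoke-RemoteDcCapture {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int]    $Seconds     = 60,
        [string] $RemoteEtl   = 'C:\Windows\Temp\Trace.etl',
        [string] $LocalDir    = 'C:\tmp',
        [string] $SessionName = 'sess'
    )

    $s = New-CimSession -ComputerName $ComputerName
    try {
        # A session left behind by an interrupted run makes New-NetEventSession fail,
        # so remove any existing session with the same name first.
        Get-NetEventSession -CimSession $s -ErrorAction SilentlyContinue |
            Where-Object Name -eq $SessionName |
            ForEach-Object { Remove-NetEventSession -Name $_.Name -CimSession $s }

        New-NetEventSession -Name $SessionName -CimSession $s `
            -LocalFilePath $RemoteEtl -CaptureMode SaveToFile | Out-Null
        Add-NetEventPacketCaptureProvider -SessionName $SessionName -CimSession $s `
            -Level 4 -CaptureType Physical | Out-Null
        Start-NetEventSession -Name $SessionName -CimSession $s

        Write-Verbose "Capturing on $ComputerName for $Seconds seconds"
        Start-Sleep -Seconds $Seconds
    }
    finally {
        # Runs even if the script is interrupted, so no trace keeps running (and growing) on the DC.
        Stop-NetEventSession   -Name $SessionName -CimSession $s -ErrorAction SilentlyContinue
        Remove-NetEventSession -Name $SessionName -CimSession $s -ErrorAction SilentlyContinue
        Remove-CimSession $s
    }

    # Fetch the .etl over the admin share (C:\... -> \\DC\C$\...) and convert it locally.
    New-Item -ItemType Directory -Path $LocalDir -Force | Out-Null
    $share    = $RemoteEtl -replace '^([A-Za-z]):', '$1$'
    $localEtl = Join-Path $LocalDir (Split-Path $RemoteEtl -Leaf)
    $pcapng   = [IO.Path]::ChangeExtension($localEtl, '.pcapng')
    Move-Item -Path "\\$ComputerName\$share" -Destination $localEtl -Force   # also removes it from the DC
    & etl2pcapng.exe $localEtl $pcapng
    if ($LASTEXITCODE -ne 0) { throw "etl2pcapng failed with exit code $LASTEXITCODE" }
    return $pcapng
}

# Usage: Invoke-RemoteDcCapture -ComputerName DC1.ad.bitsadmin.com -Seconds 120 -Verbose
```

The function returns the local .pcapng path, so the result can be opened directly in Wireshark.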

Tips

  • You can use the Get-NetEventSession cmdlet to view information about the network event sessions that are currently running.
  • You can use the Remove-NetEventSession cmdlet to remove a network event session.
  • If you are having trouble capturing traffic, you can try increasing the capture level.
  • You can also use the NetEventPacketCapture PowerShell module to capture traffic from other sources, such as network adapters and virtual machines.

All commands in brief:

$s = New-CimSession -ComputerName DC1.ad.bitsadmin.com
New-NetEventSession -Name sess -CimSession $s -LocalFilePath "C:\Windows\Temp\Trace.etl" -CaptureMode SaveToFile
Add-NetEventPacketCaptureProvider -SessionName sess -CimSession $s -Level 4 -CaptureType Physical
Start-NetEventSession -Name sess -CimSession $s
Get-NetEventSession -Name sess -CimSession $s

Stop-NetEventSession -Name sess -CimSession $s
Remove-NetEventSession -Name sess -CimSession $s
Move-Item \\DC1.ad.bitsadmin.com\C$\Windows\Temp\Trace.etl C:\tmp
etl2pcapng C:\tmp\Trace.etl C:\tmp\trace.pcapng

About Mahyar

OrcID: 0000-0001-8875-3362. PhD Candidate (National Academy of Sciences of Ukraine - Institute for Telecommunications and Global Information). MCP, MCSA, MCSE, MCTS; Azure Security Engineer Associate; MCITP: Enterprise Administrator; CCNA, CCNP (R&S, Security); ISO/IEC 27001 Lead Auditor; CHFI v10; ECIH v2.
