Remotely Capture Traffic from a Domain Controller and Analyze It Locally

This blog post will walk you through the steps of remotely capturing traffic from a domain controller and then analyzing it locally. This can be useful for troubleshooting network issues or investigating security incidents.

Requirements

  • A Windows computer with PowerShell
  • The NetEventPacketCapture PowerShell module
  • The etl2pcapng PowerShell module
  • A domain controller that you have administrative privileges on

Steps

  1. Create a CIM session.
New-CimSession -ComputerName DC1.ad.bitsadmin.com
  1. Start a network event session on the domain controller.
New-NetEventSession -Name sess -CimSession $s -LocalFilePath "C:\Windows\Temp\Trace.etl" -CaptureMode SaveToFile
  1. Add a network event packet capture provider to the session.
Add-NetEventPacketCaptureProvider -SessionName sess -CimSession $s -Level 4 -CaptureType Physical
  1. Start the network event session.
Start-NetEventSession -Name sess -CimSession $s
  1. Capture traffic for a while.

The amount of time you need to capture traffic will depend on what you are trying to investigate. Once you have captured enough traffic, you can stop the session.

  1. Stop the network event session.
Stop-NetEventSession -Name sess -CimSession $s
  1. Copy the .etl file from the domain controller to your local computer.
Move-Item \\DC1.ad.bitsadmin.com\C$\Windows\Temp\Trace.etl C:\tmp
  1. Convert the .etl file to a .pcapng file.
etl2pcapng C:\tmp\Trace.etl C:\tmp\trace.pcapng
  1. Analyze the .pcapng file with your favorite network traffic analyzer.

There are many different network traffic analyzers available, such as Wireshark and Microsoft Network Monitor. Once you have opened the .pcapng file in your analyzer, you can start to investigate the traffic that you captured.

Tips

  • You can use the Get-NetEventSession cmdlet to view information about the network event sessions that are currently running.
  • You can use the Remove-NetEventSession cmdlet to remove a network event session.
  • If you are having trouble capturing traffic, you can try increasing the capture level.
  • You can also use the NetEventPacketCapture PowerShell module to capture traffic from other sources, such as network adapters and virtual machines.

Briefly all commands:

New-NetEventSession -Name sess -CimSession $s -LocalFilePath "C:\Windows\Temp\Trace.etl" -CaptureMode SaveToFile
Add-NetEventPacketCaptureProvider -SessionName sess -CimSession $s -Level 4 -CaptureType Physical
Start-NetEventSession -Name sess -CimSession $s
Get-NetEventSession -Name sess -CimSession $s

Stop-NetEventSession -Name sess -CimSession $s
Remove-NetEventSession -Name sess -CimSession $s
Move-Item \\DC1.ad.bitsadmin.com\C$\Windows\Temp\Trace.etl C:\tmp

About Mahyar

OrcID: 0000-0001-8875-3362 ​PhD Candidate (National Academy of Sciences of Ukraine - Institute for Telecommunications and Global Information) MCP - MCSA - MCSE - MCTS Azure Security Engineer Associate MCITP: Enterprise Administrator CCNA, CCNP (R&S , Security) ISO/IEC 27001 Lead Auditor CHFI v10 ECIH v2

Check Also

NTLMRelay2Self over HTTP (Webdav)

Just a walkthrough of how to escalate privileges locally by forcing the system you landed …