Udostępnij za pośrednictwem


Generating netstat output and scenario based tracing using netsh when a specific event occurs in the eventlog-using Powershell

I was working on a case, where I needed to get netstat outpiut to understand certain connections  behavior and I needed to do that for a particular event in the event log. It was really difficult to get this output exactly at the time this event was occuring. So I started working on it in my lab. I used my previous blog post about nmcap and eventmon and idea of powershell, which is a amazing tool and technology.

for event id I did not have to do much, i used the same script mentioned in my previous blog post where i had reference: https://blogs.technet.com/b/netmon/archive/2007/02/22/eventmon-stopping-a-capture-based-on-an-eventlog-event.aspx

I simplified that in my blog post : https://blogs.technet.com/b/sooraj-sec/archive/2011/12/23/using-eventmon-and-nmcap-to-take-network-monitor-trace-when-a-particular-event-is-generated.aspx Now  i m trying to modify it further to get netstat output when an event occurs.

Step1 :Copy the contents of the script given in above post shown below in a notepad and save it as EvtMon.vbs and put this in a folder lets call it netstat and in my lab i put it in c:\netstat location

 

'======================================================================
' Print out the help when something is not typed in correctly or when
' nothing at all is typed in.

Public Sub PrintHelp
    Wscript.Echo "Usage:"
    Wscript.Echo " EvtMon EventNumber [LogFileDisplayName]"
    Wscript.Echo " LogFile is optional. If used, the eventlog name"
    Wscript.Echo " file ie, application, system, security, etc..."
End Sub

' Get the arguments. Check for event nubmer and log file as arugments
Set objArgs = WScript.Arguments

' See how many arguments we have and colect them.
if objArgs.Count < 1 OR objArgs.Count > 2 Then
    PrintHelp
ElseIf objArgs.Count > 1 Then
    EventNumber = objArgs(0)
    LogFile = objArgs(1)
Else
    EventNumber = objArgs(0)
    LogFile = ""
End If

If EventNumber <> "" Then

    strComputer = "."

    ' Attatch to the WMI Service
    Set objWMIService = GetObject("winmgmts:{(Security)}\\" & _
            strComputer & "\root\cimv2")

    ' if the LogFile is populated add this to our query. Create a
    ' Event Log monitoring object and send it a query.
    If LogFile = "" Then
        Set colMonitoredEvents = objWMIService.ExecNotificationQuery _   
            ("Select * from __InstanceCreationEvent Where " _
                & "TargetInstance ISA 'Win32_NTLogEvent' " _
                    & "and TargetInstance.EventCode = '" _
                    & EventNumber & "'")
    Else
        Set colMonitoredEvents = objWMIService.ExecNotificationQuery _   
            ("Select * from __InstanceCreationEvent Where " _
                & "TargetInstance ISA 'Win32_NTLogEvent' " _
                    & "and TargetInstance.EventCode = '" _
                    & EventNumber _
                    & "' and TargetInstance.LogFile = '" _
                    & LogFile & "'")
    End If

    ' Create an object which returns when the next event occurs.
    Set objLatestEvent = colMonitoredEvents.NextEvent
   
    ' Print some info based on the event log we encountered.
    Wscript.Echo objLatestEvent.TargetInstance.User
    Wscript.Echo objLatestEvent.TargetInstance.TimeWritten
    Wscript.Echo objLatestEvent.TargetInstance.Message
    WScript.Echo objLatestEvent.TargetInstance.Logfile
    Wscript.Echo
End If

 

Step2 : Copy the contents of the batch file below in a notepad and save it as netstat.bat in same folder

@echo off

cscript //NoLogo EvtMon.vbs %2 %3
powershell.exe -command "&  netstat -ano | Out-file c:\netstat\netstat.txt
ping -n 1 4.3.2.1
goto :EOF

 

 

Note: You can see that I m taking output of the file at location c:\netstat\netstat.txt

Usage : After saving the two files at c:\netstat folder, Open up a elevated command prompt and then go to the folder, where we have saved these two files and then run command(this is an example command here,  1502 is the event id) -> netstat ports 1502 

reference snapshots below

 

Note : once you run this command it just waits for the event to occur

 

This event "1502 "gets generated when you update the group policy , I used this event in my lab, for a quick repro as whenever you run gpupdate/force this event will be generated, so I ran gpupdate /force as shown below

 

after this I got 1502 event and got my netstat output as well as you can see in my snapshot below

 

 

for people who like to experiment, the batch file can be modified to get a filtered out put as shown below, in following batch file i filtered the output for filtered connections, similarly we can filter for other connection stated , even more specificaly the attacks e.g. half open connections, which show up as "Syn_received"

***********************************************

@echo off

cscript //NoLogo EvtMon.vbs %2 %3

powershell.exe -command "&  netstat -aonp TCP | select-string "ESTABLISHED" | Out-file c:\netstat\netstat.txt

ping -n 1 4.3.2.1
goto :EOF

***********************************************

 

Collecting Scenario based tracing using netsh when an event occurs

 

 Following section is about a scenario if you want to collect netsh scenario based trace to look at various networking components when a particular event occurs.

So instructions about the eventmon.vbs and contents remain the same , You modify the contents of batch file as below and let us say save it as netsh1.bat

*******************************************************************

@echo off
cscript //NoLogo EvtMon.vbs %2 %3
netsh trace start scenario=netconnection capture=yes tracefile=c:\netconnect.etl
ping -n 30 4.3.2.1
netsh trace stop

goto :EOF

 *******************************************************************

and run it like

 

here netsh1 is your file name, ports is just a place holder , 1704 is your event id.

 

in the batch file i have introduced delay of few minutes by pinging 4.3.2.1 ,30 times so that we can get good amount of trace collected at the time of issue. we can vary this number as per amount of delay we want.

so once the event will occur netsh tracing would start and after 30 pings tracing will stop and file will be located at c:\netconnect.etl.

so after event occurs , you will see this at the end explaining the data has been captured with its location and that tracing was stopped.