Correlates running processes to point-in-time network traffic for triage analysis of Windows hosts.
- Extract and correlate process metadata to ingress and egress network traffic on the Windows host.
- Provide data relevant to security analysis, whether reviewed manually or ingested into a SIEM.
- Parse all the things.
- Python3
NetProc.py gathers network traffic and the process information affiliated with each connection for quick security analysis. The data is written to a CSV file in the directory the script is run from, with the following column headers:
- Hostname
- Process Time Creation
- Username
- Parent Process ID
- Parent Process Name
- Process ID
- Process Name
- SHA256 Hash
- Command Line
- Connection Status
- Source IP
- Source Port
- Destination IP
- Destination Port
- Country Code
- ASN
- WHOIS Description
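As an added example (not NetProc.py's own code), the following script shows the correlation the tool performs: it parses a constructed `netstat -ano` snapshot, joins each connection to a constructed process table by PID, hashes the process image when it is readable on disk, and emits rows under exactly the headers listed above. The process table, hostname, addresses and the internal-range list used by the triage filter are assumptions made for the example; on a live host the table would be populated from psutil or WMI, and the Country Code, ASN and WHOIS columns require an online lookup, so they are left blank here.

```python
import csv
import hashlib
import io
import ipaddress
import os
from dataclasses import dataclass
from typing import Dict, List

# NetProc's documented CSV columns, in the documented order.
NETPROC_HEADERS = [
    "Hostname", "Process Time Creation", "Username", "Parent Process ID",
    "Parent Process Name", "Process ID", "Process Name", "SHA256 Hash",
    "Command Line", "Connection Status", "Source IP", "Source Port",
    "Destination IP", "Destination Port", "Country Code", "ASN", "WHOIS Description",
]

@dataclass
class ProcInfo:
    pid: int
    name: str
    ppid: int
    parent_name: str
    username: str
    cmdline: str
    exe: str       # on-disk image path; "" for kernel-backed processes such as System
    created: str

# Constructed `netstat -ano` output in the layout Windows prints
# (Proto, Local Address, Foreign Address, State, PID; UDP rows have no State column).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    10.0.0.5:49812         203.0.113.10:443       ESTABLISHED     4120
  TCP    [::1]:49700            [::1]:445              ESTABLISHED     4
  TCP    10.0.0.5:49901         198.51.100.7:8080      TIME_WAIT       7788
  UDP    0.0.0.0:5355           *:*                                    1540
"""

# Constructed process table (assumed values). PID 7788 is deliberately absent to
# model a process that exited between the connection and process snapshots.
SAMPLE_PROCS: Dict[int, ProcInfo] = {p.pid: p for p in (
    ProcInfo(4, "System", 0, "", "NT AUTHORITY\\SYSTEM", "", "", "2024-01-01 08:00:00"),
    ProcInfo(912, "svchost.exe", 700, "services.exe", "NT AUTHORITY\\SYSTEM",
             "svchost.exe -k RPCSS", r"C:\Windows\System32\svchost.exe", "2024-01-01 08:00:05"),
    ProcInfo(1540, "svchost.exe", 700, "services.exe", "NT AUTHORITY\\NETWORK SERVICE",
             "svchost.exe -k NetworkService", r"C:\Windows\System32\svchost.exe", "2024-01-01 08:00:07"),
    ProcInfo(4120, "msedge.exe", 3900, "explorer.exe", "CORP\\alice",
             "msedge.exe --profile-directory=Default",
             r"C:\Program Files\Microsoft\Edge\Application\msedge.exe", "2024-01-01 09:12:44"),
)}

# The example's own definition of "internal": loopback, unspecified, link-local and RFC 1918/ULA.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7", "::/128")]


def split_endpoint(endpoint: str):
    """'[::1]:445' -> ('::1', '445'); '*:*' -> ('*', '*'). Splits on the last colon so IPv6 survives."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text: str) -> List[dict]:
    """Turn `netstat -ano` lines into connection dicts keyed by PID."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            _, local, foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            _, local, foreign, pid = parts
            state = ""
        else:
            continue  # unexpected layout: skip rather than attribute the row to a wrong PID
        sip, sport = split_endpoint(local)
        dip, dport = split_endpoint(foreign)
        conns.append({"sip": sip, "sport": sport, "dip": dip, "dport": dport,
                      "state": state, "pid": int(pid)})
    return conns


def sha256_file(path: str) -> str:
    """SHA-256 of the process image if it is readable, else ''. The sample paths
    above do not exist where this example runs, so their hash column stays empty."""
    if not path or not os.path.isfile(path):
        return ""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_rows(netstat_text: str, procs: Dict[int, ProcInfo], hostname: str = "HOST-EXAMPLE") -> List[dict]:
    """Join each connection to its process by PID and shape it as a NetProc CSV row."""
    rows = []
    for c in parse_netstat(netstat_text):
        p = procs.get(c["pid"])
        if p is None:  # process gone between snapshots: keep the connection, mark the gap
            p = ProcInfo(c["pid"], "<exited>", -1, "", "", "", "", "")
        rows.append(dict(zip(NETPROC_HEADERS, [
            hostname, p.created, p.username, str(p.ppid), p.parent_name,
            str(p.pid), p.name, sha256_file(p.exe), p.cmdline, c["state"],
            c["sip"], c["sport"], c["dip"], c["dport"],
            "", "", "",  # Country Code / ASN / WHOIS need an online lookup; blank offline
        ])))
    return rows


def is_external(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # '*' or blank foreign address
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def external_rows(rows: List[dict]) -> List[dict]:
    """Triage filter: rows whose peer lies outside the internal ranges."""
    return [r for r in rows if is_external(r["Destination IP"])]


def to_csv(rows: List[dict]) -> str:
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=NETPROC_HEADERS, lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(external_rows(build_rows(SAMPLE_NETSTAT, SAMPLE_PROCS))))
```

A PID reported by netstat may no longer exist by the time the process table is read; the example keeps such rows with a `<exited>` marker rather than dropping them, because the connection itself is still evidence worth reviewing. UDP rows are parsed with an empty Connection Status, since Windows prints no state for them.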
- With Python3 installed, run the following commands from a Windows terminal with Administrative privileges. Elevation matters because the command line, image path and owner of processes belonging to other users and to SYSTEM are not readable from a standard user token, which would leave those columns empty for exactly the processes most worth reviewing.
pip install -r .\requirements.txt
python .\netproc.py