Connect to a network (NetworkConnect)

NetworkConnect events (Sysmon Event ID 3) are logged when a process makes a TCP or UDP connection on the machine. Each connection is tied to a process through the ProcessId and ProcessGuid fields, and the event also records the source and destination host names, IP addresses and port numbers, plus whether each address is IPv6 (SourceIsIpv6 / DestinationIsIpv6).
One important attribute of a NetworkConnect event is DestinationType, which tells us whether the connection was internal or external. Internal means the process is communicating with a host on the network the machine is connected to, whereas external means it is communicating with a host outside that network. Note that Sysmon itself does not emit a DestinationType field; where it appears, as here, it is added downstream from DestinationIp, typically by checking whether the address falls in a private, link-local or multicast range. Examples of internal connections made by svchost.exe and System:
[screenshot: internal NetworkConnect events from svchost.exe and System]
As the DestinationIp column shows, the processes are communicating within the 192.168.1.0/24 network that the Windows VM is attached to. On an otherwise idle host, internal connections are usually name-resolution and address-configuration traffic: LLMNR (Link-Local Multicast Name Resolution, UDP 5355), NetBIOS name service (UDP 137) and DHCPv6 (UDP 546/547). Much of it goes to broadcast or multicast addresses, which is why it never leaves the local segment.
 
Example of an external network connection made by OneDrive.exe:
[screenshots: external NetworkConnect events from OneDrive.exe, showing DestinationIp, DestinationPortName and Image]
Looking at the external connections, almost all of them go to destination port 443 (DestinationPortName https). HTTPS is HTTP over TLS and is what most legitimate software uses to reach the Internet, which also makes 443 a common choice for command-and-control traffic; the port alone therefore says little, and it is the combination with Image and DestinationHostname that makes a connection explainable. Only svchost.exe and OneDrive.exe were making external connections on the Windows VM.
Image of OneDrive.exe: C:\Users\User\AppData\Local\Microsoft\OneDrive\OneDrive.exe
Notice that OneDrive.exe lives under Users\User\AppData. In Windows, each user account has its own AppData folder, so programs can keep a separate set of settings (and, as OneDrive does, a per-user copy of the program itself) for each person using the computer. Here the folder belongs to User, which is the account I am using on the Windows VM. Because AppData is writable without administrative rights, it is also a favourite drop location for malware, so a process image under AppData that makes external connections deserves a check of the file's signature and hash rather than trust in its name.

Why does knowing the DestinationType matter?

An external connection could indicate that the attacker is using an external command-and-control (C2) server to maintain access to the machine.
An internal connection could indicate that the attacker is performing internal reconnaissance, i.e. trying to learn more about the network.
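The script below is an added example, not code from the original post or from Sysmon, that ties the two uses above back to the DestinationType discussion: it derives Internal/External from the native DestinationIp field (Sysmon Event ID 3 has no DestinationType of its own), parses events in the Windows event XML shape, and groups destinations per process image so the external talkers fall out as the list to review for C2. The events are constructed: the field names are Sysmon's real ones, the values are made up, and 203.0.113.0/24 stands in for real public addresses.

```python
"""Derive the Internal/External DestinationType for Sysmon NetworkConnect events.

Added example, not code from the original post or from Sysmon. Sysmon Event ID 3
has no DestinationType field, so this script computes one from DestinationIp.
The events below are constructed: Sysmon's real field names, made-up values.
"""
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

SYSMON_NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Destinations that never leave the local network or the host itself. Listed
# explicitly instead of using ipaddress.is_private, which also treats IANA
# documentation ranges such as 203.0.113.0/24 as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "169.254.0.0/16", "fe80::/10",                    # link-local (APIPA, IPv6)
    "127.0.0.0/8", "::1/128",                         # loopback
    "224.0.0.0/4", "ff00::/8",                        # multicast: LLMNR, mDNS, DHCPv6
    "255.255.255.255/32",                             # limited broadcast
    "fc00::/7",                                       # IPv6 unique local
)]


def destination_type(ip_text):
    """Return "Internal" or "External" for a DestinationIp value."""
    ip = ipaddress.ip_address(ip_text)
    # 'in' is False across address families, so mixing v4 and v6 networks is safe
    return "Internal" if any(ip in net for net in INTERNAL_NETS) else "External"


def event_xml(**fields):
    """Build a constructed Sysmon Event ID 3 record in the Windows event XML shape."""
    data = "".join(f'<Data Name="{name}">{value}</Data>' for name, value in fields.items())
    return (f'<Event xmlns="{SYSMON_NS}"><System><EventID>3</EventID></System>'
            f"<EventData>{data}</EventData></Event>")


def parse_event(xml_text):
    """Flatten EventData into a dict of Sysmon field name -> value."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.iter(f"{{{SYSMON_NS}}}Data")}


# Constructed events mirroring the post's cases: System and svchost.exe staying on
# the 192.168.1.0/24 LAN (and its multicast groups), OneDrive.exe and svchost.exe
# reaching public HTTPS endpoints.
SAMPLE_EVENTS = [
    event_xml(Image="System", Protocol="udp", DestinationIsIpv6="false",
              DestinationIp="192.168.1.255", DestinationPort="137", DestinationPortName="netbios-ns"),
    event_xml(Image=r"C:\Windows\System32\svchost.exe", Protocol="udp", DestinationIsIpv6="false",
              DestinationIp="224.0.0.252", DestinationPort="5355", DestinationPortName="llmnr"),
    event_xml(Image=r"C:\Windows\System32\svchost.exe", Protocol="udp", DestinationIsIpv6="true",
              DestinationIp="ff02::1:2", DestinationPort="547", DestinationPortName="dhcpv6-server"),
    event_xml(Image=r"C:\Users\User\AppData\Local\Microsoft\OneDrive\OneDrive.exe", Protocol="tcp",
              DestinationIsIpv6="false", DestinationIp="203.0.113.10", DestinationPort="443",
              DestinationPortName="https"),
    event_xml(Image=r"C:\Windows\System32\svchost.exe", Protocol="tcp", DestinationIsIpv6="false",
              DestinationIp="203.0.113.20", DestinationPort="443", DestinationPortName="https"),
]


def summarize(events_xml):
    """Group destinations by process image and derived DestinationType."""
    summary = defaultdict(lambda: {"Internal": set(), "External": set()})
    for xml_text in events_xml:
        ev = parse_event(xml_text)
        port = ev["DestinationPortName"] or ev["DestinationPort"]
        dest = f'{ev["Protocol"]}://{ev["DestinationIp"]}:{port}'
        summary[ev["Image"]][destination_type(ev["DestinationIp"])].add(dest)
    return dict(summary)


def external_talkers(events_xml):
    """Images with at least one External connection: the shortlist to review for C2."""
    return sorted(img for img, kinds in summarize(events_xml).items() if kinds["External"])


if __name__ == "__main__":
    for image, kinds in summarize(SAMPLE_EVENTS).items():
        print(image)
        for kind in ("Internal", "External"):
            for dest in sorted(kinds[kind]):
                print(f"  {kind:8s} {dest}")
    print("External talkers:", external_talkers(SAMPLE_EVENTS))
```

Feeding real events in is a matter of exporting Event ID 3 from the Microsoft-Windows-Sysmon/Operational log as XML and passing each record to parse_event; the multicast and link-local entries in INTERNAL_NETS are what keep the LLMNR and DHCPv6 traffic from svchost.exe classified as Internal, which an RFC 1918-only check would miss.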