Mastering Network Filter Drivers: NTDL (Part 7)

Mastering Network Filter Drivers: Unraveling the Mystery



In this article, we'll dive into the world of network filter drivers, exploring their significance in monitoring network activities and how they can be employed effectively using Windows Defender and Velociraptor. We'll discuss different types of network activities, such as TCP and UDP connections, URL access, DNS queries, and file downloads, and provide examples of how network filter drivers can be utilised for enhanced monitoring and security. Additionally, we'll explore how to detect malicious traffic on NetBIOS, SMB, RDP, and NTLM network traffic, and enable advanced detection in Windows Defender for networks.



 

Tip 1: Grasping the Concept of Network Filter Drivers


Network filter drivers are kernel-mode drivers that monitor, intercept, and modify network traffic in real-time. They play an essential role in monitoring network activities like TCP and UDP connections, URL access, DNS queries, and file downloads. You can use Windows Defender and Velociraptor to analyse the data captured by these drivers for any suspicious or unauthorised activities.



 

Tip 2: Monitoring TCP Connections with Velociraptor


To monitor TCP connections, you can use the following Velociraptor VQL query and analyze the results for any suspicious or unauthorised connections:



SELECT * FROM network_connections WHERE family = 2 AND protocol = 6

To identify potentially malicious TCP connections, you can narrow down the results based on specific criteria such as connections to known malicious IP addresses, non-standard ports, or suspicious connection durations. Here's an example of a refined query:

SELECT * FROM network_connections 
WHERE family = 2 AND protocol = 6 
AND (
    remote_address IN ('<malicious_IP_1>', '<malicious_IP_2>', '<malicious_IP_3>') OR
    remote_port NOT IN (80, 443) OR
    duration > <suspicious_duration_threshold>
)

Replace <malicious_IP_1>, <malicious_IP_2>, <malicious_IP_3> with known malicious IP addresses that you want to monitor. Replace <suspicious_duration_threshold> with a value (in seconds) that you consider suspicious for connection duration.


Adjust the list of remote ports as needed, depending on the standard ports you want to exclude from the results.

Keep in mind that these refinements are just examples and should be tailored to your specific environment and threat intelligence sources.




 

Tip 3: Keeping an Eye on UDP Connections with Velociraptor

Similarly, Velociraptor can be employed to track and inspect UDP connections, helping you identify any unusual or malicious traffic patterns. Use the following VQL query to monitor UDP connections:



SELECT * FROM network_connections WHERE family = 2 AND protocol = 17
 

Tip 4: Analyzing URL Access with Windows Defender

Windows Defender can be configured to monitor and log URL access, allowing you to identify any potentially harmful websites being accessed by users or applications on your network. To enable URL access monitoring in Windows Defender, follow these steps:

  1. Open Windows Security.

  2. Click on "Virus & threat protection."

  3. Click on "Manage settings" under "Virus & threat protection settings."

  4. Turn on "Block potentially unwanted apps."


 

Tip 5: Inspecting DNS Queries with Velociraptor

By using Velociraptor, you can examine DNS queries and detect any attempts to access malicious domains or perform DNS-based attacks. Use the following VQL query to monitor DNS queries:



SELECT * FROM dns_cache

 

Tip 6: Tracking File Downloads with Windows Defender

To monitor file downloads, you can configure Windows Defender to log and inspect any files being downloaded, ensuring that only legitimate and safe files are being transferred. Follow these steps to enable file download monitoring in Windows Defender:

  1. Open Windows Security.

  2. Click on "App & browser control."

  3. Click on "Reputation-based protection settings."

  4. Turn on "Check apps and files" and "SmartScreen for Microsoft Edge."


 

Tip 7: Detecting Malicious Traffic on NetBIOS, SMB, RDP, and NTLM Network Traffic with Velociraptor

Velociraptor can be utilized to monitor and analyze network traffic for NetBIOS, SMB, RDP, and NTLM protocols, helping you identify any suspicious or unauthorized activities. Use the following VQL queries to monitor these protocols:


- NetBIOS:



SELECT * FROM network_connections WHERE remote_port = 139 OR remote_port = 137

- SMB:



SELECT * FROM network_connections WHERE remote_port = 445

- RDP:



SELECT * FROM network_connections WHERE remote_port = 3389

- NTLM:


SELECT * FROM windows_events WHERE event_id = 4624 AND logon_type = 3
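
The Tip 2 refinement and the Tip 7 protocol selection, exercised offline as an added example (not code from the original article or from Velociraptor). SQLite is used only as a stand-in so the article's column names (`family`, `protocol`, `remote_address`, `remote_port`, `duration`) can be queried; the sample rows, the blocklist entry and the 3600-second threshold are constructed, and `load`, `triage_tcp` and `by_service` are hypothetical helper names.

```python
import sqlite3

# Constructed sample rows: (family, protocol, remote_address, remote_port, duration_s)
SAMPLE_ROWS = [
    (2, 6, "198.51.100.7", 443, 12),    # ordinary HTTPS, should not be flagged
    (2, 6, "203.0.113.66", 443, 30),    # address on the blocklist
    (2, 6, "192.0.2.10", 445, 5),       # SMB
    (2, 6, "192.0.2.11", 3389, 7200),   # long-lived RDP session
    (2, 6, "192.0.2.12", 139, 3),       # NetBIOS session service
    (2, 17, "192.0.2.13", 137, 1),      # NetBIOS name service (UDP)
    (2, 6, "198.51.100.8", 80, 4000),   # standard port, but long-lived
]
BLOCKLIST = {"203.0.113.66"}            # placeholder threat-intel entry
STANDARD_PORTS = {80, 443}
MAX_DURATION = 3600                     # seconds, assumed threshold
SERVICES = {137: "NetBIOS", 139: "NetBIOS", 445: "SMB", 3389: "RDP"}

def load(rows):
    """Build an in-memory table shaped like the article's network_connections."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE network_connections (family INTEGER, protocol INTEGER,"
               " remote_address TEXT, remote_port INTEGER, duration INTEGER)")
    db.executemany("INSERT INTO network_connections VALUES (?, ?, ?, ?, ?)", rows)
    return db

def triage_tcp(db):
    """Apply the refined TCP filter and record which criterion each row hit."""
    findings = []
    rows = db.execute("SELECT remote_address, remote_port, duration FROM network_connections"
                      " WHERE family = 2 AND protocol = 6 ORDER BY rowid")
    for addr, port, duration in rows:
        reasons = []
        if addr in BLOCKLIST:
            reasons.append("blocklisted address")
        if port not in STANDARD_PORTS:
            reasons.append("non-standard port")
        if duration > MAX_DURATION:
            reasons.append("long duration")
        if reasons:  # equivalent to the OR of the three conditions in the query
            findings.append((addr, port, SERVICES.get(port, "other"), reasons))
    return findings

def by_service(db, service):
    """Select connections by remote port, the field that identifies the service."""
    ports = sorted(p for p, name in SERVICES.items() if name == service)
    marks = ", ".join("?" * len(ports))
    sql = f"SELECT remote_address FROM network_connections WHERE remote_port IN ({marks})"
    return [addr for (addr,) in db.execute(sql, ports)]
```

Recording the reason per row shows which of the OR-ed criteria fired, which a bare `SELECT *` with the same filter does not.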
 

Tip 8: Enabling Advanced Detection on Windows Defender for Networks

To enable advanced detection capabilities in Windows Defender for network traffic, follow these steps:


1. Open Windows Security.

2. Click on "Firewall & network protection."

3. Click on "Advanced settings."

4. In the Windows Defender Firewall with Advanced Security window, click on "Inbound Rules" and "Outbound Rules" to create and configure custom rules for monitoring network traffic based on specific protocols, ports, or IP addresses.


Conclusion:

Network filter drivers play a critical role in monitoring network activities and ensuring the security of your systems. By understanding their capabilities and employing them effectively using Windows Defender and Velociraptor, you can gain greater visibility and control over your network traffic, ultimately enhancing your security posture.



Hope you liked the article about how to discover the potential of network filter drivers for monitoring network activities, including advanced protocols, with Windows Defender and Velociraptor! 🌐🔍🔒.

