This post is about remotely enumerating established TCP connections via WMI and importing that data into a Neo4j database. Neo4j is a graph database that is great for graphically displaying relationships between data. If the name sounds familiar, it might be because you have leveraged it while using BloodHound. Nowhere near that level of sophistication, this post uses the built-in Neo4j Desktop browser to display relationships in a simple way. Below is example output of a Neo4j query to determine which clients connect to a WSUS server over TCP/8530.
Enumerating network communications can provide valuable information regardless of whether you're on the offensive or defensive side. Offensively, enumerating dataflows can uncover new networks outside initial visibility or identify critical systems that serve as wedge points into other networks. Defensively, enumerating dataflows is good practice for identifying all sorts of malicious traffic; however, I would imagine defenders have much more advanced tools than this.
In the past I've seen netstat performed remotely using something like PsExec. In my opinion, this is a bit overkill and generates quite a bit of noise, so I tried to take an alternative route. ThunderQuery is a C# application that continuously enumerates established TCP connections via WMI. ThunderQuery polls the provided list of targets and generates two CSV files (locally, so beware): profiles.csv and networkconnections.csv. Profiles.csv holds system information for each polled target, while networkconnections.csv holds the established TCP connections and is continuously appended to. See the GitHub page for further details … I wrote a README this time!
Example run of ThunderQuery from Cobalt Strike using execute-assembly.
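The step between the appended networkconnections.csv and the Neo4j graph, as an added example that is not part of ThunderQuery or the original post: collapse repeated poll rows (and the server-side view of the same flow) into unique client→server edges, answer the "who talks to WSUS on 8530" question directly, and emit idempotent Cypher MERGE statements for the Neo4j import. The CSV column names, the sample rows and the "ephemeral port means client" heuristic are assumptions made for this example.

```python
import csv
import io
from collections import Counter

# Constructed sample in the shape of a ThunderQuery-style networkconnections.csv.
# Column names are an assumption for this example, not the tool's documented format.
# The file is appended on every poll, so identical rows recur, and a flow polled on
# both endpoints shows up once from each side (see the WSUS01 row).
SAMPLE_CSV = """Hostname,LocalAddress,LocalPort,RemoteAddress,RemotePort
WS01,10.0.1.11,49812,10.0.0.5,8530
WS01,10.0.1.11,49812,10.0.0.5,8530
WS02,10.0.1.12,50001,10.0.0.5,8530
WS02,10.0.1.12,50002,10.0.0.9,445
WSUS01,10.0.0.5,8530,10.0.1.11,49812
"""

EPHEMERAL_START = 49152  # start of the Windows dynamic (client) port range

# The Neo4j query the post's screenshot answers: clients of any host on TCP/8530.
WSUS_CLIENTS_QUERY = (
    "MATCH (c:Host)-[:CONNECTS_TO {port:8530}]->(s:Host) RETURN c.ip, s.ip"
)


def normalize_flows(csv_text):
    """Collapse polled rows into a Counter of (client_ip, server_ip, server_port).

    Heuristic (assumption): the endpoint using an ephemeral port is the client,
    so the same flow seen from either host maps to one key.
    """
    flows = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        local = (row["LocalAddress"], int(row["LocalPort"]))
        remote = (row["RemoteAddress"], int(row["RemotePort"]))
        client, server = (local, remote) if local[1] >= EPHEMERAL_START else (remote, local)
        flows[(client[0], server[0], server[1])] += 1
    return flows


def clients_of(flows, server_port):
    """Sorted client IPs connecting to any server on server_port."""
    return sorted({client for (client, _server, port) in flows if port == server_port})


def to_cypher(flows):
    """Idempotent MERGE statements that load the flows into Neo4j as Host nodes."""
    statements = []
    for (client, server, port), seen in sorted(flows.items()):
        statements.append(
            f"MERGE (c:Host {{ip:'{client}'}}) MERGE (s:Host {{ip:'{server}'}}) "
            f"MERGE (c)-[r:CONNECTS_TO {{port:{port}}}]->(s) SET r.observations = {seen}"
        )
    return statements
```

Running the emitted statements in Neo4j Desktop and then `WSUS_CLIENTS_QUERY` reproduces the client-to-WSUS view from the intro, with `observations` showing how many polls saw each flow.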