This process requires that the remote computer runs Windows 7 or later (the first release that ships netsh trace) and that you can run PSEXEC.exe against it (available from Sysinternals). PowerShell remoting works just as well; anything that can launch a process on the remote computer will do.
First, we need to start the trace on the remote computer. We will do this with the following command:
PSEXEC -d \\DEMOCLIENT1 netsh trace start capture=yes tracefile=c:\temp\capture.etl maxsize=512 filemode=circular overwrite=yes report=no correlation=no IPv4.SourceAddress=(192.168.0.10,192.168.0.11) IPv4.DestinationAddress=(192.168.0.10,192.168.0.11) Ethernet.Type=IPv4
You can alter what gets captured and how much data is kept. In this example, we capture only IPv4 frames in which both the source and the destination address belong to the two listed hosts, into a circular log with a maximum size of 512 MB. The report=no and correlation=no options skip the report and event correlation that netsh trace otherwise performs when the trace is stopped, which makes the stop command return much faster. The -d switch makes PSEXEC return without waiting; that is fine for the start, because the trace keeps running on the remote computer after netsh returns.
Next, we generate some traffic to fill the trace, for example with Ping.exe between the two filtered addresses.
Next, we stop the trace on the remote computer. Because -d makes PSEXEC return immediately, netsh may still be writing the file when the command comes back; either run the stop without -d so PSEXEC waits for netsh to finish, or give it a moment before copying the file:
PSEXEC -d \\DEMOCLIENT1 netsh trace stop
Now copy the trace file to the local machine through the administrative share, for example:
XCOPY \\DEMOCLIENT1\C$\Temp\capture.etl c:\temp
If you still have Microsoft Message Analyzer (it has been deprecated and is no longer available for download), you can open the trace file locally. If you don't, or you simply prefer Wireshark, follow along.
If you have Message Analyzer but prefer to use Wireshark, you can export the file to a capture format Wireshark reads.
And then you can open it in Wireshark.
If you don't have Message Analyzer, use Microsoft's etl2pcapng conversion tool from GitHub (https://github.com/microsoft/etl2pcapng), which turns the ETL file into a pcapng file.
The syntax is simple:
Etl2pcapng.exe c:\temp\capture.etl c:\temp\capture.pcapng
Now you can open the resulting .pcapng file in Wireshark.
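The same procedure, driven end to end with PowerShell remoting instead of PSEXEC, as an added example that is not part of the original post. It reuses the computer name, addresses and file paths from the commands above; everything else is an assumption made for the example: WinRM is enabled on DEMOCLIENT1, you are a local administrator there, DEMOCLIENT1 is one of the two filtered addresses so a ping to the other one shows up in the trace, PowerShell 5.0 or later is available (for Copy-Item -FromSession), and etl2pcapng.exe has been placed at C:\Tools\etl2pcapng.exe. Because Invoke-Command waits for netsh to exit, the stop step is guaranteed to have finished writing the file before the copy starts.

```powershell
# Added example (not from the original post): remote netsh trace via PowerShell remoting.
# Assumptions: WinRM enabled on the target, local admin rights there, PowerShell 5+,
# and etl2pcapng.exe at C:\Tools\etl2pcapng.exe (assumed path).
$Target     = 'DEMOCLIENT1'
$Hosts      = '192.168.0.10,192.168.0.11'   # addresses from the page
$PeerIp     = '192.168.0.11'                # assumed: the "other" host to ping
$RemoteEtl  = 'C:\Temp\capture.etl'
$LocalEtl   = 'C:\Temp\capture.etl'
$Pcapng     = 'C:\Temp\capture.pcapng'
$Etl2Pcapng = 'C:\Tools\etl2pcapng.exe'     # assumed install location

$session = New-PSSession -ComputerName $Target

# 1. Start the trace with the same filter as the PSEXEC command: IPv4 only,
#    both endpoints in $Hosts, circular 512 MB file, no report/correlation.
Invoke-Command -Session $session -ScriptBlock {
    param($Etl, $Hosts)
    New-Item -ItemType Directory -Path (Split-Path $Etl) -Force | Out-Null
    netsh trace start capture=yes "tracefile=$Etl" maxsize=512 filemode=circular `
        overwrite=yes report=no correlation=no `
        "IPv4.SourceAddress=($Hosts)" "IPv4.DestinationAddress=($Hosts)" Ethernet.Type=IPv4
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed (exit code $LASTEXITCODE)" }
} -ArgumentList $RemoteEtl, $Hosts

# 2. Generate some traffic that matches the filter (ping from the target to its peer).
Invoke-Command -Session $session -ScriptBlock {
    param($Peer)
    ping.exe -n 4 $Peer | Out-Null
} -ArgumentList $PeerIp

# 3. Stop the trace. Invoke-Command blocks until netsh has flushed the ETL file,
#    so unlike PSEXEC -d there is no race with the copy below.
Invoke-Command -Session $session -ScriptBlock {
    netsh trace stop
    if ($LASTEXITCODE -ne 0) { throw "netsh trace stop failed (exit code $LASTEXITCODE)" }
}

# 4. Pull the ETL file back over the remoting session (no admin share needed).
New-Item -ItemType Directory -Path (Split-Path $LocalEtl) -Force | Out-Null
Copy-Item -FromSession $session -Path $RemoteEtl -Destination $LocalEtl -Force
Remove-PSSession $session

# 5. Convert ETL -> pcapng for Wireshark.
& $Etl2Pcapng $LocalEtl $Pcapng
if ($LASTEXITCODE -ne 0) { throw "etl2pcapng failed (exit code $LASTEXITCODE)" }

# 6. Sanity check: a pcapng file starts with the Section Header Block type
#    0x0A0D0D0A, i.e. the bytes 0A 0D 0D 0A (the same in either byte order).
$stream = [System.IO.File]::OpenRead($Pcapng)
$magic  = New-Object byte[] 4
$null   = $stream.Read($magic, 0, 4)
$stream.Close()
if (($magic -join ',') -ne '10,13,13,10') {
    throw "$Pcapng does not look like a pcapng file (first bytes: $($magic -join ' '))"
}
Write-Host "Converted $LocalEtl to $Pcapng ($((Get-Item $Pcapng).Length) bytes); open it in Wireshark."
```

The filter arguments are passed as quoted strings because the parentheses in IPv4.SourceAddress=(…) would otherwise be parsed by PowerShell as a subexpression rather than handed to netsh literally. The final check catches the common failure where etl2pcapng ran but produced an empty or truncated file, for instance when the ETL was copied before netsh trace stop had finished.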