Connartist: Sound an overweight end point network in Powershell

In the digital scene today, understanding what is happening behind the scenes on an individual machine can quickly be very important. presentation ConnartistIt is a simple, obvious PowerShell text designed specifically to monitor network connections at one end point – ideal for security tests or diagnostic tasks without the need for heavy tools like Wireshark.

What is Konarest?

Connartist is a simple and approved tool on PowerShell network based on PowerShell designed specifically for single finish points. Connartist helps you determine the unexpected or problematic network activity.

With Conntist, you can:

• Record the active TCP connections along with responsible operations.
• Optionally capture the DNS queries made by the end point.
• Local (private) IP traffic liquidation for brief records.
• Monitor and prevent frequent registration through repeated smart detection.

How does Conntist work?

Here’s how it works:

Preparation

The text program calls for two direct questions:

• Whether to liquidate local traffic (private IP).
• Whether to capture DNS inquiries.

Based on your responses, Connartist adjusts its monitoring appropriately.

Active monitoring

Connartist continuously:

• Active TCP connections records, including detailed descriptive data (time, process, distant address, distant host).
• Optionally records DNS inquiries, capturing query names and time tables.
• It avoids repeated entries by maintaining internal tracking.

Clear registration

The pictured data is accurately coordinated and stored locally:

• TCP calls have been registered tcp_log.txt.
• DNS inquiries stored in dns_log.txt.

Conartist implementation

Step 1: Preparation

• Keep the PowerShell text presented ConnArtist.ps1.
• Make sure you have permissions to write records (C:\Users\Public\).

Step 2: Implementation

• PowerShell run as an official.

• Implementation of the text program:

  powershell.exe -ExecutionPolicy Bypass -File "C:\Path\To\ConnArtist.ps1"
  

• You demand the answer regarding the liquidation of local traffic and DNS based on your use condition.

Step 3: Continuous monitoring

• Connartist monitors the network every 5 seconds, providing visions in actual time.
• Weaken Ctrl+C To stop monitoring at any time.

Example use cases

• Security checks: Specify the unexpected external communications that can indicate harmful programs or unauthorized activity.
• Diagnostic tasks: Explining and repairing errors by identifying problem communications or DNS decisions.

Connartist customization

Adjust the locations of the registry or time breaks as needed:

$tcpLogFile = "C:\Users\Public\tcp_log.txt"
$dnsLogFile = "C:\Users\Public\dns_log.txt"

# Modify monitoring interval as desired
Start-Sleep -Seconds 5

Adjust the liquidation of the local network

For fine filtering, you may need to customize your local IP ranges. Modify the following function to suit the eighties of your network:

function IsPrivateIP($ipAddress) {
    try {
        $ip = [System.Net.IPAddress]::Parse($ipAddress)
        if ($ip.AddressFamily -eq 'InterNetwork') { # IPv4
            return ($ipAddress -like '10.*' -or
                    $ipAddress -like '172.16.*' -or
                    $ipAddress -like '192.168.*') # Modify these octets to your local network range
        } elseif ($ip.AddressFamily -eq 'InterNetworkV6') { # IPv6
            return ($ip.IsIPv6LinkLocal -or $ip.IsIPv6SiteLocal)
        } else {
            return $false
        }
    } catch {
        return $false
    }
}

Why use Connartist?

• Lightweight: No complex installations or settings required.
• Clear visions: Clearly, readable records easily.
• Focus: Designed for PinPoint tests on one end points.
• Actual time monitoring: Rapid detection of unusual activities or communication issues.

Connartist simplifies the vision of the end point network, which quickly provides the potential security concerns or network problems to explore and repair errors quickly and effectively.

Happy observation!

#Another        /\_[]_/\
#    fine      |] _||_ [|
#       ___     \/ || \/
#      /___\       ||
#     (|0 0|)      ||
#   __/{\U/}\_ ___/vvv
#  / \  {~}   / _|_P|
#  | /\  ~   /_/   []
#  |_| (____)        
#  \_]/______\  Barberion  
#     _\_||_/_     Production      
#    (_,_||_,_)
#
# Define log file paths for TCP and DNS logs
$tcpLogFile = "C:\Users\Public\tcp_log.txt"
$dnsLogFile = "C:\Users\Public\dns_log.txt"

# Function to check if an IP address is private
function IsPrivateIP($ipAddress) {
    try {
        $ip = [System.Net.IPAddress]::Parse($ipAddress)
        if ($ip.AddressFamily -eq 'InterNetwork') { # IPv4
            return ($ipAddress -like '10.*' -or
                    $ipAddress -like '172.16.*' -or
                    $ipAddress -like '192.168.*')
        } elseif ($ip.AddressFamily -eq 'InterNetworkV6') { # IPv6
            return ($ip.IsIPv6LinkLocal -or $ip.IsIPv6SiteLocal)
        } else {
            return $false
        }
    } catch {
        return $false
    }
}

# Ask the user if they want to filter out local traffic
$filterPrivateIPs = (Read-Host "Do you want to filter out local traffic? (yes/no)").Trim().ToLower()
$filterPrivate = $filterPrivateIPs -eq 'yes' -or $filterPrivateIPs -eq 'y'

# Ask the user if they want to capture DNS requests
$dnsCaptureInput = (Read-Host "Do you want to capture DNS requests? (yes/no)").Trim().ToLower()
$captureDNS = $dnsCaptureInput -eq 'yes' -or $dnsCaptureInput -eq 'y'

# Output the monitoring message at the top
Write-Host "Monitoring network connections. Press Ctrl+C to stop."
Add-Content -Path $tcpLogFile -Value "Monitoring TCP connections. Press Ctrl+C to stop."
Add-Content -Path $dnsLogFile -Value "Monitoring DNS connections. Press Ctrl+C to stop."

# Define the headers
$tcpHeader = "{0,-20} {1,-20} {2,-25} {3}" -f "Date/Time", "Process", "Remote Address", "Remote Host"
$dnsHeader = "{0,-20} {1,-30}" -f "Date/Time", "DNS Query"

Write-Host $tcpHeader
Write-Host ("-" * 90)
Add-Content -Path $tcpLogFile -Value $tcpHeader
Add-Content -Path $tcpLogFile -Value ("-" * 90)

if ($captureDNS) {
    $dnsLogName = "Microsoft-Windows-DNS-Client/Operational"
    if (-not (Get-WinEvent -ListLog $dnsLogName).IsEnabled) {
        Write-Host "Enabling DNS client operational log..."
        try {
            wevtutil sl $dnsLogName /e:true
        } catch {
            Write-Host "Failed to enable DNS client operational log. You may need to run PowerShell as Administrator."
            $captureDNS = $false
        }
    }
    if ($captureDNS) {
        # Initialize the last DNS check time
        $lastDNSCheckTime = Get-Date
        # Output the DNS header
        Write-Host $dnsHeader
        Write-Host ("-" * 50)
        Add-Content -Path $dnsLogFile -Value $dnsHeader
        Add-Content -Path $dnsLogFile -Value ("-" * 50)
    }
}

# To prevent duplication, maintain hashsets of logged connections and DNS queries
$loggedConnections = @{}
$loggedDNSQueries = @{}

while ($true) {
    # Get current network connections
    $currentConnections = Get-NetTCPConnection -State Established

    if ($filterPrivate) {
        $currentConnections = $currentConnections | Where-Object {
            $_.RemoteAddress -ne '127.0.0.1' -and
            $_.RemoteAddress -ne '::1'
        }
    }

    foreach ($conn in $currentConnections) {
        $connectionKey = "$($conn.OwningProcess)|$($conn.RemoteAddress):$($conn.RemotePort)"
        if (-not $loggedConnections.ContainsKey($connectionKey)) {
            if (-not $filterPrivate -or (-not (IsPrivateIP $conn.RemoteAddress))) {
                $dateTime = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
                $process = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
                $processName = if ($process) { $process.ProcessName } else { 'N/A' }
                $remoteHost = $conn.RemoteAddress
                try {
                    $dnsEntry = [System.Net.Dns]::GetHostEntry($conn.RemoteAddress)
                    $remoteHost = $dnsEntry.HostName
                } catch {
                    # Could not resolve host
                }
                $remoteAddressPort = "$($conn.RemoteAddress):$($conn.RemotePort)"
                $logEntry = "TCP {0,-20} {1,-20} {2,-25} {3}" -f $dateTime, $processName, $remoteAddressPort, $remoteHost
                Add-Content -Path $tcpLogFile -Value $logEntry
                Write-Host $logEntry
                # Add the connection to the loggedConnections hashset to prevent future duplicates
                $loggedConnections[$connectionKey] = $true
            }
        }
    }

    if ($captureDNS) {
        try {
            # Get new DNS query events
            $dnsEvents = Get-WinEvent -FilterHashtable @{
                LogName = 'Microsoft-Windows-DNS-Client/Operational';
                Id = 3008;
                StartTime = $lastDNSCheckTime
            } -ErrorAction SilentlyContinue
            
            if ($dnsEvents) {
                foreach ($event in $dnsEvents) {
                    $dateTime = $event.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
                    $queryName = $event.Properties[0].Value
                    if (-not $loggedDNSQueries.ContainsKey($queryName)) {
                        $dnsEntry = "DNS {0,-20} {1,-30}" -f $dateTime, $queryName
                        Add-Content -Path $dnsLogFile -Value $dnsEntry
                        Write-Host $dnsEntry
                        # Add the DNS query to the loggedDNSQueries hashset to prevent future duplicates
                        $loggedDNSQueries[$queryName] = $true
                    }
                }
                # Update the last DNS check time
                $lastDNSCheckTime = Get-Date
            }
        } catch {
            # Suppress any errors related to DNS event fetching
        }
    }

    Start-Sleep -Seconds 5
}