Another way to see application communications

Good afternoon, colleagues. As you know, there is a very useful utility called sysmon. In a nutshell, it collects and logs events that occur in Windows. One such event is an attempt to establish a network connection, so the log can tell you where your applications go. For this we need:
- sysmon itself
- a configuration for it (I prefer to use this one)
- the PSQuickGraph module
- and a little imagination

Sysmon writes its events to the Microsoft-Windows-Sysmon/Operational log, so we need to read them out, parse them and display them. Something like this:
. So we need to get them out, disassemble and display. Something like this: 3r3-300. 3r3114. 3r3386. $ ids = Get-WinEvent -LogName Microsoft-Windows-Sysmon /Operational | ? {$ _. id -eq 3}
3r3-300. 3r3114. 3r3102. Unfortunately, the values in property
$ commObjects = $ ids | % {
New-Object psobject -Property @ {
RuleName = $ _. Properties[0].value
UtcTime = $ _. Properties[1].value
ProcessGuid = $ _. Properties[2].value
ProcessId = $ _. Properties[3].value
Image = $ _. Properties[4].value
User = $ _. Properties[5].value
Protocol = $ _. Properties[6].value
Initiated = $ _. Properties[7].value
SourceIsIpv6 = $ _. Properties[8].value
SourceIp = $ _. Properties[9].value
SourceHostname = $ _. Properties[10].value
SourcePort = $ _. Properties[11].value
SourcePortName = $ _. Properties[12].value
DestinationIsIpv6 = $ _. Properties[13].value
DestinationIp = $ _. Properties[14].value
DestinationHostname = $ _. Properties[15].value
DestinationPort = $ _. Properties[16].value
DestinationPortName = $ _. Properties[17].value
SourceString = "$ ($ _. Properties[4].Value)`: $ ($ _. Properties[3].Value) "3r3114. DestinationString = "$ ($ _. Properties[14].Value)`: $ ($ _. Properties[16].Value) "3r3114.}
}
3r3114. $ g = New-Graph -Type BidirectionalGraph
$ commObjects | % {
Add-Edge -From $ _. SourceString -To $ _. DestinationString -Graph $ g | Out-Null
}
3r3114. Show-GraphLayout -Graph $ g Properties
as a list, just values, no keys. Therefore, in order to bind them, I had to act rudely. Ultimately, we simply take these values from each log entry, convert them to objects, and then add them to the graph as vertices and display. 3r3-300. 3r3114. 3r3102. It is important to remember that a process with the same "path" can be started many times. On the other hand, a vertex with the same name is not added twice. Therefore, in order to uniquely represent each process on a graph, we slightly modify the original set of values by adding two new ones. This allows us to accurately identify the process, since its identifier is a relatively unique value. 3r3-300. 3r3114. 3r3386. SourceString = "$ ($ _. Properties[4].Value)`: $ ($ _. Properties[3].Value) "3r3114. DestinationString = "$ ($ _. Properties[14].Value)`: $ ($ _. Properties[16].Value) "
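Positional parsing is the weak point of the script above, and Image:PID is a weak vertex key. As an added example that is not part of the original post, the following reads the same Event ID 3 records by field name from the event XML (Get-WinEvent records expose it through ToXml()), keys the source vertex on ProcessGuid instead of the PID, and runs constructed sample records through it so it works without a Sysmon log at hand. The function names ConvertFrom-SysmonNetworkEvent and New-SampleEvent and all sample values (GUIDs, paths, addresses) are my own inventions; the PSQuickGraph calls in the trailing comment are the ones the post itself uses.

```powershell
# Added example (not from the original post). Parses Sysmon Event ID 3 records by
# field name via the event XML instead of by Properties[] index, keys the source
# vertex on ProcessGuid instead of a reusable PID, and summarises edges before
# drawing. Function names are my own; the sample events are constructed test data.

function ConvertFrom-SysmonNetworkEvent {
    # Accepts EventLogRecord objects from Get-WinEvent or raw event XML strings and
    # emits one object per Event ID 3 record, keyed by the <Data Name=...> attributes.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $InputObject)
    process {
        $raw = if ($InputObject -is [string]) { $InputObject } else { $InputObject.ToXml() }
        [xml]$x = $raw
        if ([int]$x.Event.System.EventID -ne 3) { return }     # not a network connection
        $f = @{}
        foreach ($d in $x.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            UtcTime           = $f['UtcTime']
            ProcessGuid       = $f['ProcessGuid']
            ProcessId         = [int]$f['ProcessId']
            Image             = $f['Image']
            User              = $f['User']
            Protocol          = $f['Protocol']
            Initiated         = ($f['Initiated'] -eq 'true')
            SourceIp          = $f['SourceIp']
            SourcePort        = [int]$f['SourcePort']
            DestinationIp     = $f['DestinationIp']
            DestinationPort   = [int]$f['DestinationPort']
            # ProcessGuid is unique per process instance; a PID is reused after exit.
            SourceString      = '{0}:{1}' -f $f['Image'], $f['ProcessGuid']
            DestinationString = '{0}:{1}' -f $f['DestinationIp'], $f['DestinationPort']
        }
    }
}

function New-SampleEvent([hashtable]$Fields) {
    # Builds a minimal Sysmon-style Event ID 3 XML string from a hashtable.
    # Constructed test data only; the order of <Data> elements is deliberately unspecified.
    $data = ($Fields.GetEnumerator() | ForEach-Object {
        "<Data Name='$($_.Key)'>$([System.Security.SecurityElement]::Escape([string]$_.Value))</Data>"
    }) -join ''
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>" +
    "<System><EventID>3</EventID></System><EventData>$data</EventData></Event>"
}

$sample = @(
    # two connections from one instance of example.exe
    New-SampleEvent @{ RuleName = '-'; UtcTime = '2018-10-04 17:39:01.000'
        ProcessGuid = '{A1B2C3D4-0001-0000-0000-000000000001}'; ProcessId = 4120
        Image = 'C:\Program Files\Example\example.exe'; User = 'LAB\alice'; Protocol = 'tcp'
        Initiated = 'true'; SourceIp = '10.0.0.5'; SourcePort = 51000
        DestinationIp = '203.0.113.10'; DestinationPort = 443 }
    New-SampleEvent @{ RuleName = '-'; UtcTime = '2018-10-04 17:39:05.000'
        ProcessGuid = '{A1B2C3D4-0001-0000-0000-000000000001}'; ProcessId = 4120
        Image = 'C:\Program Files\Example\example.exe'; User = 'LAB\alice'; Protocol = 'tcp'
        Initiated = 'true'; SourceIp = '10.0.0.5'; SourcePort = 51001
        DestinationIp = '203.0.113.10'; DestinationPort = 80 }
    # same image and same PID number, but a later process instance (different GUID):
    # an Image:PID vertex would silently merge it with the one above
    New-SampleEvent @{ RuleName = '-'; UtcTime = '2018-10-05 08:02:00.000'
        ProcessGuid = '{A1B2C3D4-0002-0000-0000-000000000002}'; ProcessId = 4120
        Image = 'C:\Program Files\Example\example.exe'; User = 'LAB\alice'; Protocol = 'tcp'
        Initiated = 'true'; SourceIp = '10.0.0.5'; SourcePort = 49152
        DestinationIp = '198.51.100.7'; DestinationPort = 8080 }
    # pre-Sysmon-8 record with no RuleName: Properties[4] would be User here,
    # but name-based parsing still picks up Image
    New-SampleEvent @{ UtcTime = '2018-10-05 08:03:00.000'
        ProcessGuid = '{A1B2C3D4-0003-0000-0000-000000000003}'; ProcessId = 988
        Image = 'C:\Windows\System32\svchost.exe'; User = 'NT AUTHORITY\SYSTEM'; Protocol = 'udp'
        Initiated = 'true'; SourceIp = '10.0.0.5'; SourcePort = 52000
        DestinationIp = '10.0.0.1'; DestinationPort = 53 }
)

$conns = $sample | ConvertFrom-SysmonNetworkEvent

# Edge summary: one row per process instance with its distinct destinations.
$conns | Group-Object SourceString | ForEach-Object {
    [pscustomobject]@{
        Process     = $_.Name
        Connections = $_.Count
        Endpoints   = ($_.Group.DestinationString | Sort-Object -Unique) -join ', '
    }
} | Format-Table -AutoSize -Wrap

# On a live host, feed the log itself in and draw it with PSQuickGraph, as in the post:
#   $conns = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3 } |
#       ConvertFrom-SysmonNetworkEvent
#   $g = New-Graph -Type BidirectionalGraph
#   $conns | ForEach-Object { Add-Edge -From $_.SourceString -To $_.DestinationString -Graph $g | Out-Null }
#   Show-GraphLayout -Graph $g
```

The summary table is worth looking at before drawing anything: on a busy host the graph quickly becomes unreadable, while a per-process list of distinct endpoints already shows which image talks to the most places. Because the parser keys on ProcessGuid, the two example.exe instances that share PID 4120 stay separate rows, and the record without a RuleName field parses the same as the others.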
This is how it might look:

(screenshot of the resulting graph)

Hope this comes in handy.
Author: weber
Published: 4-10-2018, 20:39
Category: Information Security / PowerShell