We often get emails from readers stating that they feel their system is compromised, even though they "do nothing". Most of the time, our response is "that's normal". Indeed, most modern operating systems, not just Windows, generate a lot of network traffic without any user activity. But I found little documentation about what exactly to expect from a "normal" Windows 10 system. So I ran a quick experiment.

Microsoft offers a number of free virtual machines. I picked the "Microsoft Edge Windows 10 (x64) Stable 1809" system. I went this route because, first, it makes things more reproducible, and second, these virtual machines do not include additional software, so you only get the default Windows 10 behavior. These systems are also in a default configuration.

The initial plan was to record only the first boot. I discarded that plan quickly: after 5 minutes, I had a few hundred MB of traffic as Windows first downloaded a lot of updates (including VMware Tools). So I modified my plan: I let the system run for about an hour, until all updates were applied, then rebooted it a couple of times, making sure that it didn't download additional updates. Finally, I recorded the first few minutes after a reboot.

You can find the raw packet capture at https://isc.sans.edu/diaryimages/WindowsStartup.pcapng . I am using the PCAPNG format as I started to add comments to some of the packets. The basic features: I recorded 87 seconds. During that time, I captured 531 packets and 196 kB: 20 DNS requests and responses, 18 TCP connections and 30 UDP connections. My host communicated with 18 other IPv4 hosts (there is no significant IPv6 traffic as the network didn't support IPv6).

Here is the short summary of the pcap: IP address of the system: 172.16.29.198. The system was configured to log in automatically. I did not open a browser window and did not interact with the system beyond powering it on. Here are some of the main features of the pcap:
There was also a DNS lookup for puppet.localdomain. Not sure if Windows is looking for a Puppet server here for configuration files. See anything I missed?
Johannes 4040 Posts ISC Handler Apr 12th 2019
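The headline figures in the diary (packet and byte counts, capture length, DNS lookups, TCP and UDP "connections", number of peer hosts) can be reproduced from any capture without Wireshark. The following is an added example, not code from the diary: a small hand-rolled parser for the classic libpcap format plus a summarizer that counts the same things, run over a constructed six-frame capture. It reuses the diary's VM address 172.16.29.198 and the puppet.localdomain lookup; the resolver 172.16.29.2, the web host 203.0.113.10 and the example.com query are assumptions. Note that the diary's file is PCAPNG, which this parser deliberately does not read; convert it first with Wireshark's editcap (`editcap -F pcap WindowsStartup.pcapng out.pcap`).

```python
"""Reproduce the diary's capture summary (packets, bytes, duration, DNS names,
TCP/UDP connections, peer hosts) from a classic libpcap file with a hand-rolled
parser. Added example, not from the diary; the capture below is constructed."""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4      # classic pcap, microsecond timestamps
PCAP_MAGIC_BE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def ip2b(addr):
    return bytes(int(x) for x in addr.split('.'))


def b2ip(raw):
    return '.'.join(str(b) for b in raw)


def parse_pcap(data):
    """Yield (timestamp, frame) tuples from classic pcap bytes (not pcapng)."""
    magic, = struct.unpack_from('<I', data, 0)
    if magic == PCAP_MAGIC_LE:
        bo = '<'
    elif magic == PCAP_MAGIC_BE:
        bo = '>'
    else:
        raise ValueError('not classic pcap; convert pcapng with: editcap -F pcap in.pcapng out.pcap')
    off = 24                                  # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from(bo + 'IIII', data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + caplen]
        off += caplen


def dns_qname(msg):
    """First question name of a DNS message; questions do not use label compression."""
    labels, off = [], 12                      # 12-byte DNS header
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode('ascii', 'replace'))
        off += 1 + n
    return '.'.join(labels)


def summarize(data, host):
    """Count what the diary counts; a 'connection' is a direction-independent flow."""
    packets = nbytes = 0
    first = last = None
    peers, tcp_flows, udp_flows, dns_queries = set(), set(), set(), []
    for ts, frame in parse_pcap(data):
        packets, nbytes, last = packets + 1, nbytes + len(frame), ts
        first = ts if first is None else first
        if len(frame) < 34 or struct.unpack_from('!H', frame, 12)[0] != ETHERTYPE_IPV4:
            continue                          # ARP, IPv6 etc. are not counted as peers
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        src, dst = b2ip(ip[12:16]), b2ip(ip[16:20])
        peers.add(dst if src == host else src)
        if proto not in (PROTO_TCP, PROTO_UDP):
            continue
        l4 = ip[ihl:]
        sport, dport = struct.unpack_from('!HH', l4, 0)
        flow = tuple(sorted([(src, sport), (dst, dport)]))   # same key for both directions
        (tcp_flows if proto == PROTO_TCP else udp_flows).add(flow)
        if proto == PROTO_UDP and src == host and dport == 53:
            dns_queries.append(dns_qname(l4[8:]))         # skip the 8-byte UDP header
    return {'packets': packets, 'bytes': nbytes, 'duration': (last or 0) - (first or 0),
            'peers': sorted(peers), 'tcp_connections': len(tcp_flows),
            'udp_connections': len(udp_flows), 'dns_queries': dns_queries}


# --- constructed sample capture (not the diary's pcap) ---------------------------
HOST = '172.16.29.198'          # the diary's VM address
RESOLVER = '172.16.29.2'        # assumed local resolver
WEB = '203.0.113.10'            # assumed remote web host (TEST-NET-3)


def eth(payload):
    return b'\x00' * 6 + b'\x11' * 6 + struct.pack('!H', ETHERTYPE_IPV4) + payload


def ipv4(src, dst, proto, payload):                       # checksum left 0; parser ignores it
    return struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ip2b(src), ip2b(dst)) + payload


def udp(sport, dport, payload):
    return struct.pack('!HHHH', sport, dport, 8 + len(payload), 0) + payload


def tcp(sport, dport, flags):                             # bare 20-byte header, no payload
    return struct.pack('!HHIIBBHHH', sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def dns(name, flags):
    qname = b''.join(bytes([len(l)]) + l.encode() for l in name.split('.')) + b'\x00'
    return struct.pack('!HHHHHH', 0x1234, flags, 1, 0, 0, 0) + qname + struct.pack('!HH', 1, 1)


def sample_capture():
    frames = [
        (0.00, eth(ipv4(HOST, RESOLVER, PROTO_UDP, udp(51000, 53, dns('puppet.localdomain', 0x0100))))),
        (0.01, eth(ipv4(RESOLVER, HOST, PROTO_UDP, udp(53, 51000, dns('puppet.localdomain', 0x8183))))),  # NXDOMAIN
        (0.50, eth(ipv4(HOST, RESOLVER, PROTO_UDP, udp(51001, 53, dns('example.com', 0x0100))))),
        (1.00, eth(ipv4(HOST, WEB, PROTO_TCP, tcp(49700, 443, 0x02)))),    # SYN
        (1.20, eth(ipv4(WEB, HOST, PROTO_TCP, tcp(443, 49700, 0x12)))),    # SYN/ACK, same connection
        (2.50, eth(ipv4(HOST, WEB, PROTO_TCP, tcp(49701, 80, 0x02)))),     # second connection
    ]
    out = [struct.pack('<IHHiIII', PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in frames:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1e6))
        out.append(struct.pack('<IIII', sec, usec, len(frame), len(frame)) + frame)
    return b''.join(out)


if __name__ == '__main__':
    for key, value in summarize(sample_capture(), HOST).items():
        print(f'{key}: {value}')
```

The flow key sorts the two (address, port) endpoints so that a SYN and its SYN/ACK count as one connection, which is also why the sample reports two TCP and two UDP "connections" from six frames. To run it against a real file, pass `open('out.pcap', 'rb').read()` and your VM's address to `summarize()`; the returned `dns_queries` list is the quickest way to spot lookups like puppet.localdomain.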
Apr 12th 2019 1 year ago
s/live/life/
James 35 Posts |
Apr 12th 2019 1 year ago
This is a great read and should be done for all major OSes: Mac, Ubuntu, LinuxMint, and so on. With this one could quickly check for reference.
remy 1 Posts |
Apr 13th 2019 1 year ago