When Windows 10 Comes to Live: The First Few Minutes in the Live of a Windows 10 System

When Windows 10 Comes to Live: The First Few Minutes in the Live of a Windows 10 System
We often get emails from readers stating that they feel their system is compromised, even though they "do nothing". Most of the time, our response is "that's normal". Indeed, most modern operating systems, not just Windows, will trigger lots of network traffic without user activity. But I found little documentation about what exactly to expect from a "normal" Windows 10 system. So I ran a quick experiment: Microsoft offers a number of free virtual machines. I picked the "Microsoft Edge Windows 10 (x64) Stable 1809" system. The reason I went this route is that it first of all made things more reproducible, and secondly, these virtual machines do not include additional software, so you only get the default Windows 10 behavior. These systems are also in a default configuration. The initial plan was to only record the first boot. But I discard this quickly. After 5 minutes, I had a few hundred MBytes of traffic as Windows first downloaded a lot of updates (including VMware Tools). So I modified my plan: I let the system run for about an hour, until all updates were applied, then I rebooted it a couple of times again making sure that it didn't download additional updates. Finally, I recorded the first few minutes after a reboot. You can find the raw packet capture at https://isc.sans.edu/diaryimages/WindowsStartup.pcapng . I am using the PCAPNG format as I started to add comments to some of the packets. But here are the basic features: I recorded 87 seconds. During that time, I captured 531 packets and 196kBytes. 20 DNS requests and responses, 18 TCP connections and 30 UDP connections. My host communicated with 18 other IPv4 hosts (there is no significant IPv6 traffic as the network didn't support IPv6). Here is the short summary of the pcap: IP address of the system: 172.16.29.198 MAC Address: 00:0c:29:1f:55:7b Hostname: MSEDGEWIN10 The system was configured to log in automatically. I did not open a browser window and did not interact with the system beyond powering it on. Here are some of the main features of the pcap: initially, the operating system configures itself (IPv6 router solicitations, DHCPv6 and DHCPv4). The operating system is trying to configure a proxy via WPAD a couple of times Content for tiles is downloaded (e.g. Weather) in the clear. There are TLS connections to Bing and events.data.microsoft.com, likely for more content. connections to canonicalizer.ucsuri.tcs which is part of Microsofts "Smartscreen" anti-malware. inference.location.live.net: Microsoft's geolocation additional Live.com systems for things like Microsoft's login features. There was also a DNS lookup for puppet.localdomain. Not sure if Windows is looking for a Puppet server here for configuration files. See anything I missed? --- Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute Twitter\| I will be teaching next: Intrusion Detection In-Depth - SANS Cyber Defense Forum & Training	Johannes 3952 Posts ISC Handler Apr 12th 2019
Subscribe	Apr 12th 2019 1 year ago
s/live/life/	James 35 Posts
Quote	Apr 12th 2019 1 year ago
This is a great read and should be done for all major OS. Mac, Ubuntu, LinuxMint, aso. With this one could quickly check for reference.	remy 1 Posts
Quote	Apr 13th 2019 1 year ago

We often get emails from readers stating that they feel their system is compromised, even though they "do nothing". Most of the time, our response is "that's normal". Indeed, most modern operating systems, not just Windows, will trigger lots of network traffic without user activity. But I found little documentation about what exactly to expect from a "normal" Windows 10 system. So I ran a quick experiment:

Microsoft offers a number of free virtual machines. I picked the "Microsoft Edge Windows 10 (x64) Stable 1809" system. The reason I went this route is that it first of all made things more reproducible, and secondly, these virtual machines do not include additional software, so you only get the default Windows 10 behavior. These systems are also in a default configuration.

The initial plan was to only record the first boot. But I discard this quickly. After 5 minutes, I had a few hundred MBytes of traffic as Windows first downloaded a lot of updates (including VMware Tools). So I modified my plan: I let the system run for about an hour, until all updates were applied, then I rebooted it a couple of times again making sure that it didn't download additional updates. Finally, I recorded the first few minutes after a reboot.

You can find the raw packet capture at https://isc.sans.edu/diaryimages/WindowsStartup.pcapng . I am using the PCAPNG format as I started to add comments to some of the packets. But here are the basic features:

I recorded 87 seconds. During that time, I captured 531 packets and 196kBytes. 20 DNS requests and responses, 18 TCP connections and 30 UDP connections. My host communicated with 18 other IPv4 hosts (there is no significant IPv6 traffic as the network didn't support IPv6).

Here is the short summary of the pcap:

IP address of the system: 172.16.29.198
MAC Address: 00:0c:29:1f:55:7b
Hostname: MSEDGEWIN10

The system was configured to log in automatically. I did not open a browser window and did not interact with the system beyond powering it on.

Here are some of the main features of the pcap:

initially, the operating system configures itself (IPv6 router solicitations, DHCPv6 and DHCPv4).
The operating system is trying to configure a proxy via WPAD a couple of times
Content for tiles is downloaded (e.g. Weather) in the clear.
There are TLS connections to Bing and events.data.microsoft.com, likely for more content.
connections to canonicalizer.ucsuri.tcs which is part of Microsofts "Smartscreen" anti-malware.
inference.location.live.net: Microsoft's geolocation
additional Live.com systems for things like Microsoft's login features.

There was also a DNS lookup for puppet.localdomain. Not sure if Windows is looking for a Puppet server here for configuration files.

See anything I missed?

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
Twitter|

I will be teaching next: Intrusion Detection In-Depth - SANS Cyber Defense Forum & Training

Johannes