We have many VBScripts that run on our network, and we are trying to identify the source of a VBScript that is starting any service on a server that is stopped at the top of the hour. So I stopped the Print Spooler service on a random server, started the capture a minute before the top of the hour and then waited until the service started again. I then stopped the capture and saved it to a file. How would I go about filtering this capture file now for VBScript traffic? I don't even know if it's TCP or UDP or something else. Thank you.

asked 01 Feb '11, 11:30 vegas588
One Answer:
Are you sure there isn't an automated script running on the server itself that's automatically restarting the processes? If it's truly being pushed from a remote source, I imagine it'll appear to be some kind of SMS/WMI/MOM/SMB deal. You can just go looking through all of the conversations labeled SMB. You can try searching through the packets for strings like "service" (Edit->Find Packet). Unless your programmers went all out and built a complete socket-based application from the ground up, I doubt you'll see a dedicated stream just for this script. Good luck!

answered 01 Feb '11, 12:34 GeonJay
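As an added example (not part of the question or the answer above), the same search the answer describes can be scripted: read a saved capture with no dependencies beyond the standard library, keep only packets to the SMB ports (TCP 139/445), and report which hosts sent a payload containing "service", checked both as ASCII and as UTF-16LE, since Windows RPC (including Service Control Manager calls) encodes strings that way. The capture, addresses and payloads are constructed inline; the helper names are my own.

```python
import struct
SMB_PORTS = {139, 445}
NEEDLES = (b"service", "service".encode("utf-16-le"))  # Windows RPC strings are UTF-16LE

def iter_packets(pcap):
    """Yield each packet's bytes from a little-endian classic pcap (Ethernet link type)."""
    magic, = struct.unpack_from("<I", pcap, 0)
    assert magic == 0xA1B2C3D4, "unsupported pcap magic"
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl]
        off += incl

def parse_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    return src, dst, sport, dport, tcp[(tcp[12] >> 4) * 4:]

def find_smb_service_senders(pcap):
    """Sorted source IPs of SMB-port packets whose payload mentions 'service' (case-insensitive)."""
    hits = set()
    for frame in iter_packets(pcap):
        p = parse_tcp(frame)
        if p and p[3] in SMB_PORTS and any(n in p[4].lower() for n in NEEDLES):
            hits.add(p[0])
    return sorted(hits)

def build_frame(src, dst, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame, checksums zeroed (constructed sample data only)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return b"\xff" * 6 + b"\xee" * 6 + b"\x08\x00" + ip + tcp + payload

def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # pcap 2.4, Ethernet
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE_PCAP = build_pcap([  # constructed capture: two SMB clients name a service, HTTP is ignored
    build_frame("10.0.0.5", "10.0.0.20", 50000, 445, "StartService Spooler".encode("utf-16-le")),
    build_frame("10.0.0.7", "10.0.0.20", 50001, 80, b"GET /service HTTP/1.1\r\n"),
    build_frame("10.0.0.9", "10.0.0.20", 50002, 139, b"OpenServiceW Spooler"),
])
```

Pointing `find_smb_service_senders` at the bytes of a real capture saved from Wireshark gives the candidate client addresses to follow up on; hosts that only speak HTTP, or SMB packets that never mention a service, are left out.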