Identify Malicious Activity

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Use this procedure when you want to confirm that malicious activity is occurring within your network. This procedure is useful if you suspect such activity is taking place and you want to identify the targets of the attacks.

Administrative Credentials

No special administrative credentials are required to perform this task.

Special Considerations

No special considerations are required to perform this task.

To identify malicious activity

Note

Broadcast packets have destination IP addresses whose last octet is 255. Disregard those packets when you search the Windows Firewall log file for malicious activity; they are dropped routinely and do not indicate an attack.

  1. With the Windows Firewall log file open in Notepad, scroll through the file from beginning to end.

  2. Look at each log entry with DROP in the action field and note whether the destination IP address (dstip) ends with a number other than 255.

  3. If you find many such entries, take note of the destination IP addresses of the packets.

  4. If those destination IP addresses are all the same, similar, or systematic, write down the source IP addresses (srcip) and the destination IP addresses. These dropped packets can be considered suspicious. Suspicious dropped packets often also show a systematic pattern in the destination ports they hit.
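The steps above can be automated rather than scrolled through by hand. The following Python script is an added example, not part of the original article or of Windows: it parses the W3C-style format that pfirewall.log uses (a #Fields: header naming the columns, one space-separated entry per line), keeps only DROP entries whose destination is not a broadcast address, and groups what remains by destination so that the source addresses and ports hitting each target stand out. The embedded log is constructed sample data modelled on that layout; the column names (src-ip, dst-ip, dst-port) are taken from the #Fields: line, so the script follows whatever header the real file carries.

```python
"""Scan a Windows Firewall log (pfirewall.log layout) for suspicious DROP entries.

Added example: applies steps 2-4 of the procedure to the log text.
"""
from collections import defaultdict

# Constructed sample log, modelled on the pfirewall.log layout: comment header
# lines beginning with '#', then one space-separated entry per line.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2005-04-11 08:05:57 DROP UDP 192.168.1.20 192.168.1.255 137 137 78 - - - - - - -
2005-04-11 08:05:58 OPEN TCP 192.168.1.10 192.168.1.50 3101 80 - - - - - - - -
2005-04-11 08:06:01 DROP TCP 10.1.1.99 192.168.1.10 4021 135 48 S 1234 0 65535 - - -
2005-04-11 08:06:02 DROP TCP 10.1.1.99 192.168.1.10 4022 139 48 S 1235 0 65535 - - -
2005-04-11 08:06:03 DROP TCP 10.1.1.99 192.168.1.10 4023 445 48 S 1236 0 65535 - - -
2005-04-11 08:06:04 DROP TCP 10.1.1.99 192.168.1.10 4024 1433 48 S 1237 0 65535 - - -
2005-04-11 08:06:10 DROP UDP 192.168.1.30 192.168.1.255 138 138 229 - - - - - - -
2005-04-11 08:07:15 DROP TCP 172.16.5.5 192.168.1.10 51000 445 48 S 9988 0 8192 - - -
"""


def parse_firewall_log(text):
    """Yield one dict per log entry, keyed by the column names in the '#Fields:' line."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the '#Fields:' token
            continue
        if line.startswith("#"):
            continue                       # other header/comment lines
        if fields is None:
            raise ValueError("log entry appears before the #Fields: header")
        yield dict(zip(fields, line.split()))


def is_broadcast(ip):
    """The Note in the procedure: a destination whose last octet is 255 is a broadcast."""
    return ip.rsplit(".", 1)[-1] == "255"


def suspicious_drops(text):
    """Steps 2-4: DROP entries with a non-broadcast destination, grouped by destination.

    Returns {dst-ip: {"count": n, "sources": {src-ip, ...}, "ports": [dst-port, ...]}}.
    A destination with many hits, few sources and a spread of ports is the pattern
    the procedure tells you to write down.
    """
    by_dst = defaultdict(lambda: {"count": 0, "sources": set(), "ports": []})
    for entry in parse_firewall_log(text):
        if entry.get("action") != "DROP" or is_broadcast(entry["dst-ip"]):
            continue
        rec = by_dst[entry["dst-ip"]]
        rec["count"] += 1
        rec["sources"].add(entry["src-ip"])
        port = entry.get("dst-port", "-")
        rec["ports"].append(int(port) if port.isdigit() else None)  # '-' for ICMP
    return dict(by_dst)


def report(text, min_hits=3):
    """Human-readable summary of destinations hit at least min_hits times."""
    lines = []
    for dst, rec in sorted(suspicious_drops(text).items(), key=lambda kv: -kv[1]["count"]):
        if rec["count"] < min_hits:
            continue
        ports = sorted(p for p in rec["ports"] if p is not None)
        lines.append("%s: %d dropped, from %s, ports %s"
                     % (dst, rec["count"], ", ".join(sorted(rec["sources"])), ports))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

On the sample data the two broadcast drops (destination 192.168.1.255) are ignored, and the single remaining destination, 192.168.1.10, shows five drops from two sources walking across ports 135, 139, 445 and 1433, which is the "systematic" pattern step 4 describes. Run the script against a real log with `open(r"C:\WINDOWS\pfirewall.log").read()` in place of SAMPLE_LOG; raise `min_hits` on busy hosts to cut noise.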

See Also

Concepts

Interpreting the Windows Firewall Log
View the Windows Firewall Log File