Releases: H4NM/WhoYouCalling
WhoYouCalling v1.6.1 ⚙️
Changelog
🛠️ Fixes:
- Fix empty executable output in the proc.txt files.
- Fix the check for the requests module before attempting to validate APIs. This allows callmapper.py to run without having the requests Python library installed.
Get-FileHash -Path *1.6.1*.zip -Algorithm SHA256
Algorithm Hash Path
--------- ---- ----
SHA256 DB5B1B6D40BE207ACEFE4D40C9088E1B8AFFEAB0351F5462F9D84CD3AE33A13D .\CallMapper-1.6.1.zip
SHA256 05D807915D064AEC02B849BDE10378974DB3CC9281343D61083BE414EA197191 .\WhoYouCalling-x64-1.6.1.zip
SHA256 EEFCE9CF51DC3B89D2A4FBE58CD87E492BDBAD5904F453A9724999AECCABEFD2 .\WhoYouCalling-x64-and-CallMapper-1.6.1.zip
WhoYouCalling v1.6 🫧
Changelog
✨Features:
- Added a compression alternative in which the output folder is compressed to a zip file for easier extraction of data in case the data is analyzed elsewhere
- Added metadata retrieval of the executable related to a running process, such as checksums, creation time of the executable (when it landed on the system), and whether it's digitally signed or not. MD5, SHA1 and SHA256 are all retrieved, and lots more. Having multiple different checksums increases the likelihood of finding a correct match
- Added retrieval of the user name that processes are running as
- Added retrieval of established TCP connections by processes when monitoring everything and when listening to a specific PID. This extends the capture capabilities beyond ETW and ensures the initial state is immediately captured. See it as an initial netstat being run before listening to ETW
- Added the ability to supply a whole IP or the start of an IP for automatic interface selection. For example, you can supply -i 192.168 or a full IP -i 192.168.20.15, which will select the corresponding interface with that starting IP. Selecting the index number for the NIC is still applicable, as long as a "." is not included, in which case it will search for the related IP
- Extended host metadata that's captured
- CallMapper:
- Major UI improvement
- Added functionality to visualize multiple WYC result files. This allows for mapping host-based processes to domains and IPs and find shared telemetry activity
- Greatly extended filtering capabilities for details regarding IPs, domains, processes and executables.
- Added arguments to CallMapper to specify the IP and port on which to expose the UI
- Added tabs. Currently there's Summary, Map and Supporters
📄Changes:
- Removed Summary.txt
- Changed filenames per process folder for consistency
- Removed console clear on start
- Made process start events only be registered when listening to a specific PID or executing a program. When monitoring everything there's simply too much noise.
- Removed option to track processes by name as it's more suitable to monitor everything and filter thereafter. It was also removed for better performance and for less complexity overall.
- Extended the Executable name field in monitored processes to hold an Executable object with more detailed information - see features.
- Modified the output argument to accept custom folders in which the results are stored, allowing for simplified extraction of results
- Removed the flag to explicitly state that no full packet capture is collected, which now occurs by default when no interface/ip is provided
- Renamed the argument "Illuminate" to simply "Machine". This applies to both the short and long flag: the short flag was capital I for Illuminate and is now capital M, and the long variants use the double dash and the word. The reason is simply that "Illuminate" doesn't really make sense; it's a theatrical word for what it does
- Renamed fields for MonitoredProcess from ProcessStartTime and ProcessStopTime to just StartTime and StopTime. Also renamed ETWRegisteredStartTime to just StartTime for child processes, as it takes the embedded start timestamp in the event
- Removed adding started processes when using the Illuminate flag as it tended to add a lot of noise. Even though the data for processes with telemetry is the primary output from WYC, the Result.json that's read into CallMapper becomes too noisy (and large). In addition, the goal of WYC is to identify processes with telemetry, and the previous code did not align with that
- CallMapper:
- API calls are no longer made at the start of the script. API calls are now made per node in the web GUI.
- Removed the possibility of having it become backwards compatible to older Results.json files.
- Made the phone in the icon black instead of white (big change)
- Lots of Refactoring and code cleaning. This can basically always be expected in every patch.
🛠️ Fixes:
- Fixed bug where ETW-registered TCP/UDP events sometimes did not include the process name, causing the events not to be cataloged
- Fix issue where incorrect filter type was passed for DFL filter per process
Get-FileHash -Path *1.6*.zip -Algorithm SHA256
Algorithm Hash Path
--------- ---- ----
SHA256 5351BEECE132726B370CD68F6C3F423D4CFC69F37D2CD285E4D6FE5369FE6C3B CallMapper-1.6.zip
SHA256 E260A2FB2FB6E52602F1262E34AEF4B613F190F0804D26D87F9C93C058EBF6A9 WhoYouCalling-x64-1.6.zip
SHA256 8782747C36E2261C8F30D93C0668CEAB771CC2CA6B40C5DB54226478CF6141C0 WhoYouCalling-x64-and-CallMapper-1.6.zip
WhoYouCalling v1.5 🗺️
This release includes some minor changes and one medium and one minor bug fix, but above all it includes CallMapper - a Python and JavaScript solution that enables an interactive network graph of all the processes and their respective network activity from a WhoYouCalling session. CallMapper also allows for conducting automatic API lookups for all of the endpoints identified - except of course single-label domains, private or localhost IPs. Currently, I've only integrated VirusTotal and AbuseIPDB as available APIs, for which you need to supply API keys. I also came to the realization that a solution that integrates API lookups is most applicable if you as end users are able to add your own REST APIs for enriching data as you see fit - especially since there are tons of different IP and domain lookup APIs. Therefore, CallMapper includes functionality to streamline the process of adding custom REST APIs. See the CallMapper README.md for more instructions on how to do so. I've also extended the GitHub actions to better catch potential bugs that may be introduced. Now they execute all three WYC modes (Execute, Listen and Illuminate). If you appreciate this MIT project and want to buy me a coffee, I've added my link ☕
Changelog
✨Features:
- Add interactive network graph visualization of data and possibility of automatically performing API lookups to get reputation
- Add Hostname to the summary output
📄Changes:
- Change the main folder name when listening to a specific PID: it now takes the process name rather than the executable, as the executable was sometimes problematic due to protected processes
- Rename ProcessID to PID in ChildProcessInfo for consistency
- Expanded GitHub actions to execute WYC with the three main modes
- Set the default value of CommandLine to null rather than an empty string for monitored processes for consistency
- Addressed build warnings
- Update README.md
- Update LICENSE
🛠️ Fixes:
- Fix logic for indexing short-lived processes that are started, where WYC would state that they couldn't be successfully mapped.
- Fix logic for when executing a binary to correctly retrieve its process name.
- Fix bug where it was not possible to execute an application unprivileged, see #11. The extended GitHub actions are meant to catch this as early as possible
- Fix issue with Listen mode where the retrieved process name of the PID wasn't successfully added as a monitored process
Get-FileHash -path .\*1.5*.zip -algo sha256
Algorithm Hash Path
--------- ---- ----
SHA256 1CC76FAC345C46773C640F3DB6E58E660CB800D60CE069C8C6715C52563CDB64 CallMapper-1.5.zip
SHA256 FEB8729C28A4A4D9D3B2D30E6FE2DFD75CDB73622A7C3E11635C29B505D5D0ED WhoYouCalling-1.5-x64-selfcontained.zip
SHA256 4C9D0779712A41213B8B59C40CE2878F7C0698988A8E38D1C8B5B8FF657E871A WhoYouCalling-1.5-x86-selfcontained.zip
WhoYouCalling v1.4 📄🛠️
This release mainly addresses issues such as race conditions and mapping of processes. I've also added a summary text file that provides a brief overview of all of the processes that have network activity and of the entire monitoring session. It can be useful when there are a lot of processes with network activity and it's faster to review one file than multiple folders.
✨ Features
- Added a monitoring summary text file
📄 Changes
- Change compiled executable name from WhoYouCalling.exe to wyc.exe - it's a CLI tool after all :-)
- Changed file names to be shorter and more concise
- Remove the JSON flag and create the JSON file regardless, to avoid scenarios of missing crucial data.
- Change the default process name when unable to successfully map it
- Added a spinner wheel to filtering processes
- Changed default values for process start and stop time, and executable name to null for cleaner and consistent data output
- Added github actions to ensure that wyc can be compiled from the source code
- Updated and cleaned up README to reflect the changes
- Refactoring and cleaning code
🛠️ Fixes:
- Fix so that the DNS wireshark filter folder is not created if there are no wireshark filters to be created
- Fix issue where entire BPF filter was not written to file
- Solve issue with short-lived processes that perform DNS queries that do not have process names included.
- Solve issue where the DNS ETW event registers the process PID before the process start ETW event does, causing a process to be added twice.
- Implement fix against the race condition with short-lived processes that perform DNS queries, as they're labeled as unmapped processes.
- This is done by checking if the unmapped process has the same PID as the correctly mapped process and if it was added to monitoring close to the same time
- Solve issue of possible duplicate process names indicating they're the same process, although launched separately and happening to get the same PID. The likelihood is very small, but it could happen and would make results add to the same process even though they're separate.
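The PID-correlation logic described in the last few fixes, as an added illustration that is not WhoYouCalling's code: a small catalog that attaches ETW-style DNS events to process entries by PID, resolves a nameless ("unmapped") placeholder when the start event arrives shortly afterwards instead of adding the process twice, and keeps a recycled PID as a separate process. The 2-second merge window, the event shapes and the event stream in `demo()` are assumptions constructed for the example.

```python
"""Attach ETW-style network events to process entries by PID, tolerating
event reordering, short-lived processes and PID reuse.

Added illustration, not WhoYouCalling's code. Assumptions: events carry a
PID, a timestamp (seconds) and, for start/DNS events, a process name that
may be missing; a 2-second window bounds how far apart two events can be
and still describe the same process instance.
"""
from dataclasses import dataclass, field
from typing import Optional

MERGE_WINDOW = 2.0  # seconds; assumed tolerance for out-of-order ETW events


@dataclass
class MonitoredProcess:
    pid: int
    name: Optional[str]            # None = "unmapped": no process name seen yet
    start_time: float
    stop_time: Optional[float] = None
    dns_queries: list = field(default_factory=list)

    @property
    def mapped(self):
        return self.name is not None


class ProcessCatalog:
    def __init__(self):
        self.processes = []

    def _latest(self, pid):
        """Most recently added entry for this PID, or None."""
        for proc in reversed(self.processes):
            if proc.pid == pid:
                return proc
        return None

    def on_process_start(self, pid, name, ts):
        proc = self._latest(pid)
        if proc is not None and not proc.mapped and abs(proc.start_time - ts) <= MERGE_WINDOW:
            # A DNS/TCP event for this PID arrived before its start event: resolve the
            # placeholder instead of cataloging the same process twice.
            proc.name, proc.start_time = name, ts
            return proc
        # First sighting, or the kernel recycled the PID for a new process: new entry.
        proc = MonitoredProcess(pid, name, ts)
        self.processes.append(proc)
        return proc

    def on_process_stop(self, pid, ts):
        proc = self._latest(pid)
        if proc is not None:
            proc.stop_time = ts
        return proc

    def on_dns_query(self, pid, name, ts, domain):
        proc = self._latest(pid)
        alive = proc is not None and (proc.stop_time is None or ts <= proc.stop_time + MERGE_WINDOW)
        if not alive:
            # No live entry for this PID: create one now (possibly nameless) rather than drop the event.
            proc = MonitoredProcess(pid, name, ts)
            self.processes.append(proc)
        elif not proc.mapped and name:
            proc.name = name  # a later event carried the name the first one lacked
        proc.dns_queries.append(domain)
        return proc


def demo():
    """Constructed stream: a long-lived process, a short-lived one whose DNS event
    precedes its start event, and later reuse of the first PID."""
    cat = ProcessCatalog()
    cat.on_process_start(4242, "svchost.exe", 0.0)
    cat.on_dns_query(4242, "svchost.exe", 1.0, "update.example.com")
    cat.on_dns_query(5151, None, 10.0, "telemetry.example.net")        # nameless, before start
    cat.on_process_start(5151, "short.exe", 10.3)                       # resolves the placeholder
    cat.on_process_stop(5151, 10.8)
    cat.on_dns_query(4242, "svchost.exe", 600.0, "update.example.com")  # still the same process
    cat.on_process_stop(4242, 700.0)
    cat.on_dns_query(4242, None, 900.0, "other.example.org")            # PID recycled, start not yet seen
    cat.on_process_start(4242, "newproc.exe", 900.1)
    return [(p.pid, p.name, p.dns_queries) for p in cat.processes]


if __name__ == "__main__":
    for pid, name, queries in demo():
        print(pid, name, queries)
```

The stop time matters as much as the start time: once an entry has stopped, a later event for the same PID is treated as a new process even when its start event has not yet been seen, which is what keeps a recycled PID from polluting the earlier process's results.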
🚀 Next up:
- Address code that produces build warnings
- Add IP and domain lookup for analysis. This will also be complemented by a network graph visualization to see the entire hierarchy of processes and child processes and the related DNS queries and TCP activity (v1.5)
If you have any suggestions, feedback or bug reports, I'd love to hear them
Get-FileHash -path .\WhoYouCalling-1.4*-selfcontained.zip -algo sha256
Algorithm Hash Path
--------- ---- ----
SHA256 91B578CA10707B68D7D71116E2FD914B2C090D190FE3991AB518D8C856CF84BC WhoYouCalling-1.4-x64-selfcontained.zip
SHA256 4A8B8C9DE18D436ACFE54A7EFD93089790B4B282832E98E7A7E21C1D2A3631E6 WhoYouCalling-1.4-x86-selfcontained.zip
WhoYouCalling v1.3.2 💡
Features ✨:
- Added a third monitoring option called illuminate. By passing the capital I flag (-I), WhoYouCalling records every TCPIP and DNS activity made by every running process on the machine. Can be used with packet capture. Ideally used for incident response, or simply when you're bored or curious about what processes are doing on your machine. This option is currently experimental so please report any issues that you may experience.
- Changed the flag from --execnames to --names, where a case-insensitive pattern can be applied that is checked against the process name and executable file name.
- Enriched console output with a spinner wheel and a line indicating how many processes are being processed for outputting their results.
(Updated the release for v1.3.1 and v1.3.2 to remove creating a filtered pcap based on the network traffic for all processes when using illuminate, since that's not needed. I recommend using -s or --savefullpcap for retaining a pcap including all traffic. Also added fail-safe handling for cataloging events that may be subject to rare race conditions.)
Get-FileHash -path .\WhoYouCalling-1.3*-selfcontained.zip -algo sha256
Algorithm Hash Path
--------- ---- ----
SHA256 1EF5FA3D51BA2282C9C709B7DECC48E896DF79C589729C86FC353D0DC6A0C712 WhoYouCalling-1.3.2-x64-selfcontained.zip
SHA256 6D1BD2E1E5A2497CD3CC22C92C87D224880221CD08D7711A83AF11713833400F WhoYouCalling-1.3.2-x86-selfcontained.zip
WhoYouCalling v1.2 🛰️
Features ✨
- A Wireshark filter is created per DNS response. In other words, when a process wants to communicate with example-domain.com, a DNS request is made for that domain to retrieve IP addresses to communicate with. The response for that request, if it includes one or more IP addresses, will result in a Wireshark filter. This can be used with a generated pcap for that process, further helping in analysing process telemetry.
- Added the command line of started processes. This provides additional insight into the use and intent of spawned processes, which may also fill in some gaps as to why some endpoints are communicated with or domain names are being resolved.
- Add output of the IP addresses assigned to interfaces to make it easier to identify which interface to monitor for packet capture.
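How a per-DNS-response filter of the kind described above can be built, as an added example that is not the project's code: from a domain and the addresses in its DNS answer it produces a Wireshark display filter (the DNS exchange plus all traffic to and from the resolved addresses) and a BPF capture filter, and it also merges the answers for all of a process's domains into one capture filter for that process's pcap. The domains and addresses in `DEMO_RESPONSES` are constructed documentation values.

```python
"""Build Wireshark display filters and BPF capture filters from DNS answers.

Added example, not WhoYouCalling's own code. Input shape (assumed):
{queried domain: [answer records]}. Address answers become filter terms;
non-address answers such as CNAME targets are skipped.
"""
import ipaddress
import re

# Conservative check so a domain can be embedded in a quoted display-filter string
SAFE_DOMAIN = re.compile(r"^[A-Za-z0-9._-]+$")

# Constructed sample: one process resolved two names; 93.184.216.34 is answered twice
DEMO_RESPONSES = {
    "example-domain.com": ["93.184.216.34", "2001:db8::1", "93.184.216.34"],
    "cdn.example-domain.com": ["cdn-edge.example.net", "203.0.113.7"],
}


def unique_ips(answers):
    """Parse answer records into address objects, dropping duplicates and non-addresses (order kept)."""
    seen = []
    for record in answers:
        try:
            ip = ipaddress.ip_address(record)
        except ValueError:
            continue  # CNAME or other non-address answer
        if ip not in seen:
            seen.append(ip)
    return seen


def wireshark_filter(domain, answers):
    """Display filter: the DNS query for `domain` plus any packet to/from an answered address.

    ip.addr / ipv6.addr match either direction, so one term per address covers the whole flow.
    """
    if not SAFE_DOMAIN.match(domain):
        raise ValueError(f"unexpected characters in domain: {domain!r}")
    terms = [f'dns.qry.name == "{domain}"']
    for ip in unique_ips(answers):
        field = "ipv6.addr" if ip.version == 6 else "ip.addr"
        terms.append(f"{field} == {ip}")
    return " || ".join(terms)


def bpf_filter(answers):
    """Capture filter for the same addresses; BPF 'host' accepts both IPv4 and IPv6 literals."""
    return " or ".join(f"host {ip}" for ip in unique_ips(answers))


def process_capture_filter(responses):
    """Merge every answer of every domain a process resolved into one BPF filter for its pcap."""
    all_answers = [record for answers in responses.values() for record in answers]
    return bpf_filter(all_answers)


def session_filters(responses):
    """Per-domain (display filter, capture filter) pairs: the 'one filter per DNS response' output."""
    return {domain: (wireshark_filter(domain, answers), bpf_filter(answers))
            for domain, answers in responses.items()}


if __name__ == "__main__":
    for domain, (display, capture) in session_filters(DEMO_RESPONSES).items():
        print(f"{domain}\n  display: {display}\n  capture: {capture}")
    print("process capture filter:", process_capture_filter(DEMO_RESPONSES))
```

The display filter deliberately includes the `dns.qry.name` term so that the lookup itself stays visible next to the traffic it led to; the capture filter omits it because BPF has no DNS-name matching and the point of that filter is to carve one process's flows out of a full pcap.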
Get-FileHash -path .\WhoYouCalling-1.2-*-selfcontained.zip -algo sha256
Algorithm Hash Path
--------- ---- ----
SHA256 081AFC562CC9618C4CACE4A3407FF01BC374A9F2D8151266E62878F18EB63781 WhoYouCalling-1.2-x64-s...
SHA256 94F69313A677F7D33FCC1229C668326230A7DFDF3E8ADAC597E1E759F1722855 WhoYouCalling-1.2-x86-s...
WhoYouCalling v1.1.1 🛠️
Added functionality to run without npcap drivers. This will of course not allow for packet capture, but it makes WhoYouCalling more lightweight and suitable for the cases where only understanding IF a process is reaching out and where is of importance, rather than seeing exactly what is being sent and/or received. To run without packet capture simply append the flag --nopcap. However, if you want packet capture, you can download the npcap drivers from here: https://npcap.com/#download
In the future only major and minor version updates will include release files. This was an exception as making the npcap drivers optional was worth the new release.
Get-FileHash -path .\WhoYouCalling-1.1.1-*-selfcontained.zip -algo sha256
Algorithm Hash Path
--------- ---- ----
SHA256 ABBEBD8DFB1F15782E84DDBE8B3B9E412A385CE98FD304F5C7E3FED85D59E178 WhoYouCalling-1.1.1-x64-s...
SHA256 5CA6BA74DC5487BD4B98395FFE91D54E280D1E79F1C01AA7519D2B87E9A8E5B8 WhoYouCalling-1.1.1-x86-s...
WhoYouCalling v1.1 🚀
Notable changes are the addition of two arguments: one for executing applications in an elevated state and the second for running them as another user. Please read the limitations part in the README.md to see exactly how it works. Also changed the flag for specifying the PID to capital P rather than lower case, in order to conform to some form of standardization when providing username and password (-u and -p).
Note: To run WhoYouCalling, you need to have npcap installed on Windows. Download --> https://npcap.com/#download. If it's not installed it will complain that wpcap.dll is missing.
Get-FileHash -path .\WhoYouCalling-1.1-*-selfcontained.zip -algo sha256
Algorithm Hash Path
--------- ---- ----
SHA256 0AEDAFAB8EB49859C2C3C784648EE623EC51D50D2DB9925A7243746E1B0A4FCB WhoYouCalling-1.1-x64-selfcontained.zip
SHA256 2A3EE815BA688FD1E29ADE9C4EBFFCE6861DC8293D188C0101208F829EDC77E1 WhoYouCalling-1.1-x86-selfcontained.zip
WhoYouCalling v1.0
First Release ✨ (1.0)
Note: You need to have npcap installed on Windows before running. Download --> https://npcap.com/#download. If it's not installed it will complain that wpcap.dll is missing.
In the future, single binaries with statically packed libraries will be provided. The following releases are self-contained and should be ready for direct use.
sha256
WhoYouCalling-1.0-x64-selfcontained.zip: 9DBE3CAF6B01B2468727BB9D002613AD630BDD50FCC9D3E4153A9B13AE63417E
WhoYouCalling-1.0-x86-selfcontained.zip: EDEE00DC1D0B51AAC0295806AB68FB979E2B13A55E7197213E83A63C50A6742E
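Every release above posts SHA-256 hashes for its archives; the check a practitioner wants before unpacking one is to recompute the hash locally and compare it against the posted value. The script below is an added example, not part of the WhoYouCalling or CallMapper projects. It parses both hash layouts used on this page (the Get-FileHash table rows and the `file: hash` lines of the 1.0 release), streams each named file through SHA-256, and reports ok, mismatch or missing per entry; the files and manifest in `demo()` are constructed for the example.

```python
"""Verify downloaded release archives against the SHA-256 hashes posted in release notes.

Added example, not WhoYouCalling/CallMapper code. It accepts both hash layouts
found on the releases page: Get-FileHash table rows ("SHA256 <hex> <path>") and
"<file>: <hex>" lines. Run: python verify_release.py manifest.txt ./downloads
"""
import hashlib
import re
import sys
import tempfile
from pathlib import Path

# Get-FileHash row: algorithm, 64 hex digits, path (header/separator rows never match)
TABLE_ROW = re.compile(r"^SHA256\s+([0-9A-Fa-f]{64})\s+(\S+)$")
# v1.0 style row: "<file>: <64 hex digits>"
COLON_ROW = re.compile(r"^(\S+):\s+([0-9A-Fa-f]{64})$")


def parse_manifest(text):
    """Return {file name: lowercase sha256 hex} from pasted release-note text.

    Directory prefixes such as ".\\" are dropped so entries are matched by
    file name only; unrecognised lines (headers, separators, prose) are skipped.
    """
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = TABLE_ROW.match(line)
        if m:
            digest, path = m.group(1), m.group(2)
        else:
            m = COLON_ROW.match(line)
            if not m:
                continue
            path, digest = m.group(1), m.group(2)
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        expected[name] = digest.lower()
    return expected


def sha256_of(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_release(manifest_text, directory):
    """Return {file name: 'ok' | 'mismatch' | 'missing'} for every manifest entry."""
    results = {}
    for name, digest in parse_manifest(manifest_text).items():
        candidate = Path(directory) / name
        if not candidate.is_file():
            results[name] = "missing"
        elif sha256_of(candidate) == digest:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def demo():
    """Constructed sample: two small files and a manifest mixing both layouts.

    'good.zip' holds b"abc" (SHA-256 ba7816bf...), 'bad.zip' holds b"abd" so its
    hash cannot match the posted one, and 'missing.zip' is listed but never written.
    """
    manifest = (
        "Algorithm Hash Path\n"
        "--------- ---- ----\n"
        "SHA256 BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD .\\good.zip\n"
        "bad.zip: ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad\n"
        "missing.zip: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\n"
    )
    with tempfile.TemporaryDirectory() as d:
        Path(d, "good.zip").write_bytes(b"abc")
        Path(d, "bad.zip").write_bytes(b"abd")
        return verify_release(manifest, d)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        statuses = verify_release(Path(sys.argv[1]).read_text(), sys.argv[2])
    else:
        statuses = demo()
    for name, status in statuses.items():
        print(f"{status:9} {name}")
    # Non-zero exit if anything is missing or altered, so the check can gate a script
    sys.exit(0 if all(s == "ok" for s in statuses.values()) else 1)
```

Hashes are compared case-insensitively because Get-FileHash prints them in upper case while most other tools print lower case; a mismatch is reported rather than raised so that one altered archive does not hide the status of the others.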
