PktMon.exe
- File Path:
C:\WINDOWS\system32\PktMon.exe - Description: Packet Monitor
Hashes
| Type | Hash |
|---|---|
| MD5 | 2B65BC360DD7C4C290231DEE93A0CE75 |
| SHA1 | 8A758206BE69385E418E3633970556EE16B167F9 |
| SHA256 | 395364BAE8EB95FE58397F4B408A1D8BC3205529A375B979409DD9FD0E26A00C |
| SHA384 | 91158EE37D5976E479E96A0195869FA26B417934A83319D45D826B1A8730825DCAFE14B96F4EAF2FE46D9707EDAA2F94 |
| SHA512 | D2760181E94847A47A4ECAEDE288D12C82BD25EB05FE57881FF1DDDDBDECD106D21DEBC9A8E9399A36D8A3944E8D57BB11FA8CD082FAAA531AF2300AAD46C5D3 |
| SSDEEP | 3072:uJEmhfWDN/2qhND+jvMEXAxzkFD2D/o2Kwa5wGz+R4dx:5md4R2qhND+jEvxzkFaZs+Rw |
Runtime Data
Usage (stdout):
pktmon { filter | comp | reset | start | stop } [OPTIONS | help]
Monitor internal packet propagation and packet drop reports.
Commands
filter Manage packet filters.
comp Manage registered components.
reset Reset counters to zero.
start Start packet monitoring.
stop Stop monitoring.
format Convert log file to text.
unload Unload PktMon driver.
help
Show help text for a command.
Usage (stderr):
Unknown command '-help'. See pktmon help.
Signature
- Status: Signature verified.
- Serial:
330000023241FB59996DCC4DFF000000000232 - Thumbprint:
FF82BC38E1DA5E596DF374C53E3617F7EDA36B06 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: PktMon.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.18362.1 (WinBuild.160101.0800)
- Product Version: 10.0.18362.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
Possible Misuse
The following table contains possible examples of PktMon.exe being misused. While PktMon.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | win_pcap_drivers.yml | - 'pktmon' |
DRL 1.0 |
| LOLBAS | Pktmon.yml | Name: Pktmon.exe |
|
| LOLBAS | Pktmon.yml | - Command: pktmon.exe start --etw |
|
| LOLBAS | Pktmon.yml | Description: Will start a packet capture and store log file as PktMon.etl. Use pktmon.exe stop |
|
| LOLBAS | Pktmon.yml | - Command: pktmon.exe filter add -p 445 |
|
| LOLBAS | Pktmon.yml | - Path: c:\windows\system32\pktmon.exe |
|
| LOLBAS | Pktmon.yml | - Path: c:\windows\syswow64\pktmon.exe |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
pktmon
Applies to: Windows Server 2022, Windows Server 2019, Windows 10, Azure Stack HCI, Azure Stack Hub, Azure
Packet Monitor (Pktmon) is an in-box, cross-component network diagnostics tool for Windows. It can be used for advanced packet capture and event collection, drop detection, filtering, and counting. Pktmon is especially helpful in virtualization scenarios such as container networking and SDN, because it provides visibility within the networking stack.
Syntax
pktmon { filter | list | start | stop | status | unload | counters | reset | etl2txt | etl2pcap | hex2pkt | help } [options]
Commands
| Command | Description |
|---|---|
| pktmon filter | Manage packet filters. |
| pktmon list | List packet processing components. |
| pktmon start | Start packet capture and event collection. |
| pktmon stop | Stop data collection. |
| pktmon status | Query current status. |
| pktmon unload | Unload PktMon driver. |
| pktmon counters | Display current packet counters. |
| pktmon reset | Reset packet counters to zero. |
| pktmon etl2txt | Convert log file to text format. |
| pktmon etl2pcap | Convert log file to pcapng format. |
| pktmon hex2pkt | Decode packet in hexadecimal format. |
| pktmon help | Show help text for specific command. |
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.