## Windows Network Threat Hunting

Network hunting on Windows is basically the same thing as on Linux: it's all just packets. Packet captures from every operating system land in the same place on the security monitoring server, and network analysts look at them with the same tools. Even looking at Wireshark captures locally is basically the same, though you'll see a bunch of odd-looking Microsoft protocols that all look like malware C2 but are really benign. "Know normal, find evil", so get used to the weirdness.

The primary difference for you will be which tools you use to look for rogue local connections. On Windows I recommend the built-in commands `netstat -ano` (all connections and listening ports, numeric addresses, and the owning process ID) and `netstat -af` (the same list with remote addresses resolved to names).

Even better, an excellent Windows program named GlassWire identifies the processes making network connections and alerts on them. If a process doesn't make sense when it pops up, go to Wireshark and open up the stream.
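To turn the netstat-then-find-the-process routine above into something repeatable, here is an added PowerShell example (not from the original post, and not GlassWire's code). It uses `Get-NetTCPConnection`, the cmdlet equivalent of `netstat -ano`, joins each established connection to its owning process and parent, drops peers in private or loopback ranges, and suppresses a small allow list of process names. The allow list and the choice of "external peer" as the trigger are assumptions you would tune to what is normal on your own host; the listener function covers the `netstat -af` side of the same check.

```powershell
# Added example (not from the original post): triage live TCP connections the way a
# hunter would after running netstat -ano, but with the PID already resolved.
# Assumptions: Windows 8 / Server 2012 or later (NetTCPIP module), run from an
# elevated prompt so that process paths are readable for every PID.

function Test-PrivateAddress {
    param([string]$Address)
    # Loopback, link-local and RFC 1918 ranges count as "internal"; anything else is
    # an external peer that deserves a second look in Wireshark.
    return ($Address -match '^(127\.|10\.|192\.168\.|169\.254\.|172\.(1[6-9]|2[0-9]|3[01])\.|::1$|fe80:)')
}

function Get-SuspiciousConnection {
    param(
        # Process names already vetted on this host (assumption: a short, host-specific allow list).
        [string[]]$KnownGood = @('chrome', 'msedge', 'OneDrive')
    )
    Get-NetTCPConnection -State Established |
        Where-Object { -not (Test-PrivateAddress $_.RemoteAddress) } |
        ForEach-Object {
            # The process may have exited between the two queries, so tolerate lookup failures.
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $cim  = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.OwningProcess)" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Local       = "$($_.LocalAddress):$($_.LocalPort)"
                Remote      = "$($_.RemoteAddress):$($_.RemotePort)"
                PID         = $_.OwningProcess
                Process     = if ($proc) { $proc.ProcessName } else { '<exited>' }
                Path        = if ($proc) { $proc.Path } else { $null }
                ParentPID   = if ($cim) { $cim.ParentProcessId } else { $null }
                CommandLine = if ($cim) { $cim.CommandLine } else { $null }
                KnownGood   = [bool]($proc -and ($KnownGood -contains $proc.ProcessName))
            }
        } |
        Where-Object { -not $_.KnownGood }
}

function Get-ListeningProcess {
    # Equivalent of scanning netstat -af for listeners: every open port with its owner,
    # so an unexpected listener stands out next to the usual Windows services.
    Get-NetTCPConnection -State Listen |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Local   = "$($_.LocalAddress):$($_.LocalPort)"
                PID     = $_.OwningProcess
                Process = if ($proc) { $proc.ProcessName } else { '<exited>' }
                Path    = if ($proc) { $proc.Path } else { $null }
            }
        } |
        Sort-Object Local -Unique
}

# Usage: run both and read the tables together; anything with an odd path, an odd
# parent, or an external peer you can't explain is the stream to open in Wireshark.
Get-SuspiciousConnection | Sort-Object Process | Format-Table -AutoSize
Get-ListeningProcess     | Format-Table -AutoSize
```

Keep the allow list short and name-based only as a first filter: a process name alone proves nothing, which is why the output also carries the image path, parent PID and command line so you can confirm the binary is where it should be before you decide it is normal.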

You're basically a self-sufficient threat hunter now.