Process Attribution In Network Traffic
A DARPA CFT Program
PAINT is a software product used to capture network packets and attribute their originating and receiving Process IDs (PIDs) and Process Names on Windows systems in real-time. It is a Windows console application that optionally integrates with Wireshark for ease of use. PAINT uses Event Tracing for Windows (ETW) events provided by Windows 7+ to capture TCPIP and NDIS layer events to ultimately correlate each TCP/UDP/IP packet to the originating and target executable in real-time.
You can read more about PAINT in our blog post on it.
Digital Operatives is proud to release to the public for Research Purposes Only the beta version of PAINT. You can download PAINT here.
Commercial and Government Users should email us at firstname.lastname@example.org.
PAINT was developed by Digital Operatives LLC with funding from the Defense Advanced Research Projects Agency (DARPA). The views, opinions, and/or findings contained in these articles/presentations are those of Digital Operatives LLC and should not be interpreted as representing the official views or policies, either expressed or implied, of the Defense Advanced Research Projects Agency or the Department of Defense. Reference herein to any specific commercial product, process, or service by trade name, trademark or other trade name, manufacturer or otherwise, does not necessarily constitute or imply endorsement by DARPA, the Defense Department or the United States Government, and shall not be used for advertising or product endorsement purposes.