Collecting NetTcpConnection and Process information with PowerShell

If you need information on active TCP connections, you probably start with the netstat command. With the -b or -o parameter, netstat will also list the executable involved in creating each connection (-b) or the owning process ID (-o).

The output then looks like this:

In PowerShell we can use Get-NetTCPConnection to retrieve TCP connection information.

When I suspect that something malicious is running on a device, I look at the TCP connections and want to know more about the executable that owns the process. I am also interested in who owns the remote domain and where it is geographically located. And so another cmdlet was born: Get-NetConnectionDetails.

The Get-NetConnectionDetails cmdlet retrieves all TCP connections and then collects additional information about the owning process, such as the executable name and version, the user that runs the process, the geolocation of the remote address and some domain registration data from the whois database.

Here’s an example of the output.

Get-NetConnectionDetails -Process ftp      
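The page does not reproduce the cmdlet's source, so here is an added example (my own code, not the author's Get-NetConnectionDetails) showing the local part of that enrichment: each connection from Get-NetTCPConnection is joined to its owning process, the account running it, the binary's version and Authenticode status, and the command line. The -Process parameter name mirrors the usage shown above but is an assumption; the geolocation and whois lookups need network access and are deliberately left out, so this runs offline on any Windows host with the NetTCPIP module.

```powershell
# Added example, not the blog's Get-NetConnectionDetails: enrich TCP connections
# with owning-process details. No geolocation or whois lookups are performed.
function Get-TcpConnectionOwner {
    [CmdletBinding()]
    param(
        # Optional process name filter, e.g. 'ftp' (assumed parameter name)
        [string]$Process,
        # Connection state filter; pass an empty string to list all states
        [string]$State = 'Established'
    )

    $tcp = if ($State) { Get-NetTCPConnection -State $State } else { Get-NetTCPConnection }

    # One CIM query for all processes: GetOwner and CommandLine need a Win32_Process instance
    $cimByPid = @{}
    Get-CimInstance -ClassName Win32_Process | ForEach-Object { $cimByPid[[int]$_.ProcessId] = $_ }

    foreach ($conn in $tcp) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        if ($Process -and $proc.Name -ne $Process) { continue }

        # Account that runs the process (DOMAIN\User); empty if access is denied
        $owner = $null
        $cim = $cimByPid[[int]$conn.OwningProcess]
        if ($cim) {
            $o = Invoke-CimMethod -InputObject $cim -MethodName GetOwner -ErrorAction SilentlyContinue
            if ($o -and $o.ReturnValue -eq 0) { $owner = "$($o.Domain)\$($o.User)" }
        }

        # Authenticode status: NotSigned or HashMismatch on a network-facing binary deserves a closer look
        $sig = if ($proc.Path) { (Get-AuthenticodeSignature -FilePath $proc.Path).Status } else { $null }

        [pscustomobject]@{
            LocalAddress  = $conn.LocalAddress
            LocalPort     = $conn.LocalPort
            RemoteAddress = $conn.RemoteAddress
            RemotePort    = $conn.RemotePort
            State         = $conn.State
            PID           = $conn.OwningProcess
            ProcessName   = $proc.Name
            Path          = $proc.Path
            Version       = $proc.FileVersion
            Company       = $proc.Company
            Owner         = $owner
            Signature     = $sig
            CommandLine   = $cim.CommandLine
        }
    }
}

# Usage: all established connections, or only those owned by ftp.exe
Get-TcpConnectionOwner | Format-Table -AutoSize
Get-TcpConnectionOwner -Process ftp | Format-List
```

Run it from an elevated session: without administrator rights Get-Process returns no Path for processes of other users and GetOwner fails, so those columns come back empty rather than wrong. The Win32_Process query is made once up front instead of per connection because a busy host can have hundreds of sockets owned by a handful of processes.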

Below is the complete code; it is also stored on GitHub.
