Collecting NetTcpConnection and Process information with PowerShell

If you need information on active TCP connections, you probably start with the netstat command. With the -b or -o parameter, netstat also lists the executable involved in creating the connection or the owning process ID, respectively.

The output then looks as follows.

In PowerShell we can use Get-NetTCPConnection to retrieve TCP connection information.

When suspecting that something malicious is running on a device, I look at the TCP connections and want to know more about the executable that owns the process. I am also interested in who owns the remote domain and where it is geographically located. And so another cmdlet was born: Get-NetConnectionDetails.

Get-NetConnectionDetails retrieves all TCP connections and then collects additional information about the owning process, such as the executable name and version and the user that runs the process, together with the geolocation of the remote address and some domain registration data from the whois database.

Here’s an example of the output.

Get-NetConnectionDetails -Process ftp
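As an added illustration (not the author's Get-NetConnectionDetails, whose code is on GitHub), the function below performs the local part of that collection: it joins each established connection to its owning process, the binary's path, file version and Authenticode status, and the account running it. It assumes Windows PowerShell 5.1 with the NetTCPIP module; the geolocation and whois lookups are left out because the post does not name the service it queries.

```powershell
# Added example, not the blog's Get-NetConnectionDetails. Joins established TCP
# connections to owning-process details for local triage; remote geolocation and
# whois lookups are omitted because the post does not name the service used.
function Get-NetConnectionTriage {
    [CmdletBinding()]
    param(
        # Optional process-name filter, like the post's "-Process ftp"
        [string]$Process,
        # Loopback and unspecified remote addresses are skipped unless requested
        [switch]$IncludeLoopback
    )
    $skip = @('127.0.0.1', '::1', '0.0.0.0', '::')
    Get-NetTCPConnection -State Established | ForEach-Object {
        $conn = $_
        if (-not $IncludeLoopback -and $conn.RemoteAddress -in $skip) { return }
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        if ($Process -and $proc.Name -ne $Process) { return }

        # Owner via CIM; GetOwner fails for some system processes, so guard it
        $owner = $null
        try {
            $cim = Get-CimInstance Win32_Process -Filter "ProcessId = $($conn.OwningProcess)"
            $o = $cim | Invoke-CimMethod -MethodName GetOwner
            if ($o.ReturnValue -eq 0) { $owner = "$($o.Domain)\$($o.User)" }
        } catch { }

        # Binary metadata: path, file version and signature status
        $path = $proc.Path
        $version = $null; $sig = 'Unknown'
        if ($path -and (Test-Path $path)) {
            $version = (Get-Item $path).VersionInfo.FileVersion
            $sig = (Get-AuthenticodeSignature -FilePath $path).Status
        }

        [pscustomobject]@{
            LocalPort     = $conn.LocalPort
            RemoteAddress = $conn.RemoteAddress
            RemotePort    = $conn.RemotePort
            PID           = $conn.OwningProcess
            Process       = $proc.Name
            Path          = $path
            FileVersion   = $version
            Signature     = $sig
            Owner         = $owner
        }
    }
}

# Usage: Get-NetConnectionTriage -Process ftp | Format-Table -AutoSize
```

Run it from an elevated session; otherwise the path, version and owner columns stay empty for processes running under other accounts.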

Below is the complete code, which is also stored on GitHub.


One Reply to “Collecting NetTcpConnection and Process information with PowerShell”

  1. Great script – thanks so much for sharing. I am getting an error related to the geo location lookup. Has that URL changed recently?
