HOWTO: Get a List of Open TCP/IP Connections on a Remote Computer


Open TCP/IP ports and active connections on your endpoints can reveal exposed services and, in some cases, malicious activity. Getting a list of all active network connections on each endpoint on your network is a good first step toward understanding your attack surface and locking the network down against future security incidents and ransomware. The information should include the source and destination IP address and port, the owning process, and related data. This HOWTO describes some streamlined ways to approach this task.



Manually:

1. Run a WMI query in the ROOT\StandardCimv2 namespace (the MSFT_NetTCPConnection class is not in the default ROOT\CIMV2 namespace, so a query there returns nothing):

   - Start WMI Explorer, wbemtest (included with Windows) or any other tool that can run WMI queries, and connect to ROOT\StandardCimv2.
   - Run the WMI query: SELECT * FROM MSFT_NetTCPConnection

2. Run a PowerShell command (the -Namespace parameter is required, because the class is not in the default namespace):

   - through the WMI object: Get-WmiObject -Namespace root\StandardCimv2 -Class MSFT_NetTCPConnection -ComputerName RemoteComputerName

3. Select specific columns:

   - run: Get-WmiObject -Namespace root\StandardCimv2 -Class MSFT_NetTCPConnection -ComputerName RemoteComputerName | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess

4. Sort results:

   - run: Get-WmiObject -Namespace root\StandardCimv2 -Class MSFT_NetTCPConnection -ComputerName RemoteComputerName | Select-Object RemoteAddress, OwningProcess | Sort-Object RemoteAddress

5. Filter results:

   - run: Get-WmiObject -Namespace root\StandardCimv2 -Class MSFT_NetTCPConnection -ComputerName RemoteComputerName | Select-Object RemoteAddress, OwningProcess | Where-Object -FilterScript {$_.RemoteAddress -like "192.168.*"}

6. Save to CSV file:

   - run: Get-WmiObject -Namespace root\StandardCimv2 -Class MSFT_NetTCPConnection -ComputerName RemoteComputerName | Select-Object RemoteAddress, OwningProcess | Export-Csv "c:\file.csv" -Append -NoTypeInformation

7. Query multiple computers:

   - computers from a text file: Get-Content -Path c:\computers.txt | ForEach-Object {Get-WmiObject -Namespace root\StandardCimv2 -Class MSFT_NetTCPConnection -ComputerName $_}
   - computers from an AD domain (requires the ActiveDirectory module from RSAT): Get-ADComputer -Filter 'OperatingSystem -like "Windows 10*"' | ForEach-Object {Get-WmiObject -Namespace root\StandardCimv2 -Class MSFT_NetTCPConnection -ComputerName $_.Name}
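The following script is an added example and is not code from the original page or from Action1. It runs the whole procedure above in one pass (query, owning-process lookup, filter, sort, export) across a list of hosts, using Get-CimInstance instead of Get-WmiObject: the two return the same data here, but Get-WmiObject no longer exists in PowerShell 7, and a CIM session lets the connection query and the process lookup share one transport. It assumes WinRM is enabled on the targets and that the caller is a local administrator on them; C:\computers.txt, C:\tcp-connections.csv and the 192.168. prefix are placeholders.

```powershell
<#
  Added example (not from the original page or from Action1).
  Assumptions: WinRM is reachable on each target and the caller is a local
  administrator there. The input file, output path and prefix are placeholders.
#>
param(
    [string[]]$ComputerName = (Get-Content -Path 'C:\computers.txt'),
    [string]$OutFile        = 'C:\tcp-connections.csv',
    [string]$RemotePrefix   = ''       # e.g. '192.168.' to keep only internal peers
)

# MSFT_NetTCPConnection.State is a numeric enum when read through CIM; these
# are the names Get-NetTCPConnection displays for each value.
$TcpState = @{
    1 = 'Closed'; 2 = 'Listen'; 3 = 'SynSent'; 4 = 'SynReceived'; 5 = 'Established'
    6 = 'FinWait1'; 7 = 'FinWait2'; 8 = 'CloseWait'; 9 = 'Closing'; 10 = 'LastAck'
    11 = 'TimeWait'; 12 = 'DeleteTCB'; 100 = 'Bound'
}

function Get-RemoteTcpConnection {
    param([Parameter(Mandatory)][string]$Computer)

    # One CIM session per host: the socket query and the process lookup reuse it.
    $session = New-CimSession -ComputerName $Computer -ErrorAction Stop
    try {
        # The class lives in root/StandardCimv2, not the default root/cimv2.
        $conns = Get-CimInstance -CimSession $session -Namespace 'root/StandardCimv2' `
                                 -ClassName MSFT_NetTCPConnection -ErrorAction Stop

        # PID -> Win32_Process, fetched once per host so OwningProcess resolves
        # to a name and image path without a round trip per connection.
        $procs = @{}
        Get-CimInstance -CimSession $session -ClassName Win32_Process -ErrorAction Stop |
            ForEach-Object { $procs[[uint32]$_.ProcessId] = $_ }

        foreach ($c in $conns) {
            $p = $procs[[uint32]$c.OwningProcess]
            [pscustomobject]@{
                ComputerName   = $Computer
                LocalAddress   = $c.LocalAddress
                LocalPort      = $c.LocalPort
                RemoteAddress  = $c.RemoteAddress
                RemotePort     = $c.RemotePort
                State          = $TcpState[[int]$c.State]
                OwningProcess  = $c.OwningProcess
                ProcessName    = $(if ($p) { $p.Name } else { '<exited or access denied>' })
                ExecutablePath = $(if ($p) { $p.ExecutablePath } else { $null })
            }
        }
    }
    finally {
        Remove-CimSession -CimSession $session
    }
}

# An unreachable host produces a warning and is skipped instead of aborting the run.
$all = foreach ($target in $ComputerName) {
    try   { Get-RemoteTcpConnection -Computer $target }
    catch { Write-Warning "${target}: $($_.Exception.Message)" }
}

# Keep listening sockets (exposed services) and established sessions (who is
# talking to whom), drop loopback traffic, and apply the optional prefix filter
# to established connections only, so listeners are not lost when it is set.
$loopback = @('127.0.0.1', '::1')
$filtered = $all | Where-Object {
    $_.State -in @('Listen', 'Established') -and
    $_.RemoteAddress -notin $loopback -and
    $_.LocalAddress -notin $loopback -and
    (-not $RemotePrefix -or $_.State -eq 'Listen' -or $_.RemoteAddress -like "$RemotePrefix*")
}

$filtered | Sort-Object ComputerName, State, RemoteAddress, RemotePort |
    Export-Csv -Path $OutFile -NoTypeInformation

# Quick triage view: which images hold listening ports on which hosts.
$filtered | Where-Object State -eq 'Listen' |
    Group-Object ComputerName, ExecutablePath |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Run it as .\Get-TcpInventory.ps1 -RemotePrefix '192.168.' to see only internal peers, or with no arguments for everything. For hosts that do not have WinRM enabled, New-CimSession accepts -SessionOption (New-CimSessionOption -Protocol Dcom), which uses the same RPC/DCOM transport that Get-WmiObject uses.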

With Action1 Endpoint Security Platform:

Step 1 - Sign up for free:

Step 2 - Type your question in plain English:

Step 3 - Set filters, if necessary:

Step 4 - See results from all endpoints in seconds:

Endpoint Name        LocalAddress          ProcessId  RemoteAddress
mac.widgets.local    192.168.0.245:59343   3422       23.100.122.175:443
fred.widgets.local   192.168.0.213:59213   2342       205.251.242.103:80
ray.widgets.local    192.168.0.223:58144   7643       96.43.145.26:3389

Do not have time to write scripts? Check out Action1 Endpoint Security Platform.
Ask questions in plain English such as "list of installed software" or "all running processes". Get answers instantly from live systems:


Other Relevant HOWTOs: