Some helpful blue team commands?:

C:\netstat -nao

TCP [Local address]:55824 [Dest address]:443 ESTABLISHED 5748

What's that lil guy connecting out under Process ID PID 5748?

C:\wmic process where processid=5748 get name, parentprocessid

Name Firefox.exe

Cool. My browser IS running right now. But what's that other guy LISTENING on port 5040?

C:\wmic process where processid=3392 get name, parentprocessid

Name svchost.exe

Hmmm svchost.exe?

What's running under svchost besides everything?

C:\wmic service where processid=3392 get name, servicetype, pathname

Name CDPSvc PathName C:\WINDOWS\system32\svchost.exe -k LocalService -p ServiceType Share Process

Ok. CDPSvc syncs mail, calendar, contact info.

Above doesn't require priv escalation. You could also run netstat -naob as admin to get the process name from the start along with other variations of the commands. Some require priv escalation. Listing parentprocessid helps follow the trail of what invoked that process. Some services run under svchost process and you need service details to figure out what it is. Know what's normal to find the bad.

Sign in to participate in the conversation
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.