Some helpful blue team commands?:
TCP [Local address]:55824 [Dest address]:443 ESTABLISHED 5748
What's that lil guy connecting out under Process ID PID 5748?
C:\> wmic process where processid=5748 get name, parentprocessid
Cool. My browser IS running right now. But what's that other guy LISTENING on port 5040?
C:\> wmic process where processid=3392 get name, parentprocessid
The above doesn't require priv escalation. You could also run netstat -naob as admin to get the process name from the start, along with other variations of these commands (some require priv escalation). Listing parentprocessid helps follow the trail of what invoked that process. Some services run under the svchost process, and you need service details to figure out which one it is. Know what's normal to find the bad.
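The netstat-then-wmic walk above, done in one pass as an added PowerShell example (not from the original post): it lists LISTEN and ESTABLISHED TCP connections, maps each owning PID to its process name, parent and command line, and, for svchost.exe, shows which services the PID hosts. It uses Get-NetTCPConnection and Get-CimInstance (the CIM replacement for the wmic queries) and assumes Windows 8 / Server 2012 or later; the `<exited>`, `<gone>` and `<reused pid>` labels are this example's own conventions.

```powershell
# Added example, not from the original post.
# Assumes Windows PowerShell 5.1+ with the NetTCPIP module (Windows 8 / Server 2012+).
# Run elevated to get every process's command line; unprivileged runs leave some fields blank.

# PID -> Win32_Process, built once instead of one WMI query per connection.
$procs = @{}
Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

# PID -> service names, so a bare "svchost.exe" can be explained.
$svcByPid = @{}
Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
    $id = [int]$_.ProcessId
    if (-not $svcByPid.ContainsKey($id)) { $svcByPid[$id] = @() }
    $svcByPid[$id] += $_.Name
}

$rows = Get-NetTCPConnection |
    Where-Object { $_.State -in 'Listen', 'Established' } |
    ForEach-Object {
        $pid    = [int]$_.OwningProcess
        $p      = $procs[$pid]
        $parent = $null
        $parentName = '<gone>'
        if ($p) {
            $parent = $procs[[int]$p.ParentProcessId]
            if ($parent) {
                # Parent PIDs are recycled: if the "parent" was created after the
                # child, it is a different process that reused the PID, not the invoker.
                if ($parent.CreationDate -and $p.CreationDate -and
                    $parent.CreationDate -gt $p.CreationDate) {
                    $parentName = '<reused pid>'
                } else {
                    $parentName = $parent.Name
                }
            }
        }
        $services = ''
        if ($svcByPid.ContainsKey($pid)) { $services = $svcByPid[$pid] -join ',' }

        [pscustomobject]@{
            State       = $_.State
            Local       = "$($_.LocalAddress):$($_.LocalPort)"
            Remote      = "$($_.RemoteAddress):$($_.RemotePort)"
            PID         = $pid
            Process     = if ($p) { $p.Name } else { '<exited>' }
            ParentPID   = if ($p) { $p.ParentProcessId } else { $null }
            Parent      = $parentName
            Services    = $services
            CommandLine = if ($p) { $p.CommandLine } else { '' }
        }
    }

$rows | Sort-Object State, PID | Format-Table -AutoSize
```

The Services column is what turns "svchost.exe listening on a port" into a named service you can look up; the Parent column is what the post's parentprocessid lookup gives you, with the PID-reuse check added because a parent that exited long ago can otherwise point you at an unrelated process. Compare the output against a known-good baseline from the same build rather than reading it cold.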