TCPConnections
Tony Phipps edited this page Nov 7, 2019 · 3 revisions
Credential Access, Persistence, Privilege Escalation
Analyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.
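```sql
-- The FROM clause is absent on the page; the table name below is an
-- assumption taken from the page title.
SELECT OwningProcessPath, LocalPort, RemotePort
FROM TCPConnections
GROUP BY OwningProcessPath, LocalPort, RemotePort
```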
- Active Connections
- Listening Ports
- Unusual process names that are listening or have open connections
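
One way to turn the grouping query into a stacking check for the three items above, as an added example that is not part of the original wiki page or the project's code. The table name `TCPConnections`, the `Host` and `State` columns, and every sample row are assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample rows: (Host, OwningProcessPath, LocalPort, RemotePort, State).
# Host and State are assumed columns; the page names only the other three.
ROWS = [
    ("ws01", r"C:\Windows\System32\svchost.exe", 135, 0, "Listen"),
    ("ws02", r"C:\Windows\System32\svchost.exe", 135, 0, "Listen"),
    ("ws03", r"C:\Windows\System32\svchost.exe", 135, 0, "Listen"),
    ("ws01", r"C:\Program Files\Browser\browser.exe", 50112, 443, "Established"),
    ("ws02", r"C:\Program Files\Browser\browser.exe", 50230, 443, "Established"),
    ("ws03", r"C:\Program Files\Browser\browser.exe", 49877, 443, "Established"),
    ("ws02", r"C:\Users\Public\svch0st.exe", 4444, 0, "Listen"),
    ("ws03", r"C:\Windows\System32\notepad.exe", 50991, 8080, "Established"),
]

# Listeners are keyed on LocalPort; outbound connections on RemotePort, because
# the client-side LocalPort is ephemeral and would make every row look unique.
QUERY = """
SELECT OwningProcessPath, State,
       CASE WHEN State = 'Listen' THEN LocalPort ELSE RemotePort END AS Port,
       COUNT(DISTINCT Host) AS Hosts
FROM TCPConnections
GROUP BY OwningProcessPath, State, Port
HAVING COUNT(DISTINCT Host) <= ?
ORDER BY Hosts, OwningProcessPath
"""


def rare_endpoints(rows, max_hosts=1):
    """Return (path, state, port, hosts) groups seen on at most max_hosts hosts."""
    db = sqlite3.connect(":memory:")
    try:
        db.execute(
            "CREATE TABLE TCPConnections (Host TEXT, OwningProcessPath TEXT, "
            "LocalPort INTEGER, RemotePort INTEGER, State TEXT)"
        )
        db.executemany("INSERT INTO TCPConnections VALUES (?, ?, ?, ?, ?)", rows)
        return db.execute(QUERY, (max_hosts,)).fetchall()
    finally:
        db.close()


if __name__ == "__main__":
    for path, state, port, hosts in rare_endpoints(ROWS):
        print(f"{hosts} host(s)  {state:<11} {port:>5}  {path}")
```

Raising `max_hosts` widens the net; groups present on every host are the baseline, and the ones at the bottom of the stack are the candidates for review.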