Identifying Origin of Network Access

by Mar 22, 2021

Get-NetTCPConnection returns all current TCP network connections, but this cmdlet won’t tell you exactly who is connecting to your machine. You receive the IP address only:

PS> Get-NetTCPConnection -RemotePort 443 

LocalAddress  LocalPort RemoteAddress  RemotePort State       AppliedSetting OwningProcess     
------------  --------- -------------  ---------- -----       -------------- ---------
192.168.2.110 60960     13.107.6.171   443        Established Internet       21824    
192.168.2.110 60959     20.44.232.74   443        Established Internet       4540     
192.168.2.110 60956     52.184.216.226 443        Established Internet       13204    

With calculated properties, you can transform the returned values, for example by sending each remote IP address to a web service that reports which organization the address belongs to. With the same technique, you can also translate the process ID found in OwningProcess into the name of the process that maintains the connection:

# Calculated property: translate the owning process ID into the process name.
# SilentlyContinue covers connections whose process has already exited.
$process = @{
  Name = 'ProcessName'
  Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name }
}

# Calculated property: ask ipinfo.io which organization owns the remote address.
$darkAgent = @{
  Name = 'ExternalIdentity'
  Expression = {
    $ip = $_.RemoteAddress
    (Invoke-RestMethod -Uri "http://ipinfo.io/$ip/json" -UseBasicParsing -ErrorAction Ignore).org
  }
}

Get-NetTCPConnection -RemotePort 443 -State Established |
  Select-Object -Property RemoteAddress, OwningProcess, $process, $darkAgent

The result provides much more insight into the connections, and the example shows all HTTPS connections and their external destination:

RemoteAddress  OwningProcess ProcessName ExternalIdentity            
-------------  ------------- ----------- ----------------            
13.107.6.171           21824 WINWORD     AS8068 Microsoft Corporation
52.113.194.132         15480 Teams       AS8068 Microsoft Corporation
52.114.32.24           25476 FileCoAuth  AS8075 Microsoft Corporation
142.250.185...         15744 chrome      AS15169 Google LLC          
52.114.32.24            3800 OneDrive    AS8075 Microsoft Corporation
52.114.32.24            3800 OneDrive    AS8075 Microsoft Corporation
45.60.13.212            9808 AgentShell  AS19551 Incapsula Inc       
18.200.231.29          15744 chrome      AS16509 Amazon.com, Inc.  
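The calculated-property version above issues one web request per connection, so an address that appears several times (52.114.32.24 in the output) is looked up several times, and private or loopback addresses would be sent to the external service as well. The script below is an added example, not the tip's own code: it wraps the same idea in functions that cache lookups per distinct address, skip RFC 1918, loopback and link-local addresses, and add the process path so a connection can be matched to the binary that owns it. It assumes internet access and that ipinfo.io's /json endpoint returns the fields org, country and hostname (only org is used on this page; the other two are assumptions).

```powershell
# Added example (not the original tip's code): enrich Get-NetTCPConnection
# output with process details and cached ipinfo.io lookups.
# Assumptions: ipinfo.io /json returns 'org', 'country' and 'hostname';
# outbound HTTPS to ipinfo.io is permitted.

function Test-LocalAddress {
    param([Parameter(Mandatory)][string]$Address)
    # Addresses that should never leave the machine for a lookup:
    # RFC 1918, loopback and link-local. Unparseable or IPv6 addresses are
    # also treated as "do not look up" in this example.
    [ipaddress]$ip = $null
    if (-not [ipaddress]::TryParse($Address, [ref]$ip)) { return $true }
    if ($ip.AddressFamily -ne 'InterNetwork') { return $true }
    $o = $ip.GetAddressBytes()
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168) -or
           ($o[0] -eq 127) -or
           ($o[0] -eq 169 -and $o[1] -eq 254)
}

# Cache keyed by remote address so each distinct address is queried once.
$script:IpCache = @{}

function Get-IpOrigin {
    param([Parameter(Mandatory)][string]$Address)
    if (Test-LocalAddress -Address $Address) { return $null }
    if ($script:IpCache.ContainsKey($Address)) { return $script:IpCache[$Address] }
    try {
        $info = Invoke-RestMethod -Uri "https://ipinfo.io/$Address/json" -TimeoutSec 5 -ErrorAction Stop
        $result = [pscustomobject]@{
            Org      = $info.org       # field used by the original tip
            Country  = $info.country   # assumed field
            Hostname = $info.hostname  # assumed field
        }
    } catch {
        # Keep going when the service is unreachable; record the failure instead.
        $result = [pscustomobject]@{ Org = 'lookup failed'; Country = $null; Hostname = $null }
    }
    $script:IpCache[$Address] = $result
    return $result
}

function Get-EstablishedConnectionReport {
    param([int[]]$RemotePort = @(443, 80))
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemotePort -in $RemotePort } |
        ForEach-Object {
            $proc   = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $origin = Get-IpOrigin -Address $_.RemoteAddress
            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                OwningProcess = $_.OwningProcess
                ProcessName   = if ($proc) { $proc.Name } else { '<exited>' }
                ProcessPath   = if ($proc) { $proc.Path } else { $null }   # needs rights to the process
                Org           = $origin.Org
                Country       = $origin.Country
                Hostname      = $origin.Hostname
            }
        }
}

# Usage: list established HTTP/HTTPS connections grouped by owning process so
# that a process talking to an unexpected organization stands out.
Get-EstablishedConnectionReport |
    Sort-Object ProcessName, RemoteAddress |
    Format-Table -AutoSize
```

The cache is script-scoped, so re-running Get-EstablishedConnectionReport in the same session reuses earlier answers; clear $script:IpCache to force fresh lookups. ProcessPath is empty for processes the current user cannot open, so run the script elevated when the report should cover system services.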