Get-NetTCPConnection returns all current TCP network connections, but this cmdlet won’t tell you exactly who is connecting to your machine. You receive the IP address only:

 
PS> Get-NetTCPConnection -RemotePort 443 

LocalAddress  LocalPort RemoteAddress  RemotePort State       AppliedSetting OwningProcess     
------------  --------- -------------  ---------- -----       -------------- ---------
192.168.2.110 60960     13.107.6.171   443        Established Internet       21824    
192.168.2.110 60959     20.44.232.74   443        Established Internet       4540     
192.168.2.110 60956     52.184.216.226 443        Established Internet       13204    
 

With calculated properties, you can recalculate the returned values and for example send the IP addresses to a web service that exposes the real origin. With the same technique, you can also translate the process ID found in OwningProcess and return the process name that maintains the connection:

$process = @{
  Name = 'ProcessName'
  Expression = { (Get-Process -Id $_.OwningProcess).Name }
}

$darkAgent = @{
  Name = 'ExternalIdentity'
  Expression = { 
    $ip = $_.RemoteAddress 
    (Invoke-RestMethod -Uri "http://ipinfo.io/$ip/json" -UseBasicParsing -ErrorAction Ignore).org
  
  }
}
Get-NetTCPConnection -RemotePort 443 -State Established |
  Select-Object -Property RemoteAddress, OwningProcess, $process, $darkAgent

The result provides much more insight into the connections, and the example shows all HTTPS connections and their external destination:

 
RemoteAddress  OwningProcess ProcessName ExternalIdentity            
-------------  ------------- ----------- ----------------            
13.107.6.171           21824 WINWORD     AS8068 Microsoft Corporation
52.113.194.132         15480 Teams       AS8068 Microsoft Corporation
52.114.32.24           25476 FileCoAuth  AS8075 Microsoft Corporation
142.250.185...         15744 chrome      AS15169 Google LLC          
52.114.32.24            3800 OneDrive    AS8075 Microsoft Corporation
52.114.32.24            3800 OneDrive    AS8075 Microsoft Corporation
45.60.13.212            9808 AgentShell  AS19551 Incapsula Inc       
18.200.231.29          15744 chrome      AS16509 Amazon.com, Inc.  
 


Twitter This Tip! ReTweet this Tip!

Anonymous