Create Get-NetstatObject.ps1 #208
Conversation
Per conversation ref: #207
Do you know if there's a specific version of PS or the Get-NetTCPConnection cmdlet that returns the OwningProcess property? In my local lab running PS 5.1, that property does not exist. Also, given that Get-NetTCPConnection only returns TCP connections, it's probably worth renaming this collector from Get-NetstatObject.ps1 to something like Get-NetstatTCP.ps1.
I tested on two versions, the oldest being 5.1.17134.858. I agree with the renaming.
Compatible with PowerShell v3.0+, Get-CimInstance is a newer, better implementation. It is faster than the Get-WmiObject commands and complies better with the CIM and WSMAN standards, allowing better cross-platform compatibility and more flexibility. Get-CimInstance (and all -Cim cmdlets) are able to leverage the WSMAN protocol, whereas the WMI cmdlets can only use DCOM RPC. By making one tweak, it can increase speed, increase compatibility, and is implemented in native PowerShell since v3.0.
Should be the newer, more PS way to accomplish the same task. @mwilco03 thoughts?
100% agree with this assessment. @davehull can you validate from your local lab?
I should have some time to check this out tomorrow. Thanks.
@davehull @covertpanda IDK how applicable it would be to an enterprise-wide sweep / IR investigation, but doing the code this way could also allow for functionalization of the code (i.e. grabbing all procs whether or not they are talking). -Edited: got it working :-)
Have you updated the PR? I've got some time today to check it out.
No sorry, I'll get it updated today.
Renamed since it now pulls UDP endpoints in tandem with TCP. Should have similar output; it still needs to be tested & verified, but the methodology should be sound.
Finally got back to this updated PR.
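For reference, an added example (not the PR's Get-NetstatObject.ps1 and not a file in this repo) of the approach the thread converges on: TCP connections and UDP endpoints, each joined to its owning process through Get-CimInstance rather than Get-WmiObject. It assumes Windows 8 / Server 2012 or later, where the NetTCPIP cmdlets and the OwningProcess property exist; the helper name New-Record is hypothetical.

```powershell
# Added example, not the PR's collector: TCP connections plus UDP endpoints, with the
# owning process resolved once through CIM (WSMAN-capable) instead of Get-WmiObject (DCOM).
# Assumes Windows 8 / Server 2012 or later so that Get-NetTCPConnection, Get-NetUDPEndpoint
# and their OwningProcess property are available.
function Get-NetstatObject {
    [CmdletBinding()]
    param()

    # One Win32_Process query up front, keyed by PID, instead of one query per socket.
    # Both sides are cast to [int]: hashtable keys are type-sensitive, and ProcessId /
    # OwningProcess come back as uint32.
    $procByPid = @{}
    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $procByPid[[int]$_.ProcessId] = $_
    }

    # Hypothetical helper that shapes one socket plus its process into the output object.
    function New-Record([string]$Proto, $Sock, $Remote, $RemotePort, $State) {
        $p = $procByPid[[int]$Sock.OwningProcess]
        $name = $null; $path = $null; $cmd = $null
        if ($p) { $name = $p.Name; $path = $p.ExecutablePath; $cmd = $p.CommandLine }
        [PSCustomObject]@{
            Protocol       = $Proto
            LocalAddress   = $Sock.LocalAddress
            LocalPort      = $Sock.LocalPort
            RemoteAddress  = $Remote
            RemotePort     = $RemotePort
            State          = $State
            OwningProcess  = $Sock.OwningProcess
            ProcessName    = $name
            ExecutablePath = $path
            CommandLine    = $cmd
        }
    }

    # TCP: full 4-tuple plus connection state (Listen, Established, TimeWait, ...).
    foreach ($c in Get-NetTCPConnection) {
        New-Record 'TCP' $c $c.RemoteAddress $c.RemotePort ($c.State.ToString())
    }
    # UDP is connectionless: no remote side and no state, so those fields stay empty.
    foreach ($u in Get-NetUDPEndpoint) {
        New-Record 'UDP' $u $null $null $null
    }
}

# Collector-style use: emit objects for the caller to export or aggregate.
Get-NetstatObject | Sort-Object Protocol, LocalPort
```

A socket whose PID has no Win32_Process entry (the process exited between the two queries) is still emitted, with the process fields left null, so the output never silently drops a listener.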
_ were missing through transcription
Going through old requests & wondering if you've had a chance to test this.