Query Exchange

  • 1.  Open sockets from Endpoints

    Posted Apr 07, 2020 12:51 PM

    Description: This query gets the currently open sockets from the endpoints - useful in Incident Response

    Tested on Windows 7/10, Mac OS X 10.14.5 and CentOS 7.7-1908

    What The Data Shows: This provides you with the open sockets from the endpoint to find local and remote port, as well as PID, username, process and more

    SQL:

    -- One row per open socket, joined to the owning process and its user
    select u.username,
           p.pid,
           p.name,
           pos.local_address,
           pos.local_port,
           p.path,
           p.cmdline,
           pos.remote_address,
           pos.remote_port
    from processes as p
    join users as u
        on u.uid=p.uid
    join process_open_sockets as pos
        on pos.pid=p.pid
    -- remote_port 0 means no peer (listening sockets), so only established connections are kept
    where pos.remote_port !='0'
    limit 1000;

    #IncidentResponse
    #Mac
    #Linux
    #Windows
    #Community
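To see what the posted query returns and where its joins drop rows, here is an added example (not part of the original post or of the osquery project) that builds in-memory SQLite tables with the same column names the query uses, runs the query, and then post-processes the result. All sample processes, users, sockets and the `INTERNAL_NETS` range are constructed for this example; the `left_join` switch is an assumption of this example, not something in the posted SQL. The point it shows: the inner join on `users` silently discards any process whose uid has no matching `users` row, and the `remote_port != '0'` filter removes listening sockets, so a responder who wants listeners as well needs a second query.

```python
"""Run the open-sockets query from the post over constructed osquery-shaped tables."""
import ipaddress
import sqlite3

# Constructed sample rows covering the columns the query touches.
PROCESSES = [
    # pid, name, path, cmdline, uid
    (1200, "sshd", "/usr/sbin/sshd", "sshd: alice [priv]", 0),
    (2310, "curl", "/usr/bin/curl", "curl https://example.invalid/", 1001),
    (2400, "nginx", "/usr/sbin/nginx", "nginx: worker process", 33),
    (2500, "orphan", "/tmp/orphan", "/tmp/orphan", 4242),  # uid has no users row
]
USERS = [(0, "root"), (1001, "alice"), (33, "www-data")]
PROCESS_OPEN_SOCKETS = [
    # pid, local_address, local_port, remote_address, remote_port
    (1200, "10.0.0.5", 22, "10.0.0.9", 51234),
    (2310, "10.0.0.5", 40012, "203.0.113.7", 443),
    (2400, "0.0.0.0", 80, "0.0.0.0", 0),          # listening socket: dropped by the filter
    (2500, "10.0.0.5", 40099, "198.51.100.20", 4444),
]

# The posted query; "{users_join}" is a placeholder of this example so the
# users join can be switched between JOIN and LEFT JOIN.
QUERY = """
select u.username, p.pid, p.name, pos.local_address, pos.local_port,
       p.path, p.cmdline, pos.remote_address, pos.remote_port
from processes as p
{users_join} users as u on u.uid = p.uid
join process_open_sockets as pos on pos.pid = p.pid
where pos.remote_port != '0'
limit 1000
"""

# Constructed: the address range treated as internal for triage purposes.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def build_db():
    """Create an in-memory database whose tables mirror the osquery column names used."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        create table processes (pid integer, name text, path text, cmdline text, uid integer);
        create table users (uid integer, username text);
        create table process_open_sockets (pid integer, local_address text, local_port integer,
                                           remote_address text, remote_port integer);
    """)
    conn.executemany("insert into processes values (?,?,?,?,?)", PROCESSES)
    conn.executemany("insert into users values (?,?)", USERS)
    conn.executemany("insert into process_open_sockets values (?,?,?,?,?)", PROCESS_OPEN_SOCKETS)
    return conn


def open_sockets(left_join=False):
    """Run the query and return a list of dict rows.

    With left_join=False (the post's inner join) a process whose uid is not in
    users disappears; with left_join=True it is kept with username None.
    """
    users_join = "left join" if left_join else "join"
    conn = build_db()
    try:
        return [dict(r) for r in conn.execute(QUERY.format(users_join=users_join))]
    finally:
        conn.close()


def external_connections(rows):
    """Keep only rows whose remote peer lies outside INTERNAL_NETS (triage starting point)."""
    out = []
    for row in rows:
        peer = ipaddress.ip_address(row["remote_address"])
        if not any(peer in net for net in INTERNAL_NETS):
            out.append(row)
    return out


if __name__ == "__main__":
    for row in open_sockets(left_join=True):
        print(row["username"], row["pid"], row["name"],
              f'{row["local_address"]}:{row["local_port"]} -> {row["remote_address"]}:{row["remote_port"]}')
    print("external peers:", [r["pid"] for r in external_connections(open_sockets(left_join=True))])
```

With the constructed data the inner join returns sshd and curl only: nginx is excluded because its remote_port is 0 (a listener), and the uid-4242 process is excluded by the join even though it has an established connection. Switching to `left join` keeps that third row with a NULL username, which is the behaviour a responder usually wants, since a process running under an unknown uid is exactly the kind of row not to lose.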


  • 2.  RE: Open sockets from Endpoints

    Broadcom Employee
    Posted Apr 08, 2020 03:07 PM

    Awesome query! I edited it to make it a little more readable. Hope you don't mind.