Query Exchange

  • 1.  Open sockets from Endpoints

    Posted Apr 07, 2020 12:51 PM

    Description: This query gets the currently open sockets from the endpoints; useful in incident response.

    Tested on Windows 7/10, Mac OS X 10.14.5 and CentOS 7.7-1908

    What The Data Shows: This provides you with the open sockets from the endpoint to find local and remote port, as well as PID, username, process and more.


    -- Column list reconstructed from the description above (username, PID, process,
    -- local and remote port); the original post's select list was cut off.
    select u.username,
           p.pid,
           p.name as process,
           pos.local_address,
           pos.local_port,
           pos.remote_address,
           pos.remote_port
    from processes as p
    join users as u
        on u.uid = p.uid
    join process_open_sockets as pos
        on pos.pid = p.pid
    where pos.remote_port != '0'   -- skip listening / unconnected sockets
    limit 1000;
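    Added example, not part of the original post: a small Python triage helper for the output of the query above. It assumes the query was run through `osqueryi --json` (which prints one JSON object per row with string values) and that the sample rows below are constructed for illustration; the addresses, PIDs and process names are made up. It drops loopback and private-range remote ends and groups what is left by process, which is usually the first cut an incident responder wants from this data.

```python
"""Triage helper for the open-sockets osquery result (added example, constructed data)."""
import ipaddress
import json
from collections import defaultdict

# Constructed sample of what `osqueryi --json` would print for the query above.
# Every value here is invented for illustration.
SAMPLE_JSON = """[
  {"username":"alice","pid":"4120","process":"firefox","local_address":"192.168.1.20","local_port":"51234","remote_address":"93.184.216.34","remote_port":"443"},
  {"username":"root","pid":"812","process":"sshd","local_address":"192.168.1.20","local_port":"22","remote_address":"192.168.1.77","remote_port":"50211"},
  {"username":"alice","pid":"4120","process":"firefox","local_address":"192.168.1.20","local_port":"51240","remote_address":"93.184.216.34","remote_port":"443"},
  {"username":"bob","pid":"2231","process":"svchost.exe","local_address":"127.0.0.1","local_port":"49152","remote_address":"127.0.0.1","remote_port":"49153"},
  {"username":"bob","pid":"3390","process":"powershell.exe","local_address":"192.168.1.20","local_port":"52001","remote_address":"8.8.4.4","remote_port":"4444"}
]"""


def classify_remote(addr):
    """Return 'loopback', 'private', 'external' or 'invalid' for an address string."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"          # osquery may emit '' or '*' for some socket types
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "private"
    return "external"


def external_connections(rows):
    """Keep only rows whose remote end is outside loopback and private ranges."""
    return [r for r in rows if classify_remote(r["remote_address"]) == "external"]


def summarize_by_process(rows):
    """Map (pid, process, username) -> sorted list of distinct remote endpoints."""
    by_proc = defaultdict(set)
    for r in rows:
        key = (int(r["pid"]), r["process"], r["username"])
        by_proc[key].add(f'{r["remote_address"]}:{r["remote_port"]}')
    return {k: sorted(v) for k, v in by_proc.items()}


def triage(json_text):
    """Parse osqueryi JSON output and return external connections grouped by process."""
    rows = json.loads(json_text)
    return summarize_by_process(external_connections(rows))


if __name__ == "__main__":
    for (pid, proc, user), endpoints in triage(SAMPLE_JSON).items():
        print(f"{pid:>6}  {proc:<16} {user:<8} {', '.join(endpoints)}")
```

    Run it against real output by piping `osqueryi --json "<query>"` into a file and passing the file contents to `triage()`; on a fleet, the same grouping works on the rows returned by a scheduled query, since the column names are identical.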



  • 2.  RE: Open sockets from Endpoints

    Broadcom Employee
    Posted Apr 08, 2020 03:07 PM

     Awesome query! I edited it to make it a little more readable. Hope you don't mind.