
Create Get-NetstatObject.ps1

Open mwilco03 opened this issue 4 years ago • 11 comments

mwilco03 avatar Jul 18 '20 14:07 mwilco03

Per conversation ref: https://github.com/davehull/Kansa/issues/207 Submitted pull request

mwilco03 avatar Jul 18 '20 14:07 mwilco03

Do you know if there's a specific version of PS or the Get-NetTCPConnection cmdlet that returns the OwningProcess property? In my local lab running PS 5.1 and that property does not exist. Also given that Get-NetTCPConnection only returns TCP connections, it's probably worth renaming this collector from Get-NetstatObject.ps1 to something like Get-NetstatTCP.ps1.

davehull avatar Jul 19 '20 19:07 davehull

I tested on two versions, the oldest being 5.1.17134.858. Could you try the following? Get-WMIObject -namespace Root\StandardCIMV2 -Class MSFT_NetTCPConnection, piping that to gm or ogv to see if the WMI object has OwningProcess? Could rewrite it with WMI if that works instead of Get-NetTCPConnection.

I agree with the renaming.

mwilco03 avatar Jul 20 '20 13:07 mwilco03

Compatible with PowerShell v3.0+, utilizing Get-CimInstance is a newer, better implementation. It is faster than the Get-WmiObject commands, and complies better with CIM and WSMAN standards, allowing better cross-platform compatibility and more flexibility. Get-CimInstance (and all -Cim cmdlets) are able to leverage the WSMAN protocol, whereas WMI cmdlets can only use DCOM RPC. By making one tweak, it can increase speed, increase compatibility, and is implemented in native PowerShell since v3.0.

Get-CimInstance -Namespace root/StandardCimv2 -ClassName MSFT_NetTCPConnection

Should be the newer, more PS way to accomplish the same task.

@mwilco03 thoughts?

covertpanda avatar Jul 21 '20 23:07 covertpanda

100% agree with this assessment @davehull can you validate from your local lab?

mwilco03 avatar Jul 21 '20 23:07 mwilco03

I should have some time to check this out tomorrow. Thanks.

davehull avatar Jul 22 '20 04:07 davehull

@davehull @covertpanda
Per the discussion, I have refactored the code to achieve two goals, first be more readable, secondarily I have pulled the UDP information as well.

IDK how applicable it would be to an enterprise-wide sweep / IR investigation, but doing the code this way could also allow for functionalization of the code (i.e. grabbing all procs whether or not they are talking).

Edit: got it working :-)
Edit: updated pull request

mwilco03 avatar Jul 25 '20 23:07 mwilco03
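Added example, not the collector from the PR or Kansa's own code: it puts the CIM suggestion above and the TCP+UDP refactor described in the last comment together in one collector-style script. It assumes Windows PowerShell 3.0+ (for Get-CimInstance) and that the root/StandardCimv2 namespace exposes MSFT_NetTCPConnection and MSFT_NetUDPEndpoint; the New-Row helper and the state-number mapping are my own additions.

```powershell
# Numeric TCP State values as exposed by MSFT_NetTCPConnection (Get-NetTCPConnection maps them for you).
$TcpState = @{ 1='Closed'; 2='Listen'; 3='SynSent'; 4='SynReceived'; 5='Established'; 6='FinWait1'
               7='FinWait2'; 8='CloseWait'; 9='Closing'; 10='LastAck'; 11='TimeWait'; 12='DeleteTCB' }

function Get-NetstatCim {
    # Process table keyed by PID so the endpoint-to-process join is a hash lookup, not a nested loop.
    # Note: the process list and the socket list are separate snapshots, so a short-lived process
    # can appear in one but not the other; such rows keep the PID but have no name or path.
    $procs = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) { $procs[[uint32]$p.ProcessId] = $p }

    function New-Row($Proto, $Ep, $Remote, $State) {
        # OwningProcess is missing on some builds (as reported earlier in this thread);
        # keep the row and leave the PID empty instead of dropping the endpoint.
        $id = $null; $pr = $null
        if ($Ep.PSObject.Properties['OwningProcess']) {
            $id = [uint32]$Ep.OwningProcess
            $pr = $procs[$id]
        }
        [pscustomobject]@{
            Protocol      = $Proto
            LocalAddress  = $Ep.LocalAddress
            LocalPort     = $Ep.LocalPort
            RemoteAddress = $Remote[0]
            RemotePort    = $Remote[1]
            State         = $State
            OwningProcess = $id
            ProcessName   = $(if ($pr) { $pr.Name })
            Path          = $(if ($pr) { $pr.ExecutablePath })
        }
    }

    foreach ($c in Get-CimInstance -Namespace root/StandardCimv2 -ClassName MSFT_NetTCPConnection) {
        New-Row 'TCP' $c @($c.RemoteAddress, $c.RemotePort) ($TcpState[[int]$c.State])
    }
    # UDP endpoints have no remote side or state; the columns stay empty so both protocols share one schema.
    foreach ($u in Get-CimInstance -Namespace root/StandardCimv2 -ClassName MSFT_NetUDPEndpoint) {
        New-Row 'UDP' $u @($null, $null) $null
    }
}

# Kansa collectors emit objects and let the framework serialize them.
Get-NetstatCim | Sort-Object Protocol, OwningProcess, LocalPort
```

Listening or established sockets whose Path is empty (owner exited, or a build without OwningProcess) are the rows worth a second look during a sweep, so they are kept rather than filtered out.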

Have you updated the PR? I've got some time today to check it out.

davehull avatar Jul 26 '20 15:07 davehull

No sorry, I’ll get it updated today.

mwilco03 avatar Jul 26 '20 18:07 mwilco03

Finally got back to this, updated PR.

mwilco03 avatar Jul 30 '20 14:07 mwilco03

Going through old requests & wondering if you've had a chance to test this.

mwilco03 avatar Feb 17 '21 00:02 mwilco03