Wanna know if your Windows is compromised?

I put together a quick PowerShell „one-liner“ for Digital Forensics and Incident Response (DFIR), in quotes because it is a bit on the edge of what still counts as a one-liner.

Default

(Includes DNS resolution, so it may hang for a while and produces a lot of output)

netstat.exe -a -f -o | foreach { try { $proc = Get-Process -IncludeUserName -Id ($_.trim() -split '\s+')[-1] | sort -Property ProcessName | % { "Path: " + $_.PATH + " Name: " + $_.ProcessName + " Username: " + $_.UserName | Format-table | out-string }} catch { $proc = ""}; $output = "$_`r`n$proc"; Write-Host $output ; }

You can easily adjust the parameters of netstat.exe; for example, -n omits DNS resolution and is therefore much faster. If you would rather see TCP only, use -p TCP or -p TCPv6; sadly, these two do not seem to be combinable. I prepared a few variants for you below.

Yes, this command is completely safe, also for novice users: netstat.exe and Get-Process only read information and change nothing. Best results can be expected if you run PowerShell as Administrator (Get-Process -IncludeUserName needs an elevated shell, otherwise the user name and path stay empty). The shortcut for this is CTRL+SHIFT+left click on the PowerShell icon, or right click and select Run as Administrator.

If you aren't exactly sure what to do with that output: I highlighted one application path. The next thing on your list would be to open that location in Windows File Explorer and run a virus scan (Windows Defender) on the file in question, or upload it to VirusTotal and check it that way. You could also consider whether you actually need the service listening on a public port at all, and try to find out why it is running in the first place.

A good place to start looking for this would be your Startup (Autostart) folder, msconfig.exe and the Startup tab in Task Manager. If you can't find it there, chances are there is something weird going on. Your next stop would have to be the Registry and Windows Event logging, or trying to find out whether another process maybe migrated into the .exe, but this is more for advanced users and professionals.
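The triage steps above (look at the path, scan or hash the file, check the autostart locations) can be done from the same PowerShell window. The following function is an added example and is not part of the original post; the name Get-ProcessTriage is my own, and it uses only cmdlets that ship with Windows. Given a PID taken from the netstat output, it collects the image path, its SHA256 (so you can look the hash up on VirusTotal instead of uploading the file), the Authenticode signature status, the owner and parent process, and any Run/RunOnce key or Startup folder entry that references the executable name.

```powershell
# Added example, not from the original post. Assumed function name: Get-ProcessTriage.
# Collects first-triage facts for one PID: path, SHA256, signature, owner, parent,
# and autostart entries (Run/RunOnce keys and both Startup folders) that reference it.
function Get-ProcessTriage {
    param([Parameter(Mandatory)][int]$Id)

    $proc = Get-Process -Id $Id -ErrorAction Stop
    $cim  = Get-CimInstance Win32_Process -Filter "ProcessId = $Id"

    # Get-Process shows no Path for protected/system processes; WMI sometimes still does.
    $path = $proc.Path
    if (-not $path) { $path = $cim.ExecutablePath }

    $hash = $null; $sig = $null
    if ($path -and (Test-Path $path)) {
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -FilePath $path
    }

    # Owner via WMI, which does not need the elevated -IncludeUserName switch.
    $owner = try { Invoke-CimMethod -InputObject $cim -MethodName GetOwner -ErrorAction Stop } catch { $null }
    $user  = if ($owner -and $owner.User) { "$($owner.Domain)\$($owner.User)" } else { 'n/a' }

    # Autostart: Run/RunOnce keys for the machine and the current user.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $autostart = foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            # Skip the provider's own PS* properties; match the value on the executable name.
            if ($p.Name -notlike 'PS*' -and "$($p.Value)" -like "*$($proc.ProcessName)*") {
                "$key\$($p.Name) = $($p.Value)"
            }
        }
    }
    # Autostart: the per-user and all-users Startup folders.
    $startupDirs = @(
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
    )
    $startupHits = foreach ($d in $startupDirs) {
        if (Test-Path $d) {
            Get-ChildItem -Path $d -File | Where-Object { $_.Name -like "*$($proc.ProcessName)*" } |
                ForEach-Object { $_.FullName }
        }
    }

    $parent = if ($cim) { Get-CimInstance Win32_Process -Filter "ProcessId = $($cim.ParentProcessId)" } else { $null }

    [pscustomobject]@{
        Id          = $Id
        Name        = $proc.ProcessName
        Path        = $path
        User        = $user
        SHA256      = $hash
        Signature   = if ($sig) { $sig.Status } else { 'n/a' }
        Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
        Parent      = if ($parent) { "$($parent.ProcessId) $($parent.Name)" } else { 'n/a' }
        CommandLine = $cim.CommandLine
        Autostart   = @($autostart) + @($startupHits)
    }
}

# Usage: Get-ProcessTriage -Id 1234 | Format-List
```

Read the result the way the post suggests: an executable outside Program Files or Windows, with Signature NotSigned or HashMismatch, whose parent is not the process you would expect, deserves a closer look; a Valid signature on its own is not proof that the file is harmless. The Autostart match is a simple name match against the Run keys and Startup folders, so an entry that launches the program through a script or a scheduled task will not show up here.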

TCP only

netstat.exe -a -f -o -p TCP | foreach { try { $proc = Get-Process -IncludeUserName -Id ($_.trim() -split '\s+')[-1] | sort -Property ProcessName | % { "Path: " + $_.PATH + " Name: " + $_.ProcessName + " Username: " + $_.UserName | Format-table | out-string }} catch { $proc = ""}; $output = "$_`r`n$proc"; Write-Host $output ; }

TCP IPv6 only

netstat.exe -a -f -o -p TCPv6 | foreach { try { $proc = Get-Process -IncludeUserName -Id ($_.trim() -split '\s+')[-1] | sort -Property ProcessName | % { "Path: " + $_.PATH + " Name: " + $_.ProcessName + " Username: " + $_.UserName | Format-table | out-string }} catch { $proc = ""}; $output = "$_`r`n$proc"; Write-Host $output ; }

Prevent DNS resolution

netstat.exe -a -f -o -n | foreach { try { $proc = Get-Process -IncludeUserName -Id ($_.trim() -split '\s+')[-1] | sort -Property ProcessName | % { "Path: " + $_.PATH + " Name: " + $_.ProcessName + " Username: " + $_.UserName | Format-table | out-string }} catch { $proc = ""}; $output = "$_`r`n$proc"; Write-Host $output ; }

Single-line output

netstat.exe -a -f -o | foreach { try { $proc = Get-Process -IncludeUserName -Id ($_.trim() -split '\s+')[-1] | sort -Property ProcessName | % { "Path: " + $_.PATH + " Name: " + $_.ProcessName + " Username: " + $_.UserName | Format-table | out-string }} catch { $proc = ""}; $output = "$_ $proc".trim(); Write-Host $output ; }

Combined

(Single-line output, TCP only, no DNS resolution)

netstat.exe -a -f -o -n -p TCP | foreach { try { $proc = Get-Process -IncludeUserName -Id ($_.trim() -split '\s+')[-1] | sort -Property ProcessName | % { "Path: " + $_.PATH + " Name: " + $_.ProcessName + " Username: " + $_.UserName | Format-table | out-string }} catch { $proc = ""}; $output = "$_ $proc".trim(); Write-Host $output ; }

Combined, only listening ports

(German)

netstat.exe -a -o -n -p TCP | Select-String -Pattern "ABHÖREN" | foreach { try { $proc = Get-Process -IncludeUserName -Id ($_ -split '\s+')[-1] | sort -Property ProcessName | % { "Path: " + $_.PATH + " Name: " + $_.ProcessName + " Username: " + $_.UserName | Format-table | out-string }} catch { $proc = ""}; $output = "$_ $proc".trim(); Write-Host $output ; }

(English)

netstat.exe -a -o -n -p TCP | Select-String -Pattern "LISTENING" | foreach { try { $proc = Get-Process -IncludeUserName -Id ($_ -split '\s+')[-1] | sort -Property ProcessName | % { "Path: " + $_.PATH + " Name: " + $_.ProcessName + " Username: " + $_.UserName | Format-table | out-string }} catch { $proc = ""}; $output = "$_ $proc".trim(); Write-Host $output ; }
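Filtering on "LISTENING" or "ABHÖREN" works, but it ties the one-liner to the display language of the machine you are on. The following function is an added example and not part of the original post (the name Get-ListeningInventory is my own). It asks the TCP/IP stack directly through Get-NetTCPConnection and Get-NetUDPEndpoint (NetTCPIP module, Windows 8 / Server 2012 and later), joins each socket to its owning process once, and flags sockets bound to 0.0.0.0 or ::, which is what "listening on a public port" usually means in practice.

```powershell
# Added example, not from the original post. Assumed function name: Get-ListeningInventory.
# Lists listening TCP ports (and optionally UDP endpoints) with the owning process,
# independent of netstat's localized text. Run elevated to see every process's path
# and owner, not only those of your own user.
function Get-ListeningInventory {
    param([switch]$IncludeUdp)

    # Look up each process once rather than once per socket.
    $procs = @{}
    foreach ($p in Get-CimInstance Win32_Process) {
        $owner = try { Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction Stop } catch { $null }
        $procs[[int]$p.ProcessId] = [pscustomobject]@{
            Name = $p.Name
            Path = $p.ExecutablePath
            User = if ($owner -and $owner.User) { "$($owner.Domain)\$($owner.User)" } else { 'n/a' }
        }
    }

    # A socket bound to the wildcard address accepts connections on every interface.
    $wildcard = @('0.0.0.0', '::')

    function New-Row($Proto, $Endpoint) {
        $info = $procs[[int]$Endpoint.OwningProcess]
        [pscustomobject]@{
            Proto   = $Proto
            Address = $Endpoint.LocalAddress
            Port    = $Endpoint.LocalPort
            Pid     = $Endpoint.OwningProcess
            Name    = $info.Name
            Path    = $info.Path
            User    = $info.User
            Exposed = $Endpoint.LocalAddress -in $wildcard
        }
    }

    $rows = @(Get-NetTCPConnection -State Listen | ForEach-Object { New-Row 'TCP' $_ })
    if ($IncludeUdp) {
        # UDP has no listen state; every bound endpoint can receive datagrams.
        $rows += @(Get-NetUDPEndpoint | ForEach-Object { New-Row 'UDP' $_ })
    }
    $rows | Sort-Object -Property @{ Expression = 'Exposed'; Descending = $true }, Port
}

# Usage:
#   Get-ListeningInventory | Format-Table -AutoSize
#   Get-ListeningInventory -IncludeUdp | Where-Object { $_.Exposed -and -not $_.Path } | Format-List
```

The second usage line is the one worth keeping: an exposed port whose process has no resolvable path either means you are not running elevated, or that something is listening from a process you cannot inspect, and both are worth clearing up before you move on to the triage steps above.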

The Linux equivalent would be more or less sudo netstat -tlpn (include 'u' if you also want UDP ports, so -tulpn) and sudo ss -tlpn, along with ps -ef --forest and which <command / name>. Usually, if you have sudo privileges, netstat and ss should already give you most of the output; I'll have a look into a bash one-liner that gives you the entire thing including the path on another day and in another post.

Manuel Geissinger, certified IT security expert, web designer from Freiburg, web developer, administrator and digital artist.