
WMI and PowerShell get TCP connection list

2022-06-24 21:36:00 allway2

Network port numbers provide critical information about the applications that access a computer over the network. Knowing which applications use the network, and on which ports, lets you write precise firewall rules and configure remote hosts to allow only the traffic that is actually needed. Activity on a TCP/IP endpoint's ports can also indicate potentially malicious activity or a network attack. Getting a list of all active TCP connections on every TCP endpoint in your network is therefore an important first step toward understanding the attack surface and hardening the network against future security incidents and ransomware. The information should include source and destination IP addresses and ports, process information, and other data. This guide describes several ways to produce a list of active TCP connections on Windows, and shows how to obtain TCP connections with PowerShell.

Procedure:

1. Query WMI in the ROOT\StandardCIMV2 namespace:

Start WMI Explorer, or any other tool that can run WMI queries.
Run the WMI query: SELECT * FROM MSFT_NetTCPConnection

2. Run this simple Windows PowerShell command:

Via a WMI object: Get-WmiObject -Namespace ROOT\StandardCIMV2 -Class MSFT_NetTCPConnection -Computer RemoteComputerName

3. Use the following code to select specific columns:

Execute: Get-WmiObject -Namespace ROOT\StandardCIMV2 -Class MSFT_NetTCPConnection -Computer RemoteComputerName | Select-Object RemoteAddress, RemotePort, OwningProcess, PSComputerName

4. Use the following line to sort the results:

Call the command: Get-WmiObject -Namespace ROOT\StandardCIMV2 -Class MSFT_NetTCPConnection -Computer RemoteComputerName | Select-Object RemoteAddress, RemotePort, OwningProcess, PSComputerName | Sort-Object RemoteAddress

5. The next command filters the results (here, to remote addresses in one subnet):

Use: Get-WmiObject -Namespace ROOT\StandardCIMV2 -Class MSFT_NetTCPConnection -Computer RemoteComputerName | Select-Object RemoteAddress, RemotePort, OwningProcess, PSComputerName | Where-Object -FilterScript {$_.RemoteAddress -like "192.168.*"}

6. Save the results to a CSV file:

Run: Get-WmiObject -Namespace ROOT\StandardCIMV2 -Class MSFT_NetTCPConnection -Computer RemoteComputerName | Select-Object RemoteAddress, RemotePort, OwningProcess, PSComputerName | Export-Csv "c:\file.csv" -Append -NoTypeInformation

7. The next step is to query multiple computers:

Computers listed in a text file: Get-Content -Path c:\computers.txt | ForEach-Object {Get-WmiObject -Namespace ROOT\StandardCIMV2 -Class MSFT_NetTCPConnection -Computer $_}
Computers from the AD domain: Get-ADComputer -Filter {OperatingSystem -Like 'Windows 10*'} | ForEach-Object {Get-WmiObject -Namespace ROOT\StandardCIMV2 -Class MSFT_NetTCPConnection -Computer $_.Name}
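The steps above combined into one script, as an added example that is not part of the original post: it uses Get-CimInstance (the CIM-based successor to Get-WmiObject, which reaches remote hosts over WinRM) to pull MSFT_NetTCPConnection from each host, joins the owning process name and path from Win32_Process so every connection is attributable to a binary, turns the numeric State field into a readable name, filters, and exports a CSV for review. The function name Get-TcpConnectionInventory and the file paths c:\computers.txt and c:\tcp-inventory.csv are assumptions, and the caller is assumed to have administrative rights on the targets.

```powershell
# Added example, not code from the original post. Function name and paths are assumptions.
function Get-TcpConnectionInventory {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [string] $RemoteAddressFilter = '*'   # e.g. '192.168.*' keeps only one subnet
    )
    # Numeric State values of MSFT_NetTCPConnection, mapped to names for readable output
    $stateNames = @{ 1='Closed'; 2='Listen'; 3='SynSent'; 4='SynReceived'; 5='Established';
                     6='FinWait1'; 7='FinWait2'; 8='CloseWait'; 9='Closing'; 10='LastAck';
                     11='TimeWait'; 12='DeleteTCB' }
    foreach ($computer in $ComputerName) {
        try {
            $connections = Get-CimInstance -Namespace ROOT\StandardCIMV2 -ClassName MSFT_NetTCPConnection `
                -ComputerName $computer -ErrorAction Stop
            # One process query per host, keyed by PID, so each connection lookup is a hash hit
            $processes = @{}
            Get-CimInstance -ClassName Win32_Process -ComputerName $computer -ErrorAction Stop |
                ForEach-Object { $processes[[uint32]$_.ProcessId] = $_ }
        } catch {
            # An unreachable host must not abort the whole inventory; report it and move on
            Write-Warning "Skipping ${computer}: $($_.Exception.Message)"
            continue
        }
        foreach ($c in $connections) {
            if ($c.RemoteAddress -notlike $RemoteAddressFilter) { continue }
            $proc = $processes[[uint32]$c.OwningProcess]
            [pscustomobject]@{
                ComputerName   = $computer
                LocalAddress   = $c.LocalAddress
                LocalPort      = $c.LocalPort
                RemoteAddress  = $c.RemoteAddress
                RemotePort     = $c.RemotePort
                State          = $stateNames[[int]$c.State]
                OwningProcess  = $c.OwningProcess
                # A PID with no matching process (it exited between the two queries) is flagged
                ProcessName    = $(if ($proc) { $proc.Name } else { '<unknown>' })
                ExecutablePath = $(if ($proc) { $proc.ExecutablePath } else { $null })
            }
        }
    }
}

# Usage: hosts from a text file, drop listening sockets, sort, and write a CSV for review
Get-Content -Path c:\computers.txt |
    ForEach-Object { Get-TcpConnectionInventory -ComputerName $_ } |
    Where-Object { $_.State -ne 'Listen' } |
    Sort-Object ComputerName, RemoteAddress |
    Export-Csv -Path c:\tcp-inventory.csv -NoTypeInformation
```

Run it periodically and diff the CSVs: a new ExecutablePath talking to an unfamiliar RemoteAddress is exactly the kind of change the firewall rules and attack-surface review described above should catch.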


Copyright notice
This article was written by [allway2]; when reposting, please include a link to the original. Thanks.
https://yzsam.com/2022/02/202202211312219163.html