Environment
- EDR Server: All Versions
- EDR Windows Sensor: 7.2.x and lower
- Windows OS: All Supported Versions
Question
Does the Windows sensor capture netconns when running a process that has embedded shellcode?
Answer
Starting again with the 7.3.0-win sensor, this netconn communication is collected and available in the EDR UI console.
Additional Notes
In version 7.2.0-win and lower, the netconns related to a process that has embedded shellcode were more obvious in the UI; however, the behavior was changed in the 7.2.x branches to capture only established netconns. Restoring this additional visibility was requested; it was improved in 7.2.2-win and fully restored in 7.3.0-win.