
Open sockets from Endpoints

Description: This query returns the currently open sockets on the endpoints, which is useful in incident response.

Tested on Windows 7/10, Mac OS X 10.14.5 and CentOS 7.7-1908

What The Data Shows: One row per open socket on the endpoint, with the local and remote address and port, plus the PID, username, process name, binary path and command line of the owning process. Sockets with no remote peer (listening sockets and unconnected UDP sockets, which osquery reports with remote_port 0) are filtered out, so the result is the set of connections rather than listeners.

SQL:

-- One row per open socket; sockets without a remote peer (remote_port 0) are excluded.
-- Caveat: the inner join on users drops sockets owned by a process whose uid has no
-- matching row in the users table; change it to a LEFT JOIN if every socket is needed.
select u.username,
       p.pid,
       p.name,
       pos.local_address,
       pos.local_port,
       p.path,
       p.cmdline,
       pos.remote_address,
       pos.remote_port
from processes as p
join users as u
    on u.uid = p.uid
join process_open_sockets as pos
    on pos.pid = p.pid
where pos.remote_port != 0   -- integer column: 0 means listening or unconnected UDP
limit 1000;                  -- raise or drop the cap if a busy server reports more sockets
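During an incident the listeners are often as interesting as the connections, so here is the complementary query as an added example (it is not part of the original post and not a Carbon Black-provided query): it selects sockets with no remote peer, keeps rows whose process has no matching users entry by using LEFT JOINs, and attaches the SHA-256 of the owning binary through osquery's hash table. It assumes the hash table is available on the target platform and that joining it on processes.path is accepted by the query engine; both are assumptions, and the hash will be empty where p.path is not populated.

```sql
-- Added example, not from the original post: listening / unconnected sockets
-- with owning process, user and binary hash for triage.
-- Assumptions: osquery's `hash` table exists on the endpoint and accepts the
-- path constraint supplied through the join; p.path may be empty for some
-- system processes, in which case sha256 is NULL.
select coalesce(u.username, 'uid:' || p.uid) as username,  -- keep rows with no users match
       p.pid,
       p.name,
       p.path,
       h.sha256,
       pos.family,           -- 2 = AF_INET; the AF_INET6 value differs per OS
       pos.protocol,         -- 6 = TCP, 17 = UDP
       pos.local_address,
       pos.local_port,
       p.cmdline
from process_open_sockets as pos
left join processes as p on p.pid = pos.pid
left join users as u on u.uid = p.uid
left join hash as h on h.path = p.path
where pos.remote_port = 0     -- no remote peer: TCP listeners and bound UDP sockets
  and pos.local_port != 0     -- drop unbound sockets
order by pos.local_port;
```

Run the two queries together and diff the listener list against a known-good baseline for the host role; a TCP listener on an unexpected port whose sha256 is not in your allow-list is the row to pivot on first.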


1 Comment
jnelson
Carbon Black Employee
Status changed to: Approved

@gstrandberg awesome query! I edited it to make it a little more readable. Hope you don't mind.