
Open sockets from Endpoints

Description: This query gets the currently open sockets from the endpoints, which is useful in incident response.

Tested on Windows 7/10, Mac OS X 10.14.5 and CentOS 7.7-1908

What the data shows: the open sockets on the endpoint, with local and remote address and port, plus the PID, username, process name, path, command line and more.

SQL:

-- One row per open socket: the owning user, the process, and its local/remote endpoints
select u.username,
       p.pid,
       p.name,
       pos.local_address,
       pos.local_port,
       p.path,
       p.cmdline,
       pos.remote_address,
       pos.remote_port
from processes as p
join users as u
    on u.uid=p.uid              -- resolve the process owner's uid to a username
join process_open_sockets as pos
    on pos.pid=p.pid            -- sockets held by that process
where pos.remote_port !='0'     -- keep only sockets with a connected remote peer (0 = none)
limit 1000;
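The rows this query returns still have to be triaged. As an added example, not from the original post or from Carbon Black, the Python below takes rows in the query's column layout (constructed sample data included), pulls out the sockets whose remote peer lies outside internal address space, and counts how often each external peer appears. The INTERNAL_NETS list is an assumption; adjust it to your own ranges.

```python
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List

# Ranges never treated as an Internet peer: RFC 1918, loopback, link-local, IPv6 ULA.
# Assumed list; extend it with your own corporate ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample rows in the column layout the query above returns
# (hypothetical hosts, users and peers, not real data).
SAMPLE_ROWS = [
    {"username": "svc_web", "pid": 1204, "name": "httpd", "local_address": "10.0.0.5",
     "local_port": 443, "path": "/usr/sbin/httpd", "cmdline": "/usr/sbin/httpd -DFOREGROUND",
     "remote_address": "10.0.0.77", "remote_port": 51022},
    {"username": "alice", "pid": 3311, "name": "updater.exe", "local_address": "10.0.0.9",
     "local_port": 49712, "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
     "cmdline": "updater.exe", "remote_address": "203.0.113.45", "remote_port": 8443},
    {"username": "root", "pid": 77, "name": "sshd", "local_address": "127.0.0.1",
     "local_port": 22, "path": "/usr/sbin/sshd", "cmdline": "sshd: root@pts/0",
     "remote_address": "127.0.0.1", "remote_port": 40022},
    {"username": "bob", "pid": 4410, "name": "curl", "local_address": "10.0.0.12",
     "local_port": 51000, "path": "/usr/bin/curl", "cmdline": "curl https://example.test",
     "remote_address": "203.0.113.45", "remote_port": 443},
]

def is_external(address: str) -> bool:
    """True when the peer lies outside every range in INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # osquery may report '' or '*' when no peer is known; skip those
    return not any(ip in net for net in INTERNAL_NETS)

def external_peers(rows: Iterable[Dict]) -> List[Dict]:
    """Rows whose remote_address is an Internet peer; review these first during IR."""
    return [r for r in rows if is_external(r["remote_address"])]

def peer_counts(rows: Iterable[Dict]) -> Counter:
    """Connections per (remote_address, remote_port) among external peers, so one
    peer reached from several processes or hosts stands out."""
    return Counter((r["remote_address"], r["remote_port"]) for r in external_peers(rows))

if __name__ == "__main__":
    for r in external_peers(SAMPLE_ROWS):
        print(f"{r['username']:>8} pid={r['pid']:<6} {r['name']:<12} -> "
              f"{r['remote_address']}:{r['remote_port']}  ({r['path']})")
    print(peer_counts(SAMPLE_ROWS))
```

Feed it the exported result rows of the query (one dict per row, keyed by the column names above) instead of SAMPLE_ROWS to triage a real result set.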

1 Comment
Carbon Black Employee
Status changed to: Approved

@gstrandberg awesome query! I edited it to make it a little more readable. Hope you don't mind.