Description: This query gets the currently open sockets from the endpoints; useful in incident response.
Tested on Windows 7/10, Mac OS X 10.14.5 and CentOS 7.7-1908
What The Data Shows: This provides you with the open sockets on the endpoint so you can find the local and remote address and port, as well as the PID, username, process and more.
SQL:
-- One row per open socket that has a remote peer, joined to the owning process and user.
select u.username,
       p.pid,
       p.name,
       pos.local_address,
       pos.local_port,
       p.path,
       p.cmdline,
       pos.remote_address,
       pos.remote_port
from processes as p
join users as u
  on u.uid = p.uid
join process_open_sockets as pos
  on pos.pid = p.pid
-- remote_port is an integer column; sockets without a remote peer (listening or unconnected) report 0 and are dropped here
where pos.remote_port != 0
limit 1000;
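The query hands an analyst up to a thousand rows per host, so the next step in a response is to cut that down to what needs looking at. The script below is an added example, not part of the original query pack: it runs the query above through osqueryi when that binary is installed (or takes rows already exported with `osqueryi --json`, in which every column arrives as a string) and applies two simple checks, whether the process has a binary path at all and whether that path lies under a set of expected install directories, recording as context whether the remote peer is outside RFC 1918 and loopback space. The trusted prefixes and the sample rows are assumptions made for this example and should be adjusted to the fleet's baseline.

```python
"""Triage the rows returned by the open-sockets query above.

Added example, not part of the original query pack. The trusted path prefixes
and SAMPLE_ROWS are assumptions for illustration.
"""
import ipaddress
import json
import shutil
import subprocess
from collections import Counter

# The query from the page.
QUERY = """
select u.username, p.pid, p.name, pos.local_address, pos.local_port,
       p.path, p.cmdline, pos.remote_address, pos.remote_port
from processes as p
join users as u on u.uid = p.uid
join process_open_sockets as pos on pos.pid = p.pid
where pos.remote_port != 0
limit 1000;
"""

# Directories a legitimately installed network-facing binary is expected to live in
# (assumed for this example; tune to the fleet). Compared case-insensitively for Windows.
TRUSTED_PREFIXES = tuple(p.lower() for p in (
    "/usr/", "/bin/", "/sbin/", "/lib/", "/opt/", "/System/", "/Applications/",
    "C:\\Windows\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\",
))

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def run_query():
    """Run QUERY through osqueryi if it is installed; osquery emits every column as a string."""
    exe = shutil.which("osqueryi")
    if exe is None:
        return None
    proc = subprocess.run([exe, "--json", QUERY], capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def is_internal(addr):
    """True for RFC 1918 and loopback addresses; anything else is treated as external."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # empty or unparsable remote_address: nothing to judge
        return True
    return ip.is_loopback or any(ip in net for net in RFC1918)


def triage(rows):
    """Return (findings, endpoints_per_user) for rows shaped like the query output.

    A row becomes a finding when its process has no backing binary path or runs
    from outside TRUSTED_PREFIXES; an external peer is appended as context.
    """
    findings, endpoints_per_user, seen = [], Counter(), set()
    for r in rows:
        key = (r["pid"], r["remote_address"], r["remote_port"])
        if key in seen:  # count a socket reported more than once only once
            continue
        seen.add(key)
        endpoints_per_user[r["username"]] += 1

        path = r.get("path") or ""
        reasons = []
        if not path:
            reasons.append("no binary path for process")
        elif not path.lower().startswith(TRUSTED_PREFIXES):
            reasons.append("binary outside trusted directories")
        if reasons:
            if not is_internal(r["remote_address"]):
                reasons.append("remote peer is external")
            findings.append({
                "pid": r["pid"], "name": r["name"], "username": r["username"],
                "remote": f'{r["remote_address"]}:{r["remote_port"]}',
                "cmdline": r["cmdline"], "reasons": reasons,
            })
    return findings, endpoints_per_user


# Constructed sample shaped like `osqueryi --json` output (all values are strings).
SAMPLE_ROWS = [
    {"username": "root", "pid": "812", "name": "sshd", "local_address": "10.0.0.5", "local_port": "22",
     "path": "/usr/sbin/sshd", "cmdline": "sshd: root@pts/0", "remote_address": "10.0.0.9", "remote_port": "51234"},
    {"username": "alice", "pid": "4411", "name": "update", "local_address": "10.0.0.5", "local_port": "49210",
     "path": "/tmp/.cache/update", "cmdline": "/tmp/.cache/update -c 203.0.113.10",
     "remote_address": "203.0.113.10", "remote_port": "443"},
    {"username": "alice", "pid": "2200", "name": "firefox", "local_address": "10.0.0.5", "local_port": "49300",
     "path": "/usr/lib/firefox/firefox", "cmdline": "firefox", "remote_address": "198.51.100.7", "remote_port": "443"},
    {"username": "bob", "pid": "3000", "name": "python3", "local_address": "10.0.0.5", "local_port": "49400",
     "path": "", "cmdline": "python3 -", "remote_address": "192.0.2.44", "remote_port": "8080"},
]

if __name__ == "__main__":
    rows = run_query() or SAMPLE_ROWS
    findings, per_user = triage(rows)
    for user, n in per_user.most_common():
        print(f"{user}: {n} remote endpoint(s)")
    for f in findings:
        print(f'PID {f["pid"]} {f["name"]} ({f["username"]}) -> {f["remote"]}: {", ".join(f["reasons"])}')
```

On the constructed sample the sshd and firefox rows fall through as expected software on expected paths, while the process running from a temp directory and the interpreter with no backing binary on disk are surfaced along with their command lines and external peers. The per-user endpoint count is a cheap way to spot an account with far more outbound connections than its role suggests before reading individual rows.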