Network

These artifacts collect information related to the windows network.

Windows.Network.ArpCache

Address resolution cache, both static and dynamic (from ARP, NDP).

Arg Default Description
wmiQuery SELECT AddressFamily, Store, State, InterfaceIndex …
wmiNamespace ROOT\StandardCimv2
kMapOfState {\n “0”: “Unreachable”,\n “1”: “Incomplete”,\n “2” …
View Artifact Source

Windows.Network.InterfaceAddresses

Network interfaces and relevant metadata.

View Artifact Source

Windows.Network.ListeningPorts

Processes with listening (bound) network sockets/ports.

View Artifact Source

Windows.Network.Netstat

Show information about open sockets. On windows the time when the socket was first bound is also shown.

View Artifact Source

Windows.Network.NetstatEnriched

NetstatEnhanced adds addtional data points to the Netstat artifact and enables verbose search options.

Examples include: Process name and path, authenticode information or network connection details.

Arg Default Description
IPRegex .* regex search over IP address fields.
PortRegex .* regex search over port fields.
Family ALL IP version family selection
Type ALL Transport protocol type selection
Status ALL TCP status selection
ProcessNameRegex .* regex search over source process name
ProcessPathRegex .* regex search over source process path
CommandLineRegex .* regex search over source process commandline
HashRegex .* regex search over source process hash
UsernameRegex .* regex search over source process user context
AuthenticodeSubjectRegex .* regex search over source Authenticode Subject
AuthenticodeIssuerRegex .* regex search over source Authenticode Issuer
AuthenticodeVerified ALL Authenticode signiture selection
View Artifact Source