# Active Connections

## Overview

**Evidence:** Active Connections\
**Description:** List active TCP/IP connections\
**Category:** Network\
**Platform:** esxi\
**Short Name:** aconns\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

The VMkernel TCP/IP stacks carry the hypervisor's own network traffic: management sessions (hostd, vpxa, SSH), vMotion, and IP storage such as iSCSI and NFS. Listing the active connections on an ESXi host shows which remote systems the hypervisor itself is talking to and which ports it is listening on, which makes this data a primary source for identifying unauthorized management access and lateral movement through the host. Guest VM traffic does not pass through the VMkernel TCP/IP stack and therefore does not appear in this list.

## Data Collected

This collector gathers structured data about active connections.

### Active Connections Data

The fields below follow the columns printed by `esxcli network ip connection list`; the collector stores one record per connection.

| Field             | Description                                                                        | Example         |
| ----------------- | ---------------------------------------------------------------------------------- | --------------- |
| `Proto`           | Transport protocol of the socket (`tcp` or `udp`)                                  | tcp             |
| `Recv Q`          | Bytes queued in the socket's receive buffer                                        | 0               |
| `Send Q`          | Bytes queued in the socket's send buffer                                           | 0               |
| `Local Address`   | Local IP address and port of the VMkernel socket                                   | 10.10.1.20:22   |
| `Foreign Address` | Remote IP address and port (`0.0.0.0:0` for listening sockets)                     | 10.10.1.7:58210 |
| `State`           | TCP connection state (`ESTABLISHED`, `LISTEN`, `TIME_WAIT`, ...); empty for UDP    | ESTABLISHED     |
| `World ID`        | ID of the VMkernel world that owns the socket                                      | 2100338         |
| `CC Algo`         | TCP congestion control algorithm in use (`newreno` or `cubic`); empty for UDP      | newreno         |
| `World Name`      | Name of the owning world, which identifies the process behind the socket           | sshd            |

## Collection Method

This collector parses the output of `esxcli network ip connection list`, extracting for each active connection the protocol, send and receive queue sizes, local and foreign addresses with ports, connection state, owning world ID, congestion control algorithm, and world name.

## Forensic Value

Network connection data exposes the hypervisor's live communication channels and can reveal backdoors, C2 sessions, unauthorized management access, or suspicious inter-host communication. `LISTEN` entries enumerate the services the host exposes, `ESTABLISHED` entries identify its current peers, and the world ID and name tie each socket to the VMkernel world that owns it, so an established session owned by an unexpected world (a shell rather than a management or storage daemon) or terminating at an endpoint outside the management and storage networks is a strong lead. The list is a point-in-time snapshot: connections that closed before collection are not captured, so correlate it with host logs and with the same evidence from neighbouring hosts when tracing attacker movement.
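The following is an added example, not the collector's own parser, showing how the table output described under Collection Method can be parsed and how the triage described in this section can be applied to it. The sample output is constructed to mimic the fixed-width layout of `esxcli network ip connection list` and is not a capture from a real host; the "expected" management and storage subnets are an assumption for the example.

```python
"""Parse the default table output of 'esxcli network ip connection list'
and flag established connections to peers outside the expected networks.

Added example for this page; it is not the collector's own code. The
sample output below is constructed to mimic the real column layout and
is not a capture from a host.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the fixed-width layout esxcli prints by default.
SAMPLE_OUTPUT = """\
Proto  Recv Q  Send Q  Local Address        Foreign Address       State        World ID  CC Algo  World Name
-----  ------  ------  -------------------  --------------------  -----------  --------  -------  ---------------
tcp         0       0  127.0.0.1:8307       127.0.0.1:52134       ESTABLISHED   2098546  newreno  hostd-worker
tcp         0       0  0.0.0.0:443          0.0.0.0:0             LISTEN        2098211  newreno  rhttpproxy-work
tcp         0       0  10.10.1.20:53542     10.10.9.5:3260        ESTABLISHED   2097915  newreno  iscsid
tcp         0       0  10.10.1.20:22        10.10.1.7:58210       ESTABLISHED   2100338  newreno  sshd
tcp         0       0  10.10.1.20:49310     203.0.113.45:4444     ESTABLISHED   2101477  newreno  sh
udp         0       0  0.0.0.0:161          0.0.0.0:0                           2098100           snmpd
"""


@dataclass
class Connection:
    proto: str
    recv_q: int
    send_q: int
    local_addr: str
    local_port: int
    foreign_addr: str
    foreign_port: int
    state: str        # empty string for UDP rows
    world_id: int
    cc_algo: str      # empty string for UDP rows
    world_name: str


def _split_endpoint(text: str) -> Tuple[str, int]:
    """Split 'host:port'; a bracketed IPv6 host ([fe80::1]:22) loses its brackets."""
    host, _, port = text.rpartition(":")
    return host.strip("[]"), int(port)


def parse_connection_list(output: str) -> List[Connection]:
    """Slice each row by the column spans marked by the dashed separator line."""
    lines = [l for l in output.splitlines() if l.strip()]
    dash_idx = next(i for i, l in enumerate(lines) if re.fullmatch(r"-+(\s+-+)*\s*", l))
    starts = [m.start() for m in re.finditer(r"-+", lines[dash_idx])]
    # A column runs from its dash start to the next column's dash start; the
    # last column takes the rest of the line so long world names survive.
    bounds = list(zip(starts, starts[1:] + [None]))
    names = [lines[dash_idx - 1][s:e].strip() for s, e in bounds]
    conns = []
    for line in lines[dash_idx + 1:]:
        row = dict(zip(names, (line[s:e].strip() for s, e in bounds)))
        lhost, lport = _split_endpoint(row["Local Address"])
        fhost, fport = _split_endpoint(row["Foreign Address"])
        conns.append(Connection(
            proto=row["Proto"], recv_q=int(row["Recv Q"]), send_q=int(row["Send Q"]),
            local_addr=lhost, local_port=lport, foreign_addr=fhost, foreign_port=fport,
            state=row["State"], world_id=int(row["World ID"]),
            cc_algo=row["CC Algo"], world_name=row["World Name"]))
    return conns


# Assumption for this example: the management and IP-storage subnets the host
# is expected to talk to. Substitute the environment's real ranges.
EXPECTED_NETWORKS = [ipaddress.ip_network("10.10.1.0/24"),
                     ipaddress.ip_network("10.10.9.0/24")]


def is_expected_peer(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or any(ip in net for net in EXPECTED_NETWORKS)


def suspicious_connections(conns: List[Connection]) -> List[Connection]:
    """Established TCP sessions whose remote side lies outside the expected networks."""
    return [c for c in conns
            if c.proto == "tcp" and c.state == "ESTABLISHED"
            and not is_expected_peer(c.foreign_addr)]


def listening_ports(conns: List[Connection]) -> List[Tuple[int, str]]:
    """(port, world name) for every TCP listener: the services the host exposes."""
    return sorted((c.local_port, c.world_name) for c in conns if c.state == "LISTEN")


if __name__ == "__main__":
    conns = parse_connection_list(SAMPLE_OUTPUT)
    for c in suspicious_connections(conns):
        print(f"REVIEW world {c.world_id} ({c.world_name}): "
              f"{c.local_addr}:{c.local_port} -> {c.foreign_addr}:{c.foreign_port}")
    print("listeners:", listening_ports(conns))
```

Slicing by the dashed separator rather than splitting on whitespace is what keeps the UDP row correct: its empty `State` and `CC Algo` columns would otherwise shift every later value left by one field. When the output can be requested directly rather than recovered from a collected artifact, `esxcli --formatter=csv network ip connection list` avoids the fixed-width parsing entirely.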
