Active Connections

Overview

Evidence: Active Connections
Description: List active TCP/IP connections
Category: Network
Platform: esxi
Short Name: aconns
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Active TCP/IP connections on ESXi hosts reveal network communication between the hypervisor and external systems, including management interfaces, storage networks, and VM traffic. This data is crucial for identifying unauthorized network access and detecting lateral movement.

Data Collected

This collector gathers structured data about active connections.

Active Connections Data

| Field | Description | Example |
| --- | --- | --- |
| AccessTime | Access Time | 2023-10-15 14:30:25+03:00 |
| AccessCount | Access Count | 123 |
| URL | URL | Example value |
| Browser | Browser | Example value |
| Title | Title | Example value |
| VisitDuration | Visit Duration | Example value |
| Referrer | Referrer | Example value |
| TypedCount | Typed Count | 123 |
| IsHidden | Is Hidden | true |
| TransitionType | Transition Type | Example value |
| VisitID | Visit ID | 123 |
| TransitionQualifiers | Transition Qualifiers | Example value |
| User | User | Example value |
| Profile | Profile | Example value |
| HistoryFilePath | History File Path | Example value |

Collection Method

This collector parses the output of the `esxcli network ip connection list` command, extracting the protocol type, send and receive queue sizes, local and foreign addresses with ports, connection state, world ID, congestion control algorithm, and associated world name for each active connection.
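As an added illustration (not the collector's own code), the parser below reads the tabular form in which `esxcli network ip connection list` prints those columns. It assumes the usual esxcli layout (a header row, a dashed underline, one row per connection) and uses the underline to fix column boundaries, which keeps UDP rows with an empty State and CC Algo cell aligned; the sample output is constructed, and the "trusted management prefix" filter is an assumed triage rule, not part of the collector.

```python
from dataclasses import dataclass

# Constructed sample in the layout esxcli prints; every value here is made up for this example.
SAMPLE = """\
Proto  Recv Q  Send Q  Local Address        Foreign Address     State        World ID  CC Algo  World Name
-----  ------  ------  -------------------  ------------------  -----------  --------  -------  ---------------
tcp         0       0  127.0.0.1:80         127.0.0.1:58245     ESTABLISHED  2097854   newreno  hostd-worker
tcp         0       0  0.0.0.0:443          0.0.0.0:0           LISTEN       2097755   newreno  rhttpproxy-IO
tcp         0       0  10.0.0.20:443        10.0.0.77:51212     ESTABLISHED  2097755   newreno  rhttpproxy-IO
tcp         0       0  10.0.0.20:52044      203.0.113.9:4444    ESTABLISHED  2103311   newreno  busybox
udp         0       0  0.0.0.0:161          0.0.0.0:0                        2098123            snmpd
"""

@dataclass
class Connection:
    proto: str
    recv_q: int
    send_q: int
    local: str
    foreign: str
    state: str
    world_id: str
    cc_algo: str
    world_name: str

def column_spans(underline: str) -> list[tuple[int, int]]:
    """Return (start, end) offsets of each dashed run; these define the columns."""
    spans, start = [], None
    for i, ch in enumerate(underline + " "):
        if ch == "-" and start is None:
            start = i
        elif ch != "-" and start is not None:
            spans.append((start, i))
            start = None
    return spans

def parse_connections(text: str) -> list[Connection]:
    """Slice every data row by the column spans taken from the dashed underline."""
    lines = [l for l in text.splitlines() if l.strip()]
    spans = column_spans(lines[1])              # lines[0] is the header row
    rows = []
    for line in lines[2:]:
        # The final column runs to end of line so long world names are not truncated.
        cells = [line[s:(e if i < len(spans) - 1 else None)].strip() for i, (s, e) in enumerate(spans)]
        rows.append(Connection(cells[0], int(cells[1]), int(cells[2]), *cells[3:]))
    return rows

def remote_established(conns: list[Connection], trusted_prefix: str) -> list[Connection]:
    """Established TCP sessions whose far end is neither loopback nor inside the
    trusted management prefix (assumed triage rule): the rows an investigator reviews first."""
    return [c for c in conns if c.proto == "tcp" and c.state == "ESTABLISHED"
            and not c.foreign.startswith(("127.", trusted_prefix))]
```

Listening sockets and loopback sessions drop out of `remote_established`, leaving only sessions whose remote endpoint and owning world name need explanation.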

Forensic Value

Network connection data exposes active communication channels, potentially revealing backdoors, C2 connections, unauthorized management access, or suspicious inter-host communication. Analyzing connection states, world names, and remote endpoints helps investigators detect malicious network activity and trace attacker movements.
