TCP Table

Overview

  • Evidence: TCP Table

  • Description: Collect TCP Table

  • Category: Network

  • Platform: Windows

  • Short Name: tcpt

  • Is Parsed: Yes - TCP table parsed into structured format

  • Sent to Investigation Hub: Yes

  • Collect File(s): No

Background

Windows maintains a table of all active TCP connections including local/remote addresses, ports, connection state, and the process ID that owns each connection.

Active TCP connections can reveal malware C2 communications, lateral movement, data exfiltration, and unauthorized network access in progress.

Data Collected

Field        Description          Example
State        Connection state     5 (ESTABLISHED)
Local        Local IP address     192.168.1.100
LocalPort    Local port number    49152
Remote       Remote IP address    93.184.216.34
RemotePort   Remote port number   443
ProcessID    Owning process ID    1234

Collection Method

This collector uses the Windows API to enumerate TCP connections:

  • GetExtendedTcpTable with TCP_TABLE_OWNER_PID_ALL flag

  • Includes all TCP connection states

  • Associates connections with process IDs

TCP states include: CLOSED, LISTEN, SYN_SENT, SYN_RECEIVED, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, CLOSE_WAIT, CLOSING, LAST_ACK, TIME_WAIT.
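As an added example (not the collector's own code), the following C program mirrors the row layout that GetExtendedTcpTable returns for TCP_TABLE_OWNER_PID_ALL and parses it into the fields listed under Data Collected, including the MIB_TCP_STATE mapping behind "5 (ESTABLISHED)" and the network-byte-order ports. The sample row is constructed to match the page's example values, not captured from a host, so the decoder runs on any platform; the type and function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* MIB_TCP_STATE values (tcpmib.h): "5 (ESTABLISHED)" in the parsed output
   is this mapping. Index 0 is a placeholder the API never returns. */
static const char *const TCP_STATE_NAMES[] = {
    "UNKNOWN", "CLOSED", "LISTEN", "SYN_SENT", "SYN_RECEIVED", "ESTABLISHED",
    "FIN_WAIT_1", "FIN_WAIT_2", "CLOSE_WAIT", "CLOSING", "LAST_ACK",
    "TIME_WAIT", "DELETE_TCB" };

/* Field-for-field mirror of MIB_TCPROW_OWNER_PID as GetExtendedTcpTable
   (AF_INET, TCP_TABLE_OWNER_PID_ALL) fills it: IPv4 addresses in network
   byte order; ports in the low 16 bits, also network order (needs ntohs). */
typedef struct { uint32_t state, local_addr, local_port,
                 remote_addr, remote_port, pid; } raw_tcp_row;

/* One parsed record with the fields listed under "Data Collected". */
typedef struct { const char *state; char local[16], remote[16];
                 unsigned local_port, remote_port, pid; } tcp_record;

static void ipv4_text(uint32_t addr_be, char out[16]) {
    unsigned char b[4];           /* in-memory octet order is wire order */
    memcpy(b, &addr_be, 4);
    snprintf(out, 16, "%u.%u.%u.%u", b[0], b[1], b[2], b[3]);
}

/* ntohs((u_short)dwPort) as evaluated on a little-endian Windows host. */
static unsigned port_host(uint32_t dw_port) {
    return ((dw_port & 0xFF) << 8) | ((dw_port >> 8) & 0xFF);
}

tcp_record parse_row(const raw_tcp_row *r) {
    tcp_record rec;
    rec.state = TCP_STATE_NAMES[r->state < 13 ? r->state : 0];
    ipv4_text(r->local_addr, rec.local);
    ipv4_text(r->remote_addr, rec.remote);
    rec.local_port = port_host(r->local_port);
    rec.remote_port = port_host(r->remote_port);
    rec.pid = r->pid;
    return rec;
}

/* Constructed sample row (not captured data), laid out as the API would:
   192.168.1.100:49152 -> 93.184.216.34:443, ESTABLISHED, PID 1234.
   The 16-bit byte swap is its own inverse, so port_host also encodes. */
tcp_record sample_record(void) {
    unsigned char local[4] = {192, 168, 1, 100}, remote[4] = {93, 184, 216, 34};
    raw_tcp_row r = { 5, 0, port_host(49152), 0, port_host(443), 1234 };
    memcpy(&r.local_addr, local, 4);
    memcpy(&r.remote_addr, remote, 4);
    return parse_row(&r);
}
```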

Usage

Active TCP connections can reveal ongoing malicious activity. Investigators use this data to identify active C2 communications, detect data exfiltration in progress, track lateral movement connections, identify unauthorized remote access, correlate network activity with processes, and detect suspicious port usage.

Known Limitations

  • Point-in-time snapshot

  • Connections may terminate during collection

  • Short-lived connections may be missed

  • State captured at collection moment only

Notes

Cross-reference Process IDs with the Processes collector to identify which programs are making connections. Look for suspicious remote IPs, unusual ports, and connections from unexpected processes.
