TCP Table

Overview

  • Evidence: TCP Table

  • Description: Collect TCP Table

  • Category: Network

  • Platform: windows

  • Short Name: tcpt

  • Is Parsed: Yes

  • Sent to Investigation Hub: Yes

  • Collect File(s): No

Background

Windows maintains a table of all active TCP connections including local/remote addresses, ports, connection state, and the process ID that owns each connection.

Active TCP connections can reveal malware C2 communications, lateral movement, data exfiltration, and unauthorized network access in progress.

Data Collected

This collector gathers one structured record per entry in the Windows TCP connection table, using the fields below.

TCP Table Data

Field        Description          Example
State        Connection state     5 (ESTABLISHED)
Local        Local IP address     192.168.1.100
LocalPort    Local port number    49152
Remote       Remote IP address    93.184.216.34
RemotePort   Remote port number   443
ProcessID    Owning process ID    1234

Collection Method

This collector calls the Windows API to enumerate TCP connections:

  • GetExtendedTcpTable with the TCP_TABLE_OWNER_PID_ALL table class

  • Includes connections in every TCP state, not only ESTABLISHED

  • Associates each connection with the process ID that owns it

TCP states include: CLOSED, LISTEN, SYN_SENT, SYN_RECEIVED, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, CLOSE_WAIT, CLOSING, LAST_ACK, TIME_WAIT. The State field carries the numeric code for the state, as in the example above (5 is ESTABLISHED).

Forensic Value

Active TCP connections can reveal ongoing malicious activity. Investigators use this data to identify active C2 communications, detect data exfiltration in progress, track lateral movement connections, identify unauthorized remote access, correlate network activity with processes, and detect suspicious port usage.
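As an added example (not the collector's own code), the following Python triages records in the field layout documented above: it translates the numeric State code into the TCP state name, then flags ESTABLISHED connections that an analyst would review first, grouped by owning process ID so they can be correlated with process data. The sample rows, the admin-port watch list, the egress allow list and the internal-range table are all constructed assumptions for illustration.

```python
import ipaddress
from collections import defaultdict
# MIB_TCP_STATE values as returned by GetExtendedTcpTable; 5 is MIB_TCP_STATE_ESTAB.
TCP_STATES = {
    1: "CLOSED", 2: "LISTEN", 3: "SYN_SENT", 4: "SYN_RECEIVED",
    5: "ESTABLISHED", 6: "FIN_WAIT_1", 7: "FIN_WAIT_2", 8: "CLOSE_WAIT",
    9: "CLOSING", 10: "LAST_ACK", 11: "TIME_WAIT", 12: "DELETE_TCB",
}
ADMIN_PORTS = {22, 135, 445, 3389, 5985, 5986}  # hypothetical watch list
COMMON_EGRESS_PORTS = {80, 443}                  # hypothetical allow list
INTERNAL_NETS = [ipaddress.ip_network(n) for n in  # IPv4 ranges treated as local/on-prem
    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample rows using the collector's field names; not real telemetry.
SAMPLE_ROWS = [
    {"State": 5, "Local": "192.168.1.100", "LocalPort": 49152,
     "Remote": "93.184.216.34", "RemotePort": 443, "ProcessID": 1234},
    {"State": 2, "Local": "0.0.0.0", "LocalPort": 445,
     "Remote": "0.0.0.0", "RemotePort": 0, "ProcessID": 4},
    {"State": 5, "Local": "192.168.1.100", "LocalPort": 49201,
     "Remote": "198.51.100.7", "RemotePort": 4444, "ProcessID": 5120},
    {"State": 5, "Local": "192.168.1.100", "LocalPort": 49310,
     "Remote": "192.168.1.55", "RemotePort": 3389, "ProcessID": 5120},
    {"State": 11, "Local": "192.168.1.100", "LocalPort": 49188,
     "Remote": "93.184.216.34", "RemotePort": 443, "ProcessID": 1234},
]

def state_name(code):
    """Translate the numeric State field into its TCP state name."""
    return TCP_STATES.get(code, f"UNKNOWN({code})")

def is_external(ip):
    """True when the peer is outside the private, loopback and link-local ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def triage(rows):
    """Flag ESTABLISHED rows by owning PID: external peers on uncommon ports,
    internal peers on admin ports (lateral-movement candidates)."""
    findings = defaultdict(list)
    for r in rows:
        if r["State"] != 5:  # only live connections; LISTEN/TIME_WAIT rows are skipped
            continue
        peer = f'{r["Remote"]}:{r["RemotePort"]}'
        if is_external(r["Remote"]) and r["RemotePort"] not in COMMON_EGRESS_PORTS:
            findings[r["ProcessID"]].append(f"external uncommon port {peer}")
        elif not is_external(r["Remote"]) and r["RemotePort"] in ADMIN_PORTS:
            findings[r["ProcessID"]].append(f"internal admin port {peer}")
    return dict(findings)
```

On the sample rows only PID 5120 is flagged; the port-443 sessions of PID 1234 and the LISTEN/TIME_WAIT rows are left for the broader per-process review.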
