UDP Table
Overview
Evidence: UDP Table
Description: Collect UDP Table
Category: Network
Platform: Windows
Short Name: udpt
Is Parsed: Yes - UDP table parsed into structured format
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Windows maintains a table of every UDP socket bound to a local address and port, together with the process ID that owns each socket. Because UDP is connectionless there is no "listening" or "established" state as there is for TCP; the table records only the local endpoint, never the peer.
UDP is commonly used for DNS, DHCP, and various application protocols. Malware may also use UDP for C2 communications or data exfiltration.
Data Collected
Local: Local IP address (example: 0.0.0.0)
LocalPort: Local UDP port number (example: 137)
ProcessID: Owning process ID (example: 4)
Collection Method
This collector uses the Windows IP Helper API to enumerate UDP endpoints:
GetExtendedUdpTable, called with the UDP_TABLE_OWNER_PID table class
Returns every bound UDP endpoint on the host (all local UDP sockets)
Associates each endpoint with the process ID that owns it
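The call sequence above, as an added example in Python (this is illustrative code, not the collector's own source). The GetExtendedUdpTable call itself only works on Windows; the decoding of the returned MIB_UDPTABLE_OWNER_PID buffer into the collector's three fields is ordinary ctypes/struct work and is exercised offline against a constructed buffer. The structure layout, enum value and error codes are taken from iphlpapi.h/iprtrmib.h; the sample rows are made up.

```python
"""Enumerate IPv4 UDP endpoints with GetExtendedUdpTable(UDP_TABLE_OWNER_PID).

Added example, not the collector's own source. The Windows call runs only on
Windows; decoding the returned MIB_UDPTABLE_OWNER_PID buffer is plain
ctypes/struct work and runs anywhere, which is what the sample below exercises.
"""
import ctypes
import socket
import struct
import sys

AF_INET = 2
UDP_TABLE_OWNER_PID = 1          # UDP_TABLE_CLASS enum value from iphlpapi.h
ERROR_INSUFFICIENT_BUFFER = 122
NO_ERROR = 0


class MIB_UDPROW_OWNER_PID(ctypes.Structure):
    # Row layout from iprtrmib.h. dwLocalAddr and the low 16 bits of
    # dwLocalPort are stored in network byte order.
    _fields_ = [
        ("dwLocalAddr", ctypes.c_uint32),
        ("dwLocalPort", ctypes.c_uint32),
        ("dwOwningPid", ctypes.c_uint32),
    ]


def parse_udp_table(buf: bytes) -> list:
    """Decode a MIB_UDPTABLE_OWNER_PID blob (DWORD dwNumEntries followed by
    dwNumEntries rows) into dicts using the collector's field names."""
    (num_entries,) = struct.unpack_from("<I", buf, 0)
    row_size = ctypes.sizeof(MIB_UDPROW_OWNER_PID)
    rows = []
    for i in range(num_entries):
        row = MIB_UDPROW_OWNER_PID.from_buffer_copy(buf, 4 + i * row_size)
        rows.append({
            # Re-emit the DWORD in native order to recover the 4 network-order bytes.
            "Local": socket.inet_ntoa(struct.pack("=I", row.dwLocalAddr)),
            # Port lives in the low 16 bits in network order, hence ntohs.
            "LocalPort": socket.ntohs(row.dwLocalPort & 0xFFFF),
            "ProcessID": row.dwOwningPid,
        })
    return rows


def get_udp_table_windows() -> list:
    """Query iphlpapi!GetExtendedUdpTable: size probe first, then the data.
    Loops because the table can grow between the two calls."""
    iphlpapi = ctypes.WinDLL("iphlpapi")
    size = ctypes.c_ulong(0)
    buf = None
    while True:
        rc = iphlpapi.GetExtendedUdpTable(buf, ctypes.byref(size), False,
                                          AF_INET, UDP_TABLE_OWNER_PID, 0)
        if rc == NO_ERROR and buf is not None:
            return parse_udp_table(buf.raw[:size.value])
        if rc not in (NO_ERROR, ERROR_INSUFFICIENT_BUFFER):
            raise OSError(rc, "GetExtendedUdpTable failed")
        buf = ctypes.create_string_buffer(size.value)


def build_sample_table() -> bytes:
    """Constructed MIB_UDPTABLE_OWNER_PID bytes (not real collector output),
    laid out exactly as the API returns them on a little-endian Windows host."""
    sample = [("0.0.0.0", 137, 4), ("127.0.0.1", 53, 1234)]
    out = struct.pack("<I", len(sample))
    for ip, port, pid in sample:
        out += (socket.inet_aton(ip)                       # network-order address
                + struct.pack("!H", port) + b"\x00\x00"    # network-order port, padded to a DWORD
                + struct.pack("<I", pid))
    return out


if __name__ == "__main__":
    if sys.platform == "win32":
        rows = get_udp_table_windows()
    else:
        rows = parse_udp_table(build_sample_table())
    for r in rows:
        print(f"{r['Local']:>15}:{r['LocalPort']:<5} pid={r['ProcessID']}")
```

The size-probe loop matters in practice: a first call with a NULL buffer reports ERROR_INSUFFICIENT_BUFFER and the required size, but sockets can be created between that probe and the real call, so a single retry is not guaranteed to be enough.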
Usage
UDP endpoints can reveal services and potential backdoors. Investigators use this data to identify listening UDP services, detect unusual UDP ports, track DNS client activity, correlate UDP usage with processes, and identify potential UDP-based C2 channels.
Known Limitations
Point-in-time snapshot
No connection state (UDP is connectionless)
Doesn't show remote endpoints
Ephemeral ports may change rapidly
Notes
Cross-reference Process IDs with the Processes collector to identify which programs own each UDP endpoint. Look for well-known ports (53, 137, 5353) owned by a process other than the one expected to serve them, high-numbered ports bound by binaries outside system locations, and endpoints whose PID has no matching process in the snapshot.