Active Connections

Evidence: Active Connections
Description: List active TCP/IP connections
Category: Network
Platform: esxi
Short Name: aconns
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Active TCP/IP connections on ESXi hosts reveal network communication between the hypervisor and external systems, including management interfaces, storage networks, and VM traffic. This data is crucial for identifying unauthorized network access and detecting lateral movement.

This collector gathers structured data about active connections.

| Field | Description | Example |
|---|---|---|
| AccessTime | Access Time | 2023-10-15 14:30:25+03:00 |
| AccessCount | Access Count | 123 |
| URL | URL | Example value |
| Browser | Browser | Example value |
| Title | Title | Example value |
| VisitDuration | Visit Duration | Example value |
| Referrer | Referrer | Example value |
| TypedCount | Typed Count | 123 |
| IsHidden | Is Hidden | true |
| TransitionType | Transition Type | Example value |
| VisitID | Visit ID | 123 |
| TransitionQualifiers | Transition Qualifiers | Example value |
| User | User | Example value |
| Profile | Profile | Example value |
| HistoryFilePath | History File Path | Example value |

This collector parses the output of the 'esxcli network ip connection list' command, extracting for each active connection the protocol type, send/receive queue sizes, local and foreign addresses with ports, connection state, world ID, congestion control algorithm, and the associated world name.

Network connection data exposes the hypervisor's active communication channels and can reveal backdoors, C2 connections, unauthorized management access, or suspicious inter-host communication. Correlating connection states, world names, and remote endpoints helps investigators detect malicious network activity and trace attacker movement between hosts.
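As an added example (not the collector's own code), the two steps the last two paragraphs describe in Python: parsing a constructed 'esxcli network ip connection list' listing by slicing each row at the column boundaries of the dashed separator line, then triaging ESTABLISHED sessions whose foreign endpoint lies outside the management ranges supplied. The sample addresses, world IDs, world names and the network ranges are made up for the example.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed sample in the column layout ESXi prints; addresses, world IDs and
# world names are made up for this example, not taken from a real host.
SAMPLE = """\
Proto  Recv Q  Send Q  Local Address        Foreign Address       State        World ID  CC Algo  World Name
-----  ------  ------  -------------------  --------------------  -----------  --------  -------  ---------------
tcp         0       0  192.168.10.5:443     192.168.10.20:51720   ESTABLISHED   2097959  newreno  rhttpproxy-work
tcp         0       0  192.168.10.5:22      203.0.113.77:40122    ESTABLISHED   2098311  newreno  sshd
tcp         0       0  192.168.10.5:443     0.0.0.0:0             LISTEN        2097716  newreno  rhttpproxy-work
udp         0       0  0.0.0.0:161          0.0.0.0:0                                 0
"""

# state and cc_algo are empty strings on UDP rows.
Connection = namedtuple("Connection", "proto recv_q send_q local foreign state "
                                      "world_id cc_algo world_name")

def parse_connections(text):
    """Slice every data row at the column boundaries given by the dashed
    separator line. Splitting on whitespace would break on UDP rows, whose
    empty State/CC Algo cells would shift the World ID into the wrong field."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    sep = next(i for i, ln in enumerate(lines) if ln.lstrip().startswith("-"))
    starts = [i for i, ch in enumerate(lines[sep])
              if ch == "-" and (i == 0 or lines[sep][i - 1] != "-")]
    bounds = list(zip(starts, starts[1:] + [None]))   # last column runs to EOL
    conns = []
    for ln in lines[sep + 1:]:
        cells = [ln[s:e].strip() for s, e in bounds]
        proto, rq, sq, local, foreign, state, wid, cc, name = cells
        conns.append(Connection(proto, int(rq or 0), int(sq or 0), local,
                                foreign, state, int(wid or 0), cc, name))
    return conns

def host_of(endpoint):
    """'203.0.113.77:40122' -> '203.0.113.77' (also strips IPv6 brackets)."""
    return endpoint.rsplit(":", 1)[0].strip("[]")

def external_established(conns, internal_nets):
    """ESTABLISHED sessions whose foreign end lies outside the expected
    management/storage ranges: a triage list for unexpected remote access."""
    nets = [ip_network(n) for n in internal_nets]
    return [c for c in conns if c.state == "ESTABLISHED"
            and not any(ip_address(host_of(c.foreign)) in n for n in nets)]

if __name__ == "__main__":
    for c in external_established(parse_connections(SAMPLE), ["192.168.10.0/24", "127.0.0.0/8"]):
        print(f"{c.proto} {c.local} <- {c.foreign} world {c.world_id} ({c.world_name})")
```

On a real export, feed the raw command output to parse_connections and the host's known management and storage CIDRs to external_established; LISTEN sockets and UDP rows are left out of the triage list on purpose.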