TCP Table
Overview
Evidence: TCP Table
Description: Collect TCP Table
Category: Network
Platform: windows
Short Name: tcpt
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Windows maintains a table of all active TCP connections, including local and remote addresses, ports, connection state, and the process ID that owns each connection.
Active TCP connections can reveal malware C2 communications, lateral movement, data exfiltration, and unauthorized network access in progress.
Data Collected
This collector gathers structured data about the TCP table.
TCP Table Data
| Field | Description | Example |
|---|---|---|
| State | Connection state | 5 (ESTABLISHED) |
| Local | Local IP address | 192.168.1.100 |
| LocalPort | Local port number | 49152 |
| Remote | Remote IP address | 93.184.216.34 |
| RemotePort | Remote port number | 443 |
| ProcessID | Owning process ID | 1234 |
Collection Method
This collector uses the Windows API to enumerate TCP connections:
- GetExtendedTcpTable with the TCP_TABLE_OWNER_PID_ALL flag
  - Includes all TCP connection states
  - Associates connections with process IDs
TCP states include: CLOSED, LISTEN, SYN_SENT, SYN_RECEIVED, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, CLOSE_WAIT, CLOSING, LAST_ACK, TIME_WAIT.
Forensic Value
Active TCP connections can reveal ongoing malicious activity. Investigators use this data to identify active C2 communications, detect data exfiltration in progress, track lateral movement connections, identify unauthorized remote access, correlate network activity with processes, and detect suspicious port usage.
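As an added example (not the collector's own code), the following Python shows what the Collection Method and Forensic Value sections describe: a parser for the MIB_TCPTABLE_OWNER_PID buffer that GetExtendedTcpTable fills when called with TCP_TABLE_OWNER_PID_ALL, a Windows-only ctypes wrapper for the live call, and a triage filter that picks out ESTABLISHED rows with a public remote peer. The sample buffer is constructed from the page's example values; state numbers follow the MIB_TCP_STATE enumeration, with DELETE_TCB (12) being the extra Windows-specific value.

```python
import ctypes
import ipaddress
import struct
# MIB_TCP_STATE numeric values; the page's "5 (ESTABLISHED)" is entry 5.
TCP_STATES = {1: "CLOSED", 2: "LISTEN", 3: "SYN_SENT", 4: "SYN_RECEIVED", 5: "ESTABLISHED",
              6: "FIN_WAIT_1", 7: "FIN_WAIT_2", 8: "CLOSE_WAIT", 9: "CLOSING",
              10: "LAST_ACK", 11: "TIME_WAIT", 12: "DELETE_TCB"}
TCP_TABLE_OWNER_PID_ALL, AF_INET = 5, 2  # TCP_TABLE_CLASS the collector requests; IPv4
ROW = struct.Struct("<I4sI4sII")  # MIB_TCPROW_OWNER_PID: state, laddr, lport, raddr, rport, pid

def _port(dword):
    # Port is stored in network byte order in the low 16 bits; the swap is its own inverse.
    return ((dword & 0xFF) << 8) | ((dword >> 8) & 0xFF)

def parse_tcp_table(buf):
    """Turn a MIB_TCPTABLE_OWNER_PID buffer into rows using the page's field names."""
    (count,) = struct.unpack_from("<I", buf, 0)
    rows = []
    for i in range(count):
        st, la, lp, ra, rp, pid = ROW.unpack_from(buf, 4 + i * ROW.size)
        rows.append({"State": TCP_STATES.get(st, f"UNKNOWN({st})"),
                     "Local": ".".join(map(str, la)), "LocalPort": _port(lp),
                     "Remote": ".".join(map(str, ra)), "RemotePort": _port(rp),
                     "ProcessID": pid})
    return rows

def external_established(rows):
    """Triage helper: ESTABLISHED rows whose peer is a public address (review for C2/exfil)."""
    return [r for r in rows
            if r["State"] == "ESTABLISHED" and ipaddress.ip_address(r["Remote"]).is_global]

def live_tcp_table():
    """Windows only: the two-call GetExtendedTcpTable pattern (size query, then fill)."""
    api = ctypes.windll.iphlpapi
    size = ctypes.c_ulong(0)
    api.GetExtendedTcpTable(None, ctypes.byref(size), False, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0)
    buf = ctypes.create_string_buffer(size.value)
    if api.GetExtendedTcpTable(buf, ctypes.byref(size), False, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0):
        raise OSError("GetExtendedTcpTable failed")
    return parse_tcp_table(buf.raw)

def _row(state, laddr, lport, raddr, rport, pid):
    # Constructed sample row laid out exactly as the API returns it.
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return ROW.pack(state, ip(laddr), _port(lport), ip(raddr), _port(rport), pid)

# Constructed sample table: the page's example connection plus one listening socket.
SAMPLE_TABLE = (struct.pack("<I", 2)
                + _row(5, "192.168.1.100", 49152, "93.184.216.34", 443, 1234)
                + _row(2, "0.0.0.0", 445, "0.0.0.0", 0, 4))
```

On a Windows host, `live_tcp_table()` returns the real table in the same row format, so `external_established()` can be applied directly to it.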