UDP Table
Overview
Evidence: UDP Table
Description: Collect UDP Table
Category: Network
Platform: windows
Short Name: udpt
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Windows maintains a table of all UDP endpoints (listening ports), including the local address, local port, and the process ID that owns each endpoint. Unlike TCP, UDP is connectionless, so there is no connection state or remote address to record; only local endpoints are tracked.
UDP is commonly used for DNS, DHCP, and various application protocols. Malware may also use UDP for C2 communications or data exfiltration.
Data Collected
This collector gathers structured data about the UDP table.
UDP Table Data
| Field | Description | Example |
|---|---|---|
| Local | Local IP address | 0.0.0.0 |
| LocalPort | Local UDP port number | 137 |
| ProcessID | Owning process ID | 4 |
Collection Method
This collector uses the Windows API to enumerate UDP endpoints:
GetExtendedUdpTable with the UDP_TABLE_OWNER_PID flag
- Returns all UDP listening ports
- Associates endpoints with process IDs
Forensic Value
UDP endpoints can reveal services and potential backdoors. Investigators use this data to identify listening UDP services, detect unusual UDP ports, track DNS client activity, correlate UDP usage with processes, and identify potential UDP-based C2 channels.
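The triage an investigator performs on the parsed fields above (Local, LocalPort, ProcessID), as an added Python example that is not part of the collector or its documentation. The sample rows are constructed to match the collector's field names, and the baseline port set and ephemeral-range threshold are analyst assumptions to be tuned per environment. It flags non-baseline ports bound on all interfaces, then correlates ephemeral endpoints with the owning process, which is the per-process view the Forensic Value section describes.

```python
"""Triage of parsed UDP Table rows (Local, LocalPort, ProcessID).

Added example: the input is constructed to match the fields this collector
produces; the baseline and thresholds are analyst assumptions, not values
from the collector.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample in the collector's field names (not real collector output).
SAMPLE_TEXT = """Local,LocalPort,ProcessID
0.0.0.0,137,4
0.0.0.0,138,4
0.0.0.0,123,1400
0.0.0.0,5353,2200
127.0.0.1,53,1234
0.0.0.0,4444,7788
0.0.0.0,49155,7788
127.0.0.1,61000,3100
"""

# Assumed baseline of UDP ports expected on a typical Windows host; tune per environment.
BASELINE_PORTS = {53, 67, 68, 123, 137, 138, 500, 1900, 3702, 4500, 5353, 5355}
# Start of the Windows default dynamic (ephemeral) port range.
EPHEMERAL_START = 49152
# Local addresses meaning "bound on all interfaces".
WILDCARD_ADDRS = {"0.0.0.0", "::"}


def parse_rows(text):
    """Parse CSV text carrying the collector's three fields into typed dicts."""
    rows = []
    for rec in csv.DictReader(StringIO(text)):
        rows.append({
            "Local": rec["Local"].strip(),
            "LocalPort": int(rec["LocalPort"]),
            "ProcessID": int(rec["ProcessID"]),
        })
    return rows


def endpoints_by_pid(rows):
    """Correlate UDP usage with processes: PID -> sorted list of (Local, LocalPort)."""
    table = defaultdict(list)
    for r in rows:
        table[r["ProcessID"]].append((r["Local"], r["LocalPort"]))
    return {pid: sorted(eps) for pid, eps in table.items()}


def triage(rows, baseline=BASELINE_PORTS):
    """Return the endpoints worth a closer look, each with a reason string.

    Rules (analyst heuristics, not collector logic):
      1. A non-baseline, non-ephemeral port bound on all interfaces is flagged:
         that is the shape of an unexpected listening service or backdoor.
      2. An ephemeral port is flagged only when its owning process also holds
         an endpoint flagged by rule 1, so one process that both listens on an
         odd port and opens client sockets is surfaced as a single story.
    """
    findings = []
    flagged_pids = set()
    for r in rows:
        port, local, pid = r["LocalPort"], r["Local"], r["ProcessID"]
        if port not in baseline and port < EPHEMERAL_START and local in WILDCARD_ADDRS:
            findings.append({**r, "reason": "non-baseline port bound on all interfaces"})
            flagged_pids.add(pid)
    for r in rows:
        if r["LocalPort"] >= EPHEMERAL_START and r["ProcessID"] in flagged_pids:
            findings.append({**r, "reason": "ephemeral port owned by a flagged process"})
    return findings


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_TEXT)
    for f in triage(parsed):
        print(f"pid={f['ProcessID']:>6} {f['Local']}:{f['LocalPort']:<5} {f['reason']}")
    for pid, eps in sorted(endpoints_by_pid(parsed).items()):
        print(f"pid={pid:>6} endpoints={eps}")
```

On the constructed sample this reports the all-interfaces port 4444 owned by PID 7788 and then that same process's ephemeral socket on 49155, while the baseline NetBIOS, NTP and mDNS endpoints and the loopback-only ephemeral socket of PID 3100 stay quiet. Ports in the baseline set are deliberately not suppressed by owner, so a rarely seen PID on a familiar port still shows up in the per-process view for manual review.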