June 15, 2025

Essential Commands for Threat Detection

Introduction

Network reconnaissance is a critical skill in cybersecurity, whether you're conducting penetration testing, incident response, or routine security audits. This guide covers essential Windows commands for analyzing network connections, identifying suspicious processes, and detecting potential security threats.

Core Commands for Network Analysis

1. netstat - Network Connection Analysis

The netstat command is your primary tool for examining network connections and listening ports.

Basic Network Enumeration

# List all TCP connections and listening ports
netstat -an

# Show only listening ports
netstat -an | findstr LISTENING

# Display connections with process information
netstat -anob

# Filter for specific states
netstat -an | findstr ESTABLISHED
netstat -an | findstr TIME_WAIT

Advanced Filtering Techniques

# Show connections to specific ports
netstat -an | findstr :443
netstat -an | findstr :80

# Hide loopback (127.0.0.1) entries so that only non-local connections remain
netstat -an | findstr /v 127.0.0.1

2. WMIC - Process and Service Investigation

Windows Management Instrumentation Command-line provides powerful process analysis capabilities.

Process Analysis

# Get detailed process information
wmic process list full

# Find processes by name with full path
wmic process where "name='svchost.exe'" get ProcessId,ExecutablePath,CommandLine

# Get the parent process of a named process (correlate with netstat -ano for its ports)
wmic process where "name='chrome.exe'" get ProcessId,ExecutablePath,ParentProcessId

# Show process creation time and parent process
wmic process get Name,ProcessId,ParentProcessId,CreationDate

Service Enumeration

# List all services with their states
wmic service list brief

# Find services by name
wmic service where "name like '%vpn%'" get Name,State,StartMode,PathName

# Identify auto-start services
wmic service where "startmode='Auto'" get Name,PathName,State

3. Additional Reconnaissance Commands

System Information Gathering

# Network configuration
ipconfig /all
route print
arp -a

# DNS cache inspection
ipconfig /displaydns

# Active network shares
net share
net use

Process and Service Analysis

# Task list with services
tasklist /svc

# Show running processes with modules
tasklist /m

# Process tree view
wmic process get Name,ProcessId,ParentProcessId

# Extended service status including the service's PID (sc qc <service_name> shows dependencies)
sc queryex [service_name]

Threat Detection Methodology

Phase 1: Baseline Establishment

# Create network baseline
netstat -anob > baseline_network.txt

# Document normal processes
wmic process list brief > baseline_processes.txt

# Capture service configuration
wmic service list config > baseline_services.txt

Phase 2: Anomaly Detection

Suspicious Port Identification

# Look for non-standard listening ports (note: findstr matches substrings, so ":80" also hides :8080)
netstat -an | findstr LISTENING | findstr /v ":80 :443 :135 :445 :139"

# Identify processes binding to all interfaces
netstat -anob | findstr "0.0.0.0:"

Process Investigation

# Find processes whose image has no company metadata
# (Win32_Process has no Company property, so read the file version info from PowerShell;
#  processes you are not allowed to open also show an empty Company)
powershell -Command "Get-Process | Where-Object { -not $_.Company } | Select-Object Name,Path,Id"

# List executables outside the Windows directory (verify signatures separately, e.g. with sigcheck or Get-AuthenticodeSignature)
wmic process where "ExecutablePath is not null" get ExecutablePath | findstr /v /i "Windows"

# Identify processes with suspicious paths
wmic process where "ExecutablePath like '%temp%'" get Name,ExecutablePath,ProcessId

Phase 3: Deep Analysis

Network Connection Correlation

# Cross-reference process and network data (at the interactive prompt; in a batch file use %%i)
for /f "tokens=5" %i in ('netstat -ano ^| findstr ESTABLISHED') do @wmic process where "ProcessId=%i" get Name,ExecutablePath

# Monitor connection changes over time (file name built from %date%, whose layout is locale-dependent)
netstat -anob > connections_%date:~6,4%%date:~3,2%%date:~0,2%.txt
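The baseline comparison (Phase 1), the listening-port checks (Phase 2) and the PID-to-process correlation (Phase 3) can be run offline against saved captures. The following script is an added example, not part of the original guide: it parses `netstat -ano` text, diffs a current capture against a baseline, flags binds to all interfaces, non-standard listening ports and repeated external endpoints, and maps ESTABLISHED connections to image names using `tasklist /fo csv /nh` output. The two netstat captures and the tasklist rows are constructed samples; the port list `EXPECTED_LISTEN_PORTS` mirrors the ports the guide excludes above and is an assumption to tune per environment.

```python
"""Network-level triage of captured netstat output (added example, not the guide's own code)."""
import csv
import io
from collections import Counter, namedtuple

Socket = namedtuple("Socket", "proto local_addr local_port foreign state pid")

# Ports the guide treats as expected listeners; everything else is reviewed (assumption: tune per host)
EXPECTED_LISTEN_PORTS = {80, 443, 135, 139, 445}
LOOPBACK_PREFIXES = ("127.", "[::1]")


def parse_netstat(text):
    """Parse `netstat -ano` rows; skips headers and the [image.exe] lines that -b adds."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:      # UDP rows carry no State column
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue
        addr, port = local.rsplit(":", 1)                # works for [::]:135 as well
        sockets.append(Socket(proto, addr, int(port), foreign, state, int(pid)))
    return sockets


def listeners(sockets):
    return [s for s in sockets if s.proto == "TCP" and s.state == "LISTENING"]


def new_listeners(baseline, current):
    """Phase 1/2: listening sockets present now but absent from the baseline capture."""
    known = {(s.local_addr, s.local_port) for s in listeners(baseline)}
    return [s for s in listeners(current) if (s.local_addr, s.local_port) not in known]


def flag_listeners(sockets, expected=EXPECTED_LISTEN_PORTS):
    """Phase 2: non-standard listening ports and binds to all interfaces."""
    findings = []
    for s in listeners(sockets):
        if s.local_addr in ("0.0.0.0", "[::]"):
            findings.append(("ALL_INTERFACES", s))
        if s.local_port not in expected:
            findings.append(("NON_STANDARD_PORT", s))
    return findings


def repeated_endpoints(sockets, threshold=3):
    """External endpoints holding `threshold` or more concurrent ESTABLISHED connections."""
    counts = Counter(s.foreign for s in sockets
                     if s.state == "ESTABLISHED" and not s.foreign.startswith(LOOPBACK_PREFIXES))
    return {ep: n for ep, n in counts.items() if n >= threshold}


def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    pid_to_name = {}
    for row in csv.reader(io.StringIO(text.strip())):
        if len(row) >= 2 and row[1].isdigit():
            pid_to_name[int(row[1])] = row[0]
    return pid_to_name


def correlate(sockets, pid_to_name):
    """Phase 3: attach an image name to every ESTABLISHED connection."""
    return [(s, pid_to_name.get(s.pid, "<unknown>")) for s in sockets if s.state == "ESTABLISHED"]


# --- constructed sample captures (not real hosts) ---
BASELINE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5353         0.0.0.0:0              LISTENING       2212
  UDP    0.0.0.0:123            *:*                                    1308
"""
CURRENT_NETSTAT = BASELINE_NETSTAT + """\
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       5120
  TCP    10.0.0.15:49712        203.0.113.7:443        ESTABLISHED     5120
  TCP    10.0.0.15:49713        203.0.113.7:443        ESTABLISHED     5120
  TCP    10.0.0.15:49714        203.0.113.7:443        ESTABLISHED     5120
  TCP    10.0.0.15:49720        198.51.100.9:443       ESTABLISHED     3302
"""
TASKLIST_CSV = """\
"System","4","Services","0","152 K"
"svchost.exe","948","Services","0","12,344 K"
"powershell.exe","5120","Console","1","61,020 K"
"chrome.exe","3302","Console","1","210,416 K"
"""

if __name__ == "__main__":
    base, cur = parse_netstat(BASELINE_NETSTAT), parse_netstat(CURRENT_NETSTAT)
    for s in new_listeners(base, cur):
        print("NEW LISTENER", s)
    for rule, s in flag_listeners(cur):
        print(rule, s.local_addr, s.local_port, "pid", s.pid)
    print("repeated endpoints:", repeated_endpoints(cur))
    for s, name in correlate(cur, parse_tasklist_csv(TASKLIST_CSV)):
        print(name, s.pid, "->", s.foreign)
```

On a real host, save `netstat -ano > baseline_network.txt` and `tasklist /fo csv /nh > tasks.csv`, then read those files into `parse_netstat` and `parse_tasklist_csv`; the sample flags a new listener on 0.0.0.0:4444 and three connections to the same external endpoint from the same PID, which correlate to powershell.exe.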

Service Analysis

# List running services whose binary lives outside system32 (check their signatures separately)
wmic service where "state='Running'" get Name,PathName | findstr /v /i "system32"

# Identify service paths containing spaces (unquoted paths or extra command-line parameters)
wmic service where "PathName like '% %'" get Name,PathName,StartName

Red Flags and Indicators of Compromise

Network-Level Indicators

  • Unusual outbound connections to foreign IP addresses
  • High-numbered ports listening without clear business justification
  • Multiple connections to the same external endpoint
  • Processes binding to all network interfaces (0.0.0.0)

Process-Level Indicators

  • Executables running from temporary directories
  • Unsigned binaries from unknown publishers
  • Processes with suspicious command-line arguments
  • Services with non-standard installation paths

Common Suspicious Patterns

# Look for processes masquerading as system processes
wmic process where "Name='svchost.exe' and not ExecutablePath like '%system32%'" get ProcessId,ExecutablePath

# Find network connections from script interpreters
# (findstr has no "\|" alternation: space-separated strings are OR'ed; /i ignores case.
#  With -b the image name is on the line after the connection, so correlate via netstat -ano PIDs instead when needed)
netstat -anob | findstr /i "powershell cmd wscript cscript"

# Identify processes with encoded command lines
wmic process where "CommandLine like '%base64%' or CommandLine like '%-enc%'" get Name,CommandLine
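The process-level indicators above (system process names running outside System32, images in temporary directories, encoded command lines) and the parent/child view from the process tree section can be applied to a saved WMIC export. The following script is an added example, not part of the original guide: it parses the CSV produced by `wmic process get Name,ProcessId,ParentProcessId,ExecutablePath,CommandLine /format:csv` and reports each hit with its parent image name. The rows are constructed samples; the set `SYSTEM_NAMES` and the encoded-argument pattern are assumptions for illustration.

```python
"""Process-level triage of captured WMIC output (added example, not the guide's own code)."""
import csv
import io
import re

# Names commonly impersonated; an assumption, extend for your environment
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}
SYSTEM32 = "c:\\windows\\system32\\"
# -e / -ec / -enc / -encodedcommand followed by a base64 blob (PowerShell accepts any unambiguous prefix)
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)[-/]e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}")


def parse_wmic_csv(text):
    """WMIC /format:csv prepends a Node column and a blank first line; strip() drops the latter.
    Real WMIC output is UTF-16: open the file with encoding="utf-16" before passing it here."""
    procs = []
    for row in csv.DictReader(io.StringIO(text.strip())):
        procs.append({
            "pid": int(row["ProcessId"]),
            "ppid": int(row["ParentProcessId"]),
            "name": row["Name"],
            "path": row["ExecutablePath"] or "",      # empty for protected processes
            "cmdline": row["CommandLine"] or "",
        })
    return procs


def audit_processes(procs):
    """Apply the guide's process-level checks; each finding carries the parent image name."""
    names = {p["pid"]: p["name"] for p in procs}
    findings = []
    for p in procs:
        parent = names.get(p["ppid"], "<unknown>")
        lower_path = p["path"].lower()
        hits = []
        if p["name"].lower() in SYSTEM_NAMES and lower_path and not lower_path.startswith(SYSTEM32):
            hits.append("MASQUERADING_SYSTEM_NAME")
        if "\\temp\\" in lower_path:
            hits.append("TEMP_DIRECTORY")
        if ENCODED_ARG.search(p["cmdline"]) or "base64" in p["cmdline"].lower():
            hits.append("ENCODED_COMMAND_LINE")
        for rule in hits:
            findings.append({"rule": rule, "pid": p["pid"], "name": p["name"],
                             "parent": parent, "detail": p["path"] or p["cmdline"]})
    return findings


# Constructed sample in WMIC's CSV layout (columns are emitted alphabetically after Node);
# the base64 blob is a dummy value, not a real encoded command
SAMPLE_WMIC_CSV = r"""
Node,CommandLine,ExecutablePath,Name,ParentProcessId,ProcessId
WS01,C:\Windows\System32\svchost.exe -k netsvcs,C:\Windows\System32\svchost.exe,svchost.exe,712,948
WS01,C:\Users\alice\AppData\Local\Temp\svchost.exe,C:\Users\alice\AppData\Local\Temp\svchost.exe,svchost.exe,4410,5120
WS01,powershell.exe -nop -w hidden -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVlc=,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell.exe,5120,6004
WS01,"C:\Program Files\Google\Chrome\Application\chrome.exe",C:\Program Files\Google\Chrome\Application\chrome.exe,chrome.exe,3100,3302
"""

if __name__ == "__main__":
    for f in audit_processes(parse_wmic_csv(SAMPLE_WMIC_CSV)):
        print(f"{f['rule']:26} pid={f['pid']:<6} {f['name']} (parent: {f['parent']}) {f['detail']}")
```

The sample yields two findings for the svchost.exe copy in a Temp directory and one for the PowerShell child it spawned, whose parent resolves through the tree to that same impersonating process; an ExecutablePath that is empty is skipped by the path checks rather than flagged, since WMIC leaves it blank for processes the caller cannot open.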