• Coding
• Tutorials
• Video
• AUTHOR: codevision AI engine
• YT | The Cyber Mentor

This video continues the series on live endpoint analysis using PowerShell, focusing on threat hunting and network activity correlation. The presenter explores various commands and utilities for interrogating active network connections on a Windows system, including netstat.exe and get-net TCP connection. By correlating network information with process data, investigators can identify suspicious activity and uncover indicators of compromise. The video demonstrates how to use PowerShell to filter and analyze network connections, including filtering by state, local address, and remote address. By combining this information with other data sources, investigators can build a more complete picture of potential threats and take action to mitigate them.

Introduction

The video discusses threat hunting and how to use PowerShell to investigate network connections on a Windows system.

Key Facts

1. Threat hunting aims to close the gap between detection and response efforts by uncovering signs that protection mechanisms have failed.
2. The network is a key area to focus on when hunting for malicious activity, as it provides a universal view of all processes and systems.
3. Network artifacts can be interrogated using various commands and utilities, including netstat.exe and get-net TCP connection.
4. PowerShell can be used to correlate network connections with running processes and identify suspicious activity.
5. The get-net TCP connection commandlet can list out network connections, including local and remote addresses, ports, state, and owning process ID.
6. Filtering can be applied to the output of get-net TCP connection using properties such as local address, local port, remote address, and remote port.
7. PowerShell can also be used to correlate network connections with processes by joining the results of get-net TCP connection with process information.
8. The get-sim instance commandlet can be used to interrogate additional information about processes, including parent process and command line arguments.

Conclusion

The video concludes by emphasizing the importance of correlation in threat hunting and how PowerShell can be used to identify suspicious network connections and processes. It also highlights the need for continuous learning and improvement in threat hunting techniques.