Invoke-BluGenieNetStat

SYNOPSIS

Report and Manage processes that have created a Listening port

SYNTAX

Invoke-BluGenieNetStat [[-FilterType] <String>] [[-Pattern] <String>] [[-Managetype] <String>] [-Algorithm <String>] [-State <String>] [-Signature] [-NotMatch] [-ForeignAddressAsIP] [-Walkthrough] [-ReturnObject] 
[-OutUnEscapedJSON] [<CommonParameters>]

DESCRIPTION

Report and Manage processes that have created a Listening port

EXAMPLES

EXAMPLE 1

Command: Invoke-BluGenieNetStat

Description: Output any (Listening or Established) connection information
Notes: 
The Default Hash Algorithm is (MD5)
- Sample Output -
              "State":  "LISTENING",
              "PID":  "664",
              "Protocol":  "TCP",
              "Local_Address":  "[::]:49701",
              "Foreign_Address":  "[::]:0",
              "Process_Name":  "lsass.exe",
              "Process_StartTime":  null,
              "Process_Path":  "C:\\WINDOWS\\system32\\lsass.exe",
              "Hash":  "3df3b76b19da92a8adc01ff38560282d",
              "CommandLine":  null,
              "Signature_Comment":  "",
              "Signature_FileVersion":  "10.0.17134.376 (WinBuild.160101.0800)",
              "Signature_Description":  "Local Security Authority Process",
              "Signature_Date":  "2:45 AM 10/21/2018",
              "Signature_Company":  "Microsoft Corporation",
              "Signature_Publisher":  "Microsoft Windows Publisher",
              "Signature_Verified":  "Signed"

EXAMPLE 2

Command: Invoke-BluGenieNetStat -State ALL -Algorithm SHA256

Description: Connection information with Hash value of SHA256
Notes:

EXAMPLE 3

Command: Invoke-BluGenieNetStat -FilterType Local_Address -Pattern 3389

Description: Report on all Listening or Established ports that have a port of 3389
Notes: The -Pattern is a (RegEx) query by default.  If you used :3389 for the port 
            you would have to escape the (:) like so '\:3389'

EXAMPLE 4

Command: Invoke-BluGenieNetStat -FilterType Process_Name -Pattern Windows10FirewallService

Description: Connection information with with any ( Process Name ) of ( Windows10FirewallService )
Notes:

EXAMPLE 5

Command: Invoke-BluGenieNetStat -FilterType Process_Name -Pattern Windows10FirewallService -Managetype Stop

Description: Terminate any connection based on the search terms
Notes:

EXAMPLE 6

Command: Invoke-BluGenieNetStat -NotMatch -Pattern '\[\:\:\]\:0|0.0.0.0:0'

Description: Report on all Listening or Established ports that do not have a value for Foreign_Address of '[::]:0' or '0.0.0.0:0'
Notes: 	The -Pattern is a (RegEx) query by default.  If you used '[::]:0' for the Foreign_Address 
             you would have to escape the ascii charactors '\[\:\:\]\:0'.  You can also use the pipe command to do an (OR) in Regex.

EXAMPLE 7

Command: Invoke-BluGenieNetStat -Help

Description: Call Help Information
Notes: If Help / WalkThrough is setup as a parameter, this script will be called to setup the Dynamic Help Menu if not the normal 
Get-Help will be called with the -Full parameter

EXAMPLE 8

Command: Invoke-BluGenieNetStat -WalkThrough

Description: Call Help Information [2]
Notes: If Help / WalkThrough is setup as a parameter, this script will be called to setup the Dynamic Help Menu if not the normal 
Get-Help will be called with the -Full parameter

EXAMPLE 9

Command: Invoke-BluGenieNetStat -OutUnEscapedJSON

Description: Invoke-BluGenieNetStat and Return Output as UnEscaped JSON format
Notes:  The OutUnEscapedJSON is used to beatify the JSON return and not Escape any Characters.  Normal return data is a Hash Table.

EXAMPLE 10

Command: Invoke-BluGenieNetStat -ReturnObject

Description: Invoke-BluGenieNetStat and Return Output an Object
Notes:  The ReturnObject is used to return a PowerShell Object.  Normal return data is a Hash Table.

PARAMETERS

FilterType

-FilterType <String>
   Description: Filter based on Property Type 
   Notes: 
   Filter Types
   •	"CommandLine"
   	Command line used to spawn the Network Connection
       •	"Foreign_Address"
   	The Remote Address for the currect connection with port information
       •	"Hash"
   	The Hash value of the Process ( MACTripleDES / MD5 / RIPEMD160 / SHA1 / SHA256 / SHA384 / SHA512 ) 
       •	"Local_Address"
   	The IP of the Local host with port information
       •	"PID"
   	The current Process ID associated with the Connection
       •	"ProcessName"
   	The Process name associated with the Connection
       •	"Path"
   	The path of the Process associated with the Connection
       •	"Protocol"
   	What Protocal is used for the currect Connection
   •	"Caption"
   	The Caption property of the associated process
   •	"Description"
   	The Description property of the associated process
   •	"Name"
   	The Name of the associated process
   •	"ProcessId"
   	The current Process ID associated with the Connection
   •	"SessionId"
   	The current Session associated with the Connection
       •	"Signature_Comment"
   	Display error message while pulling Signature Information [Note: This is only available if you use the -Signature switch]
       •	"Signature_FileVersion"
   	File Version and OS Build information in part of the OS [Note:  This is only available if you use the -Signature switch]
       •	"Signature_Description"
   	The description of the files signature [Note:  This is only available if you use the -Signature switch]
       •	"Signature_Date"
   	Date when the file was signed [Note:  This is only available if you use the -Signature switch]
       •	"Signature_Company"
   	The company signing the file [Note:  This is only available if you use the -Signature switch]
       •	"Signature_Publisher"
   	The Publisher signing the file [Note:  This is only available if you use the -Signature switch]
       •	"Signature_Verified"
   	Verification ( Signed / UnSigned / Null ) [Note:  This is only available if you use the -Signature switch]
   Alias:
   ValidateSet: 'CommandLine','Foreign_Address','Hash','Local_Address','PID','ProcessName','Path','Caption','Description','Name','ProcessId','SessionId','Proto','Signature_Comment','Signature_FileVersion','Signat
   ure_Description','Signature_Date','Signature_Company','Signature_Publisher','Signature_Verified'
   
   Required?                    false
   Position?                    1
   Default value                Foreign_Address
   Accept pipeline input?       false
   Accept wildcard characters?  false

Pattern

-Pattern <String>
   Description: Search Pattern using RegEx
   Notes:  
   Alias:
   ValidateSet: 'Item1','Item2','Item3'
   
   Required?                    false
   Position?                    2
   Default value                .*
   Accept pipeline input?       false
   Accept wildcard characters?  false

Managetype

-Managetype <String>
   Description: Manage the behavior of the process (Suspend, Resume, Stop) 
   Notes:  
   Alias:
   ValidateSet: Suspend,Resume,Stop
   
   Required?                    false
   Position?                    3
   Default value                
   Accept pipeline input?       false
   Accept wildcard characters?  false

Algorithm

-Algorithm <String>
   Description:  Specifies the cryptographic hash to use for computing the hash value of the contents of the specified file. 
   Notes:  The acceptable values for this parameter are:
   
               - SHA1
               - SHA256
               - SHA384
               - SHA512
               - MACTripleDES
               - MD5 = (Default)
               - RIPEMD160
   Alias: 
   ValidateSet: 'MACTripleDES','MD5','RIPEMD160','SHA1','SHA256','SHA384','SHA512'
   
   Required?                    false
   Position?                    named
   Default value                MD5
   Accept pipeline input?       false
   Accept wildcard characters?  false

State

-State <String>
   Description: What state is the Connection in ( LISTENING / CLOSE_WAIT / TIME_WAIT / ESTABLISHED )
   Notes:  
   Alias:
   ValidateSet: LISTENING,ESTABLISHED,LISTENING & ESTABLISHED,WAIT,ALL
   
   Required?                    false
   Position?                    named
   Default value                LISTENING|ESTABLISHED
   Accept pipeline input?       false
   Accept wildcard characters?  false

Signature

-Signature [<SwitchParameter>]
   Description: Query Signature information 
   Notes:  
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

NotMatch

-NotMatch [<SwitchParameter>]
   Description: Not Matching or Exclude pattern queries 
   Notes:  
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

ForeignAddressAsIP

-ForeignAddressAsIP [<SwitchParameter>]
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

Walkthrough

-Walkthrough [<SwitchParameter>]
   Description:  Start the dynamic help menu system to help walk through the current command and all of the parameters
   Notes: Default Value = '.*'
   Alias: Help
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

ReturnObject

-ReturnObject [<SwitchParameter>]
   Description: Return information as an Object
   Notes: By default the data is returned as a Hash Table
   Alias: 
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

OutUnEscapedJSON

-OutUnEscapedJSON [<SwitchParameter>]
   Description: Remove UnEsacped Char from the JSON information.
   Notes: This will beautify json and clean up the formatting.
   Alias: 
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

CommonParameters

PreviousInvoke-BluGenieLoadAllProfileHives NextInvoke-BluGenieParallel

Last updated 3 years ago

Invoke-BluGenieNetStat [[-FilterType] <String>] [[-Pattern] <String>] [[-Managetype] <String>] [-Algorithm <String>] [-State <String>] [-Signature] [-NotMatch] [-ForeignAddressAsIP] [-Walkthrough] [-ReturnObject] [-OutUnEscapedJSON] [<CommonParameters>]

Description: Output any (Listening or Established) connection information Notes: The Default Hash Algorithm is (MD5) - Sample Output - "State": "LISTENING", "PID": "664", "Protocol": "TCP", "Local_Address": "[::]:49701", "Foreign_Address": "[::]:0", "Process_Name": "lsass.exe", "Process_StartTime": null, "Process_Path": "C:\\WINDOWS\\system32\\lsass.exe", "Hash": "3df3b76b19da92a8adc01ff38560282d", "CommandLine": null, "Signature_Comment": "", "Signature_FileVersion": "10.0.17134.376 (WinBuild.160101.0800)", "Signature_Description": "Local Security Authority Process", "Signature_Date": "2:45 AM 10/21/2018", "Signature_Company": "Microsoft Corporation", "Signature_Publisher": "Microsoft Windows Publisher", "Signature_Verified": "Signed"

Description: Report on all Listening or Established ports that have a port of 3389 Notes: The -Pattern is a (RegEx) query by default. If you used :3389 for the port you would have to escape the (:) like so '\:3389'

Description: Report on all Listening or Established ports that do not have a value for Foreign_Address of '[::]:0' or '0.0.0.0:0' Notes: The -Pattern is a (RegEx) query by default. If you used '[::]:0' for the Foreign_Address you would have to escape the ascii charactors '\[\:\:\]\:0'. You can also use the pipe command to do an (OR) in Regex.

Description: Call Help Information Notes: If Help / WalkThrough is setup as a parameter, this script will be called to setup the Dynamic Help Menu if not the normal Get-Help will be called with the -Full parameter

Description: Call Help Information [2] Notes: If Help / WalkThrough is setup as a parameter, this script will be called to setup the Dynamic Help Menu if not the normal Get-Help will be called with the -Full parameter

Description: Invoke-BluGenieNetStat and Return Output as UnEscaped JSON format Notes: The OutUnEscapedJSON is used to beatify the JSON return and not Escape any Characters. Normal return data is a Hash Table.

-FilterType <String> Description: Filter based on Property Type Notes: Filter Types • "CommandLine"  Command line used to spawn the Network Connection • "Foreign_Address"  The Remote Address for the currect connection with port information • "Hash"  The Hash value of the Process ( MACTripleDES / MD5 / RIPEMD160 / SHA1 / SHA256 / SHA384 / SHA512 ) • "Local_Address"  The IP of the Local host with port information • "PID"  The current Process ID associated with the Connection • "ProcessName"  The Process name associated with the Connection • "Path"  The path of the Process associated with the Connection • "Protocol"  What Protocal is used for the currect Connection • "Caption"  The Caption property of the associated process • "Description"  The Description property of the associated process • "Name"  The Name of the associated process • "ProcessId"  The current Process ID associated with the Connection • "SessionId"  The current Session associated with the Connection • "Signature_Comment"  Display error message while pulling Signature Information [Note: This is only available if you use the -Signature switch] • "Signature_FileVersion"  File Version and OS Build information in part of the OS [Note: This is only available if you use the -Signature switch] • "Signature_Description"  The description of the files signature [Note: This is only available if you use the -Signature switch] • "Signature_Date"  Date when the file was signed [Note: This is only available if you use the -Signature switch] • "Signature_Company"  The company signing the file [Note: This is only available if you use the -Signature switch] • "Signature_Publisher"  The Publisher signing the file [Note: This is only available if you use the -Signature switch] • "Signature_Verified"  Verification ( Signed / UnSigned / Null ) [Note: This is only available if you use the -Signature switch] Alias: ValidateSet: 'CommandLine','Foreign_Address','Hash','Local_Address','PID','ProcessName','Path','Caption','Description','Name','ProcessId','SessionId','Proto','Signature_Comment','Signature_FileVersion','Signat ure_Description','Signature_Date','Signature_Company','Signature_Publisher','Signature_Verified' Required? false Position? 1 Default value Foreign_Address Accept pipeline input? false Accept wildcard characters? false

-Pattern <String> Description: Search Pattern using RegEx Notes: Alias: ValidateSet: 'Item1','Item2','Item3' Required? false Position? 2 Default value .* Accept pipeline input? false Accept wildcard characters? false

-Managetype <String> Description: Manage the behavior of the process (Suspend, Resume, Stop) Notes: Alias: ValidateSet: Suspend,Resume,Stop Required? false Position? 3 Default value Accept pipeline input? false Accept wildcard characters? false

-Algorithm <String> Description: Specifies the cryptographic hash to use for computing the hash value of the contents of the specified file. Notes: The acceptable values for this parameter are: - SHA1 - SHA256 - SHA384 - SHA512 - MACTripleDES - MD5 = (Default) - RIPEMD160 Alias: ValidateSet: 'MACTripleDES','MD5','RIPEMD160','SHA1','SHA256','SHA384','SHA512' Required? false Position? named Default value MD5 Accept pipeline input? false Accept wildcard characters? false

-State <String> Description: What state is the Connection in ( LISTENING / CLOSE_WAIT / TIME_WAIT / ESTABLISHED ) Notes: Alias: ValidateSet: LISTENING,ESTABLISHED,LISTENING & ESTABLISHED,WAIT,ALL Required? false Position? named Default value LISTENING|ESTABLISHED Accept pipeline input? false Accept wildcard characters? false

-Signature [<SwitchParameter>] Description: Query Signature information Notes: Alias: ValidateSet: Required? false Position? named Default value False Accept pipeline input? false Accept wildcard characters? false

-NotMatch [<SwitchParameter>] Description: Not Matching or Exclude pattern queries Notes: Alias: ValidateSet: Required? false Position? named Default value False Accept pipeline input? false Accept wildcard characters? false

-ForeignAddressAsIP [<SwitchParameter>] Required? false Position? named Default value False Accept pipeline input? false Accept wildcard characters? false

-Walkthrough [<SwitchParameter>] Description: Start the dynamic help menu system to help walk through the current command and all of the parameters Notes: Default Value = '.*' Alias: Help ValidateSet: Required? false Position? named Default value False Accept pipeline input? false Accept wildcard characters? false

-ReturnObject [<SwitchParameter>] Description: Return information as an Object Notes: By default the data is returned as a Hash Table Alias: ValidateSet: Required? false Position? named Default value False Accept pipeline input? false Accept wildcard characters? false

-OutUnEscapedJSON [<SwitchParameter>] Description: Remove UnEsacped Char from the JSON information. Notes: This will beautify json and clean up the formatting. Alias: ValidateSet: Required? false Position? named Default value False Accept pipeline input? false Accept wildcard characters? false