# Invoke-BluGenieNetStat ### Invoke-BluGenieNetStat ### SYNOPSIS Report and Manage processes that have created a Listening port ### SYNTAX ``` Invoke-BluGenieNetStat [[-FilterType] ] [[-Pattern] ] [[-Managetype] ] [-Algorithm ] [-State ] [-Signature] [-NotMatch] [-ForeignAddressAsIP] [-Walkthrough] [-ReturnObject] [-OutUnEscapedJSON] [] ``` ### DESCRIPTION Report and Manage processes that have created a Listening port ### EXAMPLES #### EXAMPLE 1 ``` Command: Invoke-BluGenieNetStat ``` ``` Description: Output any (Listening or Established) connection information Notes: The Default Hash Algorithm is (MD5) - Sample Output - "State": "LISTENING", "PID": "664", "Protocol": "TCP", "Local_Address": "[::]:49701", "Foreign_Address": "[::]:0", "Process_Name": "lsass.exe", "Process_StartTime": null, "Process_Path": "C:\\WINDOWS\\system32\\lsass.exe", "Hash": "3df3b76b19da92a8adc01ff38560282d", "CommandLine": null, "Signature_Comment": "", "Signature_FileVersion": "10.0.17134.376 (WinBuild.160101.0800)", "Signature_Description": "Local Security Authority Process", "Signature_Date": "2:45 AM 10/21/2018", "Signature_Company": "Microsoft Corporation", "Signature_Publisher": "Microsoft Windows Publisher", "Signature_Verified": "Signed" ``` #### EXAMPLE 2 ``` Command: Invoke-BluGenieNetStat -State ALL -Algorithm SHA256 ``` ``` Description: Connection information with Hash value of SHA256 Notes: ``` #### EXAMPLE 3 ``` Command: Invoke-BluGenieNetStat -FilterType Local_Address -Pattern 3389 ``` ``` Description: Report on all Listening or Established ports that have a port of 3389 Notes: The -Pattern is a (RegEx) query by default. If you used :3389 for the port you would have to escape the (:) like so '\:3389' ``` #### EXAMPLE 4 ``` Command: Invoke-BluGenieNetStat -FilterType Process_Name -Pattern Windows10FirewallService ``` ``` Description: Connection information with with any ( Process Name ) of ( Windows10FirewallService ) Notes: ``` #### EXAMPLE 5 ``` Command: Invoke-BluGenieNetStat -FilterType Process_Name -Pattern Windows10FirewallService -Managetype Stop ``` ``` Description: Terminate any connection based on the search terms Notes: ``` #### EXAMPLE 6 ``` Command: Invoke-BluGenieNetStat -NotMatch -Pattern '\[\:\:\]\:0|0.0.0.0:0' ``` ``` Description: Report on all Listening or Established ports that do not have a value for Foreign_Address of '[::]:0' or '0.0.0.0:0' Notes: The -Pattern is a (RegEx) query by default. If you used '[::]:0' for the Foreign_Address you would have to escape the ascii charactors '\[\:\:\]\:0'. You can also use the pipe command to do an (OR) in Regex. ``` #### EXAMPLE 7 ``` Command: Invoke-BluGenieNetStat -Help ``` ``` Description: Call Help Information Notes: If Help / WalkThrough is setup as a parameter, this script will be called to setup the Dynamic Help Menu if not the normal Get-Help will be called with the -Full parameter ``` #### EXAMPLE 8 ``` Command: Invoke-BluGenieNetStat -WalkThrough ``` ``` Description: Call Help Information [2] Notes: If Help / WalkThrough is setup as a parameter, this script will be called to setup the Dynamic Help Menu if not the normal Get-Help will be called with the -Full parameter ``` #### EXAMPLE 9 ``` Command: Invoke-BluGenieNetStat -OutUnEscapedJSON ``` ``` Description: Invoke-BluGenieNetStat and Return Output as UnEscaped JSON format Notes: The OutUnEscapedJSON is used to beatify the JSON return and not Escape any Characters. Normal return data is a Hash Table. ``` #### EXAMPLE 10 ``` Command: Invoke-BluGenieNetStat -ReturnObject ``` ``` Description: Invoke-BluGenieNetStat and Return Output an Object Notes: The ReturnObject is used to return a PowerShell Object. Normal return data is a Hash Table. ``` ### PARAMETERS #### FilterType ``` -FilterType Description: Filter based on Property Type Notes: Filter Types • "CommandLine"  Command line used to spawn the Network Connection • "Foreign_Address"  The Remote Address for the currect connection with port information • "Hash"  The Hash value of the Process ( MACTripleDES / MD5 / RIPEMD160 / SHA1 / SHA256 / SHA384 / SHA512 ) • "Local_Address"  The IP of the Local host with port information • "PID"  The current Process ID associated with the Connection • "ProcessName"  The Process name associated with the Connection • "Path"  The path of the Process associated with the Connection • "Protocol"  What Protocal is used for the currect Connection • "Caption"  The Caption property of the associated process • "Description"  The Description property of the associated process • "Name"  The Name of the associated process • "ProcessId"  The current Process ID associated with the Connection • "SessionId"  The current Session associated with the Connection • "Signature_Comment"  Display error message while pulling Signature Information [Note: This is only available if you use the -Signature switch] • "Signature_FileVersion"  File Version and OS Build information in part of the OS [Note: This is only available if you use the -Signature switch] • "Signature_Description"  The description of the files signature [Note: This is only available if you use the -Signature switch] • "Signature_Date"  Date when the file was signed [Note: This is only available if you use the -Signature switch] • "Signature_Company"  The company signing the file [Note: This is only available if you use the -Signature switch] • "Signature_Publisher"  The Publisher signing the file [Note: This is only available if you use the -Signature switch] • "Signature_Verified"  Verification ( Signed / UnSigned / Null ) [Note: This is only available if you use the -Signature switch] Alias: ValidateSet: 'CommandLine','Foreign_Address','Hash','Local_Address','PID','ProcessName','Path','Caption','Description','Name','ProcessId','SessionId','Proto','Signature_Comment','Signature_FileVersion','Signat ure_Description','Signature_Date','Signature_Company','Signature_Publisher','Signature_Verified' Required? false Position? 1 Default value Foreign_Address Accept pipeline input? false Accept wildcard characters? false ``` #### Pattern ``` -Pattern Description: Search Pattern using RegEx Notes: Alias: ValidateSet: 'Item1','Item2','Item3' Required? false Position? 2 Default value .* Accept pipeline input? false Accept wildcard characters? false ``` #### Managetype ``` -Managetype Description: Manage the behavior of the process (Suspend, Resume, Stop) Notes: Alias: ValidateSet: Suspend,Resume,Stop Required? false Position? 3 Default value Accept pipeline input? false Accept wildcard characters? false ``` #### Algorithm ``` -Algorithm Description: Specifies the cryptographic hash to use for computing the hash value of the contents of the specified file. Notes: The acceptable values for this parameter are: - SHA1 - SHA256 - SHA384 - SHA512 - MACTripleDES - MD5 = (Default) - RIPEMD160 Alias: ValidateSet: 'MACTripleDES','MD5','RIPEMD160','SHA1','SHA256','SHA384','SHA512' Required? false Position? named Default value MD5 Accept pipeline input? false Accept wildcard characters? false ``` #### State ``` -State Description: What state is the Connection in ( LISTENING / CLOSE_WAIT / TIME_WAIT / ESTABLISHED ) Notes: Alias: ValidateSet: LISTENING,ESTABLISHED,LISTENING & ESTABLISHED,WAIT,ALL Required? false Position? named Default value LISTENING|ESTABLISHED Accept pipeline input? false Accept wildcard characters? false ``` #### Signature ``` -Signature [] Description: Query Signature information Notes: Alias: ValidateSet: Required? false Position? named Default value False Accept pipeline input? false Accept wildcard characters? false ``` #### NotMatch ``` -NotMatch [] Description: Not Matching or Exclude pattern queries Notes: Alias: ValidateSet: Required? false Position? named Default value False Accept pipeline input? false Accept wildcard characters? false ``` #### ForeignAddressAsIP ``` -ForeignAddressAsIP [] Required? false Position? named Default value False Accept pipeline input? false Accept wildcard characters? false ``` #### Walkthrough ``` -Walkthrough [] Description: Start the dynamic help menu system to help walk through the current command and all of the parameters Notes: Default Value = '.*' Alias: Help ValidateSet: Required? false Position? named Default value False Accept pipeline input? false Accept wildcard characters? false ``` #### ReturnObject ``` -ReturnObject [] Description: Return information as an Object Notes: By default the data is returned as a Hash Table Alias: ValidateSet: Required? false Position? named Default value False Accept pipeline input? false Accept wildcard characters? false ``` #### OutUnEscapedJSON ``` -OutUnEscapedJSON [] Description: Remove UnEsacped Char from the JSON information. Notes: This will beautify json and clean up the formatting. Alias: ValidateSet: Required? false Position? named Default value False Accept pipeline input? false Accept wildcard characters? false ``` #### CommonParameters This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about\_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://manuals.blusapphire.io/blugenie/full-function-list/invoke-blugenienetstat.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.