
Windows Server Port and Process Monitoring Guide

This guide demonstrates how to identify open ports, the processes using them, which users own these processes, and how they were invoked on a Windows server.

Checking Open Ports

Using netstat Command

```powershell
# Show all TCP and UDP endpoints (listening and connected) with the owning PID
netstat -ano

# Show only listening TCP ports
netstat -ano | findstr LISTENING

# Filter for a specific port
netstat -ano | findstr :80
```

Using PowerShell

```powershell
# Get all TCP connections
Get-NetTCPConnection

# Get only listening connections
Get-NetTCPConnection -State Listen

# Filter for a specific port
Get-NetTCPConnection -LocalPort 80
```

Using TCPView (Sysinternals)

TCPView is a graphical tool from Sysinternals that provides real-time monitoring:

  1. Download from Microsoft Sysinternals website
  2. Run the application to see all active connections
  3. Right-click on connections for additional options

Mapping Ports to Processes

Find Process Details for a Specific Port

```powershell
# Using netstat to find the process ID (last column)
netstat -ano | findstr :80

# Using PowerShell to look up the process by PID
Get-Process -Id <PID>

# One-liner to get the process from a port
$port = 80; Get-Process -Id (Get-NetTCPConnection -LocalPort $port).OwningProcess
```

Identifying Process Owners and Command Lines

Using Task Manager

  1. Press Ctrl+Shift+Esc to open Task Manager
  2. Go to Details tab
  3. Right-click on column headers and add "User name" and "Command line" columns

Using PowerShell

```powershell
# Get information about a process by PID
Get-Process -Id <PID> | Format-List *

# Get process owner (UserName is only populated with -IncludeUserName, which needs an elevated prompt)
Get-Process -Id <PID> -IncludeUserName | Select-Object -ExpandProperty UserName

# Get command line information
Get-CimInstance Win32_Process -Filter "ProcessId = <PID>" | Select-Object CommandLine

# SAMPLE - Get process, owner, and command line in one object
Get-CimInstance Win32_Process -Filter "ProcessId = <PID>" | Select-Object ProcessId, Name, @{Name='Owner'; Expression={(Get-Process -Id $_.ProcessId -IncludeUserName).UserName}}, CommandLine
```

Using tasklist Command

```powershell
# List all processes with user information
tasklist /v

# Get specific process info
tasklist /fi "PID eq <PID>" /v

# Get process modules
tasklist /m /fi "PID eq <PID>"
```

Using wmic Command

wmic is deprecated on current Windows releases; prefer the Get-CimInstance equivalents above where it is unavailable.

```powershell
# Get command line of a process
wmic process where ProcessId=<PID> get CommandLine

# Get owner of a process
wmic process where ProcessId=<PID> get ProcessId,Name,UserName
```

Determining How Processes Were Started

Check Windows Services

```powershell
# Using PowerShell to check service status
Get-Service | Where-Object {$_.Status -eq "Running"}

# Check specific service
Get-Service -Name <ServiceName> | Format-List *

# Using SC command
sc qc <ServiceName>
```

Using Process Explorer (Sysinternals)

  1. Download Process Explorer from Microsoft Sysinternals website
  2. Run the application
  3. Find the process of interest
  4. Right-click and select Properties to see detailed information
  5. Check the "Parent" process to determine how it was started

Checking User Sessions and Activities

```powershell
# List logged in users
query user

# Get more detailed user session information
Get-CimInstance Win32_LogonSession | Format-List

# Check login history (Get-EventLog exists in Windows PowerShell 5.1; on PowerShell 7 use Get-WinEvent)
Get-EventLog -LogName Security -InstanceId 4624 -Newest 10
```
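The default message view of event 4624 buries the fields that matter when tying a session to a process (who logged on, how, from where, and via which process). The following is an added example, not part of the original guide, that parses the event XML and exposes those fields; it assumes an elevated prompt, since the Security log is not readable otherwise, and the function name `Get-RecentLogon` is the author's own choice here.

```powershell
# Added example (not from the original guide): summarise recent Security 4624 logon events.
# Assumes an elevated prompt; Get-WinEvent works on both Windows PowerShell 5.1 and PowerShell 7.
function Get-RecentLogon {
    param([int]$Newest = 20)

    # Human-readable names for the LogonType field of event 4624
    $typeName = @{
        2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
        8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
    }

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $Newest |
        ForEach-Object {
            # EventData is a list of <Data Name="...">value</Data> nodes; flatten it into a hashtable
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

            [PSCustomObject]@{
                Time       = $_.TimeCreated
                User       = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonType  = $typeName[[int]$d.LogonType]
                # The event reports the logon ID in hex (0x...); Win32_LogonSession.LogonId is decimal
                LogonIdHex = $d.TargetLogonId
                LogonIdDec = [Convert]::ToUInt64($d.TargetLogonId, 16)
                Source     = $d.IpAddress
                Process    = $d.ProcessName
            }
        }
}

# Usage: most recent 10 logons, then match a session to Win32_LogonSession by its decimal ID
Get-RecentLogon -Newest 10 | Format-Table Time, User, LogonType, Source, Process -AutoSize
```

The `LogonIdDec` value is what `Get-CimInstance Win32_LogonSession` reports as `LogonId`, so it can be used to join a logon event to the session a process runs under.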

Comprehensive System Overview

```powershell
# PowerShell one-liner to show listening ports and their processes
Get-NetTCPConnection -State Listen | Select-Object LocalPort, @{Name="Process";Expression={(Get-Process -Id $_.OwningProcess).Name}}, @{Name="PID";Expression={$_.OwningProcess}} | Sort-Object LocalPort
```
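The one-liner answers "which process", but the earlier sections also ask who owns the process, how it was invoked, what its parent is, and whether it is hosted by a service. The following added example (not from the original guide) joins all of that into one table in a single pass: it reads `Win32_Process` and `Win32_Service` once, so it does not query CIM per socket, and uses the `Win32_Service.ProcessId` property to tie a PID to the service(s) it hosts, which is more reliable than matching service names against process names. The function name `Get-ListeningPortInventory` is an assumption of this example; it needs an elevated prompt to see other users' processes.

```powershell
# Added example (not from the original guide): inventory of listening TCP ports joined to
# process, owner, command line, parent process and hosting service(s).
# Assumes an elevated prompt on Windows PowerShell 5.1 or PowerShell 7.
function Get-ListeningPortInventory {
    [CmdletBinding()]
    param(
        # Optional port filter, e.g. -LocalPort 80,443
        [int[]]$LocalPort
    )

    $listeners = Get-NetTCPConnection -State Listen
    if ($LocalPort) { $listeners = $listeners | Where-Object { $LocalPort -contains $_.LocalPort } }

    # Cache all processes by PID so parent lookups are a hashtable hit
    $procs = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

    # Map PID -> service names; shared svchost PIDs host several services, stopped services report 0
    $svcByPid = @{}
    Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
        $key = [int]$_.ProcessId
        if (-not $svcByPid.ContainsKey($key)) { $svcByPid[$key] = @() }
        $svcByPid[$key] += $_.Name
    }

    foreach ($c in $listeners) {
        $p = $procs[[int]$c.OwningProcess]

        # Owner via the Win32_Process GetOwner() method; fails for protected/system processes
        $owner = $null
        if ($p) {
            $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
            if ($o -and $o.ReturnValue -eq 0) { $owner = "$($o.Domain)\$($o.User)" }
        }
        $parent = if ($p) { $procs[[int]$p.ParentProcessId] } else { $null }

        [PSCustomObject]@{
            LocalAddress = $c.LocalAddress
            LocalPort    = $c.LocalPort
            PID          = $c.OwningProcess
            Process      = if ($p) { $p.Name } else { '<exited>' }   # socket outlived its process
            Owner        = $owner
            Path         = if ($p) { $p.ExecutablePath } else { $null }
            CommandLine  = if ($p) { $p.CommandLine } else { $null }
            ParentPID    = if ($p) { $p.ParentProcessId } else { $null }
            Parent       = if ($parent) { $parent.Name } else { $null }
            Services     = ($svcByPid[[int]$c.OwningProcess] -join ',')
        }
    }
}

# Usage: whole host sorted by port, or the full record for one port
Get-ListeningPortInventory | Sort-Object LocalPort |
    Format-Table LocalPort, PID, Process, Owner, Parent, Services -AutoSize
Get-ListeningPortInventory -LocalPort 80 | Format-List
```

A listener whose `Parent` is not `services.exe` while `Services` is empty, or whose `Path` sits outside `C:\Windows` or `C:\Program Files`, is the kind of row worth following up with the investigation steps in the Practical Examples below.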

Practical Examples

Example 1: Identifying a Web Server Process

```powershell
# Find what's using port 80 (a dual-stack listener appears twice, once per address family, hence -Unique)
$port = 80
$process = Get-Process -Id ((Get-NetTCPConnection -LocalPort $port -ErrorAction SilentlyContinue).OwningProcess | Select-Object -Unique)
$process | Format-List Id, Name, Path

# Check if it's a service
Get-Service | Where-Object {$_.Name -eq $process.Name -or $_.DisplayName -like "*$($process.Name)*"}
```

Example 2: Investigating Unknown Ports

```powershell
# Discover unusual listening ports
Get-NetTCPConnection -State Listen | Where-Object {$_.LocalPort -gt 10000}

# Investigate a specific process
# ($pid is a read-only automatic variable holding the current shell's PID, so use a different name)
$procId = (Get-NetTCPConnection -LocalPort 12345 -ErrorAction SilentlyContinue).OwningProcess
Get-Process -Id $procId | Format-List *
Get-CimInstance Win32_Process -Filter "ProcessId = $procId" | Select-Object CommandLine

# Check file details
Get-Item (Get-Process -Id $procId).Path | Format-List *

# Check connections being made
Get-NetTCPConnection | Where-Object {$_.OwningProcess -eq $procId} | Format-Table LocalAddress, LocalPort, RemoteAddress, RemotePort, State
```
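When the port is unknown, the file details worth recording before deciding whether the listener is expected are the binary's Authenticode status and signer, its hash, its timestamps, and the remote endpoints it is talking to. The following added example (not from the original guide) collects these into one report for a PID; the function name `Get-ProcessBinaryReport` and the port 12345 are placeholders of this example, and it assumes an elevated prompt.

```powershell
# Added example (not from the original guide): vet the binary behind a PID.
# Assumes an elevated prompt; port 12345 is a placeholder for the listener under investigation.
function Get-ProcessBinaryReport {
    param([Parameter(Mandatory)][int]$Id)

    $p = Get-CimInstance Win32_Process -Filter "ProcessId = $Id"
    if (-not $p) { throw "No process with PID $Id" }

    # ExecutablePath is null for protected or already-exited processes; guard every file operation
    $path = $p.ExecutablePath
    $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    $file = if ($path) { Get-Item -LiteralPath $path -ErrorAction SilentlyContinue } else { $null }

    [PSCustomObject]@{
        PID         = $Id
        Name        = $p.Name
        Path        = $path
        CommandLine = $p.CommandLine
        ParentPID   = $p.ParentProcessId
        Started     = $p.CreationDate
        # Valid / NotSigned / HashMismatch / UnknownError tell very different stories
        Signature   = if ($sig) { $sig.Status } else { 'Unknown' }
        Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256      = if ($file) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
        FileCreated = if ($file) { $file.CreationTime } else { $null }
        FileWritten = if ($file) { $file.LastWriteTime } else { $null }
        # Established outbound peers of the same process, as host:port
        Remote      = (Get-NetTCPConnection -OwningProcess $Id -ErrorAction SilentlyContinue |
                        Where-Object { $_.State -eq 'Established' } |
                        ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }) -join ' '
    }
}

# Usage: resolve the PID behind the port, then report on it
$procId = (Get-NetTCPConnection -LocalPort 12345 -ErrorAction SilentlyContinue | Select-Object -First 1).OwningProcess
if ($procId) { Get-ProcessBinaryReport -Id $procId | Format-List }
```

The `SHA256` value is what to compare against a known-good inventory or a threat-intelligence lookup; a `Signature` of `NotSigned` or `HashMismatch` on a binary whose `FileCreated` time is recent is the combination that most often justifies escalation.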

Remember to run these commands with appropriate permissions. Most of these commands require administrator privileges to see all the information.