1. Enumerating Active TCP Connections

• Command

  Get-NetTCPConnection -State Established -RemoteAddress 10.0.2.6
  

• Explanation : Lists all established TCP connections to the IP address 10.0.2.6, showing local and remote IP addresses, ports, connection states, and the owning process IDs.

2. Retrieving Process Details

• Command

  Get-Process -Id 4908
  

• Explanation : Retrieves details of the process with ID 4908, such as resource usage and the process name.

3. Getting Process Information with Path

• Command

  Get-Process -Id 4908 | Select-Object -Property Name, Id, Path, Description | Format-List
  

• Explanation : Provides a detailed list of the process information for process ID 4908, including the name, path, and description.

4. Querying Process Information with CIM Instance

• Command

  Get-CimInstance Win32_Process -Filter "ProcessId = 4908" | Select-Object Name, ProcessId, CommandLine, ParentProcessId
  

• Explanation : Retrieves detailed process information using Get-CimInstance, focusing on the command line and parent process for process ID 4908.

5. Filtering Suspicious Network Activity

• Command

  Get-NetTCPConnection -State 'Established' | Where-Object {$_.RemotePort -eq 4444}
  

• Explanation : Filters out active connections on port 4444, which is commonly used for command-and-control communication by malware.

6. Calculating Session Duration

• Command

  (Get-Date) - (Get-NetTCPConnection -OwningProcess 4908).CreationTime
  

• Explanation : Calculates how long a network session associated with process ID 4908 has been active by subtracting the session's creation time from the current date.

7. Investigating Process Details (CIM Instance)

• Command

  Get-CimInstance Win32_Process -Filter "ProcessId = 4908" | Select-Object Name, ProcessId, CommandLine, ParentProcessId