List open socket info
SCHEMA
Field | Type | Description |
cmdline | string | Process command line |
local_address | string | Socket local address |
name | string | Name of the process that owns the socket (image file name, e.g. svchost.exe) |
parent | long | Process parent's PID |
path | string | Full path to the executable of the process that owns the socket |
pid | long | Process (or thread) ID |
remote_address | string | Remote (peer) IP address of the socket |
remote_port | int | Remote (peer) port of the socket |
-- open_sockets INFO
SELECT
-- Device ID DETAILS
meta_hostname,
meta_ip_address,
-- Query Details
query_name,
cmdline,
local_address,
name,
parent,
path,
pid,
remote_address,
remote_port,
-- Decoration
meta_boot_time,
meta_eid,
meta_endpoint_type,
meta_ip_mask,
meta_mac_address,
meta_os_name,
meta_os_platform,
meta_os_type,
meta_os_version,
meta_public_ip,
meta_query_pack_version,
meta_username,
-- Generic
calendar_time,
counter,
epoch,
host_identifier,
-- numerics
osquery_action,
unix_time,
-- Data Lake
customer_id,
endpoint_id,
upload_size
FROM xdr_data
WHERE query_name = 'open_sockets'
RESULTS
Per-socket columns (one row per returned record; the columns whose value is identical in every row are listed once below the table):

meta_hostname | meta_ip_address | query_name | cmdline | local_address | name | parent | path | pid | remote_address | remote_port | calendar_time | counter | unix_time | upload_size |
Victim5-Win10 | 192.168.100.129 | open_sockets | C:\WINDOWS\System32\svchost.exe -k utcsvc -p | 192.168.100.129 | svchost.exe | 676 | C:\Windows\System32\svchost.exe | 2620 | 52.114.76.34 | 443 | 2020-10-09T23:55:52Z | 10022 | 2020-10-09T23:55:52Z | 874 |
Victim5-Win10 | 192.168.100.129 | open_sockets | "C:\Program Files\Sophos\Sophos Network Threat Protection\SophosNtpService.exe" | 192.168.100.129 | SophosNtpService.exe | 676 | C:\Program Files\Sophos\Sophos Network Threat Protection\SophosNtpService.exe | 2732 | 52.5.76.173 | 8347 | 2020-10-09T23:56:15Z | 10023 | 2020-10-09T23:56:15Z | 968 |
Victim5-Win10 | 192.168.100.129 | open_sockets | C:\WINDOWS\system32\svchost.exe -k netsvcs -p | 192.168.100.129 | svchost.exe | 676 | C:\Windows\System32\svchost.exe | 72 | 40.90.137.127 | 443 | 2020-10-09T23:56:44Z | 10024 | 2020-10-09T23:56:44Z | 874 |
Victim5-Win10 | 192.168.100.129 | open_sockets | C:\WINDOWS\system32\svchost.exe -k netsvcs -p | 192.168.100.129 | svchost.exe | 676 | C:\Windows\System32\svchost.exe | 72 | 52.179.224.121 | 443 | 2020-10-09T23:56:44Z | 10024 | 2020-10-09T23:56:44Z | 875 |
Victim5-Win10 | 192.168.100.129 | open_sockets | "C:\Program Files\Sophos\Sophos Network Threat Protection\SophosNtpService.exe" | 192.168.100.129 | SophosNtpService.exe | 676 | C:\Program Files\Sophos\Sophos Network Threat Protection\SophosNtpService.exe | 2732 | 52.5.76.173 | 8347 | 2020-10-09T23:58:40Z | 10028 | 2020-10-09T23:58:40Z | 968 |
Victim5-Win10 | 192.168.100.129 | open_sockets | "C:\Program Files\Sophos\Sophos Network Threat Protection\SophosNtpService.exe" | 192.168.100.129 | SophosNtpService.exe | 676 | C:\Program Files\Sophos\Sophos Network Threat Protection\SophosNtpService.exe | 2732 | 52.5.76.173 | 8347 | 2020-10-10T00:00:07Z | 10031 | 2020-10-10T00:00:07Z | 968 |
Victim5-Win10 | 192.168.100.129 | open_sockets | "C:\Program Files\Sophos\Sophos Network Threat Protection\SophosNtpService.exe" | 192.168.100.129 | SophosNtpService.exe | 676 | C:\Program Files\Sophos\Sophos Network Threat Protection\SophosNtpService.exe | 2732 | 52.5.76.173 | 8347 | 2020-10-10T00:03:01Z | 10037 | 2020-10-10T00:03:01Z | 968 |
Victim5-Win10 | 192.168.100.129 | open_sockets | "C:\Program Files\Sophos\Sophos Network Threat Protection\SophosNtpService.exe" | 192.168.100.129 | SophosNtpService.exe | 676 | C:\Program Files\Sophos\Sophos Network Threat Protection\SophosNtpService.exe | 2732 | 52.5.76.173 | 8347 | 2020-10-10T00:05:26Z | 10042 | 2020-10-10T00:05:26Z | 968 |
Victim5-Win10 | 192.168.100.129 | open_sockets | "C:\Program Files\Sophos\Sophos Network Threat Protection\SophosNtpService.exe" | 192.168.100.129 | SophosNtpService.exe | 676 | C:\Program Files\Sophos\Sophos Network Threat Protection\SophosNtpService.exe | 2732 | 52.5.76.173 | 8347 | 2020-10-10T00:06:53Z | 10045 | 2020-10-10T00:06:53Z | 968 |
Victim5-Win10 | 192.168.100.129 | open_sockets | "C:\Program Files\Sophos\Sophos Network Threat Protection\SophosNtpService.exe" | 192.168.100.129 | SophosNtpService.exe | 676 | C:\Program Files\Sophos\Sophos Network Threat Protection\SophosNtpService.exe | 2732 | 52.5.76.173 | 8347 | 2020-10-10T00:08:20Z | 10048 | 2020-10-10T00:08:20Z | 968 |
Victim5-Win10 | 192.168.100.129 | open_sockets | "C:\Program Files\Sophos\Sophos Network Threat Protection\SophosNtpService.exe" | 192.168.100.129 | SophosNtpService.exe | 676 | C:\Program Files\Sophos\Sophos Network Threat Protection\SophosNtpService.exe | 2732 | 52.5.76.173 | 8347 | 2020-10-10T00:11:00Z | 10052 | 2020-10-10T00:11:00Z | 968 |
Victim5-Win10 | 192.168.100.129 | open_sockets | C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup | 192.168.100.129 | svchost.exe | 676 | C:\Windows\System32\svchost.exe | 5072 | 104.92.231.222 | 80 | 2020-10-10T00:12:12Z | 10056 | 2020-10-10T00:12:12Z | 882 |

Columns with the same value in every row above:

meta_boot_time | 1601910607 |
meta_eid | 099242c2-3595-94e0-891c-51a7ee2659c8 |
meta_endpoint_type | computer |
meta_ip_mask | 255.255.255.0 |
meta_mac_address | 00:0c:29:56:e8:01 |
meta_os_name | Microsoft Windows 10 Pro |
meta_os_platform | windows |
meta_os_type | client |
meta_os_version | 10.0.18363 |
meta_public_ip | 73.69.54.187 |
meta_query_pack_version | 1.1.12 |
meta_username | Admin |
epoch | 1601898679 |
host_identifier | Victim5-Win10 |
osquery_action | False |
customer_id | b288d41b-53bb-64ae-5a67-1bc1507d5198 |
endpoint_id | 9029242c-5359-490e-98c1-157aee62958c |
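The query above returns every open_sockets record as logged, and the results show why that is noisy for hunting: one long-lived SophosNtpService.exe connection (pid 2732 to 52.5.76.173:8347) appears eight times because the scheduled query re-reports it on every run, and nothing in the raw rows says whether an svchost.exe is the real one. The following is an added hunting query, not part of the original page or of the vendor's query pack. It collapses repeated observations into one row per socket, tests each svchost.exe against its path and command line rather than its attacker-chosen name, flags executables outside the standard Windows directories, and adds fleet prevalence of each (executable, remote address:port) pair. It uses only the xdr_data columns selected above and assumes the Data Lake accepts standard SQL (CTEs, GROUP BY, CASE, LOWER, LIKE ... ESCAPE, JOIN) and that a backslash inside a single-quoted literal is a literal character, as in Athena/Presto; the flag labels and the private-range patterns are my own choices.

```sql
-- Added hunting query (not the page's or the vendor's code). Assumes standard
-- SQL and literal backslashes in single-quoted strings (Athena/Presto behaviour).
-- ESCAPE '|' keeps the backslashes in the LIKE patterns literal regardless of
-- the engine's default escape character.
WITH sockets AS (
    -- One row per observed socket: collapses the repeats a scheduled query
    -- emits for a long-lived connection (pid 2732 appears 8 times on the page)
    -- into first/last seen plus an observation count.
    SELECT
        endpoint_id,
        meta_hostname,
        pid,
        parent,
        name,
        LOWER(path)            AS path_lc,
        COALESCE(cmdline, '')  AS cmdline,   -- NULL cmdline must not hide a row
        local_address,
        remote_address,
        remote_port,
        COUNT(*)               AS observations,
        MIN(calendar_time)     AS first_seen,
        MAX(calendar_time)     AS last_seen
    FROM xdr_data
    WHERE query_name = 'open_sockets'
      AND meta_os_platform = 'windows'
    GROUP BY endpoint_id, meta_hostname, pid, parent, name, LOWER(path),
             COALESCE(cmdline, ''), local_address, remote_address, remote_port
),
prevalence AS (
    -- Fleet prevalence: how many endpoints show the same executable talking to
    -- the same remote address:port. On a single-endpoint data set such as the
    -- page's, every pair has prevalence 1, so this only means something at scale.
    SELECT path_lc, remote_address, remote_port,
           COUNT(DISTINCT endpoint_id) AS endpoints_seen
    FROM sockets
    GROUP BY path_lc, remote_address, remote_port
),
flagged AS (
    SELECT
        s.meta_hostname, s.name, s.path_lc, s.cmdline, s.pid, s.parent,
        s.local_address, s.remote_address, s.remote_port,
        s.observations, s.first_seen, s.last_seen,
        p.endpoints_seen,
        -- name is whatever the binary was called; path and cmdline are the
        -- fields worth testing. Every svchost.exe row on the page passes both.
        CASE
            WHEN LOWER(s.name) = 'svchost.exe'
                 AND s.path_lc <> 'c:\windows\system32\svchost.exe'
                THEN 'svchost_name_outside_system32'
            WHEN LOWER(s.name) = 'svchost.exe'
                 AND LOWER(s.cmdline) NOT LIKE '% -k %'
                THEN 'svchost_without_service_group'
            WHEN s.path_lc NOT LIKE 'c:\windows\%' ESCAPE '|'
                 AND s.path_lc NOT LIKE 'c:\program files\%' ESCAPE '|'
                 AND s.path_lc NOT LIKE 'c:\program files (x86)\%' ESCAPE '|'
                THEN 'binary_outside_standard_dirs'
            ELSE NULL
        END AS flag
    FROM sockets s
    JOIN prevalence p
      ON p.path_lc = s.path_lc
     AND p.remote_address = s.remote_address
     AND p.remote_port = s.remote_port
)
SELECT
    meta_hostname, name, path_lc AS path, cmdline, pid, parent,
    remote_address, remote_port, flag, endpoints_seen,
    observations, first_seen, last_seen
FROM flagged
WHERE flag IS NOT NULL
   -- Rare public destinations; 10/8, 192.168/16 and loopback are excluded.
   -- 172.16.0.0/12 is not covered by a LIKE prefix and needs the engine's
   -- regex function if that range is in use.
   OR (endpoints_seen = 1
       AND remote_address NOT LIKE '10.%'
       AND remote_address NOT LIKE '192.168.%'
       AND remote_address NOT LIKE '127.%')
ORDER BY flag, endpoints_seen, last_seen DESC
```

Run against the rows on this page, none of the svchost.exe sockets is flagged: each has path C:\Windows\System32\svchost.exe and a -k service group in its command line, and the SophosNtpService.exe rows collapse to a single socket with observations = 8. The parent column is a PID only (676 on every row here), so the usual third check on svchost.exe, that its parent is services.exe, needs a separate process query joined on pid, which this page does not cover.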