Get-NetTCPConnection -State Listen -LocalPort 22
PS C:\> Get-NetTCPConnection -State Listen -LocalPort 22

LocalAddress LocalPort RemoteAddress RemotePort State  AppliedSetting OwningProcess
------------ --------- ------------- ---------- -----  -------------- -------------
::           22        ::            0          Listen                2588
0.0.0.0      22        0.0.0.0       0          Listen                2588
In this example, the process sshd (Win32-OpenSSH Server) is used.
Get-NetTCPConnection -OwningProcess (Get-Process -Name sshd).Id -State Established -ErrorAction SilentlyContinue
PS C:\> Get-NetTCPConnection -OwningProcess (Get-Process -Name sshd).Id -State Established -ErrorAction SilentlyContinue

LocalAddress LocalPort RemoteAddress RemotePort State       AppliedSetting OwningProcess
------------ --------- ------------- ---------- -----       -------------- -------------
192.0.2.150  22        192.0.2.1     54497      Established Internet       2588
PS C:\> Get-Process -Name sshd

Handles NPM(K) PM(K) WS(K) CPU(s)   Id SI ProcessName
------- ------ ----- ----- ------   -- -- -----------
    128     12  1880  7464   0.05 2588  0 sshd
    139     10  2496  8444   0.06 6228  0 sshd
    145     10  2428  8476   0.03 6808  0 sshd

PS C:\> Get-NetTCPConnection -OwningProcess (Get-Process -Name sshd).Id -ErrorAction SilentlyContinue

LocalAddress LocalPort RemoteAddress RemotePort State       AppliedSetting OwningProcess
------------ --------- ------------- ---------- -----       -------------- -------------
::           22        ::            0          Listen                     2588
192.0.2.150  22        192.0.2.1     54497      Established Internet       2588
0.0.0.0      22        0.0.0.0       0          Listen                     2588
Get-NetUDPEndpoint | Select-Object Local*,CreationTime,OwningProcess,@{n="Process";e={(Get-Process -Id $_.OwningProcess).Name}} | Sort-Object LocalAddress,LocalPort | Format-Table -AutoSize
PS C:\> Get-NetUDPEndpoint | Select-Object Local*,CreationTime,OwningProcess,@{n="Process";e={(Get-Process -Id $_.OwningProcess).Name}} | Sort-Object LocalAddress,LocalPort | Format-Table -AutoSize

LocalAddress LocalPort CreationTime          OwningProcess Process
------------ --------- ------------          ------------- -------
::           123       9/29/2024 11:18:37 AM 2652          svchost
::           3389      9/24/2024 7:43:21 PM  300           svchost
::           3702      9/29/2024 11:18:26 AM 3508          svchost
::           5353      9/29/2024 11:18:20 AM 1540          svchost
::           5355      9/29/2024 7:35:47 PM  1540          svchost
::           57681     9/24/2024 7:43:24 PM  3508          svchost
::           63725     9/29/2024 11:25:12 AM 1540          svchost
0.0.0.0      123       9/29/2024 11:18:37 AM 2652          svchost
0.0.0.0      3389      9/24/2024 7:43:21 PM  300           svchost
0.0.0.0      3702      9/29/2024 11:18:26 AM 3508          svchost
0.0.0.0      5353      9/29/2024 11:18:20 AM 1540          svchost
0.0.0.0      5355      9/29/2024 7:35:47 PM  1540          svchost
0.0.0.0      57680     9/24/2024 7:43:24 PM  3508          svchost
127.0.0.1    62923     9/24/2024 7:43:22 PM  2384          svchost
192.0.2.150  137       9/24/2024 7:43:20 PM  4             System
192.0.2.150  138       9/24/2024 7:43:20 PM  4             System
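The one-liner above calls Get-Process once per endpoint and covers UDP only. As an added example (not from the original page), the following builds one inventory of TCP listeners and UDP endpoints with the owning process and its executable path, and lists ports missing from an expected-port baseline first. `$ExpectedPorts` is a constructed sample baseline and must be adjusted per host.

```powershell
# Added example: combined TCP/UDP listener inventory checked against a baseline.
# $ExpectedPorts is a constructed sample; replace it with the ports this host should expose.
$ExpectedPorts = @('TCP/22', 'TCP/3389', 'UDP/123', 'UDP/3389')

# Build a PID -> process lookup once instead of calling Get-Process per row.
$procById = @{}
Get-Process | ForEach-Object { $procById[[int]$_.Id] = $_ }

$tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
$udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
    Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess

(@($tcp) + @($udp)) | ForEach-Object {
    # The owning process may have exited between the two queries.
    $p = $procById[[int]$_.OwningProcess]
    [pscustomobject]@{
        Expected  = $ExpectedPorts -contains ('{0}/{1}' -f $_.Proto, $_.LocalPort)
        Proto     = $_.Proto
        Address   = $_.LocalAddress
        Port      = $_.LocalPort
        ProcessId = $_.OwningProcess
        Process   = if ($p) { $p.Name } else { '<exited>' }
        # Path is empty for protected processes unless the session is elevated.
        Path      = if ($p) { $p.Path } else { $null }
    }
} | Sort-Object Expected, Proto, Port, Address | Format-Table -AutoSize
```

Rows with Expected = False sort to the top; the Path column helps tell a legitimate service binary from a same-named process running from an unusual location.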
Limited to the last 30 days.
Get-Eventlog Application -EntryType "Error" -InstanceId 1511 -Source "Microsoft-Windows-User Profiles Service" -After (Get-Date).AddDays(-30) | Where-Object { $_.Message -like "*logging you on with a temporary profile*" } | Select-Object TimeGenerated,UserName,Message
Example:
PS C:\> Get-Eventlog Application -EntryType "Error" -InstanceId 1511 -Source "Microsoft-Windows-User Profiles Service" -After (Get-Date).AddDays(-30) | Where-Object { $_.Message -like "*logging you on with a temporary profile*" } | Select-Object TimeGenerated,UserName,Message

TimeGenerated       UserName       Message
-------------       --------       -------
07.03.2024 16:02:57 MYDOMAIN\user1 Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
07.03.2024 15:34:09 MYDOMAIN\user1 Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
07.03.2024 15:32:24 MYDOMAIN\user2 Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
07.03.2024 13:40:41 MYDOMAIN\user3 Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
07.03.2024 12:36:36 MYDOMAIN\user2 Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
07.03.2024 11:25:54 MYDOMAIN\user3 Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
07.03.2024 08:57:32 MYDOMAIN\user1 Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
If your organization does not use Quick Assist, you can block it to reduce the attack surface.
Source: https://x.com/NathanMcNulty/status/1790992514041995357
Uninstall.
Get-AppxPackage -Name MicrosoftCorporationII.QuickAssist -AllUsers | Remove-AppxPackage -AllUsers
Prevent DNS resolution.
Add-DnsClientNrptRule -Namespace "remoteassistance.support.services.microsoft.com" -NameServers "10.0.0.0"
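To confirm that both steps took effect on a host, the following added example (not from the original page or its source) reports whether the Quick Assist package is still installed or provisioned and whether the NRPT rule exists and the name still resolves. The package name and namespace are the ones used above; run it from an elevated session.

```powershell
# Added example: verify the Quick Assist uninstall and the NRPT rule on this host.
$pkgName   = 'MicrosoftCorporationII.QuickAssist'
$namespace = 'remoteassistance.support.services.microsoft.com'

# 1. Is the package still installed for any user? (-AllUsers requires elevation)
$installed = Get-AppxPackage -Name $pkgName -AllUsers -ErrorAction SilentlyContinue

# 2. Is it still provisioned in the image, i.e. staged for new user profiles?
$provisioned = Get-AppxProvisionedPackage -Online |
    Where-Object { $_.DisplayName -eq $pkgName }

# 3. Is there an NRPT rule covering the namespace?
$rule = Get-DnsClientNrptRule |
    Where-Object { $_.Namespace -contains $namespace }

# 4. Does the name still resolve from this client?
#    A cached answer can mask the rule; Clear-DnsClientCache removes it.
$resolved = Resolve-DnsName -Name $namespace -DnsOnly -QuickTimeout `
    -ErrorAction SilentlyContinue

[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    InstalledForUsers = [bool]$installed
    Provisioned       = [bool]$provisioned
    NrptRulePresent   = [bool]$rule
    NrptNameServers   = ($rule.NameServers -join ', ')
    StillResolves     = [bool]$resolved
}
```

On a host where both mitigations are in place, InstalledForUsers and StillResolves are False and NrptRulePresent is True.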