TCPView For Security Incident Response

While doing security incident response you want to gather as much information as you can in order to reach a proper finding.

Personally I have come across a lot of incidents where I’m required to capture the ports open on the infected machine.

This is not a difficult task; however, as technology evolves, the attackers get smarter too. They design their malware to hide its processes and connections from Task Manager, the netstat command and other commands a system administrator relies on. Rootkits are one example: they hook the handles Windows uses to enumerate connections, so the rootkit’s own sockets never show up in “netstat”.

TCPView is a Sysinternals tool which lets you capture all the relevant ports and their protocols, with a detailed view of the processes attached to each endpoint. The program has one advanced feature that matters here: it can reveal malware ports or connections that are hidden from the normal Windows “netstat” program, because the two tools do not query the system the same way.


One thought on “TCPView For Security Incident Response”

  1. Mister Reiner says:

    It’s important for people to use the tool prior to an incident, to baseline processes that are normally running in the background and the protocols and ports that they use. This makes it easier to identify a rogue process when a compromise is suspected.
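The baselining advice in this comment and the post’s point that TCPView sees what netstat misses can be combined into one cross-view check. The script below is an added example, not code from this post or from Sysinternals; it assumes you have saved `tcpvcon -a -c -n` output (column order Protocol,Process,PID,State,Local,Remote is assumed, with an empty State for UDP) and `netstat -ano` output from the suspect machine, and it uses constructed samples in place of those files.

```python
import re

# Constructed sample: tcpvcon -a -c -n capture (assumed column order:
# Protocol,Process,PID,State,Local,Remote; State is empty for UDP).
TCPVIEW_CAPTURE = """\
TCP,svchost.exe,1040,LISTENING,0.0.0.0:135,0.0.0.0:0
TCP,System,4,LISTENING,0.0.0.0:445,0.0.0.0:0
TCP,update.exe,3188,LISTENING,0.0.0.0:6000,0.0.0.0:0
TCP,update.exe,3188,ESTABLISHED,10.0.0.5:49731,203.0.113.7:4444
UDP,svchost.exe,1040,,0.0.0.0:5355,*:*
"""

# Constructed sample: netstat -ano from the same host; update.exe's
# sockets are absent, as they would be if a rootkit filtered them out.
NETSTAT_CAPTURE = """\
  Proto  Local Address      Foreign Address    State        PID
  TCP    0.0.0.0:135        0.0.0.0:0          LISTENING    1040
  TCP    0.0.0.0:445        0.0.0.0:0          LISTENING    4
  UDP    0.0.0.0:5355       *:*                             1040
"""

# Constructed baseline: (proto, local address) pairs recorded on the
# clean machine before any incident, as the comment above recommends.
BASELINE = {("TCP", "0.0.0.0:135"), ("TCP", "0.0.0.0:445"), ("UDP", "0.0.0.0:5355")}

def parse_tcpview(text):
    """Map (proto, local, remote) -> (process, pid, state) from tcpvcon CSV."""
    out = {}
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) >= 6 and parts[0] in ("TCP", "UDP"):
            proto, proc, pid, state, local, remote = parts[:6]
            out[(proto, local, remote)] = (proc, int(pid), state)
    return out

def parse_netstat(text):
    """Set of (proto, local, remote) tuples from `netstat -ano` output."""
    pat = re.compile(r"\s*(TCP|UDP)\s+(\S+)\s+(\S+)")
    return {m.groups() for m in map(pat.match, text.splitlines()) if m}

def hidden_from_netstat(tcpview, netstat):
    """Endpoints TCPView reports that netstat omits: the rootkit signal."""
    return {k: v for k, v in tcpview.items() if k not in netstat}

def new_listeners(tcpview, baseline):
    """Bound sockets (TCP LISTENING or any UDP) absent from the baseline."""
    return {k: v for k, v in tcpview.items()
            if (k[0] == "UDP" or v[2] == "LISTENING") and (k[0], k[1]) not in baseline}
```

Any endpoint returned by `hidden_from_netstat` is the discrepancy the post describes and deserves a look at the owning process; `new_listeners` only narrows the candidates, since legitimate services also open new dynamic ports.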
