NETSTAT.EXE

File Path: C:\windows\system32\NETSTAT.EXE
Description: TCP/IP Netstat Command

Hashes

Type	Hash
MD5	`71B6ED8BDE828CCC00F8D316AD844BD0`
SHA1	`D35CA0ADB9F306B043CD134EB8E5012D2666185C`
SHA256	`2FACED0ABA2A30B41DC2112F70A9B0C076C58EC2D25DFC5C7646C32B763C0954`
SHA384	`6A504954C77A7429561609D5E668B8CF918A6C79AB4BBC6128C43D115FF13416634BDB080D430D611563737663FB1E38`
SHA512	`2C50A2E43D46833B1264515BA4A2BA9CD560AF2ADEEE567F5D4EB926D8A2859AC095D15F1F2D5DD922DB431F9E34E47EE3720960F8D5DEC98E68AA8A9E899189`
SSDEEP	`768:BzyruHr5DSXxxrNAshZOUAA6QaNIMBGjjwR5DQ6Ki:MwShAshZO1ALa7BG/wR5jKi`

Signature

Status: The file C:\windows\system32\NETSTAT.EXE is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
Serial: ``
Thumbprint: ``
Issuer:
Subject:

File Metadata

Original Filename: netstat.exe.mui
Product Name: Microsoft Windows Operating System
Company Name: Microsoft Corporation
File Version: 6.3.9600.18202 (winblue_ltsb.160119-0600)
Product Version: 6.3.9600.18202
Language: English (United States)
Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of NETSTAT.EXE being misused. While NETSTAT.EXE is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	proc_creation_win_webshell_detection.yml	`- '\netstat.exe'`	DRL 1.0
signature-base	gen_cn_hacktools.yar	description = “Chinese Hacktool Set - file netstat.exe”	CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

netstat

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols). Used without parameters, this command displays active TCP connections.

[!IMPORTANT] This command is available only if the Internet Protocol (TCP/IP) protocol is installed as a component in the properties of a network adapter in Network Connections.

Syntax

netstat [-a] [-b] [-e] [-n] [-o] [-p <Protocol>] [-r] [-s] [<interval>]

Parameters

Parameter	Description
-a	Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.
-b	Displays the executable involved in creating each connection or listening port. In some cases well-known executables host multiple independent components, and in these cases the sequence of components involved in creating the connection or listening port is displayed. In this case the executable name is in [] at the bottom, on top is the component it called, and so forth until TCP/IP was reached. Note that this option can be time-consuming and will fail unless you have sufficient permissions.
-e	Displays Ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s.
-n	Displays active TCP connections, however, addresses and port numbers are expressed numerically and no attempt is made to determine names.
-o	Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p.
-p `<Protocol>`	Shows connections for the protocol specified by Protocol. In this case, the Protocol can be tcp, udp, tcpv6, or udpv6. If this parameter is used with -s to display statistics by protocol, Protocol can be tcp, udp, icmp, ip, tcpv6, udpv6, icmpv6, or ipv6.
-s	Displays statistics by protocol. By default, statistics are shown for the TCP, UDP, ICMP, and IP protocols. If the IPv6 protocol is installed, statistics are shown for the TCP over IPv6, UDP over IPv6, ICMPv6, and IPv6 protocols. The -p parameter can be used to specify a set of protocols.
-r	Displays the contents of the IP routing table. This is equivalent to the route print command.
`<interval>`	Redisplays the selected information every interval seconds. Press CTRL+C to stop the redisplay. If this parameter is omitted, this command prints the selected information only once.
/?	Displays help at the command prompt.

Remarks

The netstat command provides statistics for the following:

Parameter	Description
Proto	The name of the protocol (TCP or UDP).
Local address	The IP address of the local computer and the port number being used. The name of the local computer that corresponds to the IP address and the name of the port is shown unless the -n parameter is specified. If the port is not yet established, the port number is shown as an asterisk (*).
Foreign address	The IP address and port number of the remote computer to which the socket is connected. The names that corresponds to the IP address and the port are shown unless the -n parameter is specified. If the port is not yet established, the port number is shown as an asterisk (*).
State	Indicates the state of a TCP connection, including:<ul><li>CLOSE_WAIT</li><li>CLOSED</li><li>ESTABLISHED</li><li>FIN_WAIT_1</li><li>FIN_WAIT_2</li><li>LAST_ACK</li><li>LISTEN</li><li>SYN_RECEIVED</li><li>SYN_SEND</li><li>TIMED_WAIT</li></ul>

Examples

To display both the Ethernet statistics and the statistics for all protocols, type:

netstat -e -s

To display the statistics for only the TCP and UDP protocols, type:

netstat -s -p tcp udp

To display active TCP connections and the process IDs every 5 seconds, type:

netstat -o 5

To display active TCP connections and the process IDs using numerical form, type:

netstat -n -o

Additional References

Command-Line Syntax Key