NETSTAT.EXE

  • File Path: C:\windows\system32\NETSTAT.EXE
  • Description: TCP/IP Netstat Command

Hashes

Type Hash
MD5 71B6ED8BDE828CCC00F8D316AD844BD0
SHA1 D35CA0ADB9F306B043CD134EB8E5012D2666185C
SHA256 2FACED0ABA2A30B41DC2112F70A9B0C076C58EC2D25DFC5C7646C32B763C0954
SHA384 6A504954C77A7429561609D5E668B8CF918A6C79AB4BBC6128C43D115FF13416634BDB080D430D611563737663FB1E38
SHA512 2C50A2E43D46833B1264515BA4A2BA9CD560AF2ADEEE567F5D4EB926D8A2859AC095D15F1F2D5DD922DB431F9E34E47EE3720960F8D5DEC98E68AA8A9E899189
SSDEEP 768:BzyruHr5DSXxxrNAshZOUAA6QaNIMBGjjwR5DQ6Ki:MwShAshZO1ALa7BG/wR5jKi

Signature

  • Status: The file C:\windows\system32\NETSTAT.EXE is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: netstat.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.18202 (winblue_ltsb.160119-0600)
  • Product Version: 6.3.9600.18202
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of NETSTAT.EXE being misused. While NETSTAT.EXE is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_webshell_detection.yml - '\netstat.exe' DRL 1.0
signature-base gen_cn_hacktools.yar description = “Chinese Hacktool Set - file netstat.exe” CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


netstat

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols). Used without parameters, this command displays active TCP connections.

[!IMPORTANT] This command is available only if the Internet Protocol (TCP/IP) protocol is installed as a component in the properties of a network adapter in Network Connections.

Syntax

netstat [-a] [-b] [-e] [-n] [-o] [-p <Protocol>] [-r] [-s] [<interval>]

Parameters

Parameter Description
-a Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.
-b Displays the executable involved in creating each connection or listening port. In some cases well-known executables host multiple independent components, and in these cases the sequence of components involved in creating the connection or listening port is displayed. In this case the executable name is in [] at the bottom, on top is the component it called, and so forth until TCP/IP was reached. Note that this option can be time-consuming and will fail unless you have sufficient permissions.
-e Displays Ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s.
-n Displays active TCP connections, however, addresses and port numbers are expressed numerically and no attempt is made to determine names.
-o Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p.
-p <Protocol> Shows connections for the protocol specified by Protocol. In this case, the Protocol can be tcp, udp, tcpv6, or udpv6. If this parameter is used with -s to display statistics by protocol, Protocol can be tcp, udp, icmp, ip, tcpv6, udpv6, icmpv6, or ipv6.
-s Displays statistics by protocol. By default, statistics are shown for the TCP, UDP, ICMP, and IP protocols. If the IPv6 protocol is installed, statistics are shown for the TCP over IPv6, UDP over IPv6, ICMPv6, and IPv6 protocols. The -p parameter can be used to specify a set of protocols.
-r Displays the contents of the IP routing table. This is equivalent to the route print command.
<interval> Redisplays the selected information every interval seconds. Press CTRL+C to stop the redisplay. If this parameter is omitted, this command prints the selected information only once.
/? Displays help at the command prompt.
Remarks
  • The netstat command provides statistics for the following:

    Parameter Description
    Proto The name of the protocol (TCP or UDP).
    Local address The IP address of the local computer and the port number being used. The name of the local computer that corresponds to the IP address and the name of the port is shown unless the -n parameter is specified. If the port is not yet established, the port number is shown as an asterisk (*).
    Foreign address The IP address and port number of the remote computer to which the socket is connected. The names that corresponds to the IP address and the port are shown unless the -n parameter is specified. If the port is not yet established, the port number is shown as an asterisk (*).
    State Indicates the state of a TCP connection, including:<ul><li>CLOSE_WAIT</li><li>CLOSED</li><li>ESTABLISHED</li><li>FIN_WAIT_1</li><li>FIN_WAIT_2</li><li>LAST_ACK</li><li>LISTEN</li><li>SYN_RECEIVED</li><li>SYN_SEND</li><li>TIMED_WAIT</li></ul>

Examples

To display both the Ethernet statistics and the statistics for all protocols, type:

netstat -e -s

To display the statistics for only the TCP and UDP protocols, type:

netstat -s -p tcp udp

To display active TCP connections and the process IDs every 5 seconds, type:

netstat -o 5

To display active TCP connections and the process IDs using numerical form, type:

netstat -n -o

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.