AMP for Endpoints Process Name to Network Connections:

Takes a process name as a command line argument and searches the environment for computers that have seen a process or file with that name. It then fetches the trajectory for each of those computers and parses it once to collect the SHA256s associated with the process name, then parses it a second time to pick out the network connections generated by those SHA256s. Matching on SHA256 rather than on name in the second pass is what ties each connection to a specific binary, so a renamed copy of the same binary is still attributed to it and a different binary that merely shares the name is not.

NOTE: This script will process hits from a maximum of 500 endpoints (there is no pagination). If your search hits on more than 500 endpoints, you will not get a complete view of the environment.
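The two-pass trajectory parse described above, and a paginated computer search that removes the 500-endpoint cap, as an added example written for this README. It is not the repository's own script: the event and response shapes are a simplified assumption loosely modelled on the AMP for Endpoints API (file.identity.sha256, network_info.nfm.direction, metadata.results.total), and every trajectory event and computer record is constructed inline so the example runs offline.

```python
"""Two-pass trajectory parse plus paginated computer search (added example).

ASSUMPTION: event and response shapes below are simplified stand-ins for the
AMP for Endpoints trajectory and computers/activity responses. All data is
constructed inline; nothing here talks to a real API.
"""
import csv
import io
from typing import Callable, Dict, Iterable, List, Set

SHA_A, SHA_B, SHA_C = "a" * 64, "b" * 64, "c" * 64


def _nfm(sha256: str, name: str, remote_ip: str, remote_port: int,
         direction: str = "Outgoing connection from") -> Dict:
    """Build one constructed network-flow (NFM) event in the assumed shape."""
    return {
        "event_type": "NFM",
        "file": {"file_name": name, "identity": {"sha256": sha256}},
        "network_info": {
            "local_ip": "10.0.0.5", "local_port": 51000,
            "remote_ip": remote_ip, "remote_port": remote_port,
            "nfm": {"direction": direction, "protocol": "TCP"},
        },
    }


# Constructed trajectory for one computer (hostname/GUID copied from the README output).
SAMPLE_TRAJECTORY = {
    "hostname": "Demo_AMP",
    "connector_guid": "43ea5bb6-a4ec-48fa-876c-59cc304fda17",
    "events": [
        # Pass 1 learns SHA_A from a non-network event with a mixed-case name.
        {"event_type": "Executed by",
         "file": {"file_name": "PowerShell.exe", "identity": {"sha256": SHA_A}}},
        _nfm(SHA_A, "powershell.exe", "203.0.113.10", 443),
        _nfm(SHA_A, "powershell.exe", "203.0.113.10", 443),   # repeated flow
        _nfm(SHA_B, "powershell.exe", "198.51.100.7", 8080),
        _nfm(SHA_C, "cmd.exe", "192.0.2.99", 22),             # other binary, ignored
        {"event_type": "Created by", "file": {"file_name": "powershell.exe"}},  # no hash
    ],
}


def collect_sha256s(events: Iterable[Dict], process_name: str) -> Set[str]:
    """Pass 1: every SHA256 seen on a file event whose name matches (case-insensitive)."""
    wanted = process_name.lower()
    shas = set()
    for ev in events:
        f = ev.get("file", {})
        sha = f.get("identity", {}).get("sha256")
        if sha and f.get("file_name", "").lower() == wanted:
            shas.add(sha)
    return shas


def collect_connections(events: Iterable[Dict], sha256s: Set[str]) -> List[Dict]:
    """Pass 2: network events attributed to one of the collected hashes."""
    conns = []
    for ev in events:
        net = ev.get("network_info")
        sha = ev.get("file", {}).get("identity", {}).get("sha256")
        if net and sha in sha256s:
            conns.append({
                "sha256": sha,
                "direction": net["nfm"]["direction"], "protocol": net["nfm"]["protocol"],
                "local_ip": net["local_ip"], "local_port": net["local_port"],
                "remote_ip": net["remote_ip"], "remote_port": net["remote_port"],
            })
    return conns


def unique_remote_ips(conns: Iterable[Dict]) -> Set[str]:
    """The 'IPs ... observed communicating with' count from the README output."""
    return {c["remote_ip"] for c in conns}


CSV_FIELDS = ["hostname", "guid", "direction", "protocol",
              "local_ip", "local_port", "remote_ip", "remote_port"]


def connections_to_csv(trajectory: Dict, conns: Iterable[Dict]) -> str:
    """Render connections as CSV with hostname and GUID on every row."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=CSV_FIELDS, extrasaction="ignore", lineterminator="\n")
    w.writeheader()
    for c in conns:
        w.writerow({**c, "hostname": trajectory["hostname"], "guid": trajectory["connector_guid"]})
    return buf.getvalue()


def fetch_all_activity(fetch_page: Callable[[int, int], Dict], page_size: int = 500) -> List[Dict]:
    """Follow offset/total until every hit is collected, instead of stopping at one page of 500."""
    results, offset = [], 0
    while True:
        page = fetch_page(offset, page_size)
        data = page.get("data", [])
        results.extend(data)
        offset += len(data)
        if not data or offset >= page["metadata"]["results"]["total"]:
            return results


def make_fake_fetch(n_computers: int) -> Callable[[int, int], Dict]:
    """Constructed stand-in for a computers/activity page fetch (assumed shape, hypothetical data)."""
    rows = [{"connector_guid": f"guid-{i:04d}", "hostname": f"host{i}"} for i in range(n_computers)]

    def fetch_page(offset: int, limit: int) -> Dict:
        chunk = rows[offset:offset + limit]
        return {"metadata": {"results": {"total": n_computers}}, "data": chunk}
    return fetch_page


if __name__ == "__main__":
    t = SAMPLE_TRAJECTORY
    shas = collect_sha256s(t["events"], "powershell.exe")
    conns = collect_connections(t["events"], shas)
    print(f"Processing: {t['hostname']} - {t['connector_guid']}")
    for c in conns:
        print(f"  {c['protocol']} -> {c['remote_ip']}:{c['remote_port']}")
    print(connections_to_csv(t, conns))
    print("Computers found with pagination:", len(fetch_all_activity(make_fake_fetch(1203))))
```

The `cmd.exe` flow is dropped even though it is a network event, and the repeated `powershell.exe` flow is kept as two rows but counted as one remote IP, mirroring the per-connection CSV and the unique-IP summary line. `fetch_all_activity` keeps requesting pages until the reported total is reached, so a search that hits 1203 endpoints yields 1203 records rather than the first 500.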

Before using you must update the following:

The authentication parameters are set in the api.cfg :

  • client_id
  • api_key


python powershell.exe

Example script output:

This script has multiple outputs:

  • Prints connection information to the console
  • Writes a CSV containing the connection IPs, ports, direction, hostname, and GUID
  • Writes a log containing basic information about progress
Computers Found: 5
Processing: Demo_AMP_Exploit_Prevention_Audit - 13de840a-3577-41b3-8930-1917ca87ceda
  TCP ->
  TCP ->
  TCP ->
  TCP ->
  TCP ->
  TCP ->
  TCP ->
Processing: Demo_AMP_Intel - 14dcfce3-9663-434d-9beb-c8836de035ce
  TCP ->
  TCP ->
Processing: Demo_AMP - 43ea5bb6-a4ec-48fa-876c-59cc304fda17
  TCP ->
  TCP ->
Processing: Demo_AMP_MAP_FriedEx - 93252a58-6d27-4687-b5a5-4e32e54cc166
  No communication observed
Processing: Demo_Command_Line_Arguments_Meterpreter - d2721a44-3795-4138-a73a-f36e6d8b0201
  No communication observed
Computers with powershell.exe: 5
Unique SHA256s for powershell.exe: 4
IPs powershell.exe has been observed communicating with: 38
