Make sure Sysmon has network connection monitoring enabled (sysmon -c prints the current configuration; if it reports "Network connection: disabled", sysmon -c -n turns it on):
PS temp> sysmon -c
Sysinternals Sysmon v3.11 - System activity monitor
Copyright (C) 2014-2015 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com
Current configuration:
- Service name: Sysmon
- Driver name: SysmonDrv
- HashingAlgorithms: SHA1
- Network connection: enabled
- Image loading: disabled
No rules installed
Then run the following PowerShell function. It counts Sysmon Event ID 3 (NetworkConnect) records per destination:
function Get-SysmonNetworkStats([Parameter(Mandatory=$False)][Int64]$MaxEvents = 0) {
    # Only pass -MaxEvents when a limit was actually requested
    if ($MaxEvents -gt 0) {
        $networkEvents = Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -FilterXPath "Event/System[EventID=3]" -MaxEvents $MaxEvents
    } else {
        $networkEvents = Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -FilterXPath "Event/System[EventID=3]"
    }
    $networkEventsWithCount = @{}
    $networkEvents | % {
        # Sysmon 3.x Event ID 3 field order: index 13 = DestinationIp, 14 = DestinationHostname
        # (later Sysmon releases prepend RuleName, which shifts these positions by one)
        $key = "{0} ({1})" -f $_.Properties[13].Value,$_.Properties[14].Value
        if ($null -eq $networkEventsWithCount[$key]) {
            $networkEventsWithCount[$key] = 1
        } else {
            $networkEventsWithCount[$key] += 1
        }
    }
    $networkEventsWithCount.GetEnumerator() | sort -Descending Value
}
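The positional Properties[13]/[14] lookup above is tied to the field order of one Sysmon version. The following added example (my own code, not part of the original post) reads the Event ID 3 fields by name from the event XML instead, so it keeps working when a release inserts a field, and it also breaks the count down by destination port and originating image. The function names Get-SysmonNetworkStatsByName, ConvertFrom-SysmonEventXml and Test-IsLocalOrMulticast, the -ExcludeLocal switch and the sample events are all my own; the sample events are constructed, not captured.

```powershell
# Added example, not from the original post. Sysmon Event ID 3 fields are read by
# name from the event XML rather than by Properties[] index, so a change in field
# order (newer Sysmon versions put RuleName first) does not silently break the key.

function ConvertFrom-SysmonEventXml {
    # Turn one event's XML (what EventLogRecord.ToXml() returns) into an object whose
    # properties are the EventData field names (Image, DestinationIp, DestinationPort, ...).
    param([Parameter(Mandatory = $true)][string]$Xml)
    $doc = [xml]$Xml
    $fields = @{}
    foreach ($d in $doc.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    [pscustomobject]$fields
}

function Test-IsLocalOrMulticast {
    # Loopback, link-local and multicast destinations (e.g. 239.255.255.250 SSDP) are
    # usually noise when looking for unexpected outbound connections.
    param([string]$Ip)
    return ($Ip -like '127.*' -or $Ip -eq '::1' -or $Ip -like '169.254.*' -or
            $Ip -like 'fe80:*' -or $Ip -match '^2(2[4-9]|3[0-9])\.' -or $Ip -like 'ff*')
}

function Get-SysmonNetworkStatsByName {
    param(
        [Int64]$MaxEvents = 0,
        [switch]$ExcludeLocal,
        # Pre-captured event XML; when given, the event log is not queried
        # (used below with constructed sample events so this runs on any machine).
        [string[]]$EventXml
    )
    if (-not $EventXml) {
        $query = @{
            LogName     = 'Microsoft-Windows-Sysmon/Operational'
            FilterXPath = '*[System[EventID=3]]'
            ErrorAction = 'SilentlyContinue'   # no matching events is not an error here
        }
        if ($MaxEvents -gt 0) { $query['MaxEvents'] = $MaxEvents }
        $EventXml = Get-WinEvent @query | ForEach-Object { $_.ToXml() }
    }
    $EventXml |
        ForEach-Object { ConvertFrom-SysmonEventXml -Xml $_ } |
        Where-Object { -not ($ExcludeLocal -and (Test-IsLocalOrMulticast $_.DestinationIp)) } |
        Group-Object -Property { '{0} ({1}) :{2}  <-  {3}' -f $_.DestinationIp, $_.DestinationHostname, $_.DestinationPort, $_.Image } |
        Sort-Object Count -Descending |
        Select-Object Count, @{ Name = 'Destination <- Image'; Expression = { $_.Name } }
}

# Constructed sample events (not real captures) in the shape ToXml() produces; only the
# fields this example uses are included.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$sample = @(
    "<Event xmlns='$ns'><System><EventID>3</EventID></System><EventData><Data Name='RuleName'>-</Data><Data Name='Image'>C:\Windows\System32\svchost.exe</Data><Data Name='DestinationIp'>239.255.255.250</Data><Data Name='DestinationHostname'></Data><Data Name='DestinationPort'>1900</Data></EventData></Event>"
    "<Event xmlns='$ns'><System><EventID>3</EventID></System><EventData><Data Name='Image'>C:\Program Files\Example\updater.exe</Data><Data Name='DestinationIp'>203.0.113.10</Data><Data Name='DestinationHostname'>updates.example.net</Data><Data Name='DestinationPort'>443</Data></EventData></Event>"
    "<Event xmlns='$ns'><System><EventID>3</EventID></System><EventData><Data Name='Image'>C:\Program Files\Example\updater.exe</Data><Data Name='DestinationIp'>203.0.113.10</Data><Data Name='DestinationHostname'>updates.example.net</Data><Data Name='DestinationPort'>443</Data></EventData></Event>"
)

# Offline run over the sample; drop -EventXml to query the live Sysmon log instead.
Get-SysmonNetworkStatsByName -EventXml $sample -ExcludeLocal | Format-Table -AutoSize
```

The first sample event carries a RuleName field and the other two do not, which is exactly the situation that breaks a fixed Properties[13] index but is harmless when fields are read by name. With -ExcludeLocal the multicast SSDP line is dropped and only the two connections to 203.0.113.10:443 from updater.exe are counted.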
It will show each destination IP with its hostname (if resolved) and the number of connections logged, e.g.
PS temp> Get-SysmonNetworkStats -MaxEvents 1000 | ft -AutoSize
Name Value
---- -----
127.0.0.1 (DELAPTOP) 62
239.255.255.250 () 31
...