Get Nmap scanner process, as well as its user, parent, and process details.
To learn more about queries, check this guide
SELECT p.pid, name, p.path, cmdline, cwd, start_time, parent, (SELECT name FROM processes WHERE pid=p.parent) AS parent_name, (SELECT username FROM users WHERE uid=p.uid) AS username FROM processes as p WHERE cmdline like 'nmap%';
$processes = Get-WmiObject -Query "SELECT * FROM Win32_Process WHERE CommandLine LIKE 'nmap%'"
foreach ($proc in $processes) {
# Get parent's name
$parentName = ""
if ($proc.ParentProcessId) {
$parentProc = Get-WmiObject Win32_Process -Filter "ProcessId=$($proc.ParentProcessId)" -ErrorAction SilentlyContinue
if ($parentProc) {
$parentName = $parentProc.Name
}
}
# Get username from process owner
$username = ""
$ownerInfo = $proc.GetOwner()
if ($ownerInfo.ReturnValue -eq 0) {
$username = "$($ownerInfo.Domain)\$($ownerInfo.User)"
}
# Convert WMI creation date to readable time
$startTime = $null
if ($proc.CreationDate) {
$startTime = [Management.ManagementDateTimeConverter]::ToDateTime($proc.CreationDate)
}
# cwd is not available from Win32_Process; use placeholder
$cwd = "N/A"
# Create a custom object with the desired fields
$result = [PSCustomObject]@{
pid = $proc.ProcessId
name = $proc.Name
path = $proc.ExecutablePath
cmdline = $proc.CommandLine
cwd = $cwd
start_time = $startTime
parent = $proc.ParentProcessId
parent_name = $parentName
username = $username
}
Write-Output $result
}
PowerShell commands are currently work in progress, contributions welcome.