I need a highly efficient, persistent script on Windows 10/11 to execute an immediate, non-interactive system shutdown (shutdown.exe /s /t 0) the moment an active, outbound TCP connection is established to any IP address within a predefined list of remote CIDR ranges (e.g., specific Google/AS15169 networks).
Standard filtering methods (DNS/proxy) are insufficient; the consequence must be an immediate system shutdown.
Requirements
Target Definition: Read a list of remote IP CIDR blocks (e.g., 208.65.153.0/24) from a configuration source.
Monitoring: Continuously detect newly established outbound TCP connections.
Action: Upon the first successful CIDR match, execute an immediate system shutdown.
Existing Approaches Considered (and Issues)
Continuous Polling with Get-NetTCPConnection: Too CPU-intensive if the polling interval is short enough for “real-time” detection.
Windows Event Log Monitoring: Introduces unacceptable latency, as the connection is already established before the log is written and processed.
The Core Technical Question
What is the most robust and CPU-efficient, event-driven method in Windows (using PowerShell, WMI, or other built-in features) to detect an established network connection to a specific remote IP CIDR range?
I am looking for suggestions on using lower-level Event Tracing (ETW) or dedicated WMI/CIM monitoring that can trigger immediately on a new network session event, effectively avoiding continuous polling of the entire connection table.
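As an added example (not code from the question or its author), the following PowerShell script shows the CIM/WQL route: it parses a CIDR list, matches remote addresses against it, and subscribes to `__InstanceCreationEvent` for `MSFT_NetTCPConnection` rows in the Established state so that only new connections are delivered to the handler. It assumes Windows PowerShell 5.1 or later, IPv4 CIDRs only, and the default Windows dynamic port range (49152 and up) as a heuristic for "outbound"; by default it only logs matches, and the `-Shutdown` switch enables the shutdown command named in the question.

```powershell
# Added example, not the question's own code. IPv4-only CIDR matching plus a CIM
# intrinsic-event subscription on MSFT_NetTCPConnection (root/StandardCimv2).
param(
    [string[]]$CidrList = @('208.65.153.0/24'),   # constructed sample; load from your config instead
    [switch]$Shutdown                               # off by default: log matches instead of shutting down
)

# Functions are declared global: so the event -Action block (own scope) can call them.
function global:ConvertTo-IPv4UInt32 ([string]$Ip) {
    $addr = [System.Net.IPAddress]::Parse($Ip)
    if ($addr.AddressFamily -ne 'InterNetwork') { return $null }   # skip IPv6 / unspecified
    $b = $addr.GetAddressBytes(); [Array]::Reverse($b)             # network order -> host order
    [BitConverter]::ToUInt32($b, 0)
}

function global:ConvertFrom-Cidr ([string]$Cidr) {
    $net, $bits = $Cidr.Split('/'); $prefix = [int]$bits
    # mask = 2^32 - 2^(32 - prefix); computed as doubles, exact for these magnitudes
    $mask = [uint32](4294967296 - [math]::Pow(2, 32 - $prefix))
    [pscustomobject]@{ Text = $Cidr; Mask = $mask; Network = ((ConvertTo-IPv4UInt32 $net) -band $mask) }
}

function global:Find-MatchingRange ([string]$Ip, [object[]]$Ranges) {
    $v = ConvertTo-IPv4UInt32 $Ip
    if ($null -eq $v) { return $null }
    foreach ($r in $Ranges) { if (($v -band $r.Mask) -eq $r.Network) { return $r.Text } }
    return $null
}

$ranges = @($CidrList | ForEach-Object { ConvertFrom-Cidr $_ })

# WMI raises __InstanceCreationEvent for connection rows that appear between its polls
# (WITHIN 1 = the WMI service polls once per second; this is not an ETW push source).
# State 5 = Established. LocalPort >= 49152 is a heuristic for outbound connections
# (default dynamic port range); the class itself does not record direction.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE " +
         "TargetInstance ISA 'MSFT_NetTCPConnection' AND TargetInstance.State = 5 " +
         "AND TargetInstance.LocalPort >= 49152"

Register-CimIndicationEvent -Namespace 'root/StandardCimv2' -Query $query `
    -SourceIdentifier 'TcpCidrWatch' -MessageData @{ Ranges = $ranges; Shutdown = [bool]$Shutdown } -Action {
    $conn = $Event.SourceEventArgs.NewEvent.TargetInstance
    $hit  = Find-MatchingRange $conn.RemoteAddress $Event.MessageData.Ranges
    if ($hit) {
        Write-Host "$(Get-Date -Format o) $($conn.RemoteAddress):$($conn.RemotePort) matched $hit (PID $($conn.OwningProcess))"
        if ($Event.MessageData.Shutdown) { & shutdown.exe /s /t 0 }   # the action requested in the question
    }
} | Out-Null

Write-Host "Watching $($ranges.Count) range(s); press Ctrl+C to stop."
try { Wait-Event -SourceIdentifier 'never' } finally { Unregister-Event -SourceIdentifier 'TcpCidrWatch' }
```

Because `WITHIN` still polls on the WMI side, this only moves the polling out of your script; a genuinely push-based source would be the Microsoft-Windows-TCPIP ETW provider or WFP connection audits, at the cost of the latency and parsing effort the question already notes.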