Network Sniffing - Linux

calendar Dec 18, 2022 · attack.credential_access attack.discovery attack.t1040  ·
Share on: linkedin copy

Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Sigma rule (View on GitHub)

 1title: Network Sniffing - Linux
 2id: f4d3748a-65d1-4806-bd23-e25728081d01
 3status: test
 4description: |
 5  Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
 6  An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.  
 7references:
 8    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
 9author: Timur Zinniatullin, oscd.community
10date: 2019/10/21
11modified: 2022/12/18
12tags:
13    - attack.credential_access
14    - attack.discovery
15    - attack.t1040
16logsource:
17    product: linux
18    service: auditd
19detection:
20    selection_1:
21        type: 'execve'
22        a0: 'tcpdump'
23        a1: '-c'
24        a3|contains: '-i'
25    selection_2:
26        type: 'execve'
27        a0: 'tshark'
28        a1: '-c'
29        a3: '-i'
30    condition: 1 of selection_*
31falsepositives:
32    - Legitimate administrator or user uses network sniffing tool for legitimate reasons.
33level: low

References

Related rules

to-top