Network Sniffing - MacOs
Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Sigma rule
title: Network Sniffing - MacOs
id: adc9bcc4-c39c-4f6b-a711-1884017bf043
status: test
description: |
    Detects the usage of tooling to sniff network traffic.
    An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-14
modified: 2022-11-26
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1040
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith:
            - '/tcpdump'
            - '/tshark'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: informational
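How the rule's selection evaluates against process-creation events, shown as an added example that is not part of the Sigma project's code: a minimal Python evaluator for the `Image|endswith` test, run over constructed events. The function names and the sample events are assumptions made for illustration; the selection values are copied from the rule.

```python
# Added example: evaluates the rule's selection over constructed events.
SELECTION = {"Image|endswith": ["/tcpdump", "/tshark"]}  # copied from the rule

def field_matches(event, key, values):
    """Apply one Sigma 'field|modifier' test; list values are OR-ed."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if not isinstance(actual, str):
        return False  # a missing field never matches
    actual = actual.lower()  # Sigma string matching is case-insensitive by default
    for value in values:
        value = value.lower()
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "" and actual == value:
            return True
    return False

def selection_matches(event, selection=SELECTION):
    """Every key in a selection map must match (AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())

# Constructed macOS process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "/usr/sbin/tcpdump", "CommandLine": "tcpdump -i en0 -w /tmp/cap.pcap"},
    {"Image": "/Applications/Wireshark.app/Contents/MacOS/tshark",
     "CommandLine": "tshark -i en0"},
    {"Image": "/usr/bin/curl", "CommandLine": "curl https://example.com"},
    # The leading "/" in the rule anchors the match to the whole file name.
    {"Image": "/opt/tools/mytcpdump", "CommandLine": "mytcpdump -h"},
    {"CommandLine": "tcpdump -i en0"},  # Image field absent from the event
]

def hits(events=SAMPLE_EVENTS):
    """Return the Image path of every event the selection matches."""
    return [e["Image"] for e in events if selection_matches(e)]

if __name__ == "__main__":
    for image in hits():
        print("match:", image)
```

The rule keys on the executable path only, so coverage depends on the log source populating `Image` with the full path of the started process.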
Related rules
- Cisco Sniffing
- Harvesting Of Wifi Credentials Via Netsh.EXE
- Network Sniffing - Linux
- New Network Trace Capture Started Via Netsh.EXE
- Potential Network Sniffing Activity Using Network Tools