Network Sniffing - MacOs
Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Sigma rule (View on GitHub)
1title: Network Sniffing - MacOs
2id: adc9bcc4-c39c-4f6b-a711-1884017bf043
3status: test
4description: |
5 Detects the usage of tooling to sniff network traffic.
6 An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
7references:
8 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
9author: Alejandro Ortuno, oscd.community
10date: 2020/10/14
11modified: 2022/11/26
12tags:
13 - attack.discovery
14 - attack.credential_access
15 - attack.t1040
16logsource:
17 category: process_creation
18 product: macos
19detection:
20 selection:
21 Image|endswith:
22 - '/tcpdump'
23 - '/tshark'
24 condition: selection
25falsepositives:
26 - Legitimate administration activities
27level: informational
References
Related rules
- System and Hardware Information Discovery
- File and Directory Discovery - Linux
- File and Directory Discovery - MacOS
- Abnormal LSASS Child and Parent Process Relationships
- Abnormal LSASS Process Access and Injection