Windows Pcap Drivers
Detects Windows Pcap driver installation based on a list of associated .sys files.
Sigma rule
title: Windows Pcap Drivers
id: 7b687634-ab20-11ea-bb37-0242ac130002
status: test
description: Detects Windows Pcap driver installation based on a list of associated .sys files.
references:
    - https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more
author: Cian Heasley
date: 2020-06-10
modified: 2023-04-14
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1040
logsource:
    product: windows
    service: security
    definition: The 'Security System Extension' audit subcategory needs to be enabled (success auditing) for EID 4697 to be logged
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains:
            - 'pcap'
            - 'npcap'
            - 'npf'
            - 'nm3'
            - 'ndiscap'
            - 'nmnt'
            - 'windivert'
            - 'USBPcap'
            - 'pktmon'
    condition: selection
fields:
    - EventID
    - ServiceFileName
    - Account_Name
    - Computer_Name
    - Originating_Computer
    - ServiceName
falsepositives:
    - Unknown
level: medium
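The selection above is a single conjunction: EventID 4697 (a service was installed in the system) with a ServiceFileName that contains any of the listed substrings, where Sigma's `contains` modifier is case-insensitive. The following is an added example, not SigmaHQ code or part of the rule: it reimplements that selection the way a backend would and runs it over a few constructed Security-log events in the XML layout that `Get-WinEvent` returns from `.ToXml()`. The hostnames, user names and file paths in the samples are invented for illustration.

```python
"""Evaluate the 'Windows Pcap Drivers' Sigma selection over 4697 event XML.

Added example (not the rule's own code). Reimplements:
    EventID == 4697 AND ServiceFileName|contains any(PCAP_PATTERNS)
with the case-insensitive substring semantics Sigma gives `contains`.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Substrings from the rule's ServiceFileName|contains list, verbatim.
PCAP_PATTERNS = ["pcap", "npcap", "npf", "nm3", "ndiscap",
                 "nmnt", "windivert", "USBPcap", "pktmon"]


def parse_event(xml_text):
    """Flatten one Windows event: EventID, Channel, Computer plus every EventData field."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event = {
        "EventID": int(system.find("e:EventID", NS).text),
        "Channel": system.find("e:Channel", NS).text,
        "Computer": system.find("e:Computer", NS).text,
    }
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def matches_rule(event):
    """The rule's selection; both sides lower-cased because Sigma 'contains' ignores case."""
    if event.get("EventID") != 4697:
        return False
    path = event.get("ServiceFileName", "").lower()
    return any(p.lower() in path for p in PCAP_PATTERNS)


def alerts(xml_events):
    """Return (ServiceName, ServiceFileName) for each event the rule would fire on."""
    hits = []
    for ev in map(parse_event, xml_events):
        if matches_rule(ev):
            hits.append((ev["ServiceName"], ev["ServiceFileName"]))
    return hits


def event_xml(event_id, channel, data, computer="WS01.corp.example"):
    """Build a constructed event in the Security-log XML shape (trimmed to relevant fields)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f'<System><EventID>{event_id}</EventID><Channel>{channel}</Channel>'
            f'<Computer>{computer}</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')


# Constructed sample events (hostnames, users and paths are made up).
SAMPLE_EVENTS = [
    # Npcap driver install: matches 'pcap' and 'npcap'.
    event_xml(4697, "Security", {"SubjectUserName": "alice", "ServiceName": "npcap",
                                 "ServiceFileName": r"C:\Windows\System32\DRIVERS\npcap.sys",
                                 "ServiceType": "0x1", "ServiceStartType": "3"}),
    # USBPcap driver, SystemRoot-relative path as the SCM often records it.
    event_xml(4697, "Security", {"SubjectUserName": "bob", "ServiceName": "USBPcap",
                                 "ServiceFileName": r"\SystemRoot\system32\DRIVERS\USBPcap.sys",
                                 "ServiceType": "0x1", "ServiceStartType": "3"}),
    # WinDivert loaded from a temp directory; mixed case still matches 'windivert'.
    event_xml(4697, "Security", {"SubjectUserName": "alice", "ServiceName": "WinDivert",
                                 "ServiceFileName": r"C:\Users\alice\AppData\Local\Temp\WinDivert64.sys",
                                 "ServiceType": "0x1", "ServiceStartType": "3"}),
    # Benign service install: no pattern in the path, must not fire.
    event_xml(4697, "Security", {"SubjectUserName": "SYSTEM", "ServiceName": "Spooler",
                                 "ServiceFileName": r"C:\Windows\System32\spoolsv.exe",
                                 "ServiceType": "0x10", "ServiceStartType": "2"}),
    # Same install seen from the System log (EID 7045, ImagePath field): out of scope for this rule.
    event_xml(7045, "System", {"ServiceName": "npcap",
                               "ImagePath": r"C:\Windows\System32\DRIVERS\npcap.sys"}),
]

if __name__ == "__main__":
    for name, path in alerts(SAMPLE_EVENTS):
        print(f"ALERT: {name} -> {path}")
```

Two things the run makes visible that the YAML alone does not. First, the last sample shows the rule's coverage boundary: the same driver install also appears as EID 7045 in the System log, but this rule only inspects Security 4697, which is why the `definition` line matters; on a host where the subcategory is off (`auditpol /set /subcategory:"Security System Extension" /success:enable` turns it on), nothing here fires. Second, the match is a bare substring, so short tokens such as `nm3` or `npf` will hit any path that happens to contain those characters; when tuning, look at the `ServiceFileName` of each hit rather than only the `ServiceName`.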
References
- https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more
Related rules
- Cisco Sniffing
- Harvesting Of Wifi Credentials Via Netsh.EXE
- Network Sniffing - Linux
- Network Sniffing - MacOs
- New Network Trace Capture Started Via Netsh.EXE