Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
Detects the execution of PowerShell scripts that call the "Start-NetEventSession" cmdlet, which starts event and packet capture for a network event session. Adversaries may capture network traffic to gather information over the course of an operation. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.
Sigma rule
title: Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
id: da34e323-1e65-42db-83be-a6725ac2caa3
status: experimental
description: |
    Detects the execution of powershell scripts with calls to the "Start-NetEventSession" cmdlet. Which allows an attacker to start event and packet capture for a network event session.
    Adversaries may attempt to capture network to gather information over the course of an operation.
    Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing
    - https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md
    - https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13
author: frack113
date: 2024-05-12
tags:
    - attack.credential-access
    - attack.discovery
    - attack.t1040
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: 'Start-NetEventSession'
    condition: selection
falsepositives:
    - Legitimate network diagnostic scripts.
level: medium
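The rule's matching logic run over a handful of constructed Script Block Logging events, as an added example that is not part of the rule or of the Sigma project. It reproduces two Sigma behaviours that matter for this rule: the ps_script log source corresponds to Microsoft-Windows-PowerShell/Operational event ID 4104, and the `contains` modifier is a case-insensitive substring test unless `|cased` is added; the event record shape and all sample script text are assumptions for illustration.

```python
"""Apply the Start-NetEventSession Sigma rule to sample 4104 events."""
from dataclasses import dataclass

SCRIPT_BLOCK_EVENT_ID = 4104   # Sigma ps_script category = PowerShell/Operational 4104
NEEDLE = "Start-NetEventSession"  # value from the rule's selection


@dataclass
class ScriptBlockEvent:
    """Minimal view of a script-block log record (constructed shape)."""
    event_id: int
    script_block_id: str
    script_block_text: str
    path: str = ""


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ScriptBlockEvent(4104, "sb-1",
                     "New-NetEventSession -Name trace\n"
                     "Add-NetEventPacketCaptureProvider -SessionName trace\n"
                     "Start-NetEventSession -Name trace"),
    ScriptBlockEvent(4104, "sb-2", "Get-NetEventSession | Format-List"),
    # Lower-case call: still matches, because Sigma `contains` is case-insensitive.
    ScriptBlockEvent(4104, "sb-3", "start-neteventsession -name cap", r"C:\Tools\cap.ps1"),
    # Same text in a non-4104 record: outside the ps_script log source, so ignored.
    ScriptBlockEvent(4103, "sb-4", "Start-NetEventSession -Name trace"),
    ScriptBlockEvent(4104, "sb-5", "Stop-NetEventSession -Name trace"),
]


def matches_rule(event: ScriptBlockEvent) -> bool:
    """True when the event satisfies both the logsource and the selection."""
    if event.event_id != SCRIPT_BLOCK_EVENT_ID:
        return False
    # `ScriptBlockText|contains` without `|cased`: case-insensitive substring match.
    return NEEDLE.lower() in event.script_block_text.lower()


def detect(events):
    """Return the ScriptBlockIds that would raise this alert, in log order."""
    return [e.script_block_id for e in events if matches_rule(e)]


if __name__ == "__main__":
    for sb_id in detect(SAMPLE_EVENTS):
        print(f"ALERT {sb_id}: Start-NetEventSession seen in script block")
```

In a real pipeline the Path field is what an analyst checks first against the stated false positive, since a diagnostic script under an administrator's tooling directory reads differently from an unsaved block run from an interactive session.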
Related rules
- Cisco Sniffing
- Harvesting Of Wifi Credentials Via Netsh.EXE
- Network Sniffing - Linux
- Network Sniffing - MacOs
- New Network Trace Capture Started Via Netsh.EXE