New Network Trace Capture Started Via Netsh.EXE
Detects the execution of netsh with the "trace" flag in order to start a network capture
Sigma rule
```yaml
title: New Network Trace Capture Started Via Netsh.EXE
id: d3c3861d-c504-4c77-ba55-224ba82d0118
status: test
description: Detects the execution of netsh with the "trace" flag in order to start a network capture
references:
    - https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/
    - https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/
author: Kutepov Anton, oscd.community
date: 2019-10-24
modified: 2023-02-13
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1040
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'trace'
            - 'start'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activity
level: medium
```
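To see exactly what the rule above will and will not fire on, here is the detection logic re-implemented in plain Python and run over a handful of constructed process_creation events. This is an added example, not code from SigmaHQ or the rule author; the sample events are made up for illustration and the field names follow the Sigma Windows process_creation taxonomy (Image, OriginalFileName, CommandLine). It reproduces the Sigma semantics the rule relies on: a list of maps under `selection_img` is an OR, `contains|all` requires every token, string matching is case-insensitive by default, and `all of selection_*` ANDs the two selections.

```python
# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {   # true positive: starts a capture and writes the .etl to disk
        "Image": r"C:\Windows\System32\netsh.exe",
        "OriginalFileName": "netsh.exe",
        "CommandLine": r"netsh trace start capture=yes tracefile=C:\Users\Public\net.etl",
    },
    {   # true positive caught only via OriginalFileName: binary renamed to dodge Image matching
        "Image": r"C:\Users\Public\nt.exe",
        "OriginalFileName": "netsh.exe",
        "CommandLine": "nt.exe TRACE START persistent=yes",
    },
    {   # not matched: stopping the capture has no 'start' token
        "Image": r"C:\Windows\System32\netsh.exe",
        "OriginalFileName": "netsh.exe",
        "CommandLine": "netsh trace stop",
    },
    {   # not matched: a different netsh context, no 'trace' token
        "Image": r"C:\Windows\System32\netsh.exe",
        "OriginalFileName": "netsh.exe",
        "CommandLine": "netsh advfirewall show allprofiles",
    },
    {   # not matched: both tokens present but the image is not netsh
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": 'cmd /c "start notepad trace.log"',
    },
]


def selection_img(event: dict) -> bool:
    """selection_img: a list of maps, so either item matching is enough (OR).
    Sigma string modifiers compare case-insensitively by default."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\netsh.exe") or original == "netsh.exe"


def selection_cli(event: dict) -> bool:
    """selection_cli: CommandLine|contains|all, every token must appear somewhere."""
    cli = event.get("CommandLine", "").lower()
    return all(token in cli for token in ("trace", "start"))


def matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event)


def evaluate(events: list) -> list:
    """Return the command lines of the events that would raise this alert."""
    return [e["CommandLine"] for e in events if matches(e)]


if __name__ == "__main__":
    for cli in evaluate(SAMPLE_EVENTS):
        print("ALERT:", cli)
```

Two things worth noting from the run: the OriginalFileName branch is what keeps a renamed netsh.exe in scope, so do not drop it when porting the rule to a backend that only logs Image; and because the two tokens are unanchored substrings, any netsh command line carrying both of them anywhere fires, which is the source of the "legitimate administration activity" false positives. The matching `netsh trace stop` is not covered here, so correlate on the same host if you want the full capture session.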
Related rules
- Cisco Sniffing
- Harvesting Of Wifi Credentials Via Netsh.EXE
- Network Sniffing - Linux
- Network Sniffing - MacOs
- Potential Network Sniffing Activity Using Network Tools