PktMon.EXE Execution

calendar Oct 23, 2025 · attack.discovery attack.credential-access attack.t1040  ·
Share on: linkedin copy

Detects execution of PktMon, a tool that captures network packets.

Sigma rule (View on GitHub)

 1title: PktMon.EXE Execution
 2id: f956c7c1-0f60-4bc5-b7d7-b39ab3c08908
 3status: test
 4description: Detects execution of PktMon, a tool that captures network packets.
 5references:
 6    - https://lolbas-project.github.io/lolbas/Binaries/Pktmon/
 7author: frack113
 8date: 2022-03-17
 9modified: 2023-06-23
10tags:
11    - attack.discovery
12    - attack.credential-access
13    - attack.t1040
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        - Image|endswith: '\pktmon.exe'
20        - OriginalFileName: 'PktMon.exe'
21    condition: selection
22falsepositives:
23    - Legitimate use
24level: medium

References

  • Pktmon on LOLBAS

    Pktmon.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.


    Read More

Related rules

to-top