PktMon.EXE Execution

Detects execution of PktMon, a tool that captures network packets.

Sigma rule

title: PktMon.EXE Execution
id: f956c7c1-0f60-4bc5-b7d7-b39ab3c08908
status: test
description: Detects execution of PktMon, a tool that captures network packets.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Pktmon/
author: frack113
date: 2022/03/17
modified: 2023/06/23
tags:
    - attack.credential_access
    - attack.t1040
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\pktmon.exe'
        - OriginalFileName: 'PktMon.exe'
    condition: selection
falsepositives:
    - Legitimate use
level: medium
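As an added example (not part of the rule or the Sigma project), the selection above evaluated in Python over constructed process-creation events. The two list items are OR-ed, and string comparison is case-insensitive as Sigma backends apply it; the event fields and sample values are assumptions for illustration.

```python
"""Evaluate the PktMon.EXE Execution selection against constructed process_creation events."""

# Selection copied from the rule: list items are OR-ed, fields within one item are AND-ed.
SELECTION = [
    {"Image|endswith": r"\pktmon.exe"},
    {"OriginalFileName": "PktMon.exe"},
]

def _match_field(event, key, expected):
    """Apply one Sigma field spec (field name plus optional modifier) to an event.
    Sigma string matching is case-insensitive, so both sides are lower-cased."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    value, expected = value.lower(), expected.lower()
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "":
        return value == expected
    raise ValueError(f"unsupported modifier: {modifier}")

def matches_rule(event):
    """True when any alternative in the selection matches (OR across list items)."""
    return any(all(_match_field(event, k, v) for k, v in alt.items()) for alt in SELECTION)

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\pktmon.exe", "OriginalFileName": "PktMon.exe",
     "CommandLine": "pktmon start --capture"},
    # Copy renamed on disk: the Image check fails, but OriginalFileName from the
    # PE version resource still matches, which is why the rule carries both checks.
    {"Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "PktMon.exe",
     "CommandLine": "svc.exe start --capture"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe"},
]

def alerts(events=SAMPLE_EVENTS):
    """Return the Image of each event that would raise this rule."""
    return [e["Image"] for e in events if matches_rule(e)]

if __name__ == "__main__":
    for image in alerts():
        print("PktMon.EXE Execution:", image)
```

Because the level is medium and the listed false positive is legitimate use, the CommandLine field is kept in the events so an analyst can triage what capture was requested.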
