Potential Network Sniffing Activity Using Network Tools

calendar Dec 21, 2023 · attack.credential_access attack.discovery attack.t1040  ·
Share on: linkedin copy

Detects potential network sniffing via use of network tools such as "tshark", "windump". Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Sigma rule (View on GitHub)

 1title: Potential Network Sniffing Activity Using Network Tools
 2id: ba1f7802-adc7-48b4-9ecb-81e227fddfd5
 3status: test
 4description: |
 5    Detects potential network sniffing via use of network tools such as "tshark", "windump".
 6    Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
 7    An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.    
 8references:
 9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
10author: Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)
11date: 2019/10/21
12modified: 2023/02/20
13tags:
14    - attack.credential_access
15    - attack.discovery
16    - attack.t1040
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection_tshark:
22        Image|endswith: '\tshark.exe'
23        CommandLine|contains: '-i'
24    selection_windump:
25        Image|endswith: '\windump.exe'
26    condition: 1 of selection_*
27falsepositives:
28    - Legitimate administration activity to troubleshoot network issues
29level: medium

References

Related rules

to-top