Detects Windows Pcap driver installation based on a list of associated .sys files.

Detects potential network sniffing via use of network tools such as "tshark", "windump". Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Detect the harvesting of wifi credentials using netsh.exe

Detects the execution of netsh with the "trace" flag in order to start a network capture

Tools to Capture Network Packets on the windows 10 with October 2018 Update or later.

Show when a monitor or a span/rspan is setup or modified

Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.