LoFP / Full network packet capture may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Full network packet capture from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Sample rules

Azure Full Network Packet Capture Detected

Description

Identifies potential full network packet capture in Azure. Packet Capture is an Azure Network Watcher feature that can be used to inspect network traffic. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.

Detection logic

event.dataset:azure.activitylogs and azure.activitylogs.operation_name:
    (
        MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION or
        MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION or
        MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE
    ) and
event.outcome:(Success or success)

Google Full Network Traffic Packet Capture

Description

Identifies potential full network packet capture in GCP. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.

Detection logic

condition: selection
selection:
  gcp.audit.method_name:
  - v*.Compute.PacketMirrorings.Get
  - v*.Compute.PacketMirrorings.Delete
  - v*.Compute.PacketMirrorings.Insert
  - v*.Compute.PacketMirrorings.Patch
  - v*.Compute.PacketMirrorings.List
  - v*.Compute.PacketMirrorings.aggregatedList
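As an added illustration (not code from either rule's project), the following Python evaluates both sample rules over constructed audit events and applies the exemption approach from the false-positive note: hits from a known administrator identity are marked exempt instead of alerting. It assumes events flattened to ECS-style field names, a `user.name` field for the acting identity, and case-insensitive wildcard matching (Sigma's default; a simplification of the KQL rule).

```python
from fnmatch import fnmatchcase

# Wildcard patterns copied from the two sample rules above.
AZURE_OPERATIONS = [
    "MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION",
    "MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION",
    "MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE",
]
GCP_METHODS = ["v*.Compute.PacketMirrorings." + op for op in
               ("Get", "Delete", "Insert", "Patch", "List", "aggregatedList")]

def _matches(value, patterns):
    """Case-insensitive wildcard match (Sigma's default; a simplification of KQL)."""
    return value is not None and any(fnmatchcase(value.lower(), p.lower()) for p in patterns)

def classify(event, exempt_users=frozenset()):
    """Return 'alert', 'exempt' or None for one flattened ECS-style event (assumed layout)."""
    dataset = event.get("event.dataset")
    if dataset == "azure.activitylogs":
        hit = (_matches(event.get("azure.activitylogs.operation_name"), AZURE_OPERATIONS)
               and str(event.get("event.outcome", "")).lower() == "success")
    elif dataset == "gcp.audit":
        hit = _matches(event.get("gcp.audit.method_name"), GCP_METHODS)
    else:
        hit = False
    if not hit:
        return None
    # LoFP handling: known administrator identities are exempted rather than alerted on.
    return "exempt" if event.get("user.name") in exempt_users else "alert"

# Constructed sample events (not real log data); keys are flattened ECS field names.
SAMPLE_EVENTS = [
    {"event.dataset": "azure.activitylogs", "user.name": "netops@example.com", "event.outcome": "Success",
     "azure.activitylogs.operation_name": "MICROSOFT.NETWORK/NETWORKWATCHERS/PACKETCAPTURES/WRITE"},
    {"event.dataset": "azure.activitylogs", "user.name": "contractor@example.com", "event.outcome": "success",
     "azure.activitylogs.operation_name": "MICROSOFT.NETWORK/NETWORKWATCHERS/STARTPACKETCAPTURE/ACTION"},
    {"event.dataset": "azure.activitylogs", "user.name": "contractor@example.com", "event.outcome": "Failure",
     "azure.activitylogs.operation_name": "MICROSOFT.NETWORK/NETWORKWATCHERS/PACKETCAPTURES/WRITE"},
    {"event.dataset": "gcp.audit", "user.name": "unknown-sa@example.iam.gserviceaccount.com",
     "gcp.audit.method_name": "v1.compute.packetMirrorings.insert"},
    {"event.dataset": "gcp.audit", "user.name": "netops@example.com",
     "gcp.audit.method_name": "v1.compute.instances.list"},
]

def run(events=SAMPLE_EVENTS, exempt_users=frozenset({"netops@example.com"})):
    """Evaluate both rules over the events; returns (alerted users, exempted users)."""
    verdicts = [(classify(e, exempt_users), e.get("user.name")) for e in events]
    return ([u for v, u in verdicts if v == "alert"], [u for v, u in verdicts if v == "exempt"])
```

The failed Azure write and the unrelated GCP list call produce nothing; the unfamiliar contractor and service account alert, while the exempted netops identity is recorded separately so the exemption can still be audited.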