LoFP / legitimate administration activity to troubleshoot network issues

Techniques

Sample rules

Potential Network Sniffing Activity Using Network Tools

Description

Detects potential network sniffing via the use of network tools such as tshark and windump. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use SPAN ports to capture a larger amount of data. The same commands are also run by administrators troubleshooting network issues, which is the false positive this page documents.

Detection logic

condition: 1 of selection_*
selection_tshark:
  CommandLine|contains: -i
  Image|endswith: \tshark.exe
selection_windump:
  Image|endswith: \windump.exe