Network Sniffing via Tcpdump
- source: elastic
- techniques:
  - T1040
Description
The Tcpdump program ran on a Linux host. Tcpdump is a network monitoring or packet sniffing tool that can be used to capture insecure credentials or data in motion. Sniffing can also be used to discover details of network services as a prelude to lateral movement or defense evasion.
Detection logic
event.category:process and event.type:(start or process_started) and process.name:tcpdump
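The query above, evaluated in Python over constructed ECS-style process events, as an added example that is not part of the Elastic rule; it assumes events are plain dicts with either nested or dotted ECS keys, and that `event.category` and `event.type` may be arrays, as they are in ECS.

```python
from typing import Any, Iterable


def _field(event: dict, dotted: str) -> Any:
    """Resolve an ECS field whether the event uses flattened dotted keys or nested dicts."""
    if dotted in event:
        return event[dotted]
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _as_list(value: Any) -> list:
    """KQL term matches against any element of an array field, so normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def matches_tcpdump_rule(event: dict) -> bool:
    """event.category:process and event.type:(start or process_started) and process.name:tcpdump"""
    category_ok = "process" in _as_list(_field(event, "event.category"))
    type_ok = bool({"start", "process_started"} & set(_as_list(_field(event, "event.type"))))
    # process.name is a keyword field: exact, case-sensitive match on the binary's basename.
    name_ok = _field(event, "process.name") == "tcpdump"
    return category_ok and type_ok and name_ok


def find_alerts(events: Iterable[dict]) -> list[str]:
    """Return the ids of events that would trigger the rule."""
    return [e["id"] for e in events if matches_tcpdump_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "e1", "event": {"category": ["process"], "type": ["start"]},
     "process": {"name": "tcpdump", "args": ["tcpdump", "-i", "eth0", "-w", "cap.pcap"]}},
    {"id": "e2", "event": {"category": ["process"], "type": ["end"]},
     "process": {"name": "tcpdump"}},                       # exit event: not a start
    {"id": "e3", "event": {"category": ["process"], "type": ["start"]},
     "process": {"name": "sshd"}},                          # different binary
    {"id": "e4", "event.category": "process", "event.type": "process_started",
     "process.name": "tcpdump"},                            # flattened keys, legacy type value
    {"id": "e5", "event": {"category": ["network"], "type": ["start"]},
     "process": {"name": "tcpdump"}},                       # wrong category
]

if __name__ == "__main__":
    print(find_alerts(SAMPLE_EVENTS))  # prints ['e1', 'e4']
```

Because the match is on `process.name`, a copy of the binary under another name would not be caught; pairing this with a hash-based or `process.args` check is a common hardening step.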