Potential Network Sniffing Activity Using Network Tools

Sigma Rules

Summary
This detection rule identifies potential network sniffing activity that uses common network tools such as "tshark" and "windump". Network sniffing is a technique adversaries use to monitor and capture sensitive information transmitted over network connections. The rule looks for process-creation events corresponding to the execution of these tools with command-line parameters indicative of live capture. By placing a network interface in promiscuous mode or using SPAN ports, attackers can gain unauthorized access to network traffic and collect data that may contain credentials or other critical information. The rule triggers when either "tshark" is executed with a command line containing a parameter that specifies an interface to monitor, or when "windump" is started at all. This dual selection broadens coverage of potentially malicious activity while limiting false positives, which can still arise from legitimate network troubleshooting by administrators.
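The selection logic described above, re-implemented in Python as an added example (this is not the rule's own Sigma text) and run over constructed Sysmon-style process-creation events; the field names Image and CommandLine, and matching the tshark interface option as a separate `-i`/`--interface` token, are assumptions of this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed process-creation events (Sysmon Event ID 1 style fields).
# These are sample inputs written for this example, not captured telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Program Files\Wireshark\tshark.exe",
     "CommandLine": r"tshark.exe -i Ethernet0 -w C:\Users\Public\cap.pcap"},
    {"Image": r"C:\Tools\windump.exe",
     "CommandLine": r"windump.exe -n -s 0 port 445"},
    {"Image": r"C:\Program Files\Wireshark\tshark.exe",
     "CommandLine": r"tshark.exe -r C:\captures\old.pcap -Y dns"},   # offline read
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\temp\wireshark.msi /qn"},     # "/i" but not tshark
    {"Image": r"C:\Program Files\Wireshark\tshark.exe",
     "CommandLine": r"tshark.exe -D"},                                # lists interfaces only
]

# tshark selects a live-capture interface with -i <iface> (or --interface).
# Requiring the option to start a token is an assumption of this example; it
# avoids hits on paths or other arguments that merely contain "-i".
_INTERFACE_OPT = re.compile(r"(?:^|\s)(?:-i|--interface)")


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return the name of the matching selection, or None if no selection fires."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    if image.endswith("\\windump.exe"):
        # Any windump launch is reported, regardless of its arguments.
        return "windump"
    if image.endswith("\\tshark.exe") and _INTERFACE_OPT.search(cmdline):
        return "tshark_interface"
    return None


def find_sniffing(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Apply the rule to a batch of events and return (index, selection) hits."""
    return [(i, hit) for i, e in enumerate(events) if (hit := classify(e))]


if __name__ == "__main__":
    for idx, reason in find_sniffing(SAMPLE_EVENTS):
        print(f"event {idx} [{reason}]: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Only the first two sample events fire; the offline read (-r), the installer and the interface listing (-D) are left alone, which is where most troubleshooting noise would otherwise come from.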
Categories
  • Network
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1040
Created: 2019-10-21