valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
2a63927d51
SigmaHQ/rules/linux/macos_network_sniffing.yml

25 lines
795 B
YAML
Raw Normal View History

Initial Sigma Rule
2020-10-14 08:24:59 +00:00
title: Network Sniffing
id: adc9bcc4-c39c-4f6b-a711-1884017bf043
status: experimental
description: Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
author: Alejandro Ortuno, oscd.community
date: 2020/10/14
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
logsource:
category: process_creation
product: macos
detection:
changes a syntax a bit to re-run the test
2020-10-20 15:10:20 +00:00
selection:
Fixes and improvements
2021-04-02 22:00:43 +00:00
Image|endswith:
Initial Sigma Rule
2020-10-14 08:24:59 +00:00
- '/tcpdump'
- '/tshark'
changes a syntax a bit to re-run the test
2020-10-20 15:10:20 +00:00
condition: selection
Initial Sigma Rule
2020-10-14 08:24:59 +00:00
falsepositives:
- Legitimate administration activities
Fixes and improvements
2021-04-02 22:00:43 +00:00
level: informational
Initial Sigma Rule
2020-10-14 08:24:59 +00:00
tags:
- attack.discovery
- attack.credential_access
- attack.t1040
Reference in New Issue Copy Permalink