From 7e3d8ccaf3958e84c7ee4f8abcc6a79b2cbbb588 Mon Sep 17 00:00:00 2001
From: zinint
Date: Wed, 30 Oct 2019 19:05:50 +0300
Subject: [PATCH] T1040

---
 rules/linux/auditd/lnx_network_sniffing.yml | 29 +++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 rules/linux/auditd/lnx_network_sniffing.yml

diff --git a/rules/linux/auditd/lnx_network_sniffing.yml b/rules/linux/auditd/lnx_network_sniffing.yml
new file mode 100644
index 00000000..373926e6
--- /dev/null
+++ b/rules/linux/auditd/lnx_network_sniffing.yml
@@ -0,0 +1,29 @@
+title: Network Sniffing
+status: experimental
+description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+author: Timur Zinniatullin, oscd.community
+references:
+    - https://attack.mitre.org/techniques/T1040/
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection1:
+        type: 'execve'
+        a0: 'tcpdump'
+        a1: '-c'
+        a3: '-nnni' # you don't need "n" three times, but ART's test is like this, they say "we don't know why, but we've seen people do that just for emphasis" ¯\_(ツ)_/¯
+    selection2:
+        type: 'execve'
+        a0: 'tshark'
+        a1: '-c'
+        a3: '-i'
+    condition: 1 of them
+falsepositives:
+    - Admin activity
+level: low
+tags:
+    - attack.credential_access
+    - attack.discovery
+    - attack.t1040
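Review bot: Both selections pin tcpdump and tshark to the exact argument layout of the Atomic Red Team test (`-c` in a1, `-nnni` or `-i` in a3), so an ordinary capture such as `tcpdump -i eth0` or `tshark -i eth0 -w out.pcap` produces no match; as written the rule detects the test command rather than the technique. Because auditd EXECVE records only expose positional aN fields, the robust form is to match on a0 alone and accept the volume that `level: low` and the `Admin activity` false positive already imply; if volume is a problem, the `-i`/`-nnni` constraint can be re-added as a value list over a1–a4 instead of a single position. The auditd record type is spelled `EXECVE` in the log; Sigma string matching is case-insensitive so `'execve'` works, but aligning the spelling with the repository's other auditd rules is worth doing if they use the uppercase form. The rule also carries no `id` or `date` field; if the repository's current rule format requires them, add `id: <placeholder-uuid>` and `date: <YYYY/MM/DD>` before merging.
```yaml
detection:
    selection_tcpdump:
        type: 'execve'
        a0: 'tcpdump'
    selection_tshark:
        type: 'execve'
        a0: 'tshark'
    condition: 1 of selection*
# … unchanged: falsepositives, level, tags …
```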