title: Network Sniffing status: experimental description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. author: Timur Zinniatullin, oscd.community date: 2019/10/21 modified: 2019/11/04 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml logsource: category: process_creation product: windows detection: selection: - Image: '*\tshark.exe' CommandLine|contains: '-i' - Image: '*\windump.exe' condition: selection falsepositives: - Admin activity fields: - Image - CommandLine - User - LogonGuid - Hashes - ParentProcessGuid - ParentCommandLine level: low tags: - attack.credential_access - attack.discovery - attack.t1040