Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock

Rule Info

Name
Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
Author
frack113
Description
Detects the execution of PowerShell scripts that call the "Start-NetEventSession" cmdlet, which starts event and packet capture for a network event session. Adversaries may capture network traffic to gather information over the course of an operation. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.
Date
2024-05-12
Modified
None
Id
da34e323-1e65-42db-83be-a6725ac2caa3
Tags
attack.credential_access attack.discovery attack.t1040 DEMO
Type
Community Rule
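The rule matches on the literal cmdlet name in PowerShell script block logs (Windows PowerShell Operational log, Event ID 4104). The following is an added example, not part of the rule or the Sigma project: a small Python matcher that reproduces the rule's logic (a case-insensitive "contains" check on ScriptBlockText, as Sigma's contains modifier behaves) and runs it over constructed sample events. The event field names, host names and script text are assumptions made up for the example; the first sample mirrors the cmdlet sequence an operator would type to capture packets to an .etl file, and the later samples show a case variation, a non-starting use of the NetEventSession cmdlets, and a concatenated command name that the literal match does not catch.

```python
# Added example (not the rule's own code). Reproduces the detection logic
# described on this page: a PowerShell script block (Event ID 4104) whose
# ScriptBlockText contains "Start-NetEventSession". Sigma's |contains
# modifier is case-insensitive, so the comparison is done on lowercase text.
INDICATOR = "start-neteventsession"


def matches_rule(event):
    """Return True if a script block event would trigger the rule.

    `event` is an assumed dict shape with EventID and ScriptBlockText keys;
    real telemetry would come from the PowerShell Operational log.
    """
    if event.get("EventID") != 4104:
        return False
    return INDICATOR in event.get("ScriptBlockText", "").lower()


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Typical capture sequence: create a session, attach the packet capture
    # provider, then start it. This is what the rule is meant to flag.
    {"EventID": 4104, "Computer": "WS01",
     "ScriptBlockText": (
         "New-NetEventSession -Name cap -LocalFilePath C:\\Windows\\Temp\\cap.etl\n"
         "Add-NetEventPacketCaptureProvider -SessionName cap\n"
         "Start-NetEventSession -Name cap")},
    # Same cmdlet in a different case: still matches.
    {"EventID": 4104, "Computer": "WS02",
     "ScriptBlockText": "START-NETEVENTSESSION -Name cap"},
    # Lists and stops sessions but never starts one: no match.
    {"EventID": 4104, "Computer": "WS03",
     "ScriptBlockText": "Get-NetEventSession | Stop-NetEventSession"},
    # Command name built at runtime from two strings: the literal substring
    # check does not see "Start-NetEventSession", so this evades the rule.
    {"EventID": 4104, "Computer": "WS04",
     "ScriptBlockText": "& ('Start-NetEvent' + 'Session') -Name cap"},
    # Right text, wrong event: the rule only applies to script block events.
    {"EventID": 4103, "Computer": "WS01",
     "ScriptBlockText": "Start-NetEventSession -Name cap"},
]


def run_detection(events):
    """Return the Computer field of every event that triggers the rule."""
    return [e["Computer"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    print(run_detection(SAMPLE_EVENTS))
```

Script block logging must be enabled for 4104 events to exist at all; the sample WS04 case shows why a single literal match is a starting point rather than a complete control, since obfuscated or dynamically built command names need either additional patterns or a different telemetry source (for example the .etl file written by the session).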

Rule History

Author
frack113
Title
Merge PR #4852 from @frack113 - Add `Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock`
Date
2024-05-13
Commit