Adversaries may use a variety of tools to gain visibility into the current state of the network: which processes are listening on which ports, which services are running on other hosts, and so on. This analytic looks for the process names of the most common network sniffing tools. While this may be noisy on networks where sysadmins use any of these tools on a regular basis, in most networks their execution is noteworthy.
| Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
|---|---|---|---|
| Network Sniffing | N/A | Credential Access, Discovery | Moderate |
Data Model References
Pseudocode - commands containing known network sniffing application names (Pseudocode, CAR native)
This is a pseudocode representation of the Splunk search below. The `logman.exe` clause only fires when a parent process is recorded and that parent is not the Windows Event Reporting agent service, which launches `logman.exe` legitimately.

```
processes = search Process:Create
sniffer_processes = filter processes where (
    exe = "tshark.exe" OR
    exe = "windump.exe" OR
    (exe = "logman.exe" AND parent_exe exists AND parent_exe != "C:\Program Files\Windows Event Reporting\Core\EventReporting.AgentService.exe") OR
    exe = "tcpdump.exe" OR
    exe = "wprui.exe" OR
    exe = "wpr.exe"
)
output sniffer_processes
```
Splunk Search - common network traffic sniffing apps being run (Splunk, Sysmon native)
Look for common network traffic sniffing apps being run (Sysmon EventCode 1 is process creation; `ParentImage="?"` is Sysmon's value when the parent is unknown):

```
(index=__your_sysmon_index__ EventCode=1) (Image="*tshark.exe" OR Image="*windump.exe" OR (Image="*logman.exe" AND ParentImage!="?" AND ParentImage!="C:\\Program Files\\Windows Event Reporting\\Core\\EventReporting.AgentService.exe") OR Image="*tcpdump.exe" OR Image="*wprui.exe" OR Image="*wpr.exe")
```
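The same detection logic expressed in Python, as an added example that is not part of the CAR analytic or its Splunk implementation. It applies the pseudocode's filter, including the `logman.exe` parent-process exception and the "parent unknown" (`?`) case, to a handful of constructed Sysmon EventCode 1 records so the matching behaviour can be checked offline. The event dictionaries, their field names (`EventCode`, `Image`, `ParentImage`, mirroring Sysmon's) and the sample paths are all assumptions for the example; matching is on the exact executable basename, as in the pseudocode, rather than the Splunk search's trailing-wildcard `Image="*tshark.exe"`, which would also match any longer filename ending in that string.

```python
import ntpath
from typing import Iterable, List, Optional

# Executable names from the analytic that are flagged unconditionally.
SNIFFER_EXES = {"tshark.exe", "windump.exe", "tcpdump.exe", "wprui.exe", "wpr.exe"}

# logman.exe is flagged only when a parent is recorded and it is not this service
# (the analytic's one allow-listed parent).
LOGMAN_ALLOWED_PARENT = (
    r"C:\Program Files\Windows Event Reporting\Core\EventReporting.AgentService.exe"
)


def exe_name(image: str) -> str:
    """Return the lower-cased basename of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(image).lower()


def is_sniffer_process(image: str, parent_image: Optional[str]) -> bool:
    """Implement the analytic's filter for a single process-creation record."""
    exe = exe_name(image)
    if exe in SNIFFER_EXES:
        return True
    if exe == "logman.exe":
        # Mirror `parent_exe exists` / ParentImage!="?" : an unknown parent is not enough to flag.
        if parent_image is None or parent_image == "?":
            return False
        # Mirror parent_exe != AgentService path (case-insensitive, since NTFS paths are).
        return parent_image.lower() != LOGMAN_ALLOWED_PARENT.lower()
    return False


def find_sniffer_processes(events: Iterable[dict]) -> List[dict]:
    """Apply the analytic to Sysmon-style events, keeping only process-creation (EventCode 1) hits."""
    return [
        e
        for e in events
        if e.get("EventCode") == 1
        and is_sniffer_process(e.get("Image", ""), e.get("ParentImage"))
    ]


# Constructed sample events (not real telemetry); field names follow Sysmon's.
SAMPLE_EVENTS = [
    {"EventCode": 1, "Image": r"C:\Program Files\Wireshark\tshark.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},                                  # hit
    {"EventCode": 1, "Image": r"C:\Windows\System32\logman.exe",
     "ParentImage": LOGMAN_ALLOWED_PARENT},                                       # allow-listed parent
    {"EventCode": 1, "Image": r"C:\Windows\System32\logman.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},                              # hit
    {"EventCode": 1, "Image": r"C:\Windows\System32\logman.exe",
     "ParentImage": "?"},                                                         # parent unknown
    {"EventCode": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},                                  # unrelated process
    {"EventCode": 3, "Image": r"C:\tools\tcpdump.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},                              # not a process-create event
    {"EventCode": 1, "Image": r"C:\Windows\System32\wpr.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},                              # hit
]


if __name__ == "__main__":
    for hit in find_sniffer_processes(SAMPLE_EVENTS):
        print(f"sniffer tool started: {hit['Image']} (parent: {hit['ParentImage']})")
```

Running the block prints the three expected hits (`tshark.exe`, `logman.exe` under `cmd.exe`, and `wpr.exe`); the `logman.exe` records with the allow-listed parent or an unknown parent, the unrelated process, and the non-EventCode-1 record are all dropped. Tuning for a given environment means extending `SNIFFER_EXES` or adding further known-good parents alongside `LOGMAN_ALLOWED_PARENT`, not loosening the basename match.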