Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Show when a monitor or a span/rspan is setup or modified
status testauthor Austin Clarkid b9e1f193-d236-4451-aaae-2f3d2102120d
view Sigma YAML
title: Cisco Sniffing
id: b9e1f193-d236-4451-aaae-2f3d2102120d
status: test
description: Show when a monitor or a span/rspan is setup or modified
author: Austin Clark
date: 2019-08-11
modified: 2023-01-04
tags:
- attack.credential-access
- attack.discovery
- attack.t1040
logsource:
product: cisco
service: aaa
detection:
keywords:
- 'monitor capture point'
- 'set span'
- 'set rspan'
condition: keywords
falsepositives:
- Admins may setup new or modify old spans, or use a monitor for troubleshooting
level: medium
medium
Harvesting Of Wifi Credentials Via Netsh.EXE
Detect the harvesting of wifi credentials using netsh.exe
status testauthor Andreas Hunkeler (@Karneades), oscd.communityid 42b1a5b8-353f-4f10-b256-39de4467faff
view Sigma YAML
title: Harvesting Of Wifi Credentials Via Netsh.EXE
id: 42b1a5b8-353f-4f10-b256-39de4467faff
status: test
description: Detect the harvesting of wifi credentials using netsh.exe
references:
- https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/
author: Andreas Hunkeler (@Karneades), oscd.community
date: 2020-04-20
modified: 2023-02-13
tags:
- attack.discovery
- attack.credential-access
- attack.t1040
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\netsh.exe'
- OriginalFileName: 'netsh.exe'
selection_cli:
CommandLine|contains|all:
- 'wlan'
- ' s'
- ' p'
- ' k'
- '=clear'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
medium
New Network Trace Capture Started Via Netsh.EXE
Detects the execution of netsh with the "trace" flag in order to start a network capture
status testauthor Kutepov Anton, oscd.communityid d3c3861d-c504-4c77-ba55-224ba82d0118
view Sigma YAML
title: New Network Trace Capture Started Via Netsh.EXE
id: d3c3861d-c504-4c77-ba55-224ba82d0118
status: test
description: Detects the execution of netsh with the "trace" flag in order to start a network capture
references:
- https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/
- https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/
author: Kutepov Anton, oscd.community
date: 2019-10-24
modified: 2023-02-13
tags:
- attack.discovery
- attack.credential-access
- attack.t1040
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\netsh.exe'
- OriginalFileName: 'netsh.exe'
selection_cli:
CommandLine|contains|all:
- 'trace'
- 'start'
condition: all of selection_*
falsepositives:
- Legitimate administration activity
level: medium
medium
PktMon.EXE Execution
Detects execution of PktMon, a tool that captures network packets.
status testauthor frack113id f956c7c1-0f60-4bc5-b7d7-b39ab3c08908
view Sigma YAML
title: PktMon.EXE Execution
id: f956c7c1-0f60-4bc5-b7d7-b39ab3c08908
status: test
description: Detects execution of PktMon, a tool that captures network packets.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Pktmon/
author: frack113
date: 2022-03-17
modified: 2023-06-23
tags:
- attack.discovery
- attack.credential-access
- attack.t1040
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\pktmon.exe'
- OriginalFileName: 'PktMon.exe'
condition: selection
falsepositives:
- Legitimate use
level: medium
medium
Potential Network Sniffing Activity Using Network Tools
Detects potential network sniffing via use of network tools such as "tshark", "windump".
Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
status testauthor Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)id ba1f7802-adc7-48b4-9ecb-81e227fddfd5
view Sigma YAML
title: Potential Network Sniffing Activity Using Network Tools
id: ba1f7802-adc7-48b4-9ecb-81e227fddfd5
status: test
description: |
Detects potential network sniffing via use of network tools such as "tshark", "windump".
Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
author: Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-21
modified: 2023-02-20
tags:
- attack.credential-access
- attack.discovery
- attack.t1040
logsource:
category: process_creation
product: windows
detection:
selection_tshark:
Image|endswith: '\tshark.exe'
CommandLine|contains: '-i'
selection_windump:
Image|endswith: '\windump.exe'
condition: 1 of selection_*
falsepositives:
- Legitimate administration activity to troubleshoot network issues
level: medium
medium
Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
Detects the execution of powershell scripts with calls to the "Start-NetEventSession" cmdlet. Which allows an attacker to start event and packet capture for a network event session.
Adversaries may attempt to capture network to gather information over the course of an operation.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.
status testauthor frack113id da34e323-1e65-42db-83be-a6725ac2caa3
view Sigma YAML
title: Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
id: da34e323-1e65-42db-83be-a6725ac2caa3
status: test
description: |
Detects the execution of powershell scripts with calls to the "Start-NetEventSession" cmdlet. Which allows an attacker to start event and packet capture for a network event session.
Adversaries may attempt to capture network to gather information over the course of an operation.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing
- https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md
- https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13
author: frack113
date: 2024-05-12
tags:
- attack.credential-access
- attack.discovery
- attack.t1040
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'Start-NetEventSession'
condition: selection
falsepositives:
- Legitimate network diagnostic scripts.
level: medium
medium
Windows Pcap Drivers
Detects Windows Pcap driver installation based on a list of associated .sys files.
status testauthor Cian Heasleyid 7b687634-ab20-11ea-bb37-0242ac130002
view Sigma YAML
title: Windows Pcap Drivers
id: 7b687634-ab20-11ea-bb37-0242ac130002
status: test
description: Detects Windows Pcap driver installation based on a list of associated .sys files.
references:
- https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more
author: Cian Heasley
date: 2020-06-10
modified: 2023-04-14
tags:
- attack.discovery
- attack.credential-access
- attack.t1040
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains:
- 'pcap'
- 'npcap'
- 'npf'
- 'nm3'
- 'ndiscap'
- 'nmnt'
- 'windivert'
- 'USBPcap'
- 'pktmon'
condition: selection
falsepositives:
- Unknown
level: medium
low
Network Sniffing - Linux
Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
status testauthor Timur Zinniatullin, oscd.communityid f4d3748a-65d1-4806-bd23-e25728081d01
view Sigma YAML
title: Network Sniffing - Linux
id: f4d3748a-65d1-4806-bd23-e25728081d01
status: test
description: |
Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2022-12-18
tags:
- attack.credential-access
- attack.discovery
- attack.t1040
logsource:
product: linux
service: auditd
detection:
selection_1:
type: 'execve'
a0: 'tcpdump'
a1: '-c'
a3|contains: '-i'
selection_2:
type: 'execve'
a0: 'tshark'
a1: '-c'
a3: '-i'
condition: 1 of selection_*
falsepositives:
- Legitimate administrator or user uses network sniffing tool for legitimate reasons.
level: low
informational
Network Sniffing - MacOs
Detects the usage of tooling to sniff network traffic.
An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
status testauthor Alejandro Ortuno, oscd.communityid adc9bcc4-c39c-4f6b-a711-1884017bf043
view Sigma YAML
title: Network Sniffing - MacOs
id: adc9bcc4-c39c-4f6b-a711-1884017bf043
status: test
description: |
Detects the usage of tooling to sniff network traffic.
An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-14
modified: 2022-11-26
tags:
- attack.discovery
- attack.credential-access
- attack.t1040
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith:
- '/tcpdump'
- '/tshark'
condition: selection
falsepositives:
- Legitimate administration activities
level: informational