From 25515b8f72428e2bd05f52768e2bb5e3880ffbdf Mon Sep 17 00:00:00 2001
From: Kyaw-Pyiyt-Htet <58761670+Mikoyan-Dee@users.noreply.github.com>
Date: Mon, 5 Feb 2024 23:12:53 +0630
Subject: [PATCH] Mikoyan dee patch 1 (#2679)

* Update T1040.yaml PowerShell cmdlets to capture network traffic

* Update T1040.yaml

* Update T1040.yaml

---
 atomics/T1040/T1040.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/atomics/T1040/T1040.yaml b/atomics/T1040/T1040.yaml
index 3e101766..c359be16 100644
--- a/atomics/T1040/T1040.yaml
+++ b/atomics/T1040/T1040.yaml
@@ -440,3 +440,21 @@ atomic_tests:
       rm -f #{program_path}
     name: bash
     elevation_required: true
+- name: PowerShell Network Sniffing
+  auto_generated_guid: 9c15a7de-de14-46c3-bc2a-6d94130986ae
+  description: |-
+    PowerShell Built-in Cmdlets to capture network traffic.
+    https://learn.microsoft.com/en-us/powershell/module/neteventpacketcapture/new-neteventsession?view=windowsserver2022-ps
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      New-NetEventSession -Name Capture007 -LocalFilePath "$ENV:Temp\sniff.etl"
+      Add-NetEventPacketCaptureProvider -SessionName Capture007 -TruncationLength 100
+      Start-NetEventSession -Name Capture007
+      Stop-NetEventSession -Name Capture007
+      Remove-NetEventSession -Name Capture007
+    cleanup_command: |-
+      del $ENV:Temp\sniff.etl
+    name: powershell
+    elevation_required: true
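Review bot: The new test's `cleanup_command` only deletes the ETL file, so if any of the steps after `New-NetEventSession` fails or the run is interrupted, the Capture007 session is left configured on the host and the next run fails at `New-NetEventSession` because a session of that name already exists. Make cleanup idempotent by also tearing down the session and tolerating a missing file: `Remove-NetEventSession -Name Capture007 -ErrorAction Ignore` followed by `del $ENV:Temp\sniff.etl -ErrorAction Ignore`. `Stop-NetEventSession` is issued immediately after `Start-NetEventSession`, so the capture window is effectively zero; if the intent is only to produce the observable artefacts (session creation, provider registration, the .etl file) for detection testing, a sentence in `description` saying so would save the next maintainer from "fixing" it. The NetEventPacketCapture module may not be present on every Windows build, so a `dependencies:` entry whose prerequisite check confirms the cmdlet exists would turn a command-not-found failure into a clear prerequisite message.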