Update T1040.yaml Use Built-in Windows Packet capture (#1172)

* Update T1040.yaml

Uses the built-in Windows packet capture

* Update T1040

Adding temp folder and del command to delete that trace.etl and added sleep command before and after (it does a little bit of processing when stopped) with PowerShell.

* Update T1040.yaml

Changed to use variables where possible (couldn't get %temp% to work in the command). Use a long timeout (50 seconds) as it took a while for collections to complete. Added more description to explain what artifacts are left after execution. Thanks, Carrie, for all your time/input spent on this to make it great.

* Update T1040.yaml

added %LOCALAPPDATA%

* Update T1040.yaml

Switched to %temp%

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Jesse Moore
2020-08-04 21:27:30 -07:00
committed by GitHub
parent ccb518616d
commit dce7ce6949
@@ -75,3 +75,20 @@ atomic_tests:
c:\windump.exe
name: command_prompt
elevation_required: true
- name: Windows Internal Packet Capture
description: |-
Uses the built-in Windows packet capture
After execution you should find a file named trace.etl and trace.cab in the temp directory
supported_platforms:
- windows
executor:
command: netsh trace start capture=yes tracefile=%temp%\trace.etl maxsize=10
cleanup_command: |-
netsh trace stop
TIMEOUT /T 50
del %temp%\trace.etl
del %temp%\trace.cab
name: command_prompt
elevation_required: true
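Review bot: the cleanup_command in this hunk relies on a fixed `TIMEOUT /T 50` to give `netsh trace stop` time to finish writing `%temp%\trace.cab` before the two `del` lines run; if cab generation takes longer than 50 seconds, or someone presses a key and cuts the wait short, `del %temp%\trace.cab` fails and the artifact the description promises to clean up is left behind. Consider `TIMEOUT /T 50 /NOBREAK` and guarding each delete, e.g. `if exist %temp%\trace.cab del %temp%\trace.cab`, or polling for the cab file instead of a fixed sleep. The description also says "the temp directory" while the executor uses `%temp%` explicitly; naming `%temp%\trace.etl` and `%temp%\trace.cab` in the description makes the expected artifacts unambiguous for anyone validating the test or writing detections for it.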