From dce7ce69496b4590ca23247714d791fbcc0d5299 Mon Sep 17 00:00:00 2001 From: Jesse Moore Date: Tue, 4 Aug 2020 21:27:30 -0700 Subject: [PATCH] Update T1040.yaml Use Built-in Windows Packet capture (#1172) * Update T1040.yaml Uses the built-in Windows packet capture * Update T1040 Adding temp folder and del command to delete that trace.etl and added sleep command before and after (it does a little bit of processing when stopped) with PowerShell. * Update T1040.yaml Changed to use variables where possible (couldn't get %temp% to work in the command) Use a long time out (50 seconds) as it took awhile for collections to complete . Added more description to explain what artifacts are left after execution. Thanks Carrie with all your time/input spent on this to make it great. * Update T1040.yaml added %LOCALAPPDATA% * Update T1040.yaml Switched to %temp% Co-authored-by: Carrie Roberts --- atomics/T1040/T1040.yaml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/atomics/T1040/T1040.yaml b/atomics/T1040/T1040.yaml index aaa93867..4250789a 100644 --- a/atomics/T1040/T1040.yaml +++ b/atomics/T1040/T1040.yaml @@ -75,3 +75,20 @@ atomic_tests: c:\windump.exe name: command_prompt elevation_required: true + +- name: Windows Internal Packet Capture + description: |- + Uses the built-in Windows packet capture + After execution you should find a file named trace.etl and trace.cab in the temp directory + supported_platforms: + - windows + executor: + command: netsh trace start capture=yes tracefile=%temp%\trace.etl maxsize=10 + cleanup_command: |- + netsh trace stop + TIMEOUT /T 50 + del %temp%\trace.etl + del %temp%\trace.cab + name: command_prompt + elevation_required: true +
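Review bot: the description in the new "Windows Internal Packet Capture" test claims both trace.etl and trace.cab are present after execution, but netsh only compiles the .cab when the trace is stopped, and `netsh trace stop` is the first line of cleanup_command, not of command (the commit message itself notes the extra processing at stop time); reword it to say trace.etl exists while the capture is running and trace.cab appears after cleanup, so anyone checking artifacts looks at the right moment. Two smaller points on the cleanup block: `netsh trace stop` normally blocks until the .cab has been written, so the fixed `TIMEOUT /T 50` is likely redundant, and if it is kept it should be `TIMEOUT /T 50 /NOBREAK` so a stray keypress cannot cut the wait short; and the two `del` lines will print "Could Not Find" errors when a file is absent (for example if the capture never started), so `del %temp%\trace.etl >nul 2>&1` and the same for trace.cab would keep cleanup quiet. The hunk also adds a trailing empty line at end of file (the final bare `+`), which should be dropped.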