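---
# Atomic Red Team tests for MITRE ATT&CK T1040 (Network Sniffing).
#
# Every test below either runs a capture tool or opens a raw capture handle,
# so all of them carry elevation_required: true. Captured traffic can hold
# credentials and session tokens: the on-disk artifacts (.etl/.cab) written
# by the Windows tests are removed by their cleanup_command, so run cleanup
# even when a test itself fails.
attack_technique: T1040
display_name: Network Sniffing
atomic_tests:
- name: Packet Capture Linux using tshark or tcpdump
  auto_generated_guid: 7fe741f7-b265-4951-a7c7-320889083b3e
  description: |
    Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be installed.

    Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33.
  supported_platforms:
  - linux
  input_arguments:
    interface:
      description: Specify interface to perform PCAP on.
      type: string
      default: ens33
  dependency_executor_name: bash
  dependencies:
  - description: |
      Check if at least one of tcpdump or tshark is installed.
    prereq_command: |
      if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi;
    get_prereq_command: |
      (which yum && yum -y install epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)
  executor:
    # The prereq only guarantees that ONE of the two tools exists, so tshark
    # is skipped when absent instead of failing the test (same guard the
    # macOS test uses).
    command: |
      tcpdump -c 5 -nnni #{interface}
      if [ -x "$(command -v tshark)" ]; then tshark -c 5 -i #{interface}; fi;
    name: bash
    elevation_required: true

- name: Packet Capture FreeBSD using tshark or tcpdump
  auto_generated_guid: c93f2492-9ebe-44b5-8b45-36574cccfe67
  description: |
    Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be installed.

    Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface em0.
  # NOTE(review): this is a FreeBSD test but is tagged linux; confirm whether
  # the harness offers a freebsd platform tag before changing it.
  supported_platforms:
  - linux
  input_arguments:
    interface:
      description: Specify interface to perform PCAP on.
      type: string
      default: em0
  dependency_executor_name: sh
  dependencies:
  - description: |
      Check if at least one of tcpdump or tshark is installed.
    prereq_command: |
      if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi;
    get_prereq_command: |
      (which pkg && pkg install -y wireshark-nox11)
  executor:
    # tshark is optional per the prereq; only tcpdump is unconditional.
    command: |
      tcpdump -c 5 -nnni #{interface}
      if [ -x "$(command -v tshark)" ]; then tshark -c 5 -i #{interface}; fi;
    name: sh
    elevation_required: true

- name: Packet Capture macOS using tcpdump or tshark
  auto_generated_guid: 9d04efee-eff5-4240-b8d2-07792b873608
  description: |
    Perform a PCAP on macOS. This will require Wireshark/tshark to be installed. TCPdump may already be installed.

    Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface en0.
  supported_platforms:
  - macos
  input_arguments:
    interface:
      description: Specify interface to perform PCAP on.
      type: string
      # en0 matches the default used by the other macOS tests in this file.
      default: en0
  dependency_executor_name: bash
  dependencies:
  - description: |
      Check if at least one of tcpdump or tshark is installed.
    prereq_command: |
      if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi;
    # macOS has neither yum nor apt-get; Homebrew's wireshark formula provides
    # tshark. (tcpdump ships with macOS, so this normally never runs.)
    get_prereq_command: |
      (which brew && brew install wireshark)
  executor:
    command: |
      sudo tcpdump -c 5 -nnni #{interface}
      if [ -x "$(command -v tshark)" ]; then sudo tshark -c 5 -i #{interface}; fi;
    name: bash
    elevation_required: true

- name: Packet Capture Windows Command Prompt
  auto_generated_guid: a5b2f6a0-24b4-493e-9590-c699f75723ca
  description: |
    Perform a packet capture using the windows command prompt. This will require a host that has Wireshark/Tshark
    installed.

    Upon successful execution, tshark will execute and capture 5 packets on interface "Ethernet".
  supported_platforms:
  - windows
  input_arguments:
    interface:
      description: Specify interface to perform PCAP on.
      type: string
      default: Ethernet
    wireshark_url:
      description: wireshark installer download URL
      type: url
      # Unpinned "latest" build; pin a release and verify its published
      # SHA256 before using this outside a throwaway lab.
      default: https://1.eu.dl.wireshark.org/win64/Wireshark-latest-x64.exe
    tshark_path:
      description: path to tshark.exe
      type: path
      default: c:\program files\wireshark\tshark.exe
    npcap_url:
      description: npcap installer download URL
      type: url
      default: https://nmap.org/npcap/dist/npcap-1.31.exe
    npcap_path:
      description: path to npcap.sys
      type: path
      default: C:\Program Files\Npcap\npcap.sys
  dependency_executor_name: powershell
  dependencies:
  - description: |
      tshark must be installed and in the default path of "c:\Program Files\Wireshark\Tshark.exe".
    prereq_command: |
      if (test-path "#{tshark_path}") {exit 0} else {exit 1}
    # Supply-chain caveat: the installer is downloaded and run silently with
    # elevation, with no hash or signature check. -Wait makes the prereq
    # re-check run only after the installer has finished.
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\wireshark_installer.exe" #{wireshark_url}
      Start-Process "PathToAtomicsFolder\..\ExternalPayloads\wireshark_installer.exe" /S -Wait
  - description: |
      npcap must be installed.
    prereq_command: |
      if (test-path "#{npcap_path}") {exit 0} else {exit 1}
    # No silent switch is passed, so this installer may prompt interactively;
    # -Wait blocks until it exits. Same unverified-download caveat as above.
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\npcap_installer.exe" #{npcap_url}
      Start-Process "PathToAtomicsFolder\..\ExternalPayloads\npcap_installer.exe" -Wait
  executor:
    # Use the tshark_path argument that the prereq validates instead of a
    # second hard-coded copy of the install path.
    command: |
      "#{tshark_path}" -i #{interface} -c 5
    name: command_prompt
    elevation_required: true

- name: Windows Internal Packet Capture
  auto_generated_guid: b5656f67-d67f-4de8-8e62-b5581630f528
  description: |-
    Uses the built-in Windows packet capture
    After execution you should find a file named trace.etl and trace.cab in the temp directory
  supported_platforms:
  - windows
  executor:
    # The trace session keeps running (10 MB circular file) until cleanup
    # issues `netsh trace stop`; the .cab is produced at stop time.
    command: netsh trace start capture=yes tracefile=%temp%\trace.etl maxsize=10
    cleanup_command: |-
      netsh trace stop >nul 2>&1
      TIMEOUT /T 5 >nul 2>&1
      del %temp%\trace.etl >nul 2>&1
      del %temp%\trace.cab >nul 2>&1
    name: command_prompt
    elevation_required: true

- name: Windows Internal pktmon capture
  auto_generated_guid: c67ba807-f48b-446e-b955-e4928cd1bf91
  description: |-
    Will start a packet capture and store log file as t1040.etl.
    https://lolbas-project.github.io/lolbas/Binaries/Pktmon/
  supported_platforms:
  - windows
  executor:
    # Five seconds of capture, then stop; any pktmon filters already set
    # (see the next test) apply to this capture.
    command: |
      pktmon.exe start --etw -f %TEMP%\t1040.etl
      TIMEOUT /T 5 >nul 2>&1
      pktmon.exe stop
    cleanup_command: |-
      del %TEMP%\t1040.etl
    name: command_prompt
    elevation_required: true

- name: Windows Internal pktmon set filter
  auto_generated_guid: 855fb8b4-b8ab-4785-ae77-09f5df7bff55
  description: |-
    Select Desired ports for packet capture
    https://lolbas-project.github.io/lolbas/Binaries/Pktmon/
  supported_platforms:
  - windows
  executor:
    # The filter persists on the host until `pktmon filter remove` runs in
    # cleanup, so it affects any later pktmon capture.
    command: |
      pktmon.exe filter add -p 445
    cleanup_command: |-
      pktmon filter remove
    name: command_prompt
    elevation_required: true

- name: Packet Capture macOS using /dev/bpfN with sudo
  auto_generated_guid: e6fe5095-545d-4c8b-a0ae-e863914be3aa
  description: |
    Opens a /dev/bpf file (O_RDONLY) and captures packets for a few seconds.
  supported_platforms:
  - macos
  input_arguments:
    ifname:
      description: Specify interface to perform PCAP on.
      type: string
      default: en0
    csource_path:
      description: Path to C program source
      type: string
      default: PathToAtomicsFolder/T1040/src/macos_pcapdemo.c
    program_path:
      description: Path to compiled C program
      type: string
      # NOTE(review): the binary lives in world-writable /tmp and is then run
      # with sudo; on a shared host another local user could replace it
      # between compile and execution. Point this at a private directory
      # when that matters.
      default: /tmp/t1040_macos_pcapdemo
  dependency_executor_name: bash
  dependencies:
  - description: |
      compile C program
    # Rebuild only when the binary is missing (same check the Linux tests use).
    prereq_command: |
      if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
    get_prereq_command: |
      cc #{csource_path} -o #{program_path}
  executor:
    command: |
      sudo #{program_path} -i #{ifname} -t 3
    cleanup_command: |
      rm -f #{program_path}
    name: bash
    elevation_required: true

- name: Filtered Packet Capture macOS using /dev/bpfN with sudo
  auto_generated_guid: e2480aee-23f3-4f34-80ce-de221e27cd19
  description: |
    Opens a /dev/bpf file (O_RDONLY), sets BPF filter for 'udp' and captures packets for a few seconds.
  supported_platforms:
  - macos
  input_arguments:
    ifname:
      description: Specify interface to perform PCAP on.
      type: string
      default: en0
    csource_path:
      description: Path to C program source
      type: string
      default: PathToAtomicsFolder/T1040/src/macos_pcapdemo.c
    program_path:
      description: Path to compiled C program
      type: string
      # Same /tmp-plus-sudo caveat as the unfiltered macOS test.
      default: /tmp/t1040_macos_pcapdemo
  dependency_executor_name: bash
  dependencies:
  - description: |
      compile C program
    prereq_command: |
      if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
    get_prereq_command: |
      cc #{csource_path} -o #{program_path}
  executor:
    # -f enables the 'udp' BPF filter in the demo program.
    command: |
      sudo #{program_path} -f -i #{ifname} -t 3
    cleanup_command: |
      rm -f #{program_path}
    name: bash
    elevation_required: true

- name: Packet Capture FreeBSD using /dev/bpfN with sudo
  auto_generated_guid: e2028771-1bfb-48f5-b5e6-e50ee0942a14
  description: |
    Opens a /dev/bpf file (O_RDONLY) and captures packets for a few seconds.
  # NOTE(review): FreeBSD test tagged linux; see the FreeBSD tcpdump test above.
  supported_platforms:
  - linux
  input_arguments:
    ifname:
      description: Specify interface to perform PCAP on.
      type: string
      default: em0
    csource_path:
      description: Path to C program source
      type: string
      default: PathToAtomicsFolder/T1040/src/freebsd_pcapdemo.c
    program_path:
      description: Path to compiled C program
      type: string
      # Same /tmp-plus-sudo caveat as the macOS tests.
      default: /tmp/t1040_freebsd_pcapdemo
  dependency_executor_name: sh
  dependencies:
  - description: |
      compile C program
    prereq_command: |
      if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
    get_prereq_command: |
      cc #{csource_path} -o #{program_path}
  executor:
    command: |
      sudo #{program_path} -i #{ifname} -t 3
    cleanup_command: |
      rm -f #{program_path}
    name: sh
    elevation_required: true

- name: Filtered Packet Capture FreeBSD using /dev/bpfN with sudo
  auto_generated_guid: a3a0d4c9-c068-4563-a08d-583bd05b884c
  description: |
    Opens a /dev/bpf file (O_RDONLY), sets BPF filter for 'udp' and captures packets for a few seconds.
  # NOTE(review): FreeBSD test tagged linux; see the FreeBSD tcpdump test above.
  supported_platforms:
  - linux
  input_arguments:
    ifname:
      description: Specify interface to perform PCAP on.
      type: string
      default: em0
    csource_path:
      description: Path to C program source
      type: string
      default: PathToAtomicsFolder/T1040/src/freebsd_pcapdemo.c
    program_path:
      description: Path to compiled C program
      type: string
      default: /tmp/t1040_freebsd_pcapdemo
  dependency_executor_name: sh
  dependencies:
  - description: |
      compile C program
    prereq_command: |
      if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
    get_prereq_command: |
      cc #{csource_path} -o #{program_path}
  executor:
    # -f enables the 'udp' BPF filter in the demo program.
    command: |
      sudo #{program_path} -f -i #{ifname} -t 3
    cleanup_command: |
      rm -f #{program_path}
    name: sh
    elevation_required: true

- name: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo
  auto_generated_guid: 10c710c9-9104-4d5f-8829-5b65391e2a29
  description: |
    Captures packets with domain=AF_PACKET, type=SOCK_RAW for a few seconds.
  supported_platforms:
  - linux
  input_arguments:
    csource_path:
      description: Path to C program source
      type: string
      default: PathToAtomicsFolder/T1040/src/linux_pcapdemo.c
    program_path:
      description: Path to compiled C program
      type: string
      # Same /tmp-plus-sudo caveat as the macOS/FreeBSD tests.
      default: /tmp/t1040_linux_pcapdemo
  dependency_executor_name: bash
  dependencies:
  - description: |
      compile C program
    prereq_command: |
      if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
    get_prereq_command: |
      cc #{csource_path} -o #{program_path}
  executor:
    # -a selects AF_PACKET in the demo program.
    command: |
      sudo #{program_path} -a -t 3
    cleanup_command: |
      rm -f #{program_path}
    name: bash
    elevation_required: true

- name: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo
  auto_generated_guid: 7a0895f0-84c1-4adf-8491-a21510b1d4c1
  description: |
    Captures packets with domain=AF_INET,type=SOCK_RAW,protocol=TCP for a few seconds.
  supported_platforms:
  - linux
  input_arguments:
    csource_path:
      description: Path to C program source
      type: string
      default: PathToAtomicsFolder/T1040/src/linux_pcapdemo.c
    program_path:
      description: Path to compiled C program
      type: string
      default: /tmp/t1040_linux_pcapdemo
  dependency_executor_name: bash
  dependencies:
  - description: |
      compile C program
    prereq_command: |
      if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
    get_prereq_command: |
      cc #{csource_path} -o #{program_path}
  executor:
    # -4 selects AF_INET; -p 6 is IPPROTO_TCP.
    command: |
      sudo #{program_path} -4 -p 6 -t 3
    cleanup_command: |
      rm -f #{program_path}
    name: bash
    elevation_required: true

- name: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo
  auto_generated_guid: 515575ab-d213-42b1-aa64-ef6a2dd4641b
  description: |
    Captures packets with domain=AF_INET,type=SOCK_PACKET,protocol=UDP for a few seconds.
    SOCK_PACKET is "obsolete" according to the man page, but still works on Ubuntu 20.04
  supported_platforms:
  - linux
  input_arguments:
    csource_path:
      description: Path to C program source
      type: string
      default: PathToAtomicsFolder/T1040/src/linux_pcapdemo.c
    program_path:
      description: Path to compiled C program
      type: string
      default: /tmp/t1040_linux_pcapdemo
  dependency_executor_name: bash
  dependencies:
  - description: |
      compile C program
    prereq_command: |
      if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
    get_prereq_command: |
      cc #{csource_path} -o #{program_path}
  executor:
    # -4 selects AF_INET, -P selects SOCK_PACKET, -p 17 is IPPROTO_UDP.
    command: |
      sudo #{program_path} -4 -P -p 17 -t 3
    cleanup_command: |
      rm -f #{program_path}
    name: bash
    elevation_required: true

- name: Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo
  auto_generated_guid: b1cbdf8b-6078-48f5-a890-11ea19d7f8e9
  description: |
    Captures packets with domain=AF_PACKET,type=SOCK_RAW for a few seconds.
    Sets a BPF filter on the socket to filter for UDP traffic.
  supported_platforms:
  - linux
  input_arguments:
    csource_path:
      description: Path to C program source
      type: string
      default: PathToAtomicsFolder/T1040/src/linux_pcapdemo.c
    program_path:
      description: Path to compiled C program
      type: string
      default: /tmp/t1040_linux_pcapdemo
  dependency_executor_name: bash
  dependencies:
  - description: |
      compile C program
    prereq_command: |
      if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
    get_prereq_command: |
      cc #{csource_path} -o #{program_path}
  executor:
    # -a selects AF_PACKET; -f attaches the UDP BPF filter.
    command: |
      sudo #{program_path} -a -f -t 3
    cleanup_command: |
      rm -f #{program_path}
    name: bash
    elevation_required: true

- name: PowerShell Network Sniffing
  auto_generated_guid: 9c15a7de-de14-46c3-bc2a-6d94130986ae
  description: |-
    PowerShell Built-in Cmdlets to capture network traffic.
    https://learn.microsoft.com/en-us/powershell/module/neteventpacketcapture/new-neteventsession?view=windowsserver2022-ps
  supported_platforms:
  - windows
  executor:
    # Start and Stop run back-to-back, so little or no traffic lands in
    # sniff.etl; the detection signal is the NetEvent session itself. Add a
    # Start-Sleep between them if real packets are needed. The session is
    # removed here, the .etl only in cleanup.
    command: |
      New-NetEventSession -Name Capture007 -LocalFilePath "$ENV:Temp\sniff.etl"
      Add-NetEventPacketCaptureProvider -SessionName Capture007 -TruncationLength 100
      Start-NetEventSession -Name Capture007
      Stop-NetEventSession -Name Capture007
      Remove-NetEventSession -Name Capture007
    cleanup_command: |-
      del $ENV:Temp\sniff.etl
    name: powershell
    elevation_required: true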