security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e5cd850640355a32f4cfeaac0355b32477b80098
blue-team-tools/rules/linux/macos_network_sniffing.yml
T

25 lines
795 B
YAML
Raw Normal View History

Initial Sigma Rule
2020-10-14 10:24:59 +02:00
title: Network Sniffing
id: adc9bcc4-c39c-4f6b-a711-1884017bf043
status: experimental
description: Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
author: Alejandro Ortuno, oscd.community
date: 2020/10/14
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
logsource:
category: process_creation
product: macos
detection:
changes a syntax a bit to re-run the test
2020-10-20 17:10:20 +02:00
selection:
Fixes and improvements
2021-04-03 00:00:43 +02:00
Image|endswith:
Initial Sigma Rule
2020-10-14 10:24:59 +02:00
- '/tcpdump'
- '/tshark'
changes a syntax a bit to re-run the test
2020-10-20 17:10:20 +02:00
condition: selection
Initial Sigma Rule
2020-10-14 10:24:59 +02:00
falsepositives:
- Legitimate administration activities
Fixes and improvements
2021-04-03 00:00:43 +02:00
level: informational
Initial Sigma Rule
2020-10-14 10:24:59 +02:00
tags:
- attack.discovery
- attack.credential_access
- attack.t1040
Reference in New Issue Copy Permalink