SigmaHQ / sigma

Main Sigma Rule Repository
Other

Add rule for Atomic t1040 #4852

Closed frack113 closed 1 month ago

frack113 commented 1 month ago

Summary of the Pull Request

Very simple rule, as a user should never have to capture network traffic.

Test: https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing

Changelog

new: Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock

Example Log Event

N/A

Fixed Issues

N/A

SigmaHQ Rule Creation Conventions

nasbench commented 1 month ago

The usage of this technique requires the call of all those Cmdlets in order to create, assign the provider and create the session. If we add all of the cmdlets, the rule would "always" trigger 3-4 times with every string match. As we are interested in the starting of the capture, we could focus only on Start-NetEventSession.

VT behavior doesn't have CLI execution and most scripts leveraging this are diagnostic scripts.

@frack113
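The trade-off discussed in this thread (matching only Start-NetEventSession versus every cmdlet of the sequence), as an added example that is not the PR's rule nor SigmaHQ code: a Sigma-style selection map plus a minimal evaluator for the `contains` modifier, run over constructed ScriptBlock events; the field name ScriptBlockText and the sample events are assumptions for illustration.

```python
# Added example, not the PR's rule: a Sigma-style selection for the
# Start-NetEventSession detection, with a minimal evaluator for the
# `contains` modifier run over constructed ScriptBlock (4104) events.
# ScriptBlockText follows the Sigma ps_script logsource field naming.
from typing import Any, Dict, List

# Narrow selection from the discussion: alert only when the capture starts.
NARROW_SELECTION = {"ScriptBlockText|contains": "Start-NetEventSession"}

# Broad variant listing every cmdlet of the sequence (a Sigma list is OR-ed).
BROAD_SELECTION = {"ScriptBlockText|contains": [
    "New-NetEventSession", "Add-NetEventPacketCaptureProvider",
    "Start-NetEventSession"]}

# Constructed events: the capture sequence logged one script block per
# cmdlet, as an interactive session would produce, plus benign noise.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ScriptBlockText": "New-NetEventSession -Name S1 -LocalFilePath C:\\Temp\\t.etl"},
    {"ScriptBlockText": "Add-NetEventPacketCaptureProvider -SessionName S1"},
    {"ScriptBlockText": "Start-NetEventSession -Name S1"},
    {"ScriptBlockText": "Get-NetEventSession | Format-List"},
    {"ScriptBlockText": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
]

def field_matches(value: str, modifier: str, patterns: Any) -> bool:
    """One field, Sigma semantics: a pattern list is OR-ed, `contains` is a
    case-insensitive substring test, no modifier is case-insensitive equality."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    v = value.lower()
    for p in (str(x).lower() for x in pats):
        if (modifier == "contains" and p in v) or (modifier == "" and p == v):
            return True
    return False

def selection_matches(selection: Dict[str, Any], event: Dict[str, str]) -> bool:
    """Every key of a selection map must match (AND across fields)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not field_matches(str(event.get(field, "")), modifier, patterns):
            return False
    return True

def alert_count(selection: Dict[str, Any], events: List[Dict[str, str]]) -> int:
    """How many of the events the selection would fire on."""
    return sum(selection_matches(selection, e) for e in events)

if __name__ == "__main__":
    print("narrow:", alert_count(NARROW_SELECTION, SAMPLE_EVENTS))  # 1
    print("broad:", alert_count(BROAD_SELECTION, SAMPLE_EVENTS))    # 3
```

The broad selection fires once per cmdlet of the same sequence, which is the repeated triggering described above; the narrow one fires once, at the start of the capture.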