Closed frack113 closed 1 month ago
The usage of this technique requires the call of all those Cmdlets in order to create, assign provider and create the session. If we add all of the cmdlets, the rule would "always" trigger 3-4 times with every string match.
As we are interested in the starting of the capture, we could focus only on Start-NetEventSession.
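To make the trade-off described in the comment above concrete, here is an added example that is not part of the PR or of SigmaHQ's own code. It runs two keyword strategies over a handful of constructed PowerShell ScriptBlock texts (the sequence an interactive NetEventPacketCapture session produces, one cmdlet per ScriptBlock) and counts how many events each strategy would flag. The cmdlet names are the real `NetEventPacketCapture` module cmdlets; the sample ScriptBlock texts, the session name and the file path are constructed for the example.

```python
"""
Added example: compare "match every cmdlet in the chain" against
"match only Start-NetEventSession" over constructed ScriptBlock events.
Not the Sigma rule itself; it only models the string-match behaviour
the PR comment describes.
"""

# Constructed sample ScriptBlock texts (not real log data). Run interactively,
# each cmdlet of a packet-capture session is usually logged as its own
# ScriptBlock (EventID 4104), so every matching keyword produces its own hit.
SAMPLE_SCRIPTBLOCKS = [
    'New-NetEventSession -Name "Session1" -LocalFilePath "C:\\temp\\capture.etl"',
    'Add-NetEventPacketCaptureProvider -SessionName "Session1"',
    'Start-NetEventSession -Name "Session1"',
    'Get-NetAdapter | Where-Object Status -eq "Up"',   # unrelated noise
    'Stop-NetEventSession -Name "Session1"',
]

# Strategy 1: every cmdlet needed to build and start the capture.
ALL_CMDLETS = (
    "New-NetEventSession",
    "Add-NetEventPacketCaptureProvider",
    "Start-NetEventSession",
)

# Strategy 2: only the cmdlet that actually begins capturing.
START_ONLY = ("Start-NetEventSession",)


def match_events(scriptblocks, keywords):
    """Return the indices of ScriptBlocks containing any keyword.

    Matching is a case-insensitive substring test, which is how a Sigma
    `ScriptBlockText|contains` selection behaves for Windows logs.
    """
    hits = []
    for index, text in enumerate(scriptblocks):
        lowered = text.lower()
        if any(keyword.lower() in lowered for keyword in keywords):
            hits.append(index)
    return hits


def alert_count(scriptblocks, keywords):
    """Number of separate alerts one capture session would raise."""
    return len(match_events(scriptblocks, keywords))


if __name__ == "__main__":
    for label, keywords in (("all cmdlets", ALL_CMDLETS), ("Start-NetEventSession only", START_ONLY)):
        hits = match_events(SAMPLE_SCRIPTBLOCKS, keywords)
        print(f"{label}: {len(hits)} alert(s) for one session -> ScriptBlocks {hits}")
```

The first strategy raises one alert per cmdlet in the chain (three here, before any re-runs), all describing the same session; the second raises exactly one, on the event that marks the capture actually starting. Note that `Stop-NetEventSession` contains the substring `NetEventSession` but not `Start-NetEventSession`, so a keyword that is too short would also pull in the teardown step.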
VT behavior doesn't have CLI execution and most scripts leveraging this are diagnostic scripts.
@frack113
Summary of the Pull Request
Very simple rule, as a user should never have to capture network traffic. Test: https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing
Changelog
new: Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
Example Log Event
N/A
Fixed Issues
N/A
SigmaHQ Rule Creation Conventions