Mikoyan dee patch 1 (#2679)

* Update T1040.yaml PowerShell cmdlets to capture network traffic * Update T1040.yaml * Update T1040.yaml
redcanaryco · Feb 5, 2024 · 25515b8 · 25515b8
1 parent 0e202df
commit 25515b8
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/atomics/T1040/T1040.yaml b/atomics/T1040/T1040.yaml
@@ -440,3 +440,21 @@ atomic_tests:
       rm -f #{program_path}
     name: bash
     elevation_required: true
+- name: PowerShell Network Sniffing
+  auto_generated_guid: 9c15a7de-de14-46c3-bc2a-6d94130986ae
+  description: |-
+    PowerShell Built-in Cmdlets to capture network traffic.
+    https://learn.microsoft.com/en-us/powershell/module/neteventpacketcapture/new-neteventsession?view=windowsserver2022-ps
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      New-NetEventSession -Name Capture007 -LocalFilePath "$ENV:Temp\sniff.etl"
+      Add-NetEventPacketCaptureProvider -SessionName Capture007 -TruncationLength 100
+      Start-NetEventSession -Name Capture007
+      Stop-NetEventSession -Name Capture007
+      Remove-NetEventSession -Name Capture007
+    cleanup_command: |-
+      del $ENV:Temp\sniff.etl
+    name: powershell
+    elevation_required: true