Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -1410,6 +1410,7 @@ credential-access,T1040,Network Sniffing,12,"Packet Capture Linux socket AF_PACK
 credential-access,T1040,Network Sniffing,13,"Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo",7a0895f0-84c1-4adf-8491-a21510b1d4c1,bash
 credential-access,T1040,Network Sniffing,14,"Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo",515575ab-d213-42b1-aa64-ef6a2dd4641b,bash
 credential-access,T1040,Network Sniffing,15,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo",b1cbdf8b-6078-48f5-a890-11ea19d7f8e9,bash
+credential-access,T1040,Network Sniffing,16,PowerShell Network Sniffing,9c15a7de-de14-46c3-bc2a-6d94130986ae,powershell
 credential-access,T1552.002,Unsecured Credentials: Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
 credential-access,T1552.002,Unsecured Credentials: Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
 credential-access,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
@@ -1624,6 +1625,7 @@ discovery,T1040,Network Sniffing,12,"Packet Capture Linux socket AF_PACKET,SOCK_
 discovery,T1040,Network Sniffing,13,"Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo",7a0895f0-84c1-4adf-8491-a21510b1d4c1,bash
 discovery,T1040,Network Sniffing,14,"Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo",515575ab-d213-42b1-aa64-ef6a2dd4641b,bash
 discovery,T1040,Network Sniffing,15,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo",b1cbdf8b-6078-48f5-a890-11ea19d7f8e9,bash
+discovery,T1040,Network Sniffing,16,PowerShell Network Sniffing,9c15a7de-de14-46c3-bc2a-6d94130986ae,powershell
 discovery,T1135,Network Share Discovery,1,Network Share Discovery,f94b5ad9-911c-4eff-9718-fd21899db4f7,sh
 discovery,T1135,Network Share Discovery,2,Network Share Discovery - linux,875805bc-9e86-4e87-be86-3a5527315cae,bash
 discovery,T1135,Network Share Discovery,3,Network Share Discovery - FreeBSD,77e468a6-3e5c-45a1-9948-c4b5603747cb,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -916,6 +916,7 @@ credential-access,T1040,Network Sniffing,4,Packet Capture Windows Command Prompt
 credential-access,T1040,Network Sniffing,5,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
 credential-access,T1040,Network Sniffing,6,Windows Internal pktmon capture,c67ba807-f48b-446e-b955-e4928cd1bf91,command_prompt
 credential-access,T1040,Network Sniffing,7,Windows Internal pktmon set filter,855fb8b4-b8ab-4785-ae77-09f5df7bff55,command_prompt
+credential-access,T1040,Network Sniffing,16,PowerShell Network Sniffing,9c15a7de-de14-46c3-bc2a-6d94130986ae,powershell
 credential-access,T1552.002,Unsecured Credentials: Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
 credential-access,T1552.002,Unsecured Credentials: Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
 credential-access,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
@@ -1069,6 +1070,7 @@ discovery,T1040,Network Sniffing,4,Packet Capture Windows Command Prompt,a5b2f6a
 discovery,T1040,Network Sniffing,5,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
 discovery,T1040,Network Sniffing,6,Windows Internal pktmon capture,c67ba807-f48b-446e-b955-e4928cd1bf91,command_prompt
 discovery,T1040,Network Sniffing,7,Windows Internal pktmon set filter,855fb8b4-b8ab-4785-ae77-09f5df7bff55,command_prompt
+discovery,T1040,Network Sniffing,16,PowerShell Network Sniffing,9c15a7de-de14-46c3-bc2a-6d94130986ae,powershell
 discovery,T1135,Network Share Discovery,4,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt
 discovery,T1135,Network Share Discovery,5,Network Share Discovery PowerShell,1b0814d1-bb24-402d-9615-1b20c50733fb,powershell
 discovery,T1135,Network Share Discovery,6,View available share drives,ab39a04f-0c93-4540-9ff2-83f862c385ae,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -1987,6 +1987,7 @@
   - Atomic Test #13: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo [linux]
   - Atomic Test #14: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo [linux]
   - Atomic Test #15: Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo [linux]
+  - Atomic Test #16: PowerShell Network Sniffing [windows]
 - [T1552.002 Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md)
   - Atomic Test #1: Enumeration for Credentials in Registry [windows]
   - Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
@@ -2264,6 +2265,7 @@
   - Atomic Test #13: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo [linux]
   - Atomic Test #14: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo [linux]
   - Atomic Test #15: Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo [linux]
+  - Atomic Test #16: PowerShell Network Sniffing [windows]
 - [T1135 Network Share Discovery](../../T1135/T1135.md)
   - Atomic Test #1: Network Share Discovery [macos]
   - Atomic Test #2: Network Share Discovery - linux [linux]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -1358,6 +1358,7 @@
   - Atomic Test #5: Windows Internal Packet Capture [windows]
   - Atomic Test #6: Windows Internal pktmon capture [windows]
   - Atomic Test #7: Windows Internal pktmon set filter [windows]
+  - Atomic Test #16: PowerShell Network Sniffing [windows]
 - [T1552.002 Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md)
   - Atomic Test #1: Enumeration for Credentials in Registry [windows]
   - Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
@@ -1565,6 +1566,7 @@
   - Atomic Test #5: Windows Internal Packet Capture [windows]
   - Atomic Test #6: Windows Internal pktmon capture [windows]
   - Atomic Test #7: Windows Internal pktmon set filter [windows]
+  - Atomic Test #16: PowerShell Network Sniffing [windows]
 - [T1135 Network Share Discovery](../../T1135/T1135.md)
   - Atomic Test #4: Network Share Discovery command prompt [windows]
   - Atomic Test #5: Network Share Discovery PowerShell [windows]

atomics/Indexes/index.yaml

@@ -83873,6 +83873,23 @@ credential-access:
           '
         name: bash
         elevation_required: true
+    - name: PowerShell Network Sniffing
+      auto_generated_guid: 9c15a7de-de14-46c3-bc2a-6d94130986ae
+      description: |-
+        PowerShell Built-in Cmdlets to capture network traffic.
+        https://learn.microsoft.com/en-us/powershell/module/neteventpacketcapture/new-neteventsession?view=windowsserver2022-ps
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          New-NetEventSession -Name Capture007 -LocalFilePath "$ENV:Temp\sniff.etl"
+          Add-NetEventPacketCaptureProvider -SessionName Capture007 -TruncationLength 100
+          Start-NetEventSession -Name Capture007
+          Stop-NetEventSession -Name Capture007
+          Remove-NetEventSession -Name Capture007
+        cleanup_command: del $ENV:Temp\sniff.etl
+        name: powershell
+        elevation_required: true
   T1552.002:
     technique:
       modified: '2023-07-28T18:29:56.525Z'
@@ -94295,6 +94312,23 @@ discovery:
           '
         name: bash
         elevation_required: true
+    - name: PowerShell Network Sniffing
+      auto_generated_guid: 9c15a7de-de14-46c3-bc2a-6d94130986ae
+      description: |-
+        PowerShell Built-in Cmdlets to capture network traffic.
+        https://learn.microsoft.com/en-us/powershell/module/neteventpacketcapture/new-neteventsession?view=windowsserver2022-ps
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          New-NetEventSession -Name Capture007 -LocalFilePath "$ENV:Temp\sniff.etl"
+          Add-NetEventPacketCaptureProvider -SessionName Capture007 -TruncationLength 100
+          Start-NetEventSession -Name Capture007
+          Stop-NetEventSession -Name Capture007
+          Remove-NetEventSession -Name Capture007
+        cleanup_command: del $ENV:Temp\sniff.etl
+        name: powershell
+        elevation_required: true
   T1135:
     technique:
       modified: '2023-09-29T19:44:43.870Z'

atomics/Indexes/windows-index.yaml

@@ -68344,6 +68344,23 @@ credential-access:
         cleanup_command: pktmon filter remove
         name: command_prompt
         elevation_required: true
+    - name: PowerShell Network Sniffing
+      auto_generated_guid: 9c15a7de-de14-46c3-bc2a-6d94130986ae
+      description: |-
+        PowerShell Built-in Cmdlets to capture network traffic.
+        https://learn.microsoft.com/en-us/powershell/module/neteventpacketcapture/new-neteventsession?view=windowsserver2022-ps
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          New-NetEventSession -Name Capture007 -LocalFilePath "$ENV:Temp\sniff.etl"
+          Add-NetEventPacketCaptureProvider -SessionName Capture007 -TruncationLength 100
+          Start-NetEventSession -Name Capture007
+          Stop-NetEventSession -Name Capture007
+          Remove-NetEventSession -Name Capture007
+        cleanup_command: del $ENV:Temp\sniff.etl
+        name: powershell
+        elevation_required: true
   T1552.002:
     technique:
       modified: '2023-07-28T18:29:56.525Z'
@@ -76962,6 +76979,23 @@ discovery:
         cleanup_command: pktmon filter remove
         name: command_prompt
         elevation_required: true
+    - name: PowerShell Network Sniffing
+      auto_generated_guid: 9c15a7de-de14-46c3-bc2a-6d94130986ae
+      description: |-
+        PowerShell Built-in Cmdlets to capture network traffic.
+        https://learn.microsoft.com/en-us/powershell/module/neteventpacketcapture/new-neteventsession?view=windowsserver2022-ps
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          New-NetEventSession -Name Capture007 -LocalFilePath "$ENV:Temp\sniff.etl"
+          Add-NetEventPacketCaptureProvider -SessionName Capture007 -TruncationLength 100
+          Start-NetEventSession -Name Capture007
+          Stop-NetEventSession -Name Capture007
+          Remove-NetEventSession -Name Capture007
+        cleanup_command: del $ENV:Temp\sniff.etl
+        name: powershell
+        elevation_required: true
   T1135:
     technique:
       modified: '2023-09-29T19:44:43.870Z'

atomics/T1040/T1040.md

@@ -42,6 +42,8 @@ On network devices, adversaries may perform network captures using [Network Devi
 
 - [Atomic Test #15 - Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo](#atomic-test-15---packet-capture-linux-socket-af_packetsock_raw-with-bpf-filter-for-udp-with-sudo)
 
+- [Atomic Test #16 - PowerShell Network Sniffing](#atomic-test-16---powershell-network-sniffing)
+
 
 <br/>
 
@@ -761,4 +763,41 @@ cc #{csource_path} -o #{program_path}
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #16 - PowerShell Network Sniffing
+PowerShell Built-in Cmdlets to capture network traffic.
+https://learn.microsoft.com/en-us/powershell/module/neteventpacketcapture/new-neteventsession?view=windowsserver2022-ps
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 9c15a7de-de14-46c3-bc2a-6d94130986ae
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+New-NetEventSession -Name Capture007 -LocalFilePath "$ENV:Temp\sniff.etl"
+Add-NetEventPacketCaptureProvider -SessionName Capture007 -TruncationLength 100
+Start-NetEventSession -Name Capture007
+Stop-NetEventSession -Name Capture007
+Remove-NetEventSession -Name Capture007
+```
+
+#### Cleanup Commands:
+```powershell
+del $ENV:Temp\sniff.etl
+```
+
+
+
+
+
 <br/>