From 58b7368940a5efae2592baf4bd15b49a35f80669 Mon Sep 17 00:00:00 2001
From: keyboardcrunch
Date: Wed, 17 Mar 2021 19:20:55 -0500
Subject: [PATCH] T1040 Network Sniffing

---
queries/linux/nix_network_sniffing.yml | 15 +++++++++++++++
queries/windows/network_sniffing.yml | 15 +++++++++++++++
2 files changed, 30 insertions(+)
create mode 100644 queries/linux/nix_network_sniffing.yml
create mode 100644 queries/windows/network_sniffing.yml

diff --git a/queries/linux/nix_network_sniffing.yml b/queries/linux/nix_network_sniffing.yml
new file mode 100644
index 0000000..fce33d2
--- /dev/null
+++ b/queries/linux/nix_network_sniffing.yml
@@ -0,0 +1,15 @@
+title: Linux Network Sniffing
+description: Detect scripted packet capture using tcpdump or tshark, not limited by packet count or interface.
+author: keyboardcrunch
+date: 17/03/2021
+modified: null
+mitre:
+ tactic: Credential Access
+ technique: T1040
+ subtechnique: null
+operating_system: linux
+query: TgtProcName In AnyCase ("tcpdump","tshark")
+false_positives: null
+tags: null
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
\ No newline at end of file
diff --git a/queries/windows/network_sniffing.yml b/queries/windows/network_sniffing.yml
new file mode 100644
index 0000000..ad8fe23
--- /dev/null
+++ b/queries/windows/network_sniffing.yml
@@ -0,0 +1,15 @@
+title: Windows Network Sniffing
+description: Detect scripted packet capture using tshark or netsh, not limited by packet count or interface.
+author: keyboardcrunch
+date: 17/03/2021
+modified: null
+mitre:
+ tactic: Credential Access
+ technique: T1040
+ subtechnique: null
+operating_system: windows
+query: TgtProcName = "netsh.exe" and TgtProcCmdLine ContainsCIS "trace start" ) OR ProcessName = "tshark.exe"
+false_positives: null
+tags: null
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
\ No newline at end of file
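Review bot: `false_positives: null` in the Linux rule leaves the analyst with no triage guidance, even though the query fires on every `tcpdump` or `tshark` process start regardless of who launched it — routine administrator troubleshooting and packet-capture agents deployed by monitoring or security tooling will match exactly like a credential-harvesting capture would. Replace the null with the benign cases the author expects, e.g. `false_positives: Interactive troubleshooting by administrators; scheduled captures run by network monitoring agents`, so a tuning baseline exists before the rule is deployed. The `date: 17/03/2021` value parses as a plain string but its day-first format is ambiguous to other readers of the corpus; `date: "2021-03-17"` (quoted, so it is never coerced to a timestamp) would be unambiguous, and the same applies to the Windows file in this commit. The `query` scalar is unquoted; it is valid as a plain scalar today, but wrapping it in single quotes would keep it safe if a later edit introduces `: ` or ` #` inside the expression.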
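Review bot: The Windows `query` line is syntactically broken: it contains a closing `)` after `"trace start"` with no opening parenthesis, so the expression will fail to parse or, depending on the engine, silently evaluate only part of it and never alert. The same line also switches from `TgtProcName` (used for the netsh clause and throughout the Linux rule) to `ProcessName` for the tshark clause, and mixes `and` with `OR`; the corrected line is `query: (TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "trace start") OR TgtProcName = "tshark.exe"`, assuming `TgtProcName` is the field the query language actually exposes. As with the Linux rule, `false_positives: null` should name the expected benign case — `netsh trace start` is a standard administrator diagnostic command — so the detection can be tuned rather than muted.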