From dd57246fded9a63a023ad086205c78edd41e76be Mon Sep 17 00:00:00 2001
From: keyboardcrunch
Date: Wed, 17 Mar 2021 19:19:22 -0500
Subject: [PATCH] Revert "T1040 network sniffing"

This reverts commit 50959302ed15e36a6989f74b535fe95921db2fb6.
---
 queries/linux/nix_network_sniffing.yml | 15 ---------------
 queries/windows/network_sniffing.yml   | 15 ---------------
 2 files changed, 30 deletions(-)
 delete mode 100644 queries/linux/nix_network_sniffing.yml
 delete mode 100644 queries/windows/network_sniffing.yml

diff --git a/queries/linux/nix_network_sniffing.yml b/queries/linux/nix_network_sniffing.yml
deleted file mode 100644
index fce33d2..0000000
--- a/queries/linux/nix_network_sniffing.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: Linux Network Sniffing
-description: Detect scripted packet capture using tcpdump or tshark, not limited by packet count or interface.
-author: keyboardcrunch
-date: 17/03/2021
-modified: null
-mitre:
-  tactic: Credential Access
-  technique: T1040
-  subtechnique: null
-operating_system: linux
-query: TgtProcName In AnyCase ("tcpdump","tshark")
-false_positives: null
-tags: null
-references:
-  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
\ No newline at end of file
diff --git a/queries/windows/network_sniffing.yml b/queries/windows/network_sniffing.yml
deleted file mode 100644
index ad8fe23..0000000
--- a/queries/windows/network_sniffing.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-title: Windows Network Sniffing
-description: Detect scripted packet capture using tshark or netsh, not limited by packet count or interface.
-author: keyboardcrunch
-date: 17/03/2021
-modified: null
-mitre:
-  tactic: Credential Access
-  technique: T1040
-  subtechnique: null
-operating_system: windows
-query: TgtProcName = "netsh.exe" and TgtProcCmdLine ContainsCIS "trace start" ) OR ProcessName = "tshark.exe"
-false_positives: null
-tags: null
-references:
-  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
\ No newline at end of file