title: Windows Network Sniffing
description: Detect scripted packet capture using tshark or netsh, not limited by packet count or interface.
author: keyboardcrunch
date: 17/03/2021
modified: null
mitre: 
   tactic: Credential Access
   technique: T1040
   subtechnique: null
operating_system: windows
query: TgtProcName = "netsh.exe" and TgtProcCmdLine ContainsCIS "trace start" ) OR ProcessName = "tshark.exe"
false_positives: null
tags: null
references:
   - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md