Windows Network Sniffing
Query
DeviceProcessEvents
| where FileName == "PktMon.exe"
| project TimeGenerated, DeviceName, ProcessCommandLineAbout this query
Windows Network Sniffing
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1040 | Network Sniffing | https://attack.mitre.org/techniques/T1040 |
Description
In Windows the default tool Packet Monitor can be used to capture network traffic. This traffic might contain valueble information that an attacker can use. Valueble information can be found in HTTP traffic, because it goes unencrypted over the wire.
Risk
Actor can use network sniffing to capture information. If data (passwords) is send unencrypted they can also be collected ans used to collect credentials.
References
Defender XDR
DeviceProcessEvents
| where FileName == "PktMon.exe"
| project Timestamp, DeviceName, ProcessCommandLine
Sentinel
Explanation
This query is designed to detect the use of a specific tool called "PktMon.exe" on Windows systems. PktMon.exe is a packet monitoring tool that can be used for network sniffing, which involves capturing network traffic to potentially gather sensitive information. The query is relevant to the MITRE ATT&CK technique T1040, which is associated with network sniffing.
Here's a simple breakdown of the query:
-
Purpose: The query aims to identify instances where the Packet Monitor tool (PktMon.exe) is executed on a device. This tool can be used to capture network traffic, which might include unencrypted data such as passwords.
-
Risk: If an attacker uses this tool, they could capture sensitive information transmitted over the network, especially if the data is not encrypted.
-
Query Details:
- The query is run on a dataset called
DeviceProcessEvents. - It filters events to find those where the process name is "PktMon.exe".
- It then extracts and displays specific details about these events, such as the timestamp, the name of the device where the tool was run, and the command line used to execute the process.
- The query is run on a dataset called
-
Output: The output will show when and where PktMon.exe was used, helping security teams identify potential unauthorized network sniffing activities.
This query is useful for security monitoring and incident response, as it helps detect potential misuse of network monitoring tools that could lead to data breaches.
