From eb0279838bcbce541360cd8f576700c3dfcb4c7d Mon Sep 17 00:00:00 2001
From: binar-x79 <45055730+binar-x79@users.noreply.github.com>
Date: Wed, 12 Aug 2020 22:04:03 -0700
Subject: [PATCH] Create pktmon.yml

---
 yml/OSBinaries/pktmon.yml | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 yml/OSBinaries/pktmon.yml

diff --git a/yml/OSBinaries/pktmon.yml b/yml/OSBinaries/pktmon.yml
new file mode 100644
index 0000000..6eb22f4
--- /dev/null
+++ b/yml/OSBinaries/pktmon.yml
@@ -0,0 +1,35 @@
+---
+Name: pktmon.exe
+Description: Capture Network Packets on the windows 10 with October 2018 Update or later.
+Author: Derek Johnson
+Created: '2020-08-12'
+Commands:
+  - Command: pktmon.exe start --etw
+    Description: Will start a packet capture and store log file as PktMon.etl. Use pktmon.exe stop
+    Usecase: use this a built in network sniffer on windows 10 to capture senstive traffic
+    Category: Reconnaissance
+    Privileges: Administrator
+    MitreID: T1040
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1040
+    OperatingSystem: Windows 10 1809 and later
+- Command: pktmon.exe filter add -p 445
+    Description: Select Desired ports for packet capture
+    Usecase: Look for interesting traffic such as telent or FTP
+    Category: Reconnaissance
+    Privileges: Administrator
+    MitreID: T1040
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1040
+    OperatingSystem: Windows 10 1809 and later
+Full_Path:
+  - Path: c:\windows\system32\pktmon.exe
+  - Path: c:\windows\syswow64\pktmon.exe
+Code_Sample: 
+  - Code: http://url.com/git.txt
+Detection: 
+  - IOC: .etl files found on system
+Resources:
+  - Link: https://binar-x79.com/windows-10-secret-sniffer/
+Acknowledgement:
+  - Person: 
+    Handle:
+---