mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-25 22:39:27 +01:00
Create pktmon.yml
This commit is contained in:
parent
689c3b1fea
commit
eb0279838b
35
yml/OSBinaries/pktmon.yml
Normal file
35
yml/OSBinaries/pktmon.yml
Normal file
@ -0,0 +1,35 @@
|
||||
---
|
||||
Name: pktmon.exe
|
||||
Description: Capture Network Packets on the windows 10 with October 2018 Update or later.
|
||||
Author: Derek Johnson
|
||||
Created: '2020-08-12'
|
||||
Commands:
|
||||
- Command: pktmon.exe start --etw
|
||||
Description: Will start a packet capture and store log file as PktMon.etl. Use pktmon.exe stop
|
||||
Usecase: use this a built in network sniffer on windows 10 to capture senstive traffic
|
||||
Category: Reconnaissance
|
||||
Privileges: Administrator
|
||||
MitreID: T1040
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1040
|
||||
OperatingSystem: Windows 10 1809 and later
|
||||
- Command: pktmon.exe filter add -p 445
|
||||
Description: Select Desired ports for packet capture
|
||||
Usecase: Look for interesting traffic such as telent or FTP
|
||||
Category: Reconnaissance
|
||||
Privileges: Administrator
|
||||
MitreID: T1040
|
||||
MitreLink: https://attack.mitre.org/wiki/Technique/T1040
|
||||
OperatingSystem: Windows 10 1809 and later
|
||||
Full_Path:
|
||||
- Path: c:\windows\system32\pktmon.exe
|
||||
- Path: c:\windows\syswow64\pktmon.exe
|
||||
Code_Sample:
|
||||
- Code: http://url.com/git.txt
|
||||
Detection:
|
||||
- IOC: .etl files found on system
|
||||
Resources:
|
||||
- Link: https://binar-x79.com/windows-10-secret-sniffer/
|
||||
Acknowledgement:
|
||||
- Person:
|
||||
Handle:
|
||||
---
|
Loading…
Reference in New Issue
Block a user