← Back to Explore
sigmamediumHunting
Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
Detects the execution of powershell scripts with calls to the "Start-NetEventSession" cmdlet. Which allows an attacker to start event and packet capture for a network event session. Adversaries may attempt to capture network to gather information over the course of an operation. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.
Detection Query
selection:
ScriptBlockText|contains: Start-NetEventSession
condition: selection
Author
frack113
Created
2024-05-12
Data Sources
windowsps_script
Platforms
windows
References
- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing
- https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md
- https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13
Tags
attack.credential-accessattack.discoveryattack.t1040
Raw Content
title: Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
id: da34e323-1e65-42db-83be-a6725ac2caa3
status: test
description: |
Detects the execution of powershell scripts with calls to the "Start-NetEventSession" cmdlet. Which allows an attacker to start event and packet capture for a network event session.
Adversaries may attempt to capture network to gather information over the course of an operation.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing
- https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md
- https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13
author: frack113
date: 2024-05-12
tags:
- attack.credential-access
- attack.discovery
- attack.t1040
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'Start-NetEventSession'
condition: selection
falsepositives:
- Legitimate network diagnostic scripts.
level: medium