Query Details

Windows Network Sniffing

Query

DeviceProcessEvents
| where FileName == "PktMon.exe"
| project TimeGenerated, DeviceName, ProcessCommandLine

About this query

Windows Network Sniffing

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1040Network Sniffinghttps://attack.mitre.org/techniques/T1040

Description

In Windows the default tool Packet Monitor can be used to capture network traffic. This traffic might contain valueble information that an attacker can use. Valueble information can be found in HTTP traffic, because it goes unencrypted over the wire.

Risk

Actor can use network sniffing to capture information. If data (passwords) is send unencrypted they can also be collected ans used to collect credentials.

References

Defender XDR

DeviceProcessEvents
| where FileName == "PktMon.exe"
| project Timestamp, DeviceName, ProcessCommandLine

Sentinel

Explanation

This query is designed to detect the use of a specific tool called "PktMon.exe" on Windows systems. PktMon.exe is a packet monitoring tool that can be used for network sniffing, which involves capturing network traffic to potentially gather sensitive information. The query is relevant to the MITRE ATT&CK technique T1040, which is associated with network sniffing.

Here's a simple breakdown of the query:

  1. Purpose: The query aims to identify instances where the Packet Monitor tool (PktMon.exe) is executed on a device. This tool can be used to capture network traffic, which might include unencrypted data such as passwords.

  2. Risk: If an attacker uses this tool, they could capture sensitive information transmitted over the network, especially if the data is not encrypted.

  3. Query Details:

    • The query is run on a dataset called DeviceProcessEvents.
    • It filters events to find those where the process name is "PktMon.exe".
    • It then extracts and displays specific details about these events, such as the timestamp, the name of the device where the tool was run, and the command line used to execute the process.
  4. Output: The output will show when and where PktMon.exe was used, helping security teams identify potential unauthorized network sniffing activities.

This query is useful for security monitoring and incident response, as it helps detect potential misuse of network monitoring tools that could lead to data breaches.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

DeviceProcessEvents

Keywords

Device

Operators

where==project

MITRE Techniques

Actions

GitHub