Detects suspicious execution of network monitoring tools (e.g., Wireshark, tshark, Microsoft Message Analyzer), driver loading indicative of promiscuous mode, or non-admin users escalating privileges to gain capture access to NICs.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Service Creation (DC0060) | WinEventLog:System | EventCode=7045 |

| Field | Description |
|---|---|
| ToolNames | Adjust list of known sniffing tools based on environment and known administrator usage. |
| TimeWindow | Tune time of day or frequency of capture sessions to reduce false positives from authorized use. |
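The Windows analytic above reduces to scoring two event types against the ToolNames and TimeWindow tunables. The following is an added example (not part of this page or of any vendor content) that does exactly that over constructed 4688 and 7045 records in the flattened field layout a SIEM would index; the tool list, the driver markers, the `CORP\netops-admin` account and the 08:00 to 18:00 window are assumptions for the example.

```python
"""Score Windows Security 4688 (process creation) and System 7045 (service
install) events for packet-capture activity. Added example; the event records
below are constructed."""
from datetime import datetime
from pathlib import PureWindowsPath

# ToolNames: image names of known capture tools; extend per environment (assumed set).
TOOL_NAMES = {"wireshark.exe", "tshark.exe", "dumpcap.exe", "windump.exe", "messageanalyzer.exe"}
# Service names / driver files whose installation enables promiscuous capture (assumed set).
CAPTURE_DRIVER_MARKERS = {"npcap", "npf", "winpcap"}
# Accounts expected to run captures (assumed naming for this example).
ADMIN_ACCOUNTS = {"CORP\\netops-admin"}
# TimeWindow: local hours in which authorised capture sessions normally happen (assumed).
AUTHORIZED_HOURS = range(8, 18)


def is_capture_tool(image_path):
    """Match on the image file name only, so the install directory does not matter."""
    return PureWindowsPath(image_path).name.lower() in TOOL_NAMES


def is_capture_driver(service_name, image_path):
    """Match capture-driver markers in the service name or the driver file name."""
    haystack = f"{service_name} {PureWindowsPath(image_path).name}".lower()
    return any(marker in haystack for marker in CAPTURE_DRIVER_MARKERS)


def score_event(event):
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons = []
    when = datetime.fromisoformat(event["time"])
    if event["EventCode"] == 4688 and is_capture_tool(event["NewProcessName"]):
        reasons.append("capture tool executed")
        if event["SubjectUserName"] not in ADMIN_ACCOUNTS:
            reasons.append("by non-admin account")
        if when.hour not in AUTHORIZED_HOURS:
            reasons.append("outside authorized hours")
    elif event["EventCode"] == 7045 and is_capture_driver(event["ServiceName"], event["ImagePath"]):
        reasons.append("capture driver service installed")
    return reasons


def triage(events):
    """Return (time, account, reasons) for every event that scored."""
    hits = []
    for event in events:
        reasons = score_event(event)
        if reasons:
            hits.append((event["time"], event.get("SubjectUserName", "SYSTEM"), reasons))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2024-03-04T10:15:00", "EventCode": 4688, "SubjectUserName": "CORP\\netops-admin",
     "NewProcessName": "C:\\Program Files\\Wireshark\\Wireshark.exe"},
    {"time": "2024-03-04T23:40:50", "EventCode": 7045, "SubjectUserName": "CORP\\jdoe",
     "ServiceName": "npcap", "ImagePath": "system32\\DRIVERS\\npcap.sys"},
    {"time": "2024-03-04T23:41:12", "EventCode": 4688, "SubjectUserName": "CORP\\jdoe",
     "NewProcessName": "C:\\Users\\jdoe\\Downloads\\tshark.exe"},
    {"time": "2024-03-04T11:02:03", "EventCode": 4688, "SubjectUserName": "CORP\\jdoe",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

An authorised admin running Wireshark in hours still produces a single low-weight reason, which is useful for hunting but should not page anyone; the non-admin, off-hours launch preceded by an npcap service install is the combination worth an alert.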
Correlates interface mode changes to promiscuous with execution of sniffing tools like tcpdump, tshark, or custom pcap libraries. Detects abnormal NIC configurations and unauthorized sniffing from non-root sessions.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve, setifflags |
| Command Execution (DC0064) | auditd:SYSCALL | promiscuous mode transitions (ioctl or ifconfig) |
| Network Traffic Content (DC0085) | networkconfig | interface flag PROMISC, netstat \| ip link \| ethtool |

| Field | Description |
|---|---|
| InterfaceList | Limit analysis to external interfaces (e.g., eth0, wlan0) and exclude virtual adapters. |
| PromiscuousSessionThreshold | Raise alerts if interface remains in PROMISC longer than threshold duration. |
Detects enabling of interface sniffing via packet capture tools or AppleScript triggering tcpdump. Leverages Unified Logs and process lineage to identify suspicious use of pfctl, tcpdump, or libpcap libraries.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | macos:unifiedlog | eventMessage = 'promiscuous' |
| Process Creation (DC0032) | macos:osquery | process_events where path like '%tcpdump%' |
| Command Execution (DC0064) | fs:fsusage | access to BPF devices or interface IOCTLs |

| Field | Description |
|---|---|
| AllowedTools | Whitelist Apple-native tools used by IT admins and mobile device management (MDM). |
| UserContext | Prioritize detections from non-admin or low-privilege users performing packet captures. |
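The Linux and macOS analytics above share one correlation: a PROMISC transition on a watched interface is attributed to a capture-tool launch on the same host shortly before it, the user behind that launch decides priority (UserContext), and the time until the interface leaves PROMISC is compared with PromiscuousSessionThreshold. The following added example (not part of this page) implements that for both platforms over constructed log lines normalised as `<ISO timestamp> <host> <message>`. The Linux lines follow the real kernel wording (`device eth0 entered promiscuous mode`) and auditd SYSCALL field layout; the macOS kernel line (`en0: promiscuous mode enabled`) and the osquery-style process row are constructed shapes, and the interface list, thresholds and window are assumptions.

```python
"""Correlate promiscuous-mode transitions with capture-tool launches on Linux
and macOS hosts. Added example; all log lines are constructed."""
import re
from datetime import datetime, timedelta

# InterfaceList: physical interfaces worth watching (assumed); virtual adapters such as
# docker0 or veth* are excluded because they enter PROMISC routinely.
INTERFACE_LIST = {"eth0", "wlan0", "en0"}
# PromiscuousSessionThreshold: alert if an interface stays in PROMISC longer than this.
PROMISC_THRESHOLD = timedelta(minutes=5)
# A PROMISC transition this soon after a capture-tool launch is attributed to it.
CORRELATION_WINDOW = timedelta(seconds=30)
CAPTURE_TOOLS = {"tcpdump", "tshark", "dumpcap"}
PRIVILEGED_UIDS = {"0"}   # UserContext: captures attributed to anyone else get priority

# Linux kernel: "device eth0 entered|left promiscuous mode".
# macOS variant "en0: promiscuous mode enabled|disabled" is a constructed shape.
PROMISC_RE = re.compile(
    r"(?P<iface>[a-z]+\d+)\S*\s+(?:(?P<dir>entered|left) promiscuous mode"
    r"|promiscuous mode (?P<state>enabled|disabled))")
# auditd SYSCALL records carry uid=... comm="..."; osquery-style rows carry uid=... path=...
# \buid= skips the auid= field that precedes uid= in auditd output.
EXEC_RE = re.compile(r'\buid=(?P<uid>\d+).*?(?:comm="(?P<comm>[^"]+)"|path=(?P<path>\S+))')


def parse_line(line):
    """Normalise one log line into a promisc or exec event, or None if irrelevant."""
    ts_str, host, msg = line.split(" ", 2)
    ts = datetime.fromisoformat(ts_str)
    m = PROMISC_RE.search(msg)
    if m:
        on = m["dir"] == "entered" or m["state"] == "enabled"
        return {"ts": ts, "host": host, "kind": "promisc", "iface": m["iface"], "on": on}
    m = EXEC_RE.search(msg)
    if m:
        comm = m["comm"] or m["path"].rsplit("/", 1)[-1]
        return {"ts": ts, "host": host, "kind": "exec", "uid": m["uid"], "comm": comm}
    return None


def correlate(lines):
    """Return (host, iface, reason) alerts for PROMISC transitions on watched interfaces."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    launches = []        # capture-tool exec events seen so far
    open_sessions = {}   # (host, iface) -> start of the current PROMISC session
    alerts = []
    for e in events:
        if e["kind"] == "exec":
            if e["comm"] in CAPTURE_TOOLS:
                launches.append(e)
            continue
        if e["iface"] not in INTERFACE_LIST:
            continue
        key = (e["host"], e["iface"])
        if e["on"]:
            # Attribute to the latest capture-tool launch on the same host inside the window.
            cands = [x for x in launches if x["host"] == e["host"]
                     and timedelta(0) <= e["ts"] - x["ts"] <= CORRELATION_WINDOW]
            open_sessions[key] = e["ts"]
            if not cands:
                alerts.append((e["host"], e["iface"], "unattributed"))
            elif cands[-1]["uid"] not in PRIVILEGED_UIDS:
                alerts.append((e["host"], e["iface"], "unprivileged_user"))
        else:
            start = open_sessions.pop(key, None)
            if start is not None and e["ts"] - start > PROMISC_THRESHOLD:
                alerts.append((e["host"], e["iface"], "session_exceeds_threshold"))
    return alerts


# Constructed sample stream (not real telemetry).
SAMPLE_LINES = [
    '2024-03-04T10:00:00 web01 type=SYSCALL msg=audit(1709546400.000:101): arch=c000003e syscall=59 success=yes exit=0 ppid=2201 pid=2290 auid=1000 uid=0 comm="tcpdump" exe="/usr/bin/tcpdump"',
    "2024-03-04T10:00:02 web01 kernel: device eth0 entered promiscuous mode",
    "2024-03-04T10:01:30 web01 kernel: device eth0 left promiscuous mode",
    "2024-03-04T12:00:00 mac01 osquery: process_events uid=501 path=/usr/sbin/tcpdump",
    "2024-03-04T12:00:01 mac01 kernel: en0: promiscuous mode enabled",
    "2024-03-04T12:00:30 mac01 kernel: en0: promiscuous mode disabled",
    "2024-03-04T13:00:00 db01 kernel: device docker0 entered promiscuous mode",
    "2024-03-04T14:00:00 db01 kernel: device eth0 entered promiscuous mode",
    "2024-03-04T14:00:10 db01 kernel: device eth0 left promiscuous mode",
    '2024-03-04T23:41:00 build02 type=SYSCALL msg=audit(1709595660.000:777): arch=c000003e syscall=59 success=yes exit=0 ppid=3100 pid=3188 auid=1001 uid=1001 comm="tshark" exe="/usr/bin/tshark"',
    "2024-03-04T23:41:05 build02 kernel: device eth0 entered promiscuous mode",
    "2024-03-05T00:10:00 build02 kernel: device eth0 left promiscuous mode",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LINES):
        print(alert)
```

The root-run tcpdump on web01 that stays in PROMISC for under two minutes produces nothing, which is the intended tuning; the docker0 transition is dropped by InterfaceList; db01 enters PROMISC with no capture tool launch in the window (an unattributed transition worth a look at loaded modules or custom pcap code); and build02 is flagged twice, once for the non-root user and once when the session outlives the threshold.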
Detects creation of traffic mirroring sessions (e.g., AWS VPC Traffic Mirroring, Azure vTAP) that redirect traffic from critical assets to other virtual instances, often followed by file creation or session establishment.

| Data Component | Name | Channel |
|---|---|---|
| Cloud Service Modification (DC0069) | AWS:CloudTrail | CreateTrafficMirrorSession / ModifyTrafficMirrorTarget |

| Field | Description |
|---|---|
| MirrorSourceList | Identify VMs or containers where mirror sessions are abnormal or unexpected. |
| TargetIAMRole | Monitor whether mirror target roles match administrative expectations. |
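For the CloudTrail analytic, the two tunables map onto two checks per record: is the mirror source ENI one of the critical assets (MirrorSourceList), and did the call come from a role that is expected to manage mirroring (TargetIAMRole). The following added example (not part of this page or of AWS documentation) applies both to constructed CloudTrail records; the records follow the standard CloudTrail layout (`userIdentity`, `eventName`, `eventTime`, `requestParameters`), but the account id, ENI ids, target/filter ids and role names are placeholders, and the nested `CreateTrafficMirrorSessionRequest` parameter block is the shape assumed here.

```python
"""Flag traffic-mirroring API calls in CloudTrail that touch critical ENIs or
come from an unexpected role. Added example; records are constructed."""

# MirrorSourceList: ENIs of hosts where a mirror session is never expected (placeholders).
CRITICAL_ENIS = {"eni-0aaa111bbb222ccc3", "eni-0ddd444eee555fff6"}
# TargetIAMRole: roles permitted to create or modify mirror sessions and targets (assumed).
EXPECTED_ROLES = {"NetOpsMirrorAdmin"}
MIRROR_EVENTS = {"CreateTrafficMirrorSession", "ModifyTrafficMirrorTarget"}


def role_name(user_identity):
    """Role name from an assumed-role STS ARN, or None for IAM users and root."""
    parts = user_identity.get("arn", "").split(":")[-1].split("/")
    return parts[1] if parts[0] == "assumed-role" and len(parts) > 1 else None


def source_eni(record):
    """Mirror source ENI from the request parameters, if the call names one."""
    params = record.get("requestParameters") or {}
    inner = params.get("CreateTrafficMirrorSessionRequest", params)
    return inner.get("NetworkInterfaceId") or inner.get("networkInterfaceId")


def evaluate(record):
    """Evaluate one record; None if it is not a mirroring call."""
    if record.get("eventName") not in MIRROR_EVENTS:
        return None
    reasons = []
    eni = source_eni(record)
    if eni in CRITICAL_ENIS:
        reasons.append("mirror source is a critical asset")
    role = role_name(record.get("userIdentity", {}))
    if role not in EXPECTED_ROLES:
        reasons.append("caller role not in expected set")
    return {"time": record["eventTime"], "event": record["eventName"],
            "caller": record.get("userIdentity", {}).get("arn"), "eni": eni, "reasons": reasons}


def scan(trail):
    """Return evaluated mirroring events that raised at least one reason."""
    return [r for r in map(evaluate, trail["Records"]) if r and r["reasons"]]


# Constructed CloudTrail export (placeholder ids, not real telemetry).
SAMPLE_TRAIL = {"Records": [
    {"eventTime": "2024-03-04T10:00:00Z", "eventName": "CreateTrafficMirrorSession",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/NetOpsMirrorAdmin/netops"},
     "requestParameters": {"CreateTrafficMirrorSessionRequest": {
         "NetworkInterfaceId": "eni-0123456789abcdef0",
         "TrafficMirrorTargetId": "tmt-0placeholder0000",
         "TrafficMirrorFilterId": "tmf-0placeholder0000"}}},
    {"eventTime": "2024-03-04T23:40:00Z", "eventName": "CreateTrafficMirrorSession",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DevOpsDeploy/i-0abc"},
     "requestParameters": {"CreateTrafficMirrorSessionRequest": {
         "NetworkInterfaceId": "eni-0aaa111bbb222ccc3",
         "TrafficMirrorTargetId": "tmt-0placeholder0001",
         "TrafficMirrorFilterId": "tmf-0placeholder0001"}}},
    {"eventTime": "2024-03-04T23:42:00Z", "eventName": "ModifyTrafficMirrorTarget",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"TrafficMirrorTargetId": "tmt-0placeholder0001"}},
    {"eventTime": "2024-03-04T23:43:00Z", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {}},
]}

if __name__ == "__main__":
    for hit in scan(SAMPLE_TRAIL):
        print(hit)
```

Keying the role check on the assumed-role name rather than the full ARN keeps the rule stable across session names, and treating IAM users and root as "no role" means mirroring changes made outside the expected role path always surface.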
Detects execution of capture commands via CLI (monitor capture, debug packet, etc.) or unauthorized CLI access followed by logging configuration changes on Cisco/Juniper/Arista gear.

| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | networkdevice:syslog | admin login events |
| Command Execution (DC0064) | networkdevice:syslog | exec command='monitor capture' |
| Network Traffic Content (DC0085) | networkdevice:syslog | config change (e.g., logging buffered, pcap buffers) |

| Field | Description |
|---|---|
| AdminSessionDuration | Tunable alerting threshold for interactive CLI sessions. |
| CaptureCommandList | Define set of known capture/debug commands per vendor to flag unexpected usage. |
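The network-device analytic depends on tying each logged command back to the login session that issued it, so that a capture command, a logging change from an unexpected source, or a session running past AdminSessionDuration can all be reported with the user and source address. The following added example (not part of this page or of any vendor's documentation) does that over constructed syslog lines normalised as `<ISO timestamp> <device> <message>`. The message shapes are modelled on Cisco IOS (`%SEC_LOGIN-5-LOGIN_SUCCESS`, `%PARSER-5-CFGLOG_LOGGEDCMD`) and Junos (`UI_LOGIN_EVENT`, `UI_CMDLINE_READ_LINE`), but the lines, the device inventory, the allowed jump host, the session limit and the per-vendor command lists are all assumptions; in a deployment, IOS exec-mode commands such as `monitor capture` usually arrive through AAA command accounting rather than config logging and need their own pattern.

```python
"""Attribute CLI commands on network devices to the admin session that issued
them and flag capture commands, logging changes and over-long sessions.
Added example; log lines are constructed."""
import re
from datetime import datetime, timedelta

# Device inventory (assumed) selects the vendor's message patterns for each line.
DEVICE_VENDOR = {"core-sw1": "cisco", "edge-r1": "juniper"}
# CaptureCommandList: command prefixes per vendor (assumed starting set).
CAPTURE_COMMANDS = {
    "cisco": ("monitor capture", "debug packet", "debug ip packet"),
    "juniper": ("monitor traffic",),
}
# Logging configuration changes that can blind collection (assumed set).
LOGGING_CHANGES = ("logging buffered", "no logging", "set system syslog", "delete system syslog")
# Jump hosts admins are expected to connect from (assumed).
ALLOWED_ADMIN_SOURCES = {"10.1.1.5"}
# AdminSessionDuration: interactive sessions longer than this are flagged once.
ADMIN_SESSION_LIMIT = timedelta(minutes=30)

VENDOR_PATTERNS = {
    "cisco": {
        "login": re.compile(r"LOGIN_SUCCESS: Login Success \[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[\d.]+)\]"),
        "command": re.compile(r"CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.+)"),
    },
    "juniper": {
        "login": re.compile(r"UI_LOGIN_EVENT: User '(?P<user>[^']+)' login.*?'(?P<src>[\d.]+) \d+ "),
        "command": re.compile(r"UI_CMDLINE_READ_LINE: User '(?P<user>[^']+)', command '(?P<cmd>[^']*)'"),
    },
}


def parse_line(line):
    """Normalise one syslog line into a login or command event, or None."""
    ts_str, device, msg = line.split(" ", 2)
    vendor = DEVICE_VENDOR.get(device)
    if vendor is None:
        return None
    base = {"ts": datetime.fromisoformat(ts_str), "device": device, "vendor": vendor}
    m = VENDOR_PATTERNS[vendor]["login"].search(msg)
    if m:
        return {**base, "kind": "login", "user": m["user"], "src": m["src"]}
    m = VENDOR_PATTERNS[vendor]["command"].search(msg)
    if m:
        return {**base, "kind": "command", "user": m["user"], "cmd": m["cmd"].strip()}
    return None


def analyze(lines):
    """Return (device, user, source, kind, detail) alerts."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    sessions = {}   # (device, user) -> {"start": ts, "src": ip, "flagged": bool}
    alerts = []
    for e in events:
        key = (e["device"], e["user"])
        if e["kind"] == "login":
            sessions[key] = {"start": e["ts"], "src": e["src"], "flagged": False}
            continue
        sess = sessions.get(key)
        src = sess["src"] if sess else "unknown"
        cmd = e["cmd"].lower()
        if cmd.startswith(CAPTURE_COMMANDS[e["vendor"]]):
            alerts.append((e["device"], e["user"], src, "capture_command", e["cmd"]))
        if cmd.startswith(LOGGING_CHANGES) and src not in ALLOWED_ADMIN_SOURCES:
            alerts.append((e["device"], e["user"], src, "logging_change_from_unexpected_source", e["cmd"]))
        if sess and not sess["flagged"] and e["ts"] - sess["start"] > ADMIN_SESSION_LIMIT:
            sess["flagged"] = True
            alerts.append((e["device"], e["user"], src, "long_interactive_session", str(e["ts"] - sess["start"])))
    return alerts


# Constructed sample lines (not real device output).
SAMPLE_LINES = [
    "2024-03-04T10:00:00 core-sw1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.1.1.5] [localport: 22] at 10:00:00 UTC Mon Mar 4 2024",
    "2024-03-04T10:00:40 core-sw1 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:show interfaces status",
    "2024-03-04T10:01:10 core-sw1 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:monitor capture CAP interface GigabitEthernet1/0/1 both",
    "2024-03-04T22:13:00 core-sw1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: svc-backup] [Source: 192.0.2.77] [localport: 22] at 22:13:00 UTC Mon Mar 4 2024",
    "2024-03-04T22:13:30 core-sw1 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup  logged command:no logging buffered",
    "2024-03-04T22:50:00 core-sw1 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup  logged command:debug ip packet detail",
    "2024-03-04T11:00:00 edge-r1 mgd[4210]: UI_LOGIN_EVENT: User 'netops' login, class 'super-user' [4210], ssh-connection '10.1.1.5 51022 10.0.0.1 22', client-mode 'cli'",
    "2024-03-04T11:00:20 edge-r1 mgd[4210]: UI_CMDLINE_READ_LINE: User 'netops', command 'monitor traffic interface ge-0/0/0 '",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LINES):
        print(alert)
```

The netops captures from the jump host are reported as plain capture commands for review, while the service account logging in from an unexpected address, disabling buffered logging and then running a packet debug inside a 37-minute session collects three distinct reasons, which is the pattern the analytic is after.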