T1040

Network Sniffing

Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. Data captured via this technique may include user credentials, especially those sent over insecure, unencrypted protocols such as FTP, HTTP Basic Auth, Telnet, POP3, IMAP, and LDAP. Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics necessary for subsequent Lateral Movement and Defense Evasion activities. In cloud-based environments, adversaries may use traffic mirroring services (AWS Traffic Mirroring, GCP Packet Mirroring, Azure vTap) to sniff network traffic from virtual machines. On network devices, adversaries may perform network captures using Network Device CLI commands such as 'monitor capture'. Threat actors including Sandworm Team, Kimsuky, APT33, and Salt Typhoon have used this technique with tools such as Intercepter-NG, SniffPass, Impacket, and custom sniffers.

Microsoft Sentinel / Defender

kusto

let SniffingToolNames = dynamic([
  "tcpdump", "tshark", "wireshark", "windump", "dumpcap",
  "rawshark", "networkMiner", "intercepter-ng", "sniffpass",
  "pcapdump", "ntopng", "capinfos", "editcap", "ssldump"
]);
let RawSocketPatterns = dynamic([
  "socket.AF_PACKET", "SOCK_RAW", "ETH_P_ALL",
  "pcap_open", "pcap_loop", "pcap_next", "libpcap",
  "scapy", "impacket"
]);
// Detection 1: Known packet capture tool execution
let SniffingProcesses = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (SniffingToolNames)
   or ProcessCommandLine has_any (SniffingToolNames)
| extend DetectionType = "KnownSniffingTool"
| extend CaptureToFile = ProcessCommandLine has "-w "
| extend PromiscuousMode = ProcessCommandLine has_any ("-i any", "promisc", "--promiscuous")
| extend TargetingCleartext = ProcessCommandLine has_any ("port 21", "port 23", "port 80", "port 110", "port 143", "port 389", "ftp", "telnet", "smtp", "ldap")
| project Timestamp, DeviceName, AccountName, AccountDomain,
         FileName, ProcessCommandLine, FolderPath,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessAccountName, DetectionType,
         CaptureToFile, PromiscuousMode, TargetingCleartext;
// Detection 2: WinPcap / Npcap capture library loading by non-standard parents
let PcapDriverLoads = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where FileName has_any ("wpcap.dll", "npcap.dll", "Packet.dll", "npf.sys", "npcap.sys", "winpcap.sys")
   or FolderPath has_any ("\\npcap\\", "\\WinPcap\\")
| where InitiatingProcessFileName !in~ ("Wireshark.exe", "tshark.exe", "dumpcap.exe",
         "rawshark.exe", "capinfos.exe", "editcap.exe", "mergecap.exe")
| extend DetectionType = "PacketCaptureDriverLoad"
| extend CaptureToFile = false
| extend PromiscuousMode = false
| extend TargetingCleartext = false
| project Timestamp, DeviceName,
         AccountName = InitiatingProcessAccountName,
         AccountDomain = InitiatingProcessAccountDomain,
         FileName, ProcessCommandLine = InitiatingProcessCommandLine,
         FolderPath,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessAccountName, DetectionType,
         CaptureToFile, PromiscuousMode, TargetingCleartext;
// Detection 3: Scripting languages using raw socket / pcap patterns
let RawSocketScripts = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("python.exe", "python3", "python3.exe", "perl.exe", "ruby.exe", "pwsh.exe", "powershell.exe")
| where ProcessCommandLine has_any (RawSocketPatterns)
| extend DetectionType = "RawSocketOrPcapViaScriptingLanguage"
| extend CaptureToFile = ProcessCommandLine has_any ("-w ", "wrpcap", "pcap_dump")
| extend PromiscuousMode = ProcessCommandLine has_any ("promisc", "AF_PACKET", "ETH_P_ALL")
| extend TargetingCleartext = ProcessCommandLine has_any ("port 21", "port 23", "port 80", "port 110", "port 389")
| project Timestamp, DeviceName, AccountName, AccountDomain,
         FileName, ProcessCommandLine, FolderPath,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessAccountName, DetectionType,
         CaptureToFile, PromiscuousMode, TargetingCleartext;
union SniffingProcesses, PcapDriverLoads, RawSocketScripts
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Module: Module Load Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceImageLoadEvents

False Positives

Network administrators and security engineers using Wireshark, tshark, or tcpdump for legitimate network troubleshooting, packet analysis, or application protocol debugging
Vulnerability scanners (Nessus, Qualys, Rapid7) that load WinPcap/Npcap libraries during network discovery and host enumeration phases
Developer workstations where Wireshark, Scapy, or Impacket are installed for protocol research, application debugging, or CTF competitions
Dedicated network performance monitoring hosts (SolarWinds NPM, PRTG, ntopng) that continuously capture traffic for baseline analysis and alerting
Security Operations Center analyst machines running authorized packet captures during active incident response investigations

Splunk

spl

index=wineventlog (
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 OR EventCode=7 OR EventCode=11))
  OR
  (sourcetype="WinEventLog:System" EventCode=7045)
)
// Pattern 1: Sysmon EventCode 1 — Known sniffing tool process creation
| eval IsSniffProcess=if(
    EventCode=1 AND (
      match(lower(Image), "(tcpdump|tshark|wireshark|windump|dumpcap|rawshark|networkminer|intercepter|sniffpass|pcapdump|ssldump)") OR
      match(lower(CommandLine), "(tcpdump|tshark|wireshark|windump|dumpcap|networkminer|intercepter|sniffpass|scapy\.all|pcap_open|pcap_loop|sock_raw|af_packet)")
    ), 1, 0)
// Pattern 2: Sysmon EventCode 7 — WinPcap/Npcap DLL or driver loaded by non-Wireshark parent
| eval IsPcapDriverLoad=if(
    EventCode=7 AND
    match(lower(ImageLoaded), "(wpcap\.dll|npcap\.dll|packet\.dll|npf\.sys|npcap\.sys|winpcap\.sys)") AND
    NOT match(lower(Image), "(wireshark\.exe|tshark\.exe|dumpcap\.exe|rawshark\.exe|capinfos\.exe|editcap\.exe|mergecap\.exe)"),
    1, 0)
// Pattern 3: Windows System EventCode 7045 — NPF/Npcap packet filter service installed
| eval IsNpfServiceInstall=if(
    EventCode=7045 AND
    match(lower(ServiceName), "(npf|npcap|winpcap|ndiscap|netgroup packet)"),
    1, 0)
| where IsSniffProcess=1 OR IsPcapDriverLoad=1 OR IsNpfServiceInstall=1
| eval DetectionType=case(
    IsSniffProcess=1, "KnownSniffingToolExecution",
    IsPcapDriverLoad=1, "PacketCaptureDriverLoad",
    IsNpfServiceInstall=1, "PacketCaptureServiceInstalled",
    true(), "Unknown"
  )
| eval ActingProcess=coalesce(Image, ServiceName, "unknown")
| eval CmdLine=coalesce(CommandLine, ServiceFileName, "")
| eval LoadedLib=coalesce(ImageLoaded, "")
| eval ActingUser=coalesce(User, SubjectUserName, "unknown")
| eval CaptureToFile=if(match(CmdLine, "-w\s"), 1, 0)
| eval TargetingCleartext=if(match(CmdLine, "(port (21|23|80|110|143|389|25|110)|ftp|telnet|ldap|smtp|pop3|imap)"), 1, 0)
| table _time, host, ActingUser, ActingProcess, CmdLine, LoadedLib, DetectionType, EventCode, CaptureToFile, TargetingCleartext
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Module: Module Load Service: Service Creation Sysmon Event IDs 1, 7, 11 Windows System Event ID 7045

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:System

False Positives

Network administrators and security engineers using Wireshark, tshark, or tcpdump for authorized troubleshooting and analysis
Vulnerability scanners (Nessus, Qualys, Rapid7 InsightVM) that install and use WinPcap/Npcap during network discovery
Developer machines with Wireshark, Scapy, or Impacket installed for protocol development, testing, or CTF work
Dedicated network monitoring appliances (SolarWinds, PRTG, ntopng) that continuously capture and analyze traffic
Red team or penetration testing engagements where packet capture is an authorized test activity

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
[
  any where (
    (event.category == "process" and event.type == "start" and (
      process.name in~ ("tcpdump", "tshark", "wireshark", "windump", "dumpcap", "rawshark", "networkminer", "intercepter-ng", "sniffpass", "pcapdump", "ntopng", "capinfos", "editcap", "ssldump") or
      process.args like~ "*tcpdump*" or process.args like~ "*tshark*" or process.args like~ "*wireshark*" or
      process.args like~ "*pcap_open*" or process.args like~ "*pcap_loop*" or process.args like~ "*AF_PACKET*" or
      process.args like~ "*SOCK_RAW*" or process.args like~ "*scapy*" or process.args like~ "*impacket*"
    )) or
    (event.category == "library" and event.type == "load" and (
      file.name in~ ("wpcap.dll", "npcap.dll", "Packet.dll", "npf.sys", "npcap.sys", "winpcap.sys") and
      not process.name in~ ("Wireshark.exe", "tshark.exe", "dumpcap.exe", "rawshark.exe", "capinfos.exe", "editcap.exe", "mergecap.exe")
    ))
  )
] by host.hostname

/* Alternative: script-based raw socket detection */
process where event.type == "start" and
  process.name in~ ("python.exe", "python3", "python3.exe", "perl.exe", "ruby.exe", "pwsh.exe", "powershell.exe") and
  (
    process.args like~ "*socket.AF_PACKET*" or
    process.args like~ "*SOCK_RAW*" or
    process.args like~ "*ETH_P_ALL*" or
    process.args like~ "*pcap_open*" or
    process.args like~ "*pcap_loop*" or
    process.args like~ "*libpcap*" or
    process.args like~ "*scapy*" or
    process.args like~ "*impacket*"
  )

high severity high confidence

Data Sources

Elastic Endpoint Security Auditbeat (auditd module) Winlogbeat with Sysmon

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.library-* winlogbeat-*

False Positives

Legitimate network engineers or security teams running Wireshark, tcpdump, or tshark during authorized network diagnostics or troubleshooting sessions
Security products such as EDR sensors, packet brokers, or network performance monitoring tools that load WinPcap/Npcap libraries as part of normal operation
Python-based automation scripts using Scapy or Impacket for authorized penetration testing engagements or purple team exercises

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "Hostname" AS host,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS event_category,
  "Process Name" AS acting_process,
  "Command" AS command_line,
  "Image Loaded" AS loaded_library,
  CASE
    WHEN LOWER("Process Name") SIMILAR TO '%(tcpdump|tshark|wireshark|windump|dumpcap|rawshark|networkminer|intercepter|sniffpass|pcapdump|ssldump)%'
      OR LOWER("Command") SIMILAR TO '%(tcpdump|tshark|wireshark|windump|dumpcap|networkminer|intercepter|sniffpass|scapy|pcap_open|pcap_loop|sock_raw|af_packet|impacket)%'
      THEN 'KnownSniffingTool'
    WHEN LOWER("Image Loaded") SIMILAR TO '%(wpcap.dll|npcap.dll|packet.dll|npf.sys|npcap.sys|winpcap.sys)%'
      AND NOT LOWER("Process Name") SIMILAR TO '%(wireshark|tshark|dumpcap|rawshark|capinfos|editcap|mergecap)%'
      THEN 'PacketCaptureDriverLoad'
    WHEN LOWER("Process Name") SIMILAR TO '%(python|perl|ruby|pwsh|powershell)%'
      AND LOWER("Command") SIMILAR TO '%(af_packet|sock_raw|eth_p_all|pcap_open|pcap_loop|libpcap|scapy|impacket)%'
      THEN 'RawSocketViaScriptingLanguage'
    ELSE 'Unknown'
  END AS detection_type,
  CASE WHEN LOWER("Command") SIMILAR TO '%\-w %' THEN 1 ELSE 0 END AS capture_to_file,
  CASE WHEN LOWER("Command") SIMILAR TO '%(port 21|port 23|port 80|port 110|port 143|port 389|ftp|telnet|ldap|smtp)%' THEN 1 ELSE 0 END AS targeting_cleartext
FROM events
WHERE
  starttime > NOW() - 1 DAYS
  AND (
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Sysmon')
    OR LOGSOURCETYPENAME(devicetype) LIKE '%Sysmon%'
    OR LOGSOURCETYPENAME(devicetype) LIKE '%Linux%'
  )
  AND (
    LOWER("Process Name") SIMILAR TO '%(tcpdump|tshark|wireshark|windump|dumpcap|rawshark|networkminer|intercepter|sniffpass|pcapdump|ssldump)%'
    OR LOWER("Command") SIMILAR TO '%(tcpdump|tshark|wireshark|pcap_open|pcap_loop|sock_raw|af_packet|scapy|impacket|libpcap)%'
    OR (
      LOWER("Image Loaded") SIMILAR TO '%(wpcap.dll|npcap.dll|packet.dll|npf.sys|npcap.sys|winpcap.sys)%'
      AND NOT LOWER("Process Name") SIMILAR TO '%(wireshark|tshark|dumpcap|rawshark|capinfos|editcap|mergecap)%'
    )
    OR (
      LOWER("Process Name") SIMILAR TO '%(python|perl|ruby|pwsh|powershell)%'
      AND LOWER("Command") SIMILAR TO '%(af_packet|sock_raw|eth_p_all|pcap_open|pcap_loop|libpcap|scapy|impacket)%'
    )
  )
ORDER BY starttime DESC
LIMIT 500

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log (QRadar DSM) Microsoft Sysmon (QRadar DSM) Linux OS (QRadar DSM)

Required Tables

events

False Positives

Authorized network diagnostics by IT or NOC teams using standard tools like Wireshark or tcpdump during scheduled maintenance windows
Security monitoring tools and EDR agents that internally load packet capture libraries (npcap.dll, wpcap.dll) as part of traffic inspection features
Red team or penetration testing activity using Impacket or Scapy against pre-authorized targets, which may be indistinguishable from malicious use without context

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/system" OR _sourceCategory="linux/syslog" OR _sourceCategory="linux/auditd")
// Parse Sysmon fields from XML or structured log
| parse "Image=*\n" as image nodrop
| parse "CommandLine=*\n" as command_line nodrop
| parse "ImageLoaded=*\n" as image_loaded nodrop
| parse "ServiceName=*\n" as service_name nodrop
| parse "User=*\n" as acting_user nodrop
| parse "Computer=*\n" as host nodrop
| parse "EventID=*\n" as event_id nodrop
// Normalize for case-insensitive matching
| toLowerCase(image) as image_lower
| toLowerCase(command_line) as cmd_lower
| toLowerCase(image_loaded) as loaded_lower
// Detection 1: Known sniffing tool process creation
| eval is_sniff_process = if(
    image_lower matches /.*?(tcpdump|tshark|wireshark|windump|dumpcap|rawshark|networkminer|intercepter|sniffpass|pcapdump|ssldump).*?/ OR
    cmd_lower matches /.*?(tcpdump|tshark|wireshark|windump|dumpcap|networkminer|intercepter|sniffpass|scapy|pcap_open|pcap_loop|sock_raw|af_packet|impacket|libpcap).*?/,
    1, 0)
// Detection 2: WinPcap / Npcap driver loaded by non-standard parent
| eval is_pcap_driver_load = if(
    loaded_lower matches /.*?(wpcap\.dll|npcap\.dll|packet\.dll|npf\.sys|npcap\.sys|winpcap\.sys).*?/ AND
    NOT (image_lower matches /.*?(wireshark\.exe|tshark\.exe|dumpcap\.exe|rawshark\.exe|capinfos\.exe|editcap\.exe|mergecap\.exe).*?/),
    1, 0)
// Detection 3: Scripting language with raw socket / pcap API usage
| eval is_raw_socket_script = if(
    image_lower matches /.*?(python|perl\.exe|ruby\.exe|pwsh\.exe|powershell\.exe).*?/ AND
    cmd_lower matches /.*?(af_packet|sock_raw|eth_p_all|pcap_open|pcap_loop|libpcap|scapy|impacket).*?/,
    1, 0)
| where is_sniff_process = 1 OR is_pcap_driver_load = 1 OR is_raw_socket_script = 1
| eval detection_type = if(is_sniff_process = 1, "KnownSniffingTool",
    if(is_pcap_driver_load = 1, "PacketCaptureDriverLoad",
    if(is_raw_socket_script = 1, "RawSocketViaScripting", "Unknown")))
| eval capture_to_file = if(cmd_lower matches /.*?-w .*?/, 1, 0)
| eval targeting_cleartext = if(cmd_lower matches /.*?(port 21|port 23|port 80|port 110|port 143|port 389|ftp|telnet|ldap|smtp|pop3|imap).*?/, 1, 0)
| fields _messageTime, host, acting_user, image, command_line, image_loaded, event_id, detection_type, capture_to_file, targeting_cleartext
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Sysmon source (Windows) Sumo Logic Windows System Event Logs Linux syslog/auditd via Sumo Logic agent

Required Tables

windows/sysmon windows/system linux/syslog linux/auditd

False Positives

Network operations teams running tcpdump or tshark on Linux servers during authorized packet capture for latency analysis or protocol debugging
Security monitoring tools such as CrowdStrike Falcon or Carbon Black that load npcap.dll or wpcap.dll as part of kernel-level traffic inspection
Authorized purple team or red team exercises using Impacket tools (e.g., secretsdump.py) against dedicated lab or test environments

Google Chronicle / SecOps

yaral

rule t1040_network_sniffing {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects network sniffing activity (T1040) including known packet capture tool execution, WinPcap/Npcap driver loading by non-standard processes, and scripting-language-based raw socket or libpcap usage"
    technique = "T1040"
    tactic = "Discovery, Credential Access"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-16"

  events:
    (
      // Detection 1: Known sniffing tool executed by process name
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      (
        re.regex($e.principal.process.file.full_path, `(?i)(tcpdump|tshark|wireshark|windump|dumpcap|rawshark|networkminer|intercepter-ng|sniffpass|pcapdump|ntopng|capinfos|editcap|ssldump)`) or
        re.regex($e.target.process.command_line, `(?i)(tcpdump|tshark|wireshark|windump|dumpcap|networkminer|intercepter|sniffpass|scapy\.all|pcap_open|pcap_loop|sock_raw|af_packet|libpcap|impacket)`)
      )
    ) or
    (
      // Detection 2: WinPcap/Npcap library loaded by non-standard process
      $e.metadata.event_type = "PROCESS_MODULE_LOAD" and
      re.regex($e.target.file.full_path, `(?i)(wpcap\.dll|npcap\.dll|packet\.dll|npf\.sys|npcap\.sys|winpcap\.sys)`) and
      not re.regex($e.principal.process.file.full_path, `(?i)(wireshark\.exe|tshark\.exe|dumpcap\.exe|rawshark\.exe|capinfos\.exe|editcap\.exe|mergecap\.exe)`)
    ) or
    (
      // Detection 3: Scripting language using raw socket or libpcap API
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e.principal.process.file.full_path, `(?i)(python\.exe|python3|perl\.exe|ruby\.exe|pwsh\.exe|powershell\.exe)`) and
      re.regex($e.target.process.command_line, `(?i)(socket\.AF_PACKET|SOCK_RAW|ETH_P_ALL|pcap_open|pcap_loop|pcap_next|libpcap|scapy|impacket)`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle Endpoint Telemetry (Windows Sysmon via forwarder) Chronicle UDM - PROCESS_LAUNCH events Chronicle UDM - PROCESS_MODULE_LOAD events

Required Tables

process_launch UDM events process_module_load UDM events

False Positives

Authorized IT staff or network engineers executing tcpdump or tshark on production systems for legitimate packet capture during incident response or performance troubleshooting
Commercial security products (EDR platforms, packet brokers, NPMD tools) that load npcap.dll or wpcap.dll as part of their standard network visibility features
Scripted automation in CI/CD pipelines or test environments that invoke Scapy or Impacket for network protocol testing against non-production infrastructure

CrowdStrike LogScale (CQL)

cql

// Detection 1: Known packet capture tool process execution
(
  #event_simpleName = "ProcessRollup2"
  | ImageFileName = /(?i)(tcpdump|tshark|wireshark|windump|dumpcap|rawshark|networkminer|intercepter-ng|sniffpass|pcapdump|ntopng|capinfos|editcap|ssldump)/
  OR CommandLine = /(?i)(tcpdump|tshark|wireshark|windump|dumpcap|networkminer|intercepter|sniffpass|scapy\.all|pcap_open|pcap_loop|sock_raw|af_packet|libpcap|impacket)/
  | eval DetectionType = "KnownSniffingTool"
  | eval CaptureToFile = if(CommandLine = /\-w /, "true", "false")
  | eval PromiscuousMode = if(CommandLine = /(?i)(\-i any|promisc|\-\-promiscuous)/, "true", "false")
  | eval TargetingCleartext = if(CommandLine = /(?i)(port (21|23|80|110|143|389)|ftp|telnet|ldap|smtp|pop3|imap)/, "true", "false")
  | table([@timestamp, ComputerName, UserName, UserSid, FileName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType, CaptureToFile, PromiscuousMode, TargetingCleartext])
)

// Detection 2: WinPcap/Npcap driver or DLL loaded by non-standard process
OR
(
  #event_simpleName = "ClassifiedModuleLoad"
  | ModuleFileName = /(?i)(wpcap\.dll|npcap\.dll|packet\.dll|npf\.sys|npcap\.sys|winpcap\.sys)/
  | ImageFileName != /(?i)(wireshark\.exe|tshark\.exe|dumpcap\.exe|rawshark\.exe|capinfos\.exe|editcap\.exe|mergecap\.exe)/
  | eval DetectionType = "PacketCaptureDriverLoad"
  | eval CaptureToFile = "false"
  | eval TargetingCleartext = "false"
  | table([@timestamp, ComputerName, UserName, ImageFileName, ModuleFileName, DetectionType, CaptureToFile, TargetingCleartext])
)

// Detection 3: Scripting languages invoking raw socket or pcap APIs
OR
(
  #event_simpleName = "ProcessRollup2"
  | ImageFileName = /(?i)(python(\.exe|3)?|perl\.exe|ruby\.exe|pwsh\.exe|powershell\.exe)/
  | CommandLine = /(?i)(socket\.AF_PACKET|SOCK_RAW|ETH_P_ALL|pcap_open|pcap_loop|pcap_next|libpcap|scapy|impacket)/
  | eval DetectionType = "RawSocketViaScripting"
  | eval CaptureToFile = if(CommandLine = /(?i)(\-w |wrpcap|pcap_dump)/, "true", "false")
  | eval TargetingCleartext = if(CommandLine = /(?i)(port (21|23|80|110|389))/, "true", "false")
  | table([@timestamp, ComputerName, UserName, UserSid, ImageFileName, CommandLine, ParentBaseFileName, DetectionType, CaptureToFile, TargetingCleartext])
)

| sort(field=@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR (ProcessRollup2) CrowdStrike Falcon EDR (ClassifiedModuleLoad) CrowdStrike Falcon EDR (DnsRequest)

Required Tables

ProcessRollup2 ClassifiedModuleLoad

False Positives

Authorized security operations personnel running Wireshark or tshark on endpoints during network forensics or incident response investigations with management approval
Endpoint security sensors or network monitoring agents (e.g., CrowdStrike Falcon sensor itself) loading WinPcap/Npcap libraries as part of their packet inspection capabilities
DevOps or automation engineers running Python scripts that use Scapy or Impacket for network protocol testing, fuzzing, or integration tests in non-production environments

Last updated: 2026-04-16 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1040 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Network Sniffing

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Credential Access

Popular Detections