Detectioninformationaltest

Network Sniffing - MacOs

Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Alejandro Ortuno, oscd.communityCreated Wed Oct 14Updated Sat Nov 26adc9bcc4-c39c-4f6b-a711-1884017bf043macos

Log Source

macOSProcess Creation

ProductmacOS← raw: macos

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        Image|endswith:
            - '/tcpdump'
            - '/tshark'
    condition: selection

False Positives

Legitimate administration activities

References

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0007 · Discovery TA0006 · Credential Access

Techniques

T1040 · Network Sniffing

Rule Metadata

Rule ID

adc9bcc4-c39c-4f6b-a711-1884017bf043

Status

test

Level

informational

Type

Detection

Created

Wed Oct 14

Modified

Sat Nov 26

Author

Alejandro Ortuno, oscd.community

Path

rules/macos/process_creation/proc_creation_macos_network_sniffing.yml

Raw Tags

attack.discoveryattack.credential-accessattack.t1040

View on GitHub