Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | N/A (single event)
Deduplication Period | 1 Day
Required Data |
Detection Modules |
Detector Tags |
ATT&CK Tactic |
ATT&CK Technique |
Severity | Informational
Description
A process wrote a known networking driver with network sniffing capabilities to disk. Attackers can use such a driver to sniff passwords and other credentials from the network.
Attacker's Goals
Read raw network data in promiscuous mode. This gives the attacker the capability to sniff passwords and other credentials from the organization's network and, in other cases, to interfere with the network.
Investigative actions
- Verify whether the process is known to IT or to the user.
- Check whether the driver was installed recently; if it was installed with sc.exe, this action can be malicious (check who ran sc.exe to verify).
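The following triage script is an added example for the two investigative actions above; it is not part of the detector. It assumes the Service Control Manager writes Event ID 7045 to the System log for each installed driver, and that process-creation auditing with command-line logging (Security log, Event ID 4688) is enabled for the sc.exe part.

```powershell
# Added triage helper (not part of the detector) for the two investigative actions:
# list kernel-mode drivers registered in the last $Days days (System log, Event ID
# 7045 "A service was installed in the system"), show each driver file's on-disk
# creation time and Authenticode signer, then list who ran sc.exe in the same
# window (Security log, Event ID 4688; needs process-creation auditing with
# command-line logging). Run from an elevated PowerShell session.
param([int]$Days = 30)

function Get-EventData($Event) {
    # Read the named EventData fields rather than relying on positional indexes.
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

function Resolve-DriverPath([string]$ImagePath) {
    # ImagePath comes in several forms: \SystemRoot\..., \??\C:\..., or a path
    # relative to the Windows directory such as system32\drivers\x.sys.
    $p = $ImagePath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$since = (Get-Date).AddDays(-$Days)

Write-Host "Kernel-mode drivers installed since $since (Event ID 7045):"
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
  ForEach-Object {
    $d = Get-EventData $_
    if ($d.ServiceType -notmatch 'kernel') { return }   # skip user-mode services
    $path = Resolve-DriverPath $d.ImagePath
    $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    $sig  = if ($file) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }
    [pscustomobject]@{
      Installed   = $_.TimeCreated
      Service     = $d.ServiceName
      Path        = $path
      FileCreated = if ($file) { $file.CreationTime } else { 'file missing' }
      Signature   = if ($sig) { $sig.Status } else { $null }
      Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
  } | Format-Table -AutoSize

Write-Host "sc.exe executions since $since (Event ID 4688):"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
  ForEach-Object { Get-EventData $_ } |
  Where-Object { $_.NewProcessName -like '*\sc.exe' } |
  ForEach-Object { [pscustomobject]@{ User = $_.SubjectUserName; Parent = $_.ParentProcessName; CommandLine = $_.CommandLine } } |
  Format-Table -AutoSize
```

A driver whose file creation time is much older than its 7045 install time, or whose signer is unexpected for the host's software inventory, is the case worth escalating.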
Variations
Possible use of a networking driver for network sniffing