
T1040 Network Sniffing

T1040

Required Tables

  • process_events

Returned Fields

Field Description
username username of the account that created the process event
path path of the executable for the process event

Query

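-- T1040 Network Sniffing: flag process events whose executable basename
-- matches a known packet-capture / network-sniffing tool.
--
-- Returned fields: username (account that created the process event) and path
-- (executable path). Rows come back oldest first via unix_nano_timestamp,
-- which is deliberately not projected so the documented Returned Fields
-- stay as (username, path).
--
-- Why reverse/split_part: split_part has no "last segment" index, so the path
-- is reversed, its first '/'-delimited segment taken, then reversed back to get
-- the basename. A path with no '/' yields the whole string, so bare command
-- names still match. lower() makes the comparison case-insensitive: the list
-- is all lower-case, so e.g. /opt/TCPDUMP (a renamed or case-insensitive-
-- filesystem copy) is no longer missed.
--
-- NOTE(review): several entries ('net', 'ssl', 'wifi', 'creds', 'hungry',
-- 'pth', 'mots', 'ofp') are short generic names and will also match unrelated
-- binaries; expect to tune this list per environment rather than treat a hit
-- as confirmed sniffing on its own.
SELECT
    username,
    path
FROM process_events
WHERE lower(reverse(split_part(reverse(path), '/', 1)))
    IN (
        'tcpdump', 'tshark', 'bettercap', 'bittwist', 'capfuzz',
        'cdpsnarf', 'cottontail', 'creds', 'darkstat', 'dsniff',
        'eigrp', 'ettercap', 'firstorder', 'hexinject', 'httpry',
        'httpsniff', 'hubbit', 'hungry', 'issniff', 'junkie',
        'katsnoop', 'mfsniffer', 'mitmproxy', 'mitmer', 'mots',
        'net', 'netsniff', 'nsntrace', 'ofp', 'ostinato',
        'passivedns', 'pcapteller', 'pth', 'pytacle', 'sipffer',
        'snapception', 'sniffglue', 'ssl', 'ssldump', 'sslsniff',
        'stenographer', 'tcpick', 'wifi', 'wireshark', 'xcavator'
    )
ORDER BY unix_nano_timestamp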