From 9823ed9f3dc2465351b152e07138628f63f2d2a6 Mon Sep 17 00:00:00 2001
From: jtothej
Date: Thu, 3 Aug 2023 16:22:39 +0800
Subject: [PATCH] Add capture-packets-using-sharppcap.yml

---
 .../network/capture-packets-using-sharppcap.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 collection/network/capture-packets-using-sharppcap.yml

diff --git a/collection/network/capture-packets-using-sharppcap.yml b/collection/network/capture-packets-using-sharppcap.yml
new file mode 100644
index 000000000..853016008
--- /dev/null
+++ b/collection/network/capture-packets-using-sharppcap.yml
@@ -0,0 +1,17 @@
+rule:
+  meta:
+    name: capture packets using SharpPcap
+    namespace: collection/network
+    authors:
+      - jakub.jozwiak@mandiant.com
+    scope: function
+    att&ck:
+      - Discovery::Network Sniffing [T1040]
+    references:
+      - https://github.com/dotpcap/sharppcap
+    examples:
+      - aefae71bca4bbaa2c013ddf040d797628c8d3da7346108c12735239a86fdfa71:0x6000038
+  features:
+    - and:
+      - format: dotnet
+      - api: SharpPcap.LibPcap.PcapDevice::add_OnPacketArrival
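Review bot: The only behavioural feature in the new rule is `api: SharpPcap.LibPcap.PcapDevice::add_OnPacketArrival`, which presumably misses samples that subscribe to the event through the `SharpPcap.ICaptureDevice` interface, because the .NET method reference then names the interface type rather than `PcapDevice`; consider widening it to `- or:` over `SharpPcap.LibPcap.PcapDevice::add_OnPacketArrival` and `SharpPcap.ICaptureDevice::add_OnPacketArrival`. Polling-style capture that never registers the event handler is also outside what this feature matches, so the name "capture packets using SharpPcap" is broader than the detection itself; either narrow the name or add the alternative entry points. A one-line description in `meta` stating that the rule keys on event-handler registration would make that coverage gap explicit to the next maintainer, e.g. `description: matches registration of a SharpPcap OnPacketArrival handler`.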