From 7405955988999f3fe4e89d90c056614abf948d4e Mon Sep 17 00:00:00 2001 From: Avihay Eldad <46644022+avihayeldad@users.noreply.github.com> Date: Wed, 17 Sep 2025 15:04:18 +0300 Subject: [PATCH 1/7] Create Nmcap.yml --- yml/OtherMSBinaries/Nmcap.yml | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 yml/OtherMSBinaries/Nmcap.yml diff --git a/yml/OtherMSBinaries/Nmcap.yml b/yml/OtherMSBinaries/Nmcap.yml new file mode 100644 index 000000000..8fd11ed33 --- /dev/null +++ b/yml/OtherMSBinaries/Nmcap.yml 
@@ -0,0 +1,34 @@ +--- +Name: Nmcap.exe +Description: Command-line packet capture utility from Microsoft Network Monitor 3.x. +Author: Avihay Eldad +Created: 2025-09-16 +Commands: + - Command: nmcap.exe /network * /capture /file C:\Users\Public\nmcap.cap + Description: Start capture on all adapters and save to nmcap.cap (circular file). + Usecase: Capture network traffic on windows to capture senstive traffic. + Category: Reconnaissance + Privileges: User + MitreID: T1040 + OperatingSystem: Windows + - Command: nmcap.exe /network * /capture /file C:\Users\Public\nmcap.cap /TerminateWhen /TimeAfter 30 seconds. + Description: Start capture and auto-terminate after a relative time period (seconds/minutes/hours/days). + Usecase: Capture network traffic on windows to capture senstive traffic. + Category: Reconnaissance + Privileges: User + MitreID: T1040 + OperatingSystem: Windows + - Command: nmcap.exe /network * /capture /file C:\Users\Public\nmcap.cap /TerminateWhen /Time 04:52:00 AM 9/17/2025 + Description: Start capture and auto-terminate at a specific time/date. + Usecase: Capture network traffic on windows to capture senstive traffic. + Category: Reconnaissance + Privileges: User + MitreID: T1040 +Full_Path: + - Path: C:\Program Files\Microsoft Network Monitor 3\nmcap.exe + - Path: C:\Program Files (x86)\Microsoft Network Monitor 3\nmcap.exe +Resources: + - Link: https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/network-monitor-3 +Acknowledgement: + - Person: Avihay Eldad + Handle: '@AvihayEldad' From eaf7555bddb78d3b08bf0331da1495e984572a5e Mon Sep 17 00:00:00 2001 From: Avihay Eldad <46644022+avihayeldad@users.noreply.github.com> Date: Wed, 17 Sep 2025 15:11:00 +0300 Subject: [PATCH 2/7] Update Nmcap.yml --- yml/OtherMSBinaries/Nmcap.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/yml/OtherMSBinaries/Nmcap.yml b/yml/OtherMSBinaries/Nmcap.yml index 8fd11ed33..1e635b93e 100644 --- a/yml/OtherMSBinaries/Nmcap.yml 
+++ b/yml/OtherMSBinaries/Nmcap.yml @@ -6,21 +6,21 @@ Created: 2025-09-16 Commands: - Command: nmcap.exe /network * /capture /file C:\Users\Public\nmcap.cap Description: Start capture on all adapters and save to nmcap.cap (circular file). - Usecase: Capture network traffic on windows to capture senstive traffic. + Usecase: Capture network traffic on windows to collect senstive traffic. Category: Reconnaissance Privileges: User MitreID: T1040 OperatingSystem: Windows - Command: nmcap.exe /network * /capture /file C:\Users\Public\nmcap.cap /TerminateWhen /TimeAfter 30 seconds. Description: Start capture and auto-terminate after a relative time period (seconds/minutes/hours/days). - Usecase: Capture network traffic on windows to capture senstive traffic. + Usecase: Capture network traffic on windows to collect senstive traffic. Category: Reconnaissance Privileges: User MitreID: T1040 OperatingSystem: Windows - Command: nmcap.exe /network * /capture /file C:\Users\Public\nmcap.cap /TerminateWhen /Time 04:52:00 AM 9/17/2025 Description: Start capture and auto-terminate at a specific time/date. - Usecase: Capture network traffic on windows to capture senstive traffic. + Usecase: Capture network traffic on windows to collect senstive traffic. Category: Reconnaissance Privileges: User MitreID: T1040 From 62eab8967bea6cab24d9b9b17f6da30c570ecaae Mon Sep 17 00:00:00 2001 From: Avihay Eldad <46644022+avihayeldad@users.noreply.github.com> Date: Wed, 17 Sep 2025 15:13:49 +0300 Subject: [PATCH 3/7] Update Nmcap.yml --- yml/OtherMSBinaries/Nmcap.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/yml/OtherMSBinaries/Nmcap.yml b/yml/OtherMSBinaries/Nmcap.yml index 1e635b93e..f0fa5f96e 100644 --- a/yml/OtherMSBinaries/Nmcap.yml +++ b/yml/OtherMSBinaries/Nmcap.yml 
@@ -6,21 +6,27 @@ Created: 2025-09-16 Commands: - Command: nmcap.exe /network * /capture /file C:\Users\Public\nmcap.cap Description: Start capture on all adapters and save to nmcap.cap (circular file). - Usecase: Capture network traffic on windows to collect senstive traffic. + Usecase: Capture network traffic on windows to collect sensitive data. Category: Reconnaissance Privileges: User MitreID: T1040 OperatingSystem: Windows - Command: nmcap.exe /network * /capture /file C:\Users\Public\nmcap.cap /TerminateWhen /TimeAfter 30 seconds. Description: Start capture and auto-terminate after a relative time period (seconds/minutes/hours/days). - Usecase: Capture network traffic on windows to collect senstive traffic. + Usecase: Capture network traffic on windows to collect sensitive data. Category: Reconnaissance Privileges: User MitreID: T1040 OperatingSystem: Windows - Command: nmcap.exe /network * /capture /file C:\Users\Public\nmcap.cap /TerminateWhen /Time 04:52:00 AM 9/17/2025 Description: Start capture and auto-terminate at a specific time/date. - Usecase: Capture network traffic on windows to collect senstive traffic. + Usecase: Capture network traffic on windows to collect sensitive data. + Category: Reconnaissance + Privileges: User + MitreID: T1040 + - Command: nmcap.exe /network * /capture /file C:\Users\Public\nmcap.cap /TerminateWhen /KeyPress x + Description: Start capture and terminate when the specified key is pressed. + Usecase: Capture network traffic on windows to collect sensitive data. Category: Reconnaissance Privileges: User MitreID: T1040 From 272b2e1e0e48036d27998c2061f5a3effea441c3 Mon Sep 17 00:00:00 2001 From: Avihay Eldad <46644022+avihayeldad@users.noreply.github.com> Date: Wed, 17 Sep 2025 15:19:13 +0300 Subject: [PATCH 4/7] Update Nmcap.yml --- yml/OtherMSBinaries/Nmcap.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OtherMSBinaries/Nmcap.yml b/yml/OtherMSBinaries/Nmcap.yml index f0fa5f96e..6ac13e3f8 100644 
--- a/yml/OtherMSBinaries/Nmcap.yml +++ b/yml/OtherMSBinaries/Nmcap.yml @@ -24,12 +24,14 @@ Commands: Category: Reconnaissance Privileges: User MitreID: T1040 + OperatingSystem: Windows - Command: nmcap.exe /network * /capture /file C:\Users\Public\nmcap.cap /TerminateWhen /KeyPress x Description: Start capture and terminate when the specified key is pressed. Usecase: Capture network traffic on windows to collect sensitive data. Category: Reconnaissance Privileges: User MitreID: T1040 + OperatingSystem: Windows Full_Path: - Path: C:\Program Files\Microsoft Network Monitor 3\nmcap.exe - Path: C:\Program Files (x86)\Microsoft Network Monitor 3\nmcap.exe From 526904d7e3f8814fb239cbcdb613000ee4f52ee2 Mon Sep 17 00:00:00 2001 From: Wietze Date: Mon, 16 Mar 2026 13:50:13 +0000 Subject: [PATCH 5/7] Update Nmcap.yml --- yml/OtherMSBinaries/Nmcap.yml | 32 ++++++++------------------------ 1 file changed, 8 insertions(+), 24 deletions(-) diff --git a/yml/OtherMSBinaries/Nmcap.yml b/yml/OtherMSBinaries/Nmcap.yml index 6ac13e3f8..a807feb4c 100644 --- a/yml/OtherMSBinaries/Nmcap.yml +++ b/yml/OtherMSBinaries/Nmcap.yml 
@@ -4,32 +4,16 @@ Description: Command-line packet capture utility from Microsoft Network Monitor Author: Avihay Eldad Created: 2025-09-16 Commands: - - Command: nmcap.exe /network * /capture /file C:\Users\Public\nmcap.cap - Description: Start capture on all adapters and save to nmcap.cap (circular file). + - Command: nmcap.exe /network * /capture /file {PATH_ABSOLUTE:.cap} + Description:| + Start capture on all network adapters and save to specified .cap (circular) file. + Optionally, one can add: + - `/TerminateWhen /TimeAfter 30 seconds` to auto-terminate after a relative times (e.g. 30 seconds); + - `/TerminateWhen /Time 04:52:00 AM 9/17/2025` to auto-terminate after a specific date/time; + - `/TerminateWhen /KeyPress x` to terminate when a specific key is pressed. Usecase: Capture network traffic on windows to collect sensitive data. Category: Reconnaissance - Privileges: User - MitreID: T1040 - OperatingSystem: Windows - - Command: nmcap.exe /network * /capture /file C:\Users\Public\nmcap.cap /TerminateWhen /TimeAfter 30 seconds. - Description: Start capture and auto-terminate after a relative time period (seconds/minutes/hours/days). - Usecase: Capture network traffic on windows to collect sensitive data. - Category: Reconnaissance - Privileges: User - MitreID: T1040 - OperatingSystem: Windows - - Command: nmcap.exe /network * /capture /file C:\Users\Public\nmcap.cap /TerminateWhen /Time 04:52:00 AM 9/17/2025 - Description: Start capture and auto-terminate at a specific time/date. - Usecase: Capture network traffic on windows to collect sensitive data. - Category: Reconnaissance - Privileges: User - MitreID: T1040 - OperatingSystem: Windows - - Command: nmcap.exe /network * /capture /file C:\Users\Public\nmcap.cap /TerminateWhen /KeyPress x - Description: Start capture and terminate when the specified key is pressed. - Usecase: Capture network traffic on windows to collect sensitive data. 
- Category: Reconnaissance - Privileges: User + Privileges: Reconnaissance MitreID: T1040 OperatingSystem: Windows Full_Path: From de6ad1f37ee3cd6231614d9fa6559124db862d53 Mon Sep 17 00:00:00 2001 From: Wietze Date: Mon, 16 Mar 2026 13:50:30 +0000 Subject: [PATCH 6/7] Fix formatting of command description in Nmcap.yml --- yml/OtherMSBinaries/Nmcap.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OtherMSBinaries/Nmcap.yml b/yml/OtherMSBinaries/Nmcap.yml index a807feb4c..25d8c0c9d 100644 --- a/yml/OtherMSBinaries/Nmcap.yml +++ b/yml/OtherMSBinaries/Nmcap.yml @@ -5,7 +5,7 @@ Author: Avihay Eldad Created: 2025-09-16 Commands: - Command: nmcap.exe /network * /capture /file {PATH_ABSOLUTE:.cap} - Description:| + Description: | Start capture on all network adapters and save to specified .cap (circular) file. Optionally, one can add: - `/TerminateWhen /TimeAfter 30 seconds` to auto-terminate after a relative times (e.g. 30 seconds); From 615df597827c388dd4e743eb5c5d958af3bd6753 Mon Sep 17 00:00:00 2001 From: Wietze Date: Mon, 16 Mar 2026 13:50:47 +0000 Subject: [PATCH 7/7] Change privileges from 'Reconnaissance' to 'Administrator' --- yml/OtherMSBinaries/Nmcap.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OtherMSBinaries/Nmcap.yml b/yml/OtherMSBinaries/Nmcap.yml index 25d8c0c9d..8235a26e6 100644 --- a/yml/OtherMSBinaries/Nmcap.yml +++ b/yml/OtherMSBinaries/Nmcap.yml @@ -13,7 +13,7 @@ Commands: - `/TerminateWhen /KeyPress x` to terminate when a specific key is pressed. Usecase: Capture network traffic on windows to collect sensitive data. Category: Reconnaissance - Privileges: Reconnaissance + Privileges: Administrator MitreID: T1040 OperatingSystem: Windows Full_Path:
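Review bot: In PATCH 1/7 the second command, `nmcap.exe /network * /capture /file C:\Users\Public\nmcap.cap /TerminateWhen /TimeAfter 30 seconds.`, ends with a period that is not part of the syntax and would be handed to nmcap as part of the last argument; drop it. In the same hunk the third command entry has no `OperatingSystem: Windows` line although the first two do, and all three Usecase lines misspell "senstive" and write "windows" in lower case; suggest `Usecase: Capture network traffic on Windows to collect sensitive data.` for each. All of these are corrected piecemeal by later commits in the series, so squashing the series would leave a single reviewable change.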
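Review bot: PATCH 2/7 only swaps "capture" for "collect" in the three Usecase lines and leaves the "senstive" typo on the very lines it touches, which PATCH 3/7 then fixes; fold the two into one commit with a subject that says what changed, since `Update Nmcap.yml` describes nothing.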
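Review bot: In PATCH 3/7 the newly added `/TerminateWhen /KeyPress x` entry is missing `OperatingSystem: Windows`, as is the `/Time` entry directly above it, so two of the four commands are incomplete until PATCH 4/7 adds the field; add it together with the entry so each commit leaves the file consistent. The four entries also differ only in their `/TerminateWhen` suffix while repeating identical Usecase, Category, Privileges and MitreID blocks, which is the duplication PATCH 5/7 later collapses into one entry.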
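Review bot: In PATCH 5/7, `Description:|` lacks the space before the block indicator, so the file does not parse as the intended multi-line scalar (corrected in PATCH 6/7), and `Privileges: Reconnaissance` repeats the Category value in place of a privilege level (corrected in PATCH 7/7); both fixes belong in this commit, which introduces the defects. Two wording points in the new description block: "a relative times" should read "a relative time", and the `/Time` bullet "auto-terminate after a specific date/time" should read "at a specific date/time", matching the wording of the entry it replaces ("at a specific time/date").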
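Review bot: PATCH 7/7 settles Privileges on `Administrator`, whereas PATCH 1/7 through 4/7 carried `User` for every entry, and neither the commit message nor the description says why the level changed; since this field tells defenders which accounts can run the capture, state the reason (for example, if the capture driver needs elevation) in the Description or the commit message. If the project's schema offers a Detection field, consider adding one alongside Full_Path, such as an IOC for nmcap.exe running from outside the two install directories listed there or writing a .cap file to a user-writable location like the original `C:\Users\Public` example, so the entry is actionable for blue teams as well.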