.. /Nmcap.exe

Star

Paths:

• C:\Program Files\Microsoft Network Monitor 3\nmcap.exe
• C:\Program Files (x86)\Microsoft Network Monitor 3\nmcap.exe

Resources:

• https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/network-monitor-3

Acknowledgements:

• Avihay Eldad (@AvihayEldad)

Reconnaissance

1. Start capture on all network adapters and save to specified .cap (circular) file. Optionally, one can add:

   • /TerminateWhen /TimeAfter 30 seconds to auto-terminate after a relative times (e.g. 30 seconds);
   • /TerminateWhen /Time 04:52:00 AM 9/17/2025 to auto-terminate after a specific date/time;
   • /TerminateWhen /KeyPress x to terminate when a specific key is pressed.

   nmcap.exe /network * /capture /file {PATH_ABSOLUTE:.cap}

   Use case

   Capture network traffic on windows to collect sensitive data.

   Privileges required

   Administrator

   Operating systems

   Windows

   ATT&CK® technique

   T1040