T1040: Network Sniffing
| View on MITRE ATT&CK | T1040 |
|---|---|
| Tactic(s) | Credential Access, Discovery |
| Associated CAPEC Patterns | Sniff Application Code (CAPEC-65), Utilizing REST's Trust in the System Resource to Obtain Sensitive Data (CAPEC-57), Sniffing Network Traffic (CAPEC-158) |
Data from MITRE ATT&CK®:
Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as LLMNR/NBT-NS Poisoning and SMB Relay, can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.
In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)
On network devices, adversaries may perform network captures using Network Device CLI commands such as monitor capture.(Citation: US-CERT-TA18-106A)(Citation: capture_embedded_packet_on_software)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Reporting on this Technique
ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices
This blog post from Cisco Talos discusses ArcaneDoor, an espionage-focused campaign targeting perimeter network devices, which are crucial for ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
Mitigations for this technique
MITRE ATT&CK Mitigations
Encrypt Sensitive Information
Protect sensitive information with strong encryption.
Multi-factor Authentication
Use two or more pieces of evidence to authenticate to a system, such as a username and password in addition to a token from a physical smart card or token generator.
Network Segmentation
Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services...
User Account Management
Manage the creation, modification, use, and permissions associated with user accounts.
How to detect this technique
MITRE ATT&CK Data Components
Process Creation (Process)
The initial construction of an executable managed by the OS, which may involve one or more tasks or threads (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc.)
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Filtered Packet Capture FreeBSD using /dev/bpfN with sudo
Packet Capture Linux using tshark or tcpdump
Packet Capture Windows Command Prompt
Packet Capture macOS using tcpdump or tshark
PowerShell Network Sniffing
Windows Internal pktmon capture
Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo
Packet Capture macOS using /dev/bpfN with sudo
Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo
Windows Internal Packet Capture
Filtered Packet Capture macOS using /dev/bpfN with sudo
Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo
Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo
Packet Capture FreeBSD using /dev/bpfN with sudo
Windows Internal pktmon set filter
Packet Capture FreeBSD using tshark or tcpdump
Sigma Detections for this Technique
Potential Network Sniffing Activity Using Network Tools
Harvesting Of Wifi Credentials Via Netsh.EXE
Windows Pcap Drivers
Network Sniffing - MacOs
PktMon.EXE Execution
Network Sniffing - Linux
Cisco Sniffing
New Network Trace Capture Started Via Netsh.EXE
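As an added illustration of how the Process Creation and Command Execution data components feed the detections named above, the following matcher runs a small rule set over constructed Sysmon EID 1 style events. It is example code written for this page, not code from MITRE or from the Sigma project; the rule patterns, rule-to-title mapping and sample events are assumptions modelled on the Sigma rule titles listed here.

```python
import re
from typing import Dict, List

# Constructed process-creation events shaped like Sysmon EID 1 / Win EID 4688
# records (Image, CommandLine). Sample data for the example, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\pktmon.exe", "CommandLine": "pktmon start --etw -f trace.etl"},
    {"Image": r"C:\Windows\System32\netsh.exe", "CommandLine": r"netsh trace start capture=yes tracefile=c:\t.etl"},
    {"Image": r"C:\Windows\System32\netsh.exe", "CommandLine": "netsh wlan show profile name=corp key=clear"},
    {"Image": "/usr/sbin/tcpdump", "CommandLine": "tcpdump -i eth0 -w out.pcap"},
    {"Image": "/usr/bin/tshark", "CommandLine": "tshark -i en0 -f 'port 80'"},
    {"Image": r"C:\Windows\System32\netsh.exe", "CommandLine": "netsh interface show interface"},
    {"Image": "/usr/bin/python3", "CommandLine": "python3 app.py"},
]

# Hypothetical rule set whose titles mirror the Sigma rules listed on this page.
# Each rule is (title, image regex, command-line regex); both must match.
RULES = [
    ("PktMon.EXE Execution", r"(^|[\\/])pktmon(\.exe)?$", r"."),
    ("New Network Trace Capture Started Via Netsh.EXE", r"(^|[\\/])netsh(\.exe)?$", r"\btrace\b.*\bstart\b"),
    ("Harvesting Of Wifi Credentials Via Netsh.EXE", r"(^|[\\/])netsh(\.exe)?$", r"\bwlan\b.*\bkey=clear\b"),
    ("Potential Network Sniffing Activity Using Network Tools", r"(^|[\\/])(tcpdump|tshark)(\.exe)?$", r"\s-i\s"),
]


def match_event(event: Dict[str, str]) -> List[str]:
    """Return the titles of every rule whose image and command-line patterns both match (case-insensitive)."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    return [
        title
        for title, image_re, cmd_re in RULES
        if re.search(image_re, image, re.I) and re.search(cmd_re, cmd, re.I)
    ]


def scan(events) -> Dict[str, List[str]]:
    """Map each event's command line to the rule titles it triggered; silent events are dropped."""
    report = {}
    for event in events:
        hits = match_event(event)
        if hits:
            report[event["CommandLine"]] = hits
    return report


if __name__ == "__main__":
    for cmd, titles in scan(SAMPLE_EVENTS).items():
        print(f"{cmd!r} -> {titles}")
```

The benign netsh and python3 events produce no hit, which is the point of anchoring each rule on both the image and the command-line shape rather than the binary name alone.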
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.