Description
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use SPAN (mirror) ports on a switch to capture a larger amount of data.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Name-service poisoning techniques such as Name Resolution Poisoning and SMB Relay can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) useful for subsequent Lateral Movement and/or Defense Evasion. Adversaries may likewise sniff traffic during Adversary-in-the-Middle (AiTM) to passively gain additional knowledge about the environment.
In cloud-based environments, adversaries can use the provider's traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure virtual network TAP allow users to define specified instances to collect traffic from and specified targets to send the collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic is cleartext: TLS is terminated at the load balancer to reduce the cost of encrypting and decrypting traffic, so the leg between the load balancer and the back-end instances is unencrypted and is exactly what a mirror session copies.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account, for example by directing the mirror target at infrastructure they control, in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)
On network devices, adversaries may perform network captures using Network Device CLI commands such as monitor capture.(Citation: US-CERT-TA18-106A)(Citation: capture_embedded_packet_on_software)
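The passive capture described above, reduced to its essentials as an added example (this is not code from the ATT&CK page or from any of the tools it lists): a minimal decoder that walks Ethernet, IPv4 and TCP headers and pulls credentials out of two cleartext protocols, HTTP Basic authentication and FTP USER/PASS. The frames it runs over are constructed in-line with made-up addresses and credentials so the decoder can be exercised offline; the `live_capture` function shows the promiscuous-mode AF_PACKET setup on Linux (it needs CAP_NET_RAW and is not called by default).

```python
"""Added example: decode raw frames and extract cleartext credentials.
Sample frames are constructed below; nothing here is a real capture."""
import base64
import re
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def parse_frame(frame: bytes):
    """Decode Ethernet -> IPv4 -> TCP. Returns (src, dst, sport, dport, payload),
    or None for anything that is not IPv4/TCP (ARP, IPv6, UDP, runt frames)."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20 or (ip[0] >> 4) != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP or ihl < 20 or total_len > len(ip):
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4          # TCP header length incl. options
    return src, dst, sport, dport, tcp[data_off:]


BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)
FTP_RE = re.compile(rb"^(USER|PASS)[ \t]+(\S+)", re.I | re.M)


def extract_credentials(payload: bytes):
    """Return [(kind, value)] for credential material in one TCP segment."""
    found = []
    for m in BASIC_RE.finditer(payload):
        try:
            decoded = base64.b64decode(m.group(1), validate=True)
        except ValueError:                   # binascii.Error: not real base64, skip
            continue
        found.append(("http-basic", decoded.decode("utf-8", "replace")))
    for m in FTP_RE.finditer(payload):
        found.append(("ftp-" + m.group(1).decode().lower(), m.group(2).decode("utf-8", "replace")))
    return found


def sniff_frames(frames):
    """Run the decoder over an iterable of raw frames; return hits with endpoints."""
    hits = []
    for frame in frames:
        decoded = parse_frame(frame)
        if decoded is None:
            continue
        src, dst, sport, dport, payload = decoded
        for kind, value in extract_credentials(payload):
            hits.append({"src": src, "dst": dst, "dport": dport, "kind": kind, "value": value})
    return hits


def live_capture(interface: str, count: int = 50):
    """Linux only, needs CAP_NET_RAW: AF_PACKET socket on ETH_P_ALL plus a
    PACKET_MR_PROMISC membership, i.e. the promiscuous-mode capture the text describes."""
    eth_p_all, packet_mr_promisc = 0x0003, 1
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(eth_p_all))
    s.bind((interface, 0))
    mreq = struct.pack("IHH8s", socket.if_nametoindex(interface), packet_mr_promisc, 0, b"\x00" * 8)
    s.setsockopt(socket.SOL_PACKET, socket.PACKET_ADD_MEMBERSHIP, mreq)
    return sniff_frames(s.recv(65535) for _ in range(count))


# --- constructed sample traffic (hypothetical hosts and credentials) ---
def build_frame(src, dst, sport, dport, payload: bytes) -> bytes:
    """Synthetic Ethernet/IPv4/TCP frame; checksums are left zero, the decoder ignores them."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.20", 51000, 80,
                b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
                + base64.b64encode(b"alice:Summer2024!") + b"\r\n\r\n"),
    build_frame("10.0.0.5", "10.0.0.21", 51001, 21, b"USER bob\r\n"),
    build_frame("10.0.0.5", "10.0.0.21", 51001, 21, b"PASS hunter2\r\n"),
    build_frame("10.0.0.5", "10.0.0.22", 51002, 443, bytes.fromhex("160301000a") + b"\x00" * 10),  # TLS: opaque
]

if __name__ == "__main__":
    for hit in sniff_frames(SAMPLE_FRAMES):
        print(hit)
```

The TLS frame yields nothing, which is the whole point of the Encrypt Sensitive Information mitigation: the same decoder that recovers the HTTP and FTP credentials sees only opaque bytes once the session is encrypted.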
Mitigations (4)
User Account ManagementM1018
In cloud environments, ensure that users are not granted permissions to create or modify traffic mirrors (for AWS, the ec2:CreateTrafficMirror* and ec2:ModifyTrafficMirror* actions) unless this is explicitly required.
Multi-factor AuthenticationM1032
Use multi-factor authentication wherever possible, so that a password captured from the wire is not by itself sufficient to authenticate.
Encrypt Sensitive InformationM1041
Ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by TLS. Where TLS is terminated at a load balancer, the leg from the load balancer to the back-end instances is cleartext; re-encrypt that segment if it can be mirrored or sniffed.
Network SegmentationM1030
Deny direct access to broadcasts and multicast sniffing, and prevent attacks such as Name Resolution Poisoning and SMB Relay.
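The cloud-mirroring abuse from the Description and the User Account Management mitigation both come down to a small set of EC2 API calls, so the detection side is an audit-log rule. Below is an added example (not from the ATT&CK page nor from the cited Rhino Security Labs or SpecterOps posts) that evaluates AWS CloudTrail records: it flags any call that creates or repoints a traffic mirror by a principal outside the expected mirroring workflow, and raises severity when the mirror target's ARN belongs to a different account than the one the log came from. The records, the `netops-mirroring` role, the account numbers and the resource IDs are constructed for the example and trimmed to the fields the logic reads.

```python
"""Added example: CloudTrail rule for EC2 Traffic Mirroring abuse.
Records below are constructed; account IDs, role and resource IDs are hypothetical."""
import json
import re

# EC2 actions that create or repoint a mirror. The allow-list is an assumption:
# whichever principal legitimately manages mirroring in the monitored account.
MIRROR_ACTIONS = {
    "CreateTrafficMirrorTarget", "CreateTrafficMirrorSession",
    "CreateTrafficMirrorFilter", "CreateTrafficMirrorFilterRule",
    "ModifyTrafficMirrorSession",
}
EXPECTED_PRINCIPALS = {"arn:aws:iam::111122223333:role/netops-mirroring"}
ARN_ACCOUNT_RE = re.compile(r"^arn:aws:[^:]*:[^:]*:(\d{12}):")


def target_account(params: dict):
    """Owner of the mirror target when it is a network load balancer (the ARN carries
    the account). An ENI target only gives an eni- id, which needs a
    DescribeNetworkInterfaces lookup to resolve, so it returns None here."""
    m = ARN_ACCOUNT_RE.match(params.get("networkLoadBalancerArn") or "")
    return m.group(1) if m else None


def evaluate(record: dict):
    """Return a finding dict for a mirror-related record, or None."""
    if record.get("eventSource") != "ec2.amazonaws.com" or record.get("eventName") not in MIRROR_ACTIONS:
        return None
    action = record["eventName"]
    principal = record.get("userIdentity", {}).get("arn", "")
    params = record.get("requestParameters") or {}
    reasons, severity = [], "medium"
    if principal not in EXPECTED_PRINCIPALS:
        reasons.append(f"{action} by principal outside the mirroring workflow")
    owner = target_account(params)
    if owner and owner != record.get("recipientAccountId"):
        severity = "high"                    # traffic is being copied out of the account
        reasons.append(f"mirror target owned by foreign account {owner}")
    if record.get("errorCode"):
        reasons.append(f"call failed ({record['errorCode']}): possible permission probing")
    if not reasons:
        return None
    return {"time": record.get("eventTime"), "principal": principal, "action": action,
            "severity": severity, "reasons": reasons}


def scan(lines):
    """Evaluate newline-delimited JSON CloudTrail records; return findings in log order."""
    findings = []
    for line in lines:
        if line.strip():
            finding = evaluate(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


# --- constructed records (shape approximates CloudTrail; not real log data) ---
def _rec(name, principal, params, error=None, time="2024-05-02T10:15:00Z"):
    r = {"eventTime": time, "eventSource": "ec2.amazonaws.com", "eventName": name,
         "awsRegion": "us-east-1", "recipientAccountId": "111122223333",
         "userIdentity": {"arn": principal}, "requestParameters": params}
    if error:
        r["errorCode"] = error
    return r


NETOPS = "arn:aws:iam::111122223333:role/netops-mirroring"
DEPLOY = "arn:aws:iam::111122223333:user/ci-deploy"      # assumed compromised access key
SAMPLE_LINES = [json.dumps(r) for r in [
    _rec("CreateTrafficMirrorFilter", NETOPS, {"description": "ids-feed"}),
    _rec("DescribeInstances", DEPLOY, {}),
    _rec("CreateTrafficMirrorTarget", DEPLOY,
         {"networkLoadBalancerArn":
          "arn:aws:elasticloadbalancing:us-east-1:999988887777:loadbalancer/net/collector/0123456789abcdef"}),
    _rec("CreateTrafficMirrorSession", DEPLOY,
         {"networkInterfaceId": "eni-0a1b2c3d4e5f60718", "trafficMirrorTargetId": "tmt-0123456789abcdef0",
          "trafficMirrorFilterId": "tmf-0123456789abcdef0", "sessionNumber": 1}),
    _rec("ModifyTrafficMirrorSession", DEPLOY, {"trafficMirrorSessionId": "tms-0123456789abcdef0"},
         error="Client.UnauthorizedOperation"),
]]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f["severity"], f["action"], f["principal"], f["reasons"])
```

The preventive counterpart, assuming the same single operations role, is an IAM or SCP statement that denies the ec2:CreateTrafficMirror* and ec2:ModifyTrafficMirror* actions to every other principal; the rule above then only has to fire on the role's own sessions and on failed attempts by everyone else.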
Threat Groups (8)
| ID | Group | Context |
|---|---|---|
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has used intercepter-NG to sniff passwords in network traffic.(Citation: ESET Telebots Dec 2016... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used the Nirsoft SniffPass network sniffer to obtain passwords sent over non-secure protocols.(Ci... |
| G1047 | Velvet Ant | [Velvet Ant](https://attack.mitre.org/groups/G1047) has used a custom tool, "VELVETTAP", to perform packet capture from compromised F5 BIG-IP devices.... |
| G1045 | Salt Typhoon | [Salt Typhoon](https://attack.mitre.org/groups/G1045) has used a variety of tools and techniques to capture packet data between network interfaces.(Ci... |
| G0064 | APT33 | [APT33](https://attack.mitre.org/groups/G0064) has used SniffPass to collect credentials by sniffing network traffic.(Citation: Symantec Elfin Mar 201... |
| G1048 | UNC3886 | [UNC3886](https://attack.mitre.org/groups/G1048) has used the LOOKOVER sniffer to sniff TACACS+ authentication packets.(Citation: Google Cloud Mandian... |
| G0105 | DarkVishnya | [DarkVishnya](https://attack.mitre.org/groups/G0105) used network sniffing to obtain login data. (Citation: Securelist DarkVishnya Dec 2018) |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) deployed the open source tool Responder to conduct NetBIOS Name Service poisoning, which captured usern... |
Associated Software (17)
| ID | Name | Type | Context |
|---|---|---|---|
| S0357 | Impacket | Tool | [Impacket](https://attack.mitre.org/software/S0357) can be used to sniff network traffic via an interface or raw socket.(Citation: Impacket Tools) |
| S0590 | NBTscan | Tool | [NBTscan](https://attack.mitre.org/software/S0590) can dump and print whole packet content.(Citation: Debian nbtscan Nov 2019)(Citation: SecTools nbts... |
| S0443 | MESSAGETAP | Malware | [MESSAGETAP](https://attack.mitre.org/software/S0443) uses the libpcap library to listen to all traffic and parses network protocols starting with Eth... |
| S1206 | JumbledPath | Malware | [JumbledPath](https://attack.mitre.org/software/S1206) has the ability to perform packet capture on remote devices via actor-defined jump-hosts.(Citat... |
| S1224 | CASTLETAP | Malware | [CASTLETAP](https://attack.mitre.org/software/S1224) has the ability to create a raw promiscuous socket to sniff network traffic.(Citation: Mandiant F... |
| S0587 | Penquin | Malware | [Penquin](https://attack.mitre.org/software/S0587) can sniff network traffic to look for packets matching specific conditions.(Citation: Leonardo Turl... |
| S0661 | FoggyWeb | Malware | [FoggyWeb](https://attack.mitre.org/software/S0661) can configure custom listeners to passively monitor all incoming HTTP GET and POST requests sent t... |
| S0363 | Empire | Tool | [Empire](https://attack.mitre.org/software/S0363) can be used to conduct packet captures on target hosts.(Citation: Github PowerShell Empire) |
| S0174 | Responder | Tool | [Responder](https://attack.mitre.org/software/S0174) captures hashes and credentials that are sent to the system after the name services have been poi... |
| S9024 | SPAWNCHIMERA | Malware | [SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has monitored and filtered network traffic on compromised edge devices, allowing legitimate tr... |
| S0367 | Emotet | Malware | [Emotet](https://attack.mitre.org/software/S0367) has been observed to hook network APIs to monitor network traffic. (Citation: Trend Micro Banking Ma... |
| S1204 | cd00r | Malware | [cd00r](https://attack.mitre.org/software/S1204) can use the libpcap library to monitor captured packets for specific sequences.(Citation: Hartrell cd0... |
| S1186 | Line Dancer | Malware | [Line Dancer](https://attack.mitre.org/software/S1186) can create and exfiltrate packet captures from compromised environments.(Citation: Cisco Arcane... |
| S1203 | J-magic | Malware | [J-magic](https://attack.mitre.org/software/S1203) has a pcap listener function that can create an Extended Berkeley Packet Filter (eBPF) on designated... |
| S0378 | PoshC2 | Tool | [PoshC2](https://attack.mitre.org/software/S0378) contains a module for taking packet captures on compromised hosts.(Citation: GitHub PoshC2) |
| S1154 | VersaMem | Malware | [VersaMem](https://attack.mitre.org/software/S1154) hooked the Catalina application filter chain `doFilter` on compromised systems to monitor all inbo... |
| S0019 | Regin | Malware | [Regin](https://attack.mitre.org/software/S0019) appears to have functionality to sniff for credentials passed over HTTP, SMTP, and SMB.(Citation: Kas... |
References
- Amazon Web Services. (n.d.). How Traffic Mirroring works. Retrieved March 17, 2022.
- Cisco. (2022, August 17). Configure and Capture Embedded Packet on Software. Retrieved July 13, 2022.
- Google Cloud. (n.d.). Packet Mirroring overview. Retrieved March 17, 2022.
- Luke Paine. (2020, March 11). Through the Looking Glass — Part 1. Retrieved March 17, 2022.
- Microsoft. (2022, February 9). Virtual network TAP. Retrieved March 17, 2022.
- Spencer Gietzen. (2019, September 17). Abusing VPC Traffic Mirroring in AWS. Retrieved March 17, 2022.
- US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
Frequently Asked Questions
What is T1040 (Network Sniffing)?
T1040 is a MITRE ATT&CK technique named 'Network Sniffing'. It belongs to the Credential Access and Discovery tactics. Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network int...
How can T1040 be detected?
Because the capture itself is passive, detection of T1040 (Network Sniffing) relies on the sniffer's setup rather than on the traffic it reads. On hosts, check network interfaces for promiscuous mode, watch for execution of capture tools (tcpdump, tshark, Wireshark, Responder, Impacket and the like), and look for processes that open raw or AF_PACKET sockets. On network devices, audit CLI activity such as monitor capture commands.(Citation: US-CERT-TA18-106A) In cloud environments, alert on API calls that create or modify traffic mirror sessions, targets and filters (in AWS these appear in CloudTrail as events such as CreateTrafficMirrorSession and CreateTrafficMirrorTarget), especially when the target lies outside the account. SIEM rules, EDR telemetry and behavioral analytics over these sources are the usual way to surface this activity.
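To make the host-side checks concrete, here is an added example (not from the ATT&CK page) that looks for the three Linux primitives a sniffer needs: an interface with the PROMISC flag, an AF_PACKET socket bound to every protocol (ETH_P_ALL) in /proc/net/packet, and a known capture tool in the process list. The inputs are constructed to look like `ip -o link show`, /proc/net/packet and `ps` output, with made-up interface names, inodes and PIDs; `collect_live` gathers the real inputs on a Linux host. The raw-socket check matters because a sniffer that only wants the host's own traffic never sets PROMISC, so the flag check alone misses it.

```python
"""Added example: Linux host-side sniffer checks over constructed inputs."""
import re
import subprocess

ETH_P_ALL = "0003"   # /proc/net/packet 'Proto' column value for capture-everything sockets
SNIFFER_NAMES = {"tcpdump", "tshark", "dumpcap", "wireshark", "ettercap", "bettercap", "responder"}
IP_LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>")


def promisc_interfaces(ip_link_output: str):
    """Names of interfaces whose flag set contains PROMISC (VLAN sub-interfaces
    such as eth0.100@eth0 are reported by their own name)."""
    return [m.group("name") for m in map(IP_LINK_RE.match, ip_link_output.splitlines())
            if m and "PROMISC" in m.group("flags").split(",")]


def raw_capture_sockets(proc_net_packet: str):
    """(ifindex, inode) of AF_PACKET sockets bound to ETH_P_ALL. The inode maps to a
    process through /proc/<pid>/fd/* entries of the form 'socket:[inode]'."""
    hits = []
    for row in proc_net_packet.splitlines()[1:]:       # line 0 is the column header
        cols = row.split()                             # sk RefCnt Type Proto Iface R Rmem User Inode
        if len(cols) >= 9 and cols[3] == ETH_P_ALL:
            hits.append((int(cols[4]), int(cols[8])))
    return hits


def sniffer_processes(ps_rows):
    """ps_rows: iterable of (pid, comm, args). Flags known capture tools by name and
    any process whose arguments mention a pcap file or scapy."""
    return [(pid, comm) for pid, comm, args in ps_rows
            if comm.lower() in SNIFFER_NAMES or ".pcap" in args or "scapy" in args]


def assess(ip_link_output, proc_net_packet, ps_rows):
    """Combine the three signals; 'suspicious' is True when any of them fires."""
    promisc = promisc_interfaces(ip_link_output)
    raw = raw_capture_sockets(proc_net_packet)
    procs = sniffer_processes(ps_rows)
    return {"promisc": promisc, "raw_sockets": raw, "processes": procs,
            "suspicious": bool(promisc or raw or procs)}


def collect_live():
    """Gather the same three inputs on a real Linux host."""
    ip_link = subprocess.run(["ip", "-o", "link", "show"], capture_output=True, text=True, check=True).stdout
    with open("/proc/net/packet") as fh:
        packet = fh.read()
    ps = subprocess.run(["ps", "-eo", "pid=,comm=,args="], capture_output=True, text=True, check=True).stdout
    rows = []
    for line in ps.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            rows.append((int(parts[0]), parts[1], parts[2]))
    return ip_link, packet, rows


# --- constructed inputs (not taken from a real host) ---
IP_LINK_SAMPLE = (
    "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n"
    "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP\\    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff\n"
    "3: eth0.100@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP\\    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff\n"
)
PROC_NET_PACKET_SAMPLE = (
    "sk               RefCnt Type Proto  Iface R Rmem   User   Inode\n"
    "ffff9a1c2b3c4d00 3      3    0003   2     1 0      0      48213\n"   # ETH_P_ALL on ifindex 2: capture socket
    "ffff9a1c2b3c4e00 3      3    0806   2     1 0      0      48990\n"   # ARP-only socket (e.g. arping): benign
)
PS_SAMPLE = [
    (1, "systemd", "/sbin/init"),
    (4211, "tcpdump", "tcpdump -i eth0 -w /tmp/.cache/out.pcap"),
    (5120, "python3", "python3 /opt/app/worker.py"),
]

if __name__ == "__main__":
    print(assess(IP_LINK_SAMPLE, PROC_NET_PACKET_SAMPLE, PS_SAMPLE))
```

On a real host these checks are a point-in-time snapshot; a sniffer that runs for seconds between polls is missed, so pair them with process-creation and socket-creation telemetry from the EDR rather than relying on the snapshot alone.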
What mitigations exist for T1040?
There are 4 documented mitigations for T1040. Key mitigations include: User Account Management, Multi-factor Authentication, Encrypt Sensitive Information, Network Segmentation.
Which threat groups use T1040?
Known threat groups using T1040 include: Sandworm Team, Kimsuky, Velvet Ant, Salt Typhoon, APT33, UNC3886, DarkVishnya, APT28.