T1040: Network Sniffing
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as LLMNR/NBT-NS Poisoning and SMB Relay, can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities. Adversaries may likely also utilize network sniffing during Adversary-in-the-Middle (AiTM) to passively gain additional knowledge about the environment.
In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to. Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic. The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.
On network devices, adversaries may perform network captures using Network Device CLI commands such as monitor capture
.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
eltex: PT-CR-2343: Eltex_Abnormal_Broadcast_Traffic: Abnormal broadcast traffic
Detection
ID | DS0017 | Data source and component | Command: Command Execution | Description | Monitor executed commands and arguments for actions that aid in sniffing network traffic to capture information about an environment, including authentication material passed over the network |
---|
ID | DS0009 | Data source and component | Process: Process Creation | Description | Monitor for newly executed processes that can aid in sniffing network traffic to capture information about an environment, including authentication material passed over the network Note: The Analytic is for Windows systems and looks for new processes that have the names of the most common network sniffing tools. While this may be noisy on networks where sysadmins are using any of these tools on a regular basis, in most networks their use is noteworthy. Analytic 1 - Windows
|
---|
Mitigation
ID | M1018 | Name | User Account Management | Description | In cloud environments, ensure that users are not granted permissions to create or modify traffic mirrors unless this is explicitly required. |
---|
ID | M1032 | Name | Multi-factor Authentication | Description | Use multi-factor authentication wherever possible. |
---|
ID | M1041 | Name | Encrypt Sensitive Information | Description | Ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS. |
---|
ID | M1030 | Name | Network Segmentation | Description | Deny direct access of broadcasts and multicast sniffing, and prevent attacks such as LLMNR/NBT-NS Poisoning and SMB Relay |
---|