Network Sniffing

Adversaries may sniff network traffic to capture information about an environment, including machine identities and authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Data captured via this technique may include machine identities or user credentials, especially those sent over an insecure, unencrypted protocol.

Procedure Examples

Name Description
Sandworm Team

Sandworm Team has used intercepter-NG to sniff passwords in network traffic.[1]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Detecting the events leading up to sniffing network traffic may be the best method of detection. From the host level, an adversary would likely need to perform a man-in-the-middle attack against other devices on a wired network in order to capture traffic that was not to or from the current compromised system. This change in the flow of information is detectable at the enclave network level. Monitor for ARP spoofing and gratuitous ARP broadcasts. Detecting compromised network devices is a bit more challenging. Auditing administrator logins, configuration changes, and device images is required to detect malicious changes.

References

Attachments

ID
VT0019
MITRE ID
Sub-techniques
No sub-techniques
Tactics
Credential Access
Discovery
Platforms
Linux
Windows
macOS
System Requirements
Network interface access and packet capture driver
Permissions Required
Administrator
SYSTEM
Data Sources
Host network interface
Netflow/Enclave netflow
Network device logs
Process monitoring
CAPEC ID
Version
1.1

Created: 29 December 2020

Last Modified: 29 December 2020