Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as LLMNR/NBT-NS Poisoning and SMB Relay, can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-16 | Security and Privacy Attributes | Protects | T1040 | Network Sniffing |
| AC-17 | Remote Access | Protects | T1040 | Network Sniffing |
| AC-18 | Wireless Access | Protects | T1040 | Network Sniffing |
| AC-19 | Access Control for Mobile Devices | Protects | T1040 | Network Sniffing |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1040 | Network Sniffing |
| IA-5 | Authenticator Management | Protects | T1040 | Network Sniffing |
| SC-4 | Information in Shared System Resources | Protects | T1040 | Network Sniffing |
| SC-8 | Transmission Confidentiality and Integrity | Protects | T1040 | Network Sniffing |
| SI-12 | Information Management and Retention | Protects | T1040 | Network Sniffing |
| SI-4 | System Monitoring | Protects | T1040 | Network Sniffing |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1040 | Network Sniffing |