T1040 Network Sniffing Mappings

Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as LLMNR/NBT-NS Poisoning and SMB Relay, can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.

Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.

Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
AC-16 | Security and Privacy Attributes | Protects | T1040 | Network Sniffing
AC-17 | Remote Access | Protects | T1040 | Network Sniffing
AC-18 | Wireless Access | Protects | T1040 | Network Sniffing
AC-19 | Access Control for Mobile Devices | Protects | T1040 | Network Sniffing
IA-2 | Identification and Authentication (Organizational Users) | Protects | T1040 | Network Sniffing
IA-5 | Authenticator Management | Protects | T1040 | Network Sniffing
SC-4 | Information in Shared System Resources | Protects | T1040 | Network Sniffing
SC-8 | Transmission Confidentiality and Integrity | Protects | T1040 | Network Sniffing
SI-12 | Information Management and Retention | Protects | T1040 | Network Sniffing
SI-4 | System Monitoring | Protects | T1040 | Network Sniffing
SI-7 | Software, Firmware, and Information Integrity | Protects | T1040 | Network Sniffing
azure_security_center_recommendations | Azure Security Center Recommendations | technique_scores | T1040 | Network Sniffing
Comments: This control's recommendations related to enforcing the secure versions of the HTTP and FTP protocols (HTTPS and FTPS) can lead to traffic being encrypted, which reduces an adversary's ability to gather sensitive data via network sniffing. This also applies to the "Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign", "Enforce SSL connection should be enabled for MySQL database servers", "Enforce SSL connection should be enabled for PostgreSQL database servers", "Only secure connections to your Redis Cache should be enabled" and "Secure transfer to storage accounts should be enabled" recommendations for their respective protocols. The "Usage of host networking and ports should be restricted" recommendation for Kubernetes clusters can also help mitigate this technique. These recommendations are limited to specific technologies on the platform, and therefore the coverage score is Minimal.
azure_sentinel | Azure Sentinel | technique_scores | T1040 | Network Sniffing
Comments: The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can be used to conduct packet capture on target hosts, but it does not address other procedures.
azure_private_link | Azure Private Link | technique_scores | T1040 | Network Sniffing
Comments: This control reduces the likelihood of a network sniffing attack on traffic between remote users, the cloud, and third parties by routing the traffic over the Microsoft backbone rather than over the Internet.
azure_policy | Azure Policy | technique_scores | T1040 | Network Sniffing
Comments: This control may provide recommendations to enable various Azure services that route traffic through secure networks, segment all network traffic, and enable TLS encryption where available.
azure_vpn_gateway | Azure VPN Gateway | technique_scores | T1040 | Network Sniffing
Comments: This control encrypts traffic traversing untrusted networks, which can prevent information from being gathered via network sniffing.
azure_ad_identity_secure_score | Azure AD Identity Secure Score | technique_scores | T1040 | Network Sniffing
Comments: This control's "Stop clear text credentials exposure" item recommends running the "Entities exposing credentials in clear text" assessment, which monitors your traffic for any entities exposing credentials in clear text (via LDAP simple bind). This assessment appears to be specific to LDAP simple binds; that, coupled with the fact that it is a recommendation and is not enforced, results in a Minimal score.
azure_key_vault | Azure Key Vault | technique_scores | T1040 | Network Sniffing
Comments: This control provides secure methods for accessing secrets and passwords. This can reduce the incidence of credentials and other authentication material being transmitted in plain text or with insecure encryption methods. Communication between applications or endpoints after a secret has been retrieved from Key Vault is outside this control's scope and may not be secure.
docker_host_hardening | Docker Host Hardening | technique_scores | T1040 | Network Sniffing
Comments: This control may recommend using TLS to encrypt communication between the Docker daemon and its clients. This can prevent possible leakage of sensitive information through network sniffing.