T1040 Network Sniffing Mappings

Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as LLMNR/NBT-NS Poisoning and SMB Relay, can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.

Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-16 Security and Privacy Attributes Protects T1040 Network Sniffing
AC-17 Remote Access Protects T1040 Network Sniffing
AC-18 Wireless Access Protects T1040 Network Sniffing
AC-19 Access Control for Mobile Devices Protects T1040 Network Sniffing
IA-2 Identification and Authentication (organizational Users) Protects T1040 Network Sniffing
IA-5 Authenticator Management Protects T1040 Network Sniffing
SC-4 Information in Shared System Resources Protects T1040 Network Sniffing
SC-8 Transmission Confidentiality and Integrity Protects T1040 Network Sniffing
SI-12 Information Management and Retention Protects T1040 Network Sniffing
SI-4 System Monitoring Protects T1040 Network Sniffing
SI-7 Software, Firmware, and Information Integrity Protects T1040 Network Sniffing
CVE-2019-1715 Cisco Adaptive Security Appliance (ASA) Software primary_impact T1040 Network Sniffing
CVE-2020-15094 symfony exploitation_technique T1040 Network Sniffing
CVE-2020-11035 GLPI primary_impact T1040 Network Sniffing
CVE-2020-5261 Saml2 exploitation_technique T1040 Network Sniffing
CVE-2020-15093 tough primary_impact T1040 Network Sniffing
CVE-2018-14781 Medtronic insulin pump exploitation_technique T1040 Network Sniffing
CVE-2020-0884 Microsoft Visual Studio 2017 version 15.9 (includes 15.1 - 15.8) exploitation_technique T1040 Network Sniffing
CVE-2018-11749 Puppet Enterprise uncategorized T1040 Network Sniffing
CVE-2018-7259 n/a uncategorized T1040 Network Sniffing
action.malware.variety.Packet sniffer Packet sniffer (capture data from network) related-to T1040 Network Sniffing
action.malware.variety.Scan network Scan or footprint network related-to T1040 Network Sniffing
aws_rds AWS RDS technique_scores T1040 Network Sniffing
aws_config AWS Config technique_scores T1040 Network Sniffing
aws_iot_device_defender AWS IoT Device Defender technique_scores T1040 Network Sniffing
amazon_virtual_private_cloud Amazon Virtual Private Cloud technique_scores T1040 Network Sniffing
aws_cloudwatch AWS CloudWatch technique_scores T1040 Network Sniffing