Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as LLMNR/NBT-NS Poisoning and SMB Relay, can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities. Adversaries may likely also utilize network sniffing during Adversary-in-the-Middle (AiTM) to passively gain additional knowledge about the environment.
In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified target instances to send collected traffic to. Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic. The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.
On network devices, adversaries may perform packet captures using Network Device CLI commands such as monitor capture.
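As an added detection example (not part of the technique description above), the following Python replays Linux auditd ANOM_PROMISCUOUS records to find interfaces that were placed in promiscuous mode and never left it, and separately checks the live IFF_PROMISC flag through sysfs. The audit records are constructed sample data; the sysfs path and flag bit are the standard Linux values.

```python
import os
import re
from typing import Dict, List

IFF_PROMISC = 0x100  # Linux IFF_PROMISC bit as shown in /sys/class/net/<dev>/flags
UNSET_AUID = 4294967295  # auid=-1: no login session, i.e. a daemon or boot-time context

# Constructed sample auditd records (not captured from a real host).
# The kernel emits ANOM_PROMISCUOUS whenever an interface's promiscuous count changes.
SAMPLE_AUDIT = """\
type=ANOM_PROMISCUOUS msg=audit(1700000000.101:201): dev=eth0 prom=256 old_prom=0 auid=1000 uid=0 gid=0 ses=3
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=59 success=yes exit=0
type=ANOM_PROMISCUOUS msg=audit(1700000000.500:203): dev=eth1 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295
type=ANOM_PROMISCUOUS msg=audit(1700000000.900:204): dev=eth0 prom=0 old_prom=256 auid=1000 uid=0 gid=0 ses=3
"""

AUDIT_RE = re.compile(
    r"type=ANOM_PROMISCUOUS msg=audit\((?P<ts>[\d.]+):\d+\): "
    r"dev=(?P<dev>\S+) prom=(?P<prom>\d+) old_prom=(?P<old>\d+) auid=(?P<auid>\d+)"
)


def promiscuous_interfaces_from_audit(log: str) -> Dict[str, dict]:
    """Replay ANOM_PROMISCUOUS records in order; return interfaces still promiscuous
    at the end of the log, with when they entered that state and which login
    session (auid) triggered it. A prom=0 record clears the interface."""
    state: Dict[str, dict] = {}
    for line in log.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue  # unrelated record types are ignored
        dev = m.group("dev")
        if int(m.group("prom")) > 0:
            auid = int(m.group("auid"))
            state[dev] = {"since": float(m.group("ts")), "auid": auid,
                          "no_session": auid == UNSET_AUID}
        else:
            state.pop(dev, None)
    return state


def promiscuous_interfaces_live(sysfs: str = "/sys/class/net") -> List[str]:
    """Point-in-time check: which local interfaces currently have IFF_PROMISC set.
    Returns an empty list on non-Linux hosts where sysfs is absent."""
    found: List[str] = []
    if not os.path.isdir(sysfs):
        return found
    for dev in sorted(os.listdir(sysfs)):
        try:
            with open(os.path.join(sysfs, dev, "flags")) as f:
                flags = int(f.read().strip(), 16)  # file holds e.g. "0x1103"
        except (OSError, ValueError):
            continue
        if flags & IFF_PROMISC:
            found.append(dev)
    return found
```

Replaying the sample shows eth0 entering and leaving promiscuous mode within a logged-in session while eth1 remains promiscuous with no session attached, which is the case worth investigating.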