
Network Sniffing

Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as LLMNR/NBT-NS Poisoning, can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.

Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (ex: IP addressing, hostnames, VLAN IDs) necessary for follow-on Lateral Movement and/or Defense Evasion activities.

ID: T1040

Tactic: Credential Access, Discovery

Platform: Linux, macOS, Windows

Permissions Required: Administrator, SYSTEM

Data Sources: Network device logs, Host network interface, Netflow/Enclave netflow, Process monitoring

CAPEC ID: CAPEC-158

Version: 1.0

Examples

| Name | Description |
| --- | --- |
| APT28 | APT28 deployed the open source tool Responder to conduct NetBIOS Name Service poisoning, which captured usernames and hashed passwords that allowed access to legitimate credentials.[1][2] |
| Regin | Regin appears to have functionality to sniff for credentials passed over HTTP, SMTP, and SMB.[3] |
| Responder | Responder captures hashes and credentials that are sent to the system after the name services have been poisoned.[4] |

Mitigation

Ensure that all wireless traffic is encrypted appropriately. Use Kerberos, SSL, and multifactor authentication wherever possible. Monitor switches and network for span port usage, ARP/DNS poisoning, and router reconfiguration.

Identify and block potentially malicious software that may be used to sniff or analyze network traffic by using whitelisting[5] tools, like AppLocker,[6][7] or Software Restriction Policies[8] where appropriate.[9]

Detection

Detecting the events leading up to sniffing network traffic may be the best method of detection. From the host level, an adversary would likely need to perform a man-in-the-middle attack against other devices on a wired network in order to capture traffic that was not to or from the current compromised system. This change in the flow of information is detectable at the enclave network level. Monitor for ARP spoofing and gratuitous ARP broadcasts. Detecting compromised network devices is a bit more challenging. Auditing administrator logins, configuration changes, and device images is required to detect malicious changes.
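
The ARP monitoring described above can be sketched as follows. This is an added example, not part of the ATT&CK entry: it parses raw ARP payloads and flags gratuitous ARP and changes in an IP-to-MAC binding. The function names, the alert labels, and the sample packets (documentation-range IPs, locally administered MACs) are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

# ARP payload for Ethernet/IPv4: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_FMT = "!HHBBH6s4s6s4s"

def parse_arp(payload: bytes):
    """Parse a 28-byte Ethernet/IPv4 ARP payload; return None for anything else."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": oper, "mac": sha.hex(":"),
            "ip": str(IPv4Address(spa)), "target_ip": str(IPv4Address(tpa))}

def find_arp_anomalies(payloads):
    """Return (index, kind, ip, mac) alerts for gratuitous ARP and binding changes."""
    bindings = {}  # ip -> first MAC observed for it (the baseline)
    alerts = []
    for i, raw in enumerate(payloads):
        pkt = parse_arp(raw)
        if pkt is None:
            continue  # truncated or non-IPv4 ARP: not evaluated here
        ip, mac = pkt["ip"], pkt["mac"]
        # Gratuitous ARP: sender announces its own IP. Also occurs legitimately
        # (failover, address changes), so treat it as a lead, not a verdict.
        if ip == pkt["target_ip"]:
            alerts.append((i, "gratuitous", ip, mac))
        # The baseline is kept, so a spoofed binding alerts on every packet.
        if bindings.setdefault(ip, mac) != mac:
            alerts.append((i, "binding-change", ip, mac))
    return alerts

def build_arp(op, mac, ip, tmac, tip):
    """Helper that builds the constructed sample payloads below."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, raw(mac),
                       IPv4Address(ip).packed, raw(tmac), IPv4Address(tip).packed)

GW, HOST, ROGUE = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:66"
SAMPLE = [  # constructed traffic: request, genuine reply, two spoofed replies, junk
    build_arp(1, HOST, "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1"),
    build_arp(2, GW, "192.0.2.1", HOST, "192.0.2.10"),
    build_arp(2, ROGUE, "192.0.2.1", "ff:ff:ff:ff:ff:ff", "192.0.2.1"),
    build_arp(2, ROGUE, "192.0.2.1", HOST, "192.0.2.10"),
    b"\x00\x01\x08\x00",
]

if __name__ == "__main__":
    for alert in find_arp_anomalies(SAMPLE):
        print(alert)
```

In practice the baseline would be seeded from a trusted source such as DHCP leases or static assignments rather than the first packet seen.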

References