Network Sniffing

Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as LLMNR/NBT-NS Poisoning and SMB Relay, can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.

Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.

In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.[1][2][3] Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.[4][5] The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.[4]

On network devices, adversaries may perform network captures using Network Device CLI commands such as monitor capture.[6][7]

ID: T1040
Sub-techniques:  No sub-techniques
Platforms: IaaS, Linux, Network, Windows, macOS
System Requirements: Network interface access and packet capture driver
Contributors: Austin Clark, @c2defense; Itamar Mizrahi, Cymptom; Oleg Kolesnikov, Securonix; Tiago Faria, 3CORESec
Version: 1.5
Created: 31 May 2017
Last Modified: 10 July 2023

Procedure Examples

ID Name Description
C0028 2015 Ukraine Electric Power Attack

During the 2015 Ukraine Electric Power Attack, Sandworm Team used BlackEnergy’s network sniffer module to discover user credentials being sent over the network between the local LAN and the power grid’s industrial control systems. [8]

G0007 APT28

APT28 deployed the open source tool Responder to conduct NetBIOS Name Service poisoning, which captured usernames and hashed passwords that allowed access to legitimate credentials.[9][10] APT28 close-access teams have used Wi-Fi pineapples to intercept Wi-Fi signals and user credentials.[11]

G0064 APT33

APT33 has used SniffPass to collect credentials by sniffing network traffic.[12]

G0105 DarkVishnya

DarkVishnya used network sniffing to obtain login data. [13]

S0367 Emotet

Emotet has been observed to hook network APIs to monitor network traffic. [14]

S0363 Empire

Empire can be used to conduct packet captures on target hosts.[15]

S0661 FoggyWeb

FoggyWeb can configure custom listeners to passively monitor all incoming HTTP GET and POST requests sent to the AD FS server from the intranet/internet and intercept HTTP requests that match the custom URI patterns defined by the actor.[16]

S0357 Impacket

Impacket can be used to sniff network traffic via an interface or raw socket.[17]

G0094 Kimsuky

Kimsuky has used the Nirsoft SniffPass network sniffer to obtain passwords sent over non-secure protocols.[18][19]

S0443 MESSAGETAP

MESSAGETAP uses the libpcap library to listen to all traffic and parses network protocols starting with Ethernet and IP layers. It continues parsing protocol layers including SCTP, SCCP, and TCAP and finally extracts SMS message data and routing metadata. [20]

S0590 NBTscan

NBTscan can dump and print whole packet content.[21][22]

S0587 Penquin

Penquin can sniff network traffic to look for packets matching specific conditions.[23][24]

S0378 PoshC2

PoshC2 contains a module for taking packet captures on compromised hosts.[25]

S0019 Regin

Regin appears to have functionality to sniff for credentials passed over HTTP, SMTP, and SMB.[26]

S0174 Responder

Responder captures hashes and credentials that are sent to the system after the name services have been poisoned.[27]

G0034 Sandworm Team

Sandworm Team has used intercepter-NG to sniff passwords in network traffic.[28]

Mitigations

ID Mitigation Description
M1041 Encrypt Sensitive Information

Ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS.

M1032 Multi-factor Authentication

Use multi-factor authentication wherever possible.

M1030 Network Segmentation

Deny direct access of broadcasts and multicast sniffing, and prevent attacks such as LLMNR/NBT-NS Poisoning and SMB Relay

M1018 User Account Management

In cloud environments, ensure that users are not granted permissions to create or modify traffic mirrors unless this is explicitly required.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments for actions that aid in sniffing network traffic to capture information about an environment, including authentication material passed over the network

DS0009 Process Process Creation

Monitor for newly executed processes that can aid in sniffing network traffic to capture information about an environment, including authentication material passed over the network

Note: The Analytic is for Windows systems and looks for new processes that have the names of the most common network sniffing tools. While this may be noisy on networks where sysadmins are using any of these tools on a regular basis, in most networks their use is noteworthy.

Analytic 1 - Windows

processes = filter processes where ((event_id == "1" OR event_id == "4688") ANDexe == "tshark.exe" ORexe == "windump.exe" OR(exe == "logman.exe" AND parent_exe exists AND parent_exe!="C:\Program Files\Windows Event Reporting\Core\EventReporting.AgentService.exe") ORexe == "tcpdump.exe" ORexe == "wprui.exe" ORexe == "wpr.exe" )

References

  1. Amazon Web Services. (n.d.). How Traffic Mirroring works. Retrieved March 17, 2022.
  2. Google Cloud. (n.d.). Packet Mirroring overview. Retrieved March 17, 2022.
  3. Microsoft. (2022, February 9). Virtual network TAP. Retrieved March 17, 2022.
  4. Spencer Gietzen. (2019, September 17). Abusing VPC Traffic Mirroring in AWS. Retrieved March 17, 2022.
  5. Luke Paine. (2020, March 11). Through the Looking Glass — Part 1. Retrieved March 17, 2022.
  6. US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
  7. Cisco. (2022, August 17). Configure and Capture Embedded Packet on Software. Retrieved July 13, 2022.
  8. Charles McLellan. (2016, March 4). How hackers attacked Ukraine's power grid: Implications for Industrial IoT security. Retrieved September 27, 2023.
  9. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  10. Smith, L. and Read, B.. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved August 17, 2017.
  11. Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.
  12. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
  13. Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020.
  14. Salvio, J.. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019.