Network Sniffing

From ATT&CK
Jump to: navigation, search
Network Sniffing
Technique
ID T1040
Tactic Credential Access
Platform Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1
System Requirements Network interface access and packet capture driver
Permissions Required Administrator, SYSTEM
Data Sources Network device logs, Host network interface, Netflow/Enclave netflow
CAPEC ID CAPEC-158

Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.

User credentials may be sent over an insecure, unencrypted protocol that can be captured and obtained through network packet analysis. An adversary may place a network interface into promiscuous mode, using a utility to capture traffic in transit over the network or use span ports to capture a larger amount of data. In addition, Address Resolution Protocol (ARP) and Domain Name Service (DNS) poisoning can be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.

Examples

  • Regin appears to have functionality to sniff for credentials passed over HTTP, SMTP, and SMB.1

Mitigation

Ensure that all wireless traffic is encrypted appropriately. Use Kerberos, SSL, and multifactor authentication wherever possible. Monitor switches and network for span port usage, ARP/DNS poisoning, and router reconfiguration.

Identify and block potentially malicious software that may be used to sniff or analyze network traffic by using whitelisting2 tools, like AppLocker,34 or Software Restriction Policies5 where appropriate.6

Detection

Detecting the events leading up to sniffing network traffic may be the best method of detection. From the host level, an adversary would likely need to perform a man-in-the-middle attack against other devices on a wired network in order to capture traffic that was not to or from the current compromised system. This change in the flow of information is detectable at the enclave network level. Monitor for ARP spoofing and gratuitous ARP broadcasts. Detecting compromised network devices is a bit more challenging. Auditing administrator logins, configuration changes, and device images is required to detect malicious changes.