MITRE ATT&CK  /  T1040

T1040

Network Sniffing

Description

Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [Name Resolution Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or [Stealth](https://attack.mitre.org/tactics/TA0005) activities. Adversaries may likely also utilize network sniffing during [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) (AiTM) to passively gain additional knowledge about the environment.In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network t…

Platforms

Mitigations

• M1018 — User Account Management
• M1032 — Multi-factor Authentication
• M1041 — Encrypt Sensitive Information
• M1030 — Network Segmentation

Our coverage

• UAT-8302 China APT Malware Analysis: Shared Implants, IOCs, and Detection Rules
• PRC State-Sponsored Telecom Router Compromise Detection: CISA AA25-239a Breakdown
• What is Information Gathering

Source: MITRE ATT&CK Enterprise matrix. View on attack.mitre.org →