EXPLORE
Sign In
← Back to Explore
T1040

Network Sniffing

Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. Data captured via this techniqu...

LinuxmacOSWindowsNetwork DevicesIaaS
15
Detections
3
Sources
8
Threat Actors

BY SOURCE

9sigma4elastic2splunk_escu

PROCEDURES (10)

Process Creation Monitoring3 detections

Auto-extracted: 3 detections for process creation monitoring

Encrypt2 detections

Auto-extracted: 2 detections for encrypt

Exfiltrat2 detections

Auto-extracted: 2 detections for exfiltrat

Container2 detections

Auto-extracted: 2 detections for container

Network Connection Monitoring1 detections

Auto-extracted: 1 detections for network connection monitoring

Dump1 detections

Auto-extracted: 1 detections for dump

Credential1 detections

Auto-extracted: 1 detections for credential

Credential1 detections

Auto-extracted: 1 detections for credential

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

Service Monitoring1 detections

Auto-extracted: 1 detections for service monitoring

THREAT ACTORS (8)

APT28APT33DarkVishnyaKimsukySalt TyphoonSandworm TeamUNC3886Velvet Ant

DETECTIONS (15)

AWS EC2 Full Network Packet Capture Detected
elasticmedium
Azure VNet Full Network Packet Capture Enabled
elasticmedium
Cisco ASA - Packet Capture Activity
splunk_escu
Cisco Sniffing
sigmamedium
Cisco SNMP Community String Configuration Changes
splunk_escu
Harvesting Of Wifi Credentials Via Netsh.EXE
sigmamedium
Network Sniffing - Linux
sigmalow
Network Sniffing - MacOs
sigmainformational
New Network Trace Capture Started Via Netsh.EXE
sigmamedium
PktMon.EXE Execution
sigmamedium
Potential Network Sniffing Activity Using Network Tools
sigmamedium
Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
sigmamedium
Suspicious Network Tool Launch Detected via Defend for Containers
elasticlow
Suspicious Network Tool Launched Inside A Container
elasticlow
Windows Pcap Drivers
sigmamedium