Network Sniffing, Technique T1040 - Enterprise

<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href='/theme/favicon.ico' type='image/x-icon'> <title>Network Sniffing, Technique T1040 - Enterprise | MITRE ATT&CK®</title>   <link rel='stylesheet' href='/theme/style/bootstrap.min.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-tourist.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-select.min.css' />  <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1">  <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href='/'><img src="/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/groups">Groups</a> <a class="dropdown-item" href="/software">Software</a> <a class="dropdown-item" href="/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/resources/">Get Started</a> <a class="dropdown-item" href="/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>  <img src="/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1">  <div class="col px-0">   <div class="container-fluid banner-message"> ATT&CKcon 6.0 returns October 14-15, 2025 in McLean, VA. More details about tickets and our CFP can be found <a href='https://na.eventscloud.com/attackcon6'>here</a> </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0">   <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div>  <div id="sidebars"></div>  </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/">Home</a></li> <li class="breadcrumb-item"><a href="/techniques/enterprise">Techniques</a></li> <li class="breadcrumb-item"><a href="/techniques/enterprise">Enterprise</a></li> <li class="breadcrumb-item">Network Sniffing</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1 id=""> Network Sniffing </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p>Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.</p><p>Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as <a href="/techniques/T1557/001">LLMNR/NBT-NS Poisoning and SMB Relay</a>, can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.</p><p>Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent <a href="https://attack.mitre.org/tactics/TA0008">Lateral Movement</a> and/or <a href="https://attack.mitre.org/tactics/TA0005">Defense Evasion</a> activities. Adversaries may likely also utilize network sniffing during <a href="/techniques/T1557">Adversary-in-the-Middle</a> (AiTM) to passively gain additional knowledge about the environment.</p><p>In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Amazon Web Services. (n.d.). How Traffic Mirroring works. Retrieved March 17, 2022."data-reference="AWS Traffic Mirroring"><sup><a href="https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-how-it-works.html" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Google Cloud. (n.d.). Packet Mirroring overview. Retrieved March 17, 2022."data-reference="GCP Packet Mirroring"><sup><a href="https://cloud.google.com/vpc/docs/packet-mirroring" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Microsoft. (2022, February 9). Virtual network TAP. Retrieved March 17, 2022."data-reference="Azure Virtual Network TAP"><sup><a href="https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span> Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Spencer Gietzen. (2019, September 17). Abusing VPC Traffic Mirroring in AWS. Retrieved March 17, 2022."data-reference="Rhino Security Labs AWS VPC Traffic Mirroring"><sup><a href="https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Luke Paine. (2020, March 11). Through the Looking Glass — Part 1. Retrieved March 17, 2022."data-reference="SpecterOps AWS Traffic Mirroring"><sup><a href="https://posts.specterops.io/through-the-looking-glass-part-1-f539ae308512" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span> The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Spencer Gietzen. (2019, September 17). Abusing VPC Traffic Mirroring in AWS. Retrieved March 17, 2022."data-reference="Rhino Security Labs AWS VPC Traffic Mirroring"><sup><a href="https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p><p>On network devices, adversaries may perform network captures using <a href="/techniques/T1059/008">Network Device CLI</a> commands such as <code>monitor capture</code>.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020."data-reference="US-CERT-TA18-106A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-106A" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Cisco. (2022, August 17). Configure and Capture Embedded Packet on Software. Retrieved July 13, 2022."data-reference="capture_embedded_packet_on_software"><sup><a href="https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data" id="card-id"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID: </span>T1040 </div> </div>  <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Sub-techniques: </span> No sub-techniques </div> </div>  <div id="card-tactics" class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The tactic objectives that the (sub-)technique can be used to accomplish">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Tactics:</span> <a href="/tactics/TA0006">Credential Access</a>, <a href="/tactics/TA0007">Discovery</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms: </span>IaaS, Linux, Network, Windows, macOS </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="Additional information on requirements the adversary needs to meet or about the state of the system (software, patch level, etc.) that may be required for the (sub-)technique to work">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">System Requirements: </span>Network interface access and packet capture driver </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors: </span>Austin Clark, @c2defense; Eliraz Levi, Hunters; Itamar Mizrahi, Cymptom; Oleg Kolesnikov, Securonix; Tiago Faria, 3CORESec </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version: </span>1.6 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created: </span>31 May 2017 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified: </span>15 October 2024 </div> </div> </div> </div> <div class="text-center pt-2 version-button live"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T1040" href="/versions/v16/techniques/T1040/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T1040" href="/versions/v16/techniques/T1040/" data-test-ignore="true">Live Version</a> </div> </div> </div> </div> <h2 class="pt-3" id ="examples">Procedure Examples</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/campaigns/C0028"> C0028 </a> </td> <td> <a href="/campaigns/C0028"> 2015 Ukraine Electric Power Attack </a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/groups/G0034">Sandworm Team</a> used <a href="/software/S0089">BlackEnergy</a>’s network sniffer module to discover user credentials being sent over the network between the local LAN and the power grid’s industrial control systems. <span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Charles McLellan. (2016, March 4). How hackers attacked Ukraine's power grid: Implications for Industrial IoT security. Retrieved September 27, 2023."data-reference="Charles McLellan March 2016"><sup><a href="https://www.zdnet.com/article/how-hackers-attacked-ukraines-power-grid-implications-for-industrial-iot-security/" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0007"> G0007 </a> </td> <td> <a href="/groups/G0007"> APT28 </a> </td> <td> <p><a href="/groups/G0007">APT28</a> deployed the open source tool Responder to conduct NetBIOS Name Service poisoning, which captured usernames and hashed passwords that allowed access to legitimate credentials.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015."data-reference="FireEye APT28"><sup><a href="https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Smith, L. and Read, B.. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved August 17, 2017."data-reference="FireEye APT28 Hospitality Aug 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span> <a href="/groups/G0007">APT28</a> close-access teams have used Wi-Fi pineapples to intercept Wi-Fi signals and user credentials.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020."data-reference="US District Court Indictment GRU Oct 2018"><sup><a href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0064"> G0064 </a> </td> <td> <a href="/groups/G0064"> APT33 </a> </td> <td> <p><a href="/groups/G0064">APT33</a> has used SniffPass to collect credentials by sniffing network traffic.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019."data-reference="Symantec Elfin Mar 2019"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0105"> G0105 </a> </td> <td> <a href="/groups/G0105"> DarkVishnya </a> </td> <td> <p><a href="/groups/G0105">DarkVishnya</a> used network sniffing to obtain login data. <span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020."data-reference="Securelist DarkVishnya Dec 2018"><sup><a href="https://securelist.com/darkvishnya/89169/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0367"> S0367 </a> </td> <td> <a href="/software/S0367"> Emotet </a> </td> <td> <p><a href="/software/S0367">Emotet</a> has been observed to hook network APIs to monitor network traffic. <span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Salvio, J.. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019."data-reference="Trend Micro Banking Malware Jan 2019"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0363"> S0363 </a> </td> <td> <a href="/software/S0363"> Empire </a> </td> <td> <p><a href="/software/S0363">Empire</a> can be used to conduct packet captures on target hosts.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016."data-reference="Github PowerShell Empire"><sup><a href="https://github.com/PowerShellEmpire/Empire" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0661"> S0661 </a> </td> <td> <a href="/software/S0661"> FoggyWeb </a> </td> <td> <p><a href="/software/S0661">FoggyWeb</a> can configure custom listeners to passively monitor all incoming HTTP GET and POST requests sent to the AD FS server from the intranet/internet and intercept HTTP requests that match the custom URI patterns defined by the actor.<span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021."data-reference="MSTIC FoggyWeb September 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0357"> S0357 </a> </td> <td> <a href="/software/S0357"> Impacket </a> </td> <td> <p><a href="/software/S0357">Impacket</a> can be used to sniff network traffic via an interface or raw socket.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="SecureAuth. (n.d.). Retrieved January 15, 2019."data-reference="Impacket Tools"><sup><a href="https://www.secureauth.com/labs/open-source-tools/impacket" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0094"> G0094 </a> </td> <td> <a href="/groups/G0094"> Kimsuky </a> </td> <td> <p><a href="/groups/G0094">Kimsuky</a> has used the Nirsoft SniffPass network sniffer to obtain passwords sent over non-secure protocols.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020."data-reference="CISA AA20-301A Kimsuky"><sup><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-301a" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019."data-reference="Netscout Stolen Pencil Dec 2018"><sup><a href="https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0443"> S0443 </a> </td> <td> <a href="/software/S0443"> MESSAGETAP </a> </td> <td> <p><a href="/software/S0443">MESSAGETAP</a> uses the libpcap library to listen to all traffic and parses network protocols starting with Ethernet and IP layers. It continues parsing protocol layers including SCTP, SCCP, and TCAP and finally extracts SMS message data and routing metadata. <span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages?. Retrieved May 11, 2020."data-reference="FireEye MESSAGETAP October 2019"><sup><a href="https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0590"> S0590 </a> </td> <td> <a href="/software/S0590"> NBTscan </a> </td> <td> <p><a href="/software/S0590">NBTscan</a> can dump and print whole packet content.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Bezroutchko, A. (2019, November 19). NBTscan man page. Retrieved March 17, 2021."data-reference="Debian nbtscan Nov 2019"><sup><a href="https://manpages.debian.org/testing/nbtscan/nbtscan.1.en.html" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span><span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="SecTools. (2003, June 11). NBTscan. Retrieved March 17, 2021."data-reference="SecTools nbtscan June 2003"><sup><a href="https://sectools.org/tool/nbtscan/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0587"> S0587 </a> </td> <td> <a href="/software/S0587"> Penquin </a> </td> <td> <p><a href="/software/S0587">Penquin</a> can sniff network traffic to look for packets matching specific conditions.<span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA "Penquin_x64". Retrieved March 11, 2021."data-reference="Leonardo Turla Penquin May 2020"><sup><a href="https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span><span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Baumgartner, K. and Raiu, C. (2014, December 8). The ‘Penquin’ Turla. Retrieved March 11, 2021."data-reference="Kaspersky Turla Penquin December 2014"><sup><a href="https://securelist.com/the-penquin-turla-2/67962/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0378"> S0378 </a> </td> <td> <a href="/software/S0378"> PoshC2 </a> </td> <td> <p><a href="/software/S0378">PoshC2</a> contains a module for taking packet captures on compromised hosts.<span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019."data-reference="GitHub PoshC2"><sup><a href="https://github.com/nettitude/PoshC2_Python" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0019"> S0019 </a> </td> <td> <a href="/software/S0019"> Regin </a> </td> <td> <p><a href="/software/S0019">Regin</a> appears to have functionality to sniff for credentials passed over HTTP, SMTP, and SMB.<span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014."data-reference="Kaspersky Regin"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0174"> S0174 </a> </td> <td> <a href="/software/S0174"> Responder </a> </td> <td> <p><a href="/software/S0174">Responder</a> captures hashes and credentials that are sent to the system after the name services have been poisoned.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Gaffie, L. (2016, August 25). Responder. Retrieved November 17, 2017."data-reference="GitHub Responder"><sup><a href="https://github.com/SpiderLabs/Responder" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0034"> G0034 </a> </td> <td> <a href="/groups/G0034"> Sandworm Team </a> </td> <td> <p><a href="/groups/G0034">Sandworm Team</a> has used intercepter-NG to sniff passwords in network traffic.<span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" title="Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."data-reference="ESET Telebots Dec 2016"><sup><a href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S1154"> S1154 </a> </td> <td> <a href="/software/S1154"> VersaMem </a> </td> <td> <p><a href="/software/S1154">VersaMem</a> hooked the Catalina application filter chain <code>doFilter</code> on compromised systems to monitor all inbound requests to the local Tomcat web server, inspecting them for parameters like passwords and follow-on Java modules.<span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" title="Black Lotus Labs. (2024, August 27). Taking The Crossroads: The Versa Director Zero-Day Exploitaiton. Retrieved August 27, 2024."data-reference="Lumen Versa 2024"><sup><a href="https://blog.lumen.com/taking-the-crossroads-the-versa-director-zero-day-exploitation/" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id ="mitigations">Mitigations</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Mitigation</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/mitigations/M1041"> M1041 </a> </td> <td> <a href="/mitigations/M1041"> Encrypt Sensitive Information </a> </td> <td> <p>Ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS.</p> </td> </tr> <tr> <td> <a href="/mitigations/M1032"> M1032 </a> </td> <td> <a href="/mitigations/M1032"> Multi-factor Authentication </a> </td> <td> <p>Use multi-factor authentication wherever possible.</p> </td> </tr> <tr> <td> <a href="/mitigations/M1030"> M1030 </a> </td> <td> <a href="/mitigations/M1030"> Network Segmentation </a> </td> <td> <p>Deny direct access of broadcasts and multicast sniffing, and prevent attacks such as <a href="/techniques/T1557/001">LLMNR/NBT-NS Poisoning and SMB Relay</a></p> </td> </tr> <tr> <td> <a href="/mitigations/M1018"> M1018 </a> </td> <td> <a href="/mitigations/M1018"> User Account Management </a> </td> <td> <p>In cloud environments, ensure that users are not granted permissions to create or modify traffic mirrors unless this is explicitly required.</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="detection">Detection</h2> <div class="tables-mobile"> <table class="table datasources-table table-bordered"> <thead> <tr> <th class="p-2" scope="col">ID</th> <th class="p-2 nowrap" scope="col">Data Source</th> <th class="p-2 nowrap" scope="col">Data Component</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="datasource" id="uses-DS0017"> <td> <a href="/datasources/DS0017">DS0017</a> </td> <td class="nowrap"> <a href="/datasources/DS0017">Command</a> </td>  <td> <a href="/datasources/DS0017/#Command%20Execution">Command Execution</a> </td> <td> <p>Monitor executed commands and arguments for actions that aid in sniffing network traffic to capture information about an environment, including authentication material passed over the network.</p><p>Analytic 1 - Unexpected command execution of network sniffing tools.</p><p><code> index=security (sourcetype="Powershell" EventCode=4104) | eval CommandLine=coalesce(Command_Line, CommandLine)| where ExecutingProcess IN ("<em>tshark.exe", "</em>windump.exe", "<em>tcpdump.exe", "</em>wprui.exe", "*wpr.exe")</code></p> </td> </tr> <tr class="datasource" id="uses-DS0009"> <td> <a href="/datasources/DS0009">DS0009</a> </td> <td class="nowrap"> <a href="/datasources/DS0009">Process</a> </td>  <td> <a href="/datasources/DS0009/#Process%20Creation">Process Creation</a> </td> <td> <p>Monitor for newly executed processes that can aid in sniffing network traffic to capture information about an environment, including authentication material passed over the network </p><p>Note: The Analytic is for Windows systems and looks for new processes that have the names of the most common network sniffing tools. While this may be noisy on networks where sysadmins are using any of these tools on a regular basis, in most networks their use is noteworthy.</p><p>Analytic 1 - Unexpected execution of network sniffing tools.</p><p><code>index=security sourcetype="WinEventLog:Security" EventCode=4688 OR index=security sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 Image IN ("<em>tshark.exe", "</em>windump.exe", "*tcpdump.exe", "wprui.exe", "wpr.exe") AND ParentImage!="C:\Program Files\Windows Event Reporting\Core\EventReporting.AgentService.exe"</code></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-how-it-works.html" target="_blank"> Amazon Web Services. (n.d.). How Traffic Mirroring works. Retrieved March 17, 2022. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://cloud.google.com/vpc/docs/packet-mirroring" target="_blank"> Google Cloud. (n.d.). Packet Mirroring overview. Retrieved March 17, 2022. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview" target="_blank"> Microsoft. (2022, February 9). Virtual network TAP. Retrieved March 17, 2022. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/" target="_blank"> Spencer Gietzen. (2019, September 17). Abusing VPC Traffic Mirroring in AWS. Retrieved March 17, 2022. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://posts.specterops.io/through-the-looking-glass-part-1-f539ae308512" target="_blank"> Luke Paine. (2020, March 11). Through the Looking Glass — Part 1. Retrieved March 17, 2022. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://www.us-cert.gov/ncas/alerts/TA18-106A" target="_blank"> US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html" target="_blank"> Cisco. (2022, August 17). Configure and Capture Embedded Packet on Software. Retrieved July 13, 2022. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://www.zdnet.com/article/how-hackers-attacked-ukraines-power-grid-implications-for-industrial-iot-security/" target="_blank"> Charles McLellan. (2016, March 4). How hackers attacked Ukraine's power grid: Implications for Industrial IoT security. Retrieved September 27, 2023. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank"> FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html" target="_blank"> Smith, L. and Read, B.. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved August 17, 2017. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank"> Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank"> Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://securelist.com/darkvishnya/89169/" target="_blank"> Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/" target="_blank"> Salvio, J.. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://github.com/PowerShellEmpire/Empire" target="_blank"> Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="16.0"> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/" target="_blank"> Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://www.secureauth.com/labs/open-source-tools/impacket" target="_blank"> SecureAuth. (n.d.). Retrieved January 15, 2019. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://us-cert.cisa.gov/ncas/alerts/aa20-301a" target="_blank"> CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/" target="_blank"> ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html" target="_blank"> Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages?. Retrieved May 11, 2020. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://manpages.debian.org/testing/nbtscan/nbtscan.1.en.html" target="_blank"> Bezroutchko, A. (2019, November 19). NBTscan man page. Retrieved March 17, 2021. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://sectools.org/tool/nbtscan/" target="_blank"> SecTools. (2003, June 11). NBTscan. Retrieved March 17, 2021. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf" target="_blank"> Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://securelist.com/the-penquin-turla-2/67962/" target="_blank"> Baumgartner, K. and Raiu, C. (2014, December 8). The ‘Penquin’ Turla. Retrieved March 11, 2021. </a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://github.com/nettitude/PoshC2_Python" target="_blank"> Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf" target="_blank"> Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014. </a> </span> </span> </li> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://github.com/SpiderLabs/Responder" target="_blank"> Gaffie, L. (2016, August 25). Responder. Retrieved November 17, 2017. </a> </span> </span> </li> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank"> Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020. </a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="https://blog.lumen.com/taking-the-crossroads-the-versa-director-zero-day-exploitation/" target="_blank"> Black Lotus Labs. (2024, August 27). Taking The Crossroads: The Versa Director Zero-Day Exploitaiton. Retrieved August 27, 2024. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div>   <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner">  <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">×</div> </div> </div>  <div id="search-body" class="search-body"> <div class="results" id="search-results">  </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1">  <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/privacy" class="footer-link">Privacy Policy</a></u> </div> <div class="px-3"> <u class="footer-link"><a href="/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&CK content v16.1Website v4.2.1">Website Changelog</a></u> </div> </div> <div class="row"> <small class="px-3"> © 2015 - 2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </small> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col pr-4"> <div class="footer-float-right-responsive-brand"> <div class="row row-footer row-footer-icon"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-footer"> <i class="fa-brands fa-x-twitter fa-lg"></i> </a> <a href="https://github.com/mitre-attack" class="btn btn-footer"> <i class="fa-brands fa-github fa-lg"></i> </a> </div> </div> </div> </div> </div> </div> </div> </footer> </div> </div>  </div>  <script src="/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/theme/scripts/popper.min.js"></script> <script src="/theme/scripts/bootstrap-select.min.js"></script> <script src="/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/theme/scripts/site.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/search_bundle.js"></script>  <script src="/theme/scripts/resizer.js"></script>  <script src="/theme/scripts/bootstrap-tourist.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/tour/tour-techniques.js"></script> <script src="/theme/scripts/sidebar-load-all.js"></script> </body> </html>

CINXE.COM

Network Sniffing, Technique T1040 - Enterprise | MITRE ATT&CK®