DET0314 Detection Strategy for Network Sniffing Across Platforms

Item	Value
ID	DET0314
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1040 (Network Sniffing)

Analytics

Windows

AN0875

Detects suspicious execution of network monitoring tools (e.g., Wireshark, tshark, Microsoft Message Analyzer), driver loading indicative of promiscuous mode, or non-admin user privilege escalation to access NICs for capture.

Log Sources

Data Component	Name	Channel
Process Creation (DC0032)	WinEventLog:Security	EventCode=4688
Service Creation (DC0060)	WinEventLog:System	EventCode=7045

Mutable Elements

Field	Description
ToolNames	Adjust list of known sniffing tools based on environment and known administrator usage.
TimeWindow	Tune time of day or frequency of capture sessions to reduce false positives from authorized use.

Linux

AN0876

Correlates interface mode changes to promiscuous with execution of sniffing tools like tcpdump, tshark, or custom pcap libraries. Detects abnormal NIC configurations and unauthorized sniffing from non-root sessions.

Log Sources

Data Component	Name	Channel
Process Creation (DC0032)	auditd:SYSCALL	execve, setifflags
Command Execution (DC0064)	auditd:SYSCALL	promiscuous mode transitions (ioctl or ifconfig)
Network Traffic Content (DC0085)	networkconfig	interface flag PROMISC, netstat

Mutable Elements

Field	Description
InterfaceList	Limit analysis to external interfaces (e.g., eth0, wlan0) and exclude virtual adapters.
PromiscuousSessionThreshold	Raise alerts if interface remains in PROMISC longer than threshold duration.

macOS

AN0877

Detects enabling of interface sniffing via packet capture tools or AppleScript triggering tcpdump. Leverages Unified Logs and process lineage to identify suspicious use of pfctl, tcpdump, or libpcap libraries.

Log Sources

Data Component	Name	Channel
Network Traffic Content (DC0085)	macos:unifiedlog	eventMessage = ‘promiscuous’
Process Creation (DC0032)	macos:osquery	process_events where path like ‘%tcpdump%’
Command Execution (DC0064)	fs:fsusage	access to BPF devices or interface IOCTLs

Mutable Elements

Field	Description
AllowedTools	Whitelist Apple-native tools used by IT admins and mobile device management (MDM).
UserContext	Prioritize detections from non-admin or low-privilege users performing packet captures.

IaaS

AN0878

Detects creation of traffic mirroring sessions (e.g., AWS VPC Traffic Mirroring, Azure vTAP) that redirect traffic from critical assets to other virtual instances, often followed by file creation or session establishment.

Log Sources

Data Component	Name	Channel
Cloud Service Modification (DC0069)	AWS:CloudTrail	CreateTrafficMirrorSession / ModifyTrafficMirrorTarget

Mutable Elements

Field	Description
MirrorSourceList	Identify VMs or containers where mirror sessions are abnormal or unexpected.
TargetIAMRole	Monitor whether mirror target roles match administrative expectations.

Network Devices

AN0879

Detects execution of capture commands via CLI (monitor capture, debug packet, etc.) or unauthorized CLI access followed by logging configuration changes on Cisco/Juniper/Arista gear.

Log Sources

Data Component	Name	Channel
User Account Authentication (DC0002)	networkdevice:syslog	admin login events
Command Execution (DC0064)	networkdevice:syslog	exec command=’monitor capture’
Network Traffic Content (DC0085)	networkdevice:syslog	config change (e.g., logging buffered, pcap buffers)

Mutable Elements

Field	Description
AdminSessionDuration	Tunable alerting threshold for interactive CLI sessions.
CaptureCommandList	Define set of known capture/debug commands per vendor to flag unexpected usage.