Skip to content

T1040 Network Sniffing

Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as LLMNR/NBT-NS Poisoning and SMB Relay, can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.

Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities. Adversaries may likely also utilize network sniffing during Adversary-in-the-Middle (AiTM) to passively gain additional knowledge about the environment.

In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.135 Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.64 The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.6

On network devices, adversaries may perform network captures using Network Device CLI commands such as monitor capture.72

Item Value
ID T1040
Sub-techniques
Tactics TA0006, TA0007
Platforms IaaS, Linux, Network Devices, Windows, macOS
Version 1.7
Created 31 May 2017
Last Modified 24 October 2025

Procedure Examples

ID Name Description
C0028 2015 Ukraine Electric Power Attack During the 2015 Ukraine Electric Power Attack, Sandworm Team used BlackEnergy’s network sniffer module to discover user credentials being sent over the network between the local LAN and the power grid’s industrial control systems. 37
G0007 APT28 APT28 deployed the open source tool Responder to conduct NetBIOS Name Service poisoning, which captured usernames and hashed passwords that allowed access to legitimate credentials.3435 APT28 close-access teams have used Wi-Fi pineapples to intercept Wi-Fi signals and user credentials.33
G0064 APT33 APT33 has used SniffPass to collect credentials by sniffing network traffic.30
C0046 ArcaneDoor ArcaneDoor included network packet capture and sniffing for data collection in victim environments.2238
S1224 CASTLETAP CASTLETAP has the ability to create a raw promiscuous socket to sniff network traffic.16
S1204 cd00r cd00r can use the libpcap library to monitor captured packets for specifc sequences.21
G0105 DarkVishnya DarkVishnya used network sniffing to obtain login data. 32
S0367 Emotet Emotet has been observed to hook network APIs to monitor network traffic. 20
S0363 Empire Empire can be used to conduct packet captures on target hosts.11
S0661 FoggyWeb FoggyWeb can configure custom listeners to passively monitor all incoming HTTP GET and POST requests sent to the AD FS server from the intranet/internet and intercept HTTP requests that match the custom URI patterns defined by the actor.19
S0357 Impacket Impacket can be used to sniff network traffic via an interface or raw socket.8
S1203 J-magic J-magic has a pcap listener function that can create an Extended Berkley Packet Filter (eBPF) on designated interfaces and ports.23
S1206 JumbledPath JumbledPath has the ability to perform packet capture on remote devices via actor-defined jump-hosts.15
G0094 Kimsuky Kimsuky has used the Nirsoft SniffPass network sniffer to obtain passwords sent over non-secure protocols.2728
S1186 Line Dancer Line Dancer can create and exfiltrate packet captures from compromised environments.22
S0443 MESSAGETAP MESSAGETAP uses the libpcap library to listen to all traffic and parses network protocols starting with Ethernet and IP layers. It continues parsing protocol layers including SCTP, SCCP, and TCAP and finally extracts SMS message data and routing metadata. 14
S0590 NBTscan NBTscan can dump and print whole packet content.910
S0587 Penquin Penquin can sniff network traffic to look for packets matching specific conditions.1817
S0378 PoshC2 PoshC2 contains a module for taking packet captures on compromised hosts.13
C0056 RedPenguin During RedPenguin, UNC3886 used a passive backdoor to act as a libpcap-based packet sniffer.36
S0019 Regin Regin appears to have functionality to sniff for credentials passed over HTTP, SMTP, and SMB.25
S0174 Responder Responder captures hashes and credentials that are sent to the system after the name services have been poisoned.12
G1045 Salt Typhoon Salt Typhoon has used a variety of tools and techniques to capture packet data between network interfaces.15
G0034 Sandworm Team Sandworm Team has used intercepter-NG to sniff passwords in network traffic.26
G1048 UNC3886 UNC3886 has used the LOOKOVER sniffer to sniff TACACS+ authentication packets.31
G1047 Velvet Ant Velvet Ant has used a custom tool, “VELVETTAP”, to perform packet capture from compromised F5 BIG-IP devices.29
S1154 VersaMem VersaMem hooked the Catalina application filter chain doFilter on compromised systems to monitor all inbound requests to the local Tomcat web server, inspecting them for parameters like passwords and follow-on Java modules.24

Mitigations

ID Mitigation Description
M1041 Encrypt Sensitive Information Ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS.
M1032 Multi-factor Authentication Use multi-factor authentication wherever possible.
M1030 Network Segmentation Deny direct access of broadcasts and multicast sniffing, and prevent attacks such as LLMNR/NBT-NS Poisoning and SMB Relay
M1018 User Account Management In cloud environments, ensure that users are not granted permissions to create or modify traffic mirrors unless this is explicitly required.

References

  1. Amazon Web Services. (n.d.). How Traffic Mirroring works. Retrieved March 17, 2022. 

  2. Cisco. (2022, August 17). Configure and Capture Embedded Packet on Software. Retrieved July 13, 2022. 

  3. Google Cloud. (n.d.). Packet Mirroring overview. Retrieved March 17, 2022. 

  4. Luke Paine. (2020, March 11). Through the Looking Glass — Part 1. Retrieved March 17, 2022. 

  5. Microsoft. (2022, February 9). Virtual network TAP. Retrieved March 17, 2022. 

  6. Spencer Gietzen. (2019, September 17). Abusing VPC Traffic Mirroring in AWS. Retrieved March 17, 2022. 

  7. US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020. 

  8. SecureAuth. (n.d.). Retrieved January 15, 2019. 

  9. Bezroutchko, A. (2019, November 19). NBTscan man page. Retrieved March 17, 2021. 

  10. SecTools. (2003, June 11). NBTscan. Retrieved March 17, 2021. 

  11. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. 

  12. Gaffie, L. (2016, August 25). Responder. Retrieved November 17, 2017. 

  13. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019. 

  14. Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages?. Retrieved May 11, 2020. 

  15. Cisco Talos. (2025, February 20). Weathering the storm: In the midst of a Typhoon. Retrieved February 24, 2025. 

  16. Marvi, A. et al.. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved March 22, 2023. 

  17. Baumgartner, K. and Raiu, C. (2014, December 8). The ‘Penquin’ Turla. Retrieved March 11, 2021. 

  18. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021. 

  19. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021. 

  20. Salvio, J.. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019. 

  21. Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible backdoor. Retrieved October 13, 2018. 

  22. Cisco Talos. (2024, April 24). ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices. Retrieved January 6, 2025. 

  23. Black Lotus Labs. (2025, January 23). The J-Magic Show: Magic Packets and Where to find them. Retrieved February 17, 2025. 

  24. Black Lotus Labs. (2024, August 27). Taking The Crossroads: The Versa Director Zero-Day Exploitaiton. Retrieved August 27, 2024. 

  25. Kaspersky Lab’s Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014. 

  26. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020. 

  27. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020. 

  28. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019. 

  29. Sygnia Team. (2024, June 3). China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence. Retrieved March 14, 2025. 

  30. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019. 

  31. Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert: Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024. 

  32. Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020. 

  33. Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. 

  34. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. 

  35. Smith, L. and Read, B.. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved November 17, 2024. 

  36. Lamparski, L. et al. (2025, March 11). Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers. Retrieved June 24, 2025. 

  37. Charles McLellan. (2016, March 4). How hackers attacked Ukraine’s power grid: Implications for Industrial IoT security. Retrieved September 27, 2023. 

  38. Canadian Centre for Cyber Security. (2024, April 24). Cyber Activity Impacting CISCO ASA VPNs. Retrieved January 6, 2025.