# T1040 Network Sniffing

-----------------------------------------------------------------------

## Technique Description

Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.

Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.

In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring) (Citation: GCP Packet Mirroring) (Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring) (Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic. (Citation: Rhino Security Labs AWS VPC Traffic Mirroring)

## Technique Detection

Detecting the events leading up to sniffing network traffic may be the best method of detection. From the host level, an adversary would likely need to perform an [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) attack against other devices on a wired network in order to capture traffic that was not to or from the currently compromised system. This change in the flow of information is detectable at the enclave network level. Monitor for ARP spoofing and gratuitous ARP broadcasts. Detecting compromised network devices is more challenging: auditing administrator logins, configuration changes, and device images is required to detect malicious changes.

In cloud-based environments, monitor for the creation of new traffic mirrors or modification of existing traffic mirrors.

-----------------------------------------------------------------------

### Tactics:

  * Credential-Access

  * Discovery

### Platforms:

  * Linux

  * macOS

  * Windows

  * Network

  * IaaS

### System Requirements:

  * Network interface access and packet capture driver

### Data Sources:

  * **Command:** Command Execution

  * **Process:** Process Creation

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| DarkVishnya | [DarkVishnya](https://attack.mitre.org/groups/G0105) used network sniffing to obtain login data. (Citation: Securelist DarkVishnya Dec 2018)| 
| Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used the Nirsoft SniffPass network sniffer to obtain passwords sent over non-secure protocols.(Citation: CISA AA20-301A Kimsuky)(Citation: Netscout Stolen Pencil Dec 2018)| 
| Stolen Pencil | [Stolen Pencil](https://attack.mitre.org/groups/G0086) has a tool to sniff the network for passwords. (Citation: Netscout Stolen Pencil Dec 2018)| 
| APT33 | [APT33](https://attack.mitre.org/groups/G0064) has used SniffPass to collect credentials by sniffing network traffic.(Citation: Symantec Elfin Mar 2019)| 
| Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has used Intercepter-NG to sniff passwords in network traffic.(Citation: ESET Telebots Dec 2016)| 
| APT28 | [APT28](https://attack.mitre.org/groups/G0007) deployed the open source tool Responder to conduct NetBIOS Name Service poisoning, which captured usernames and hashed passwords that allowed access to legitimate credentials.(Citation: FireEye APT28)(Citation: FireEye APT28 Hospitality Aug 2017) [APT28](https://attack.mitre.org/groups/G0007) close-access teams have used Wi-Fi pineapples to intercept Wi-Fi signals and user credentials.(Citation: US District Court Indictment GRU Oct 2018)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1040)

  * [Aws Traffic Mirroring](https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-how-it-works.html), Amazon Web Services. (n.d.). How Traffic Mirroring works. Retrieved March 17, 2022.

  * [Gcp Packet Mirroring](https://cloud.google.com/vpc/docs/packet-mirroring), Google Cloud. (n.d.). Packet Mirroring overview. Retrieved March 17, 2022.

  * [Specterops Aws Traffic Mirroring](https://posts.specterops.io/through-the-looking-glass-part-1-f539ae308512), Luke Paine. (2020, March 11). Through the Looking Glass — Part 1. Retrieved March 17, 2022.

  * [Azure Virtual Network Tap](https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview), Microsoft. (2022, February 9). Virtual network TAP. Retrieved March 17, 2022.

  * [Rhino Security Labs Aws Vpc Traffic Mirroring](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/), Spencer Gietzen. (2019, September 17). Abusing VPC Traffic Mirroring in AWS. Retrieved March 17, 2022.

  * [Capec](https://capec.mitre.org/data/definitions/158.html)

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 29 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, SSgt Sengsouriya Kapkeo

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Detecting the events leading up to sniffing network traffic may be the best method of detection. Monitor for traffic on UDP 5355 (LLMNR) and UDP 137 (NBT-NS), whether LLMNR/NetBIOS is disabled or permitted by security policy; where it is disabled, any such traffic is anomalous.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT28 | X | 2 |

#### APT28
- APT28 has used the open source tool Responder (LLMNR and NBT-NS poisoning) and Wi-Fi Pineapples to capture usernames and hashed passwords.

- APT28 has been known to use NetBIOS Name Service poisoning with open source tools such as Responder, which poisons name services to gather hashes and credentials from systems within a local network. APT28 uses this technique to listen for NBT-NS (UDP/137) broadcasts from victim computers attempting to connect to network resources. Responder masquerades as the sought-out resource and causes the victim computer to send the username and hashed password to the attacker-controlled machine. APT28 would likely need to perform attacks against other devices on a wired network in order to capture traffic that was not to or from the currently compromised system. Offline hash cracking may be conducted after the adversary has acquired usernames and password hashes from sniffing network traffic, with the adversary returning hours later to access a system with those credentials. Devices that control the flow of traffic may be of significant interest, as modifying routing tables or enabling port mirroring would allow for greater visibility of network traffic.

## Detection Blindspots

- Sensor placement may not allow for detection of this TTP if the sensor does not see the required traffic (e.g. broadcast and multicast name resolution that stays within one segment).

- Encrypted traffic may not allow for analysis of the traffic payload. Close attention should be paid to analyzing the connection metadata instead (endpoints, ports, timing, and which host answers a name query).

## Analytical References

  * [FireEye - APT28: A Window Into Russia's Cyber Espionage Operations?](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf)
  * [FireEye - APT28 Targets Hospitality Sector, Presents Threat to Travelers](https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html)
  * [LLMNR and NBT-NS Poisoning](https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning/)
  * [Atomic Red Team T1040 (github)](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md)
  * [Responder - spiderlabs (github)](https://github.com/SpiderLabs/Responder)
  * [Responder - lgandx (github)](https://github.com/lgandx/Responder)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Detecting the events leading up to sniffing network traffic may be the best method of detection. From the host level, an adversary would likely need to perform a man-in-the-middle attack against other devices on a wired network to capture traffic that was not to or from the currently compromised system.
- While APT28's deployment of Responder should cause an operator to look for this program, note the characteristics of Responder and look for similar behavior (see the command options on its GitHub page), as Responder can easily be renamed.
    - Responder listens on several ports: UDP 137, UDP 138, UDP 53, UDP/TCP 389, TCP 1433, TCP 80, TCP 139, TCP 445, TCP 21, TCP 3141, TCP 25, TCP 110, TCP 587 and multicast UDP 5553.
    - Responder is not meant to work on Windows.
    - On the host running it, `/etc/NetworkManager/NetworkManager.conf` should have the `dns=dnsmasq` line commented out.

#### Analytic 1

  * **Information:** LLMNR and NBT-NS

  * **Source:** Windows Audits

  * **Tool:** Kibana

  * **Notes:** Identify NetBIOS Name Service and LLMNR traffic. Answers should come from an identified host that legitimately provides the requested service (e.g. a printer); an answer from any other host is the poisoning indicator.

  * **Query:** `destination.port: (137 or 5355)`

#### Analytic 2

  * **Information:** Identify network connection events to any DestinationIP other than server addresses over ports 135 and 445

  * **Source:** Sysmon

  * **Tool:** Kibana

  * **Notes:** 

  * **Query:** `winlog.event_id: 3 AND destination.port: (135 or 445) AND NOT destination.ip: <server IP>`
  
#### Analytic 3

  * **Information:** Depending on device environment, running these processes should almost never happen.

  * **Source:** Sysmon

  * **Tool:** Kibana

  * **Notes:** 

  * **Query:** `event_id : (1 or 4688) and process.name : (tshark.exe or wireshark.exe or windump.exe or winpdump.exe)`
  
#### Analytic 4

  * **Information:** Running 'netsh trace' is an extremely loud sequence of events. Look for file creations and a plethora of inferred commands run from netsh (mostly queries).

  * **Source:** Sysmon

  * **Tool:** Kibana

  * **Notes:** 

  * **Query:** `process.name : netsh.exe AND process.command_line : *trace*`


-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Due to the phase in which it occurs, this technique will be difficult to detect if the MCA has already advanced to a later phase.

- Analyze traffic for a significant number of Kerberos authentications to multiple hosts with a single username.

- Host tools will assist with hunting for this TTP. Teamwork makes the dream work :)

#### Analytic 1

  * **Information:** Identify any Kerberos authentication attempts

  * **Source:** PCAP, sessions*

  * **Tool:** Arkime, Kibana

  * **Notes:** Coordination with Host will be needed to verify whether logons are a success or failure

  * **Arkime Query:** `protocols == krb5 && (krb5.realm == EXISTS! || krb5.cname == EXISTS! || krb5.sname == EXISTS!)`

  * **Kibana Query:** `protocol: "krb5" AND (krb5.cname: * OR krb5.sname: *)`
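The hunter note above asks for a single username authenticating to many hosts; the Arkime/Kibana queries pull the krb5 sessions but do not compute the fan-out. This is an added example (not part of the playbook) that does so over constructed session records; the field names `cname`, `sname` and `dst` and the realm/hostnames are assumptions, not Arkime's exact schema.

```python
"""Kerberos fan-out check: one client principal reaching many hosts.
Added example; records and field names below are constructed assumptions."""
from collections import defaultdict

def kerberos_fanout(krb_sessions, min_hosts=5):
    """Group krb5 sessions by client principal (cname) and return those that
    reached at least min_hosts distinct destination hosts, together with the
    service principals (sname) they requested. Sessions without a cname are
    skipped because they cannot be attributed to a user."""
    hosts = defaultdict(set)
    services = defaultdict(set)
    for s in krb_sessions:
        cname = s.get("cname")
        if not cname:
            continue
        hosts[cname].add(s["dst"])
        if s.get("sname"):
            services[cname].add(s["sname"])
    return {c: {"hosts": sorted(h), "services": sorted(services[c])}
            for c, h in hosts.items() if len(h) >= min_hosts}

# Constructed sample: one account touching six hosts, one touching two,
# and one unattributed record (realm and hostnames are invented).
SAMPLE = (
    [{"cname": "jdoe@CORP.EXAMPLE", "sname": f"cifs/ws{i}.corp.example",
      "dst": f"10.0.0.{i}"} for i in range(30, 36)]
    + [{"cname": "asmith@CORP.EXAMPLE", "sname": "cifs/fs1.corp.example",
        "dst": "10.0.0.6"},
       {"cname": "asmith@CORP.EXAMPLE", "sname": "ldap/dc1.corp.example",
        "dst": "10.0.0.5"},
       {"cname": "", "sname": "krbtgt/CORP.EXAMPLE", "dst": "10.0.0.5"}]
)

if __name__ == "__main__":
    for cname, info in kerberos_fanout(SAMPLE).items():
        print(cname, "->", len(info["hosts"]), "hosts:", info["hosts"])
```

Tune `min_hosts` to the environment; admin and scanner accounts will legitimately exceed a low threshold and belong on an allowlist rather than in the alert.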

#### Analytic 2

  * **Information:** Identify NetBIOS Name Service poisoning TTP

  * **Source:** e.g. Windows Audits, Sysmon

  * **Tool:** Arkime, Kibana, Autopsy

  * **Notes:** APT28 has used this TTP to capture usernames and hashed passwords

  * **Query:** `port.dst == [137, 5355]`

#### Analytic 3 (APT 28)

  * **Information:** Identify possible malicious use of Responder by detecting CLIENT to CLIENT connections over TCP 445 (SMB) or UDP 137 (NetBIOS)

  * **Source:** PCAP

  * **Tool:** Arkime, Kibana

  * **Notes:** 
  
  * **Query Arkime:** `(protocols == smb || port.dst == 137) && ip != <internal server IP>`

  * **Query Kibana:** `dstPort: (137 OR 445) AND NOT (dstIp: <internal server IP> OR srcIp: <internal server IP>)`
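Host Analytic 1 (answers to name queries should come from the identified server) and Network Analytic 3 (client-to-client SMB/NetBIOS with server IPs excluded) are the two pieces of the poisoning hunt; this added example, which is not part of the playbook, applies both to constructed session records. The `Session` fields, the `KNOWN_SERVERS` set and the `10.0.0.0/24` enclave range are assumptions standing in for the real asset inventory.

```python
"""Name-resolution poisoning indicators (Host Analytic 1 and Network Analytic 3).
Added example; session records, server list and subnet are constructed."""
import ipaddress
from dataclasses import dataclass

# Hosts legitimately expected to answer name queries and serve SMB
# (constructed values; populate from the asset inventory in practice).
KNOWN_SERVERS = {"10.0.0.5", "10.0.0.6"}
LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")  # constructed enclave range

@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    dport: int
    proto: str           # constructed tags: "llmnr", "nbns", "smb"
    responder: str = ""  # host that answered a name query, if any

def is_broadcast_or_multicast(ip, net=LOCAL_NET):
    addr = ipaddress.ip_address(ip)
    return addr.is_multicast or addr == net.broadcast_address

def suspicious_name_responders(sessions, known=KNOWN_SERVERS):
    """LLMNR (UDP 5355) / NBT-NS (UDP 137) answers from a host that is not a
    known server: the core indicator of Responder-style poisoning."""
    return sorted({s.responder for s in sessions
                   if s.proto in ("llmnr", "nbns") and s.responder
                   and s.responder not in known})

def client_to_client(sessions, known=KNOWN_SERVERS):
    """Unicast SMB (445) or NetBIOS (137) sessions where neither endpoint is a
    known server. Broadcast/multicast name queries are excluded so that normal
    NBT-NS lookups do not flood the result."""
    return [(s.src, s.dst, s.dport) for s in sessions
            if s.dport in (137, 445)
            and not is_broadcast_or_multicast(s.dst)
            and s.src not in known and s.dst not in known]

# Constructed sample: a normal lookup, a poisoned lookup, the victim's follow-on
# SMB session to the poisoner, and a normal SMB session to a file server.
SAMPLE = [
    Session("10.0.0.21", "224.0.0.252", 5355, "llmnr", responder="10.0.0.5"),
    Session("10.0.0.22", "10.0.0.255", 137, "nbns", responder="10.0.0.77"),
    Session("10.0.0.22", "10.0.0.77", 445, "smb"),
    Session("10.0.0.23", "10.0.0.6", 445, "smb"),
]

if __name__ == "__main__":
    print("unexpected name responders:", suspicious_name_responders(SAMPLE))
    print("client-to-client 137/445:", client_to_client(SAMPLE))
```

The same host appearing in both result sets (here `10.0.0.77`) is the pattern described for APT28 above: it answered a name query it had no business answering, and a client then pushed an authentication to it.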
  
#### Analytic 4 (APT 28)

  * **Information:** Identify Possible use of Responder by identifying LLMNR

  * **Source:** PCAP

  * **Tool:** Arkime, Kibana

  * **Notes:** 

  * **Query Arkime:** `protocols == llmnr || port == 5355`
  
  * **Query Kibana:** `protocol: llmnr OR srcPort: 5355 OR dstPort: 5355`
  
#### Analytic 5 (APT 28)

  * **Information:** After identifying systems of interest, you can enumerate the SMB shares

  * **Source:** PCAP

  * **Tool:** Arkime, Kibana

  * **Notes:** 

  * **Query Arkime:** `ip == <IP of interest> && protocols == smb && smb.share == "*/IPC$"`
  
  * **Query Kibana:** `protocol: smb AND (srcIp: <IP of interest> OR dstIp: <IP of interest>)`