Detect Network Sniffing in IBM QRadar
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. Data captured via this technique may include user credentials, especially those sent over insecure, unencrypted protocols such as FTP, HTTP Basic Auth, Telnet, POP3, IMAP, and LDAP. Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics necessary for subsequent Lateral Movement and Defense Evasion activities. In cloud-based environments, adversaries may use traffic mirroring services (AWS Traffic Mirroring, GCP Packet Mirroring, Azure vTap) to sniff network traffic from virtual machines. On network devices, adversaries may perform network captures using Network Device CLI commands such as 'monitor capture'. Threat actors including Sandworm Team, Kimsuky, APT33, and Salt Typhoon have used this technique with tools such as Intercepter-NG, SniffPass, Impacket, and custom sniffers.
MITRE ATT&CK
- Tactic: Credential Access, Discovery
- Technique: T1040 Network Sniffing
- Canonical reference: https://attack.mitre.org/techniques/T1040/
QRadar Detection Query
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "Hostname" AS host,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS event_category,
  "Process Name" AS acting_process,
  "Command" AS command_line,
  "Image Loaded" AS loaded_library,
  CASE
    WHEN "Process Name" IMATCHES '.*(python|perl|ruby|pwsh|powershell).*'
      AND "Command" IMATCHES '.*(af_packet|sock_raw|eth_p_all|pcap_open|pcap_loop|libpcap|scapy|impacket).*'
    THEN 'RawSocketViaScriptingLanguage'
    WHEN "Process Name" IMATCHES '.*(tcpdump|tshark|wireshark|windump|dumpcap|rawshark|networkminer|intercepter|sniffpass|pcapdump|ssldump).*'
      OR "Command" IMATCHES '.*(tcpdump|tshark|wireshark|windump|dumpcap|networkminer|intercepter|sniffpass|scapy|pcap_open|pcap_loop|sock_raw|af_packet|impacket).*'
    THEN 'KnownSniffingTool'
    WHEN "Image Loaded" IMATCHES '.*(wpcap[.]dll|npcap[.]dll|packet[.]dll|npf[.]sys|npcap[.]sys|winpcap[.]sys).*'
      AND NOT ("Process Name" IMATCHES '.*(wireshark|tshark|dumpcap|rawshark|capinfos|editcap|mergecap).*')
    THEN 'PacketCaptureDriverLoad'
    ELSE 'Unknown'
  END AS detection_type,
  CASE WHEN "Command" IMATCHES '.* -w .*' THEN 1 ELSE 0 END AS capture_to_file,
  CASE WHEN "Command" IMATCHES '.*(port 21|port 23|port 80|port 110|port 143|port 389|ftp|telnet|ldap|smtp).*' THEN 1 ELSE 0 END AS targeting_cleartext
FROM events
WHERE
  (
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Sysmon')
    OR LOGSOURCETYPENAME(devicetype) LIKE '%Sysmon%'
    OR LOGSOURCETYPENAME(devicetype) LIKE '%Linux%'
  )
  AND (
    "Process Name" IMATCHES '.*(tcpdump|tshark|wireshark|windump|dumpcap|rawshark|networkminer|intercepter|sniffpass|pcapdump|ssldump).*'
    OR "Command" IMATCHES '.*(tcpdump|tshark|wireshark|pcap_open|pcap_loop|sock_raw|af_packet|scapy|impacket|libpcap).*'
    OR (
      "Image Loaded" IMATCHES '.*(wpcap[.]dll|npcap[.]dll|packet[.]dll|npf[.]sys|npcap[.]sys|winpcap[.]sys).*'
      AND NOT ("Process Name" IMATCHES '.*(wireshark|tshark|dumpcap|rawshark|capinfos|editcap|mergecap).*')
    )
    OR (
      "Process Name" IMATCHES '.*(python|perl|ruby|pwsh|powershell).*'
      AND "Command" IMATCHES '.*(af_packet|sock_raw|eth_p_all|pcap_open|pcap_loop|libpcap|scapy|impacket).*'
    )
  )
ORDER BY starttime DESC
LIMIT 500
LAST 1 DAYS

AQL query for IBM QRadar that detects network sniffing tool execution, WinPcap/Npcap driver loading by non-standard processes, and scripting-language-based raw socket or libpcap usage. It correlates events from Windows Sysmon, Windows Security and Linux log sources, and adds two enrichment fields: capture_to_file flags a -w output switch on the command line, and targeting_cleartext flags filters or keywords aimed at FTP, Telnet, HTTP, POP3, IMAP, LDAP or SMTP. Pattern matching uses IMATCHES (case-insensitive regular expressions compared against the whole field value, hence the leading and trailing .*), and the time window is set with the trailing LAST 1 DAYS clause. The detection_type CASE evaluates its most specific branch first (an interpreter process plus a capture API on the command line), so a scapy or Impacket one-liner is labelled RawSocketViaScriptingLanguage instead of being absorbed by the tool-name branch. The WHERE clause is the union of the branch conditions plus bare libpcap references, so a row can pass the filter without matching any branch and carry detection_type 'Unknown'; those rows still merit a look.
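The branch and enrichment logic of the query, as an added Python example that is not part of this page's detection package or of QRadar: it applies the same regex branches in the same order (most specific first) and the same two enrichment flags to constructed events shaped like the columns the query selects. The first four events mirror the four Atomic Red Team tests listed under Testing Methodology, the fifth is benign noise that must not fire, and the sixth shows the 'Unknown' bucket. All host names, paths and command lines are constructed assumptions, not real telemetry.

```python
import re

# Constructed sample events, keyed like the QRadar custom properties the query reads.
SAMPLE_EVENTS = [
    {"host": "lnx-web-01", "Process Name": "/usr/sbin/tcpdump",
     "Command": "tcpdump -i any -w /tmp/t1040_capture_test.pcap -G 30 -W 1",
     "Image Loaded": ""},
    {"host": "win-fs-02", "Process Name": r"C:\Program Files\Wireshark\tshark.exe",
     "Command": r'tshark.exe -f "port 21 or port 23 or port 80 or port 389" -w C:\Temp\t1040_cred_capture.pcapng',
     "Image Loaded": r"C:\Windows\System32\Npcap\wpcap.dll"},
    {"host": "lnx-build-03", "Process Name": "/usr/bin/python3",
     "Command": "python3 -c \"from scapy.all import sniff; sniff(iface='eth0', count=100)\"",
     "Image Loaded": ""},
    {"host": "win-ws-07", "Process Name": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "Command": "update.exe /silent",
     "Image Loaded": r"C:\Windows\System32\Packet.dll"},
    {"host": "win-ws-08", "Process Name": r"C:\Windows\explorer.exe",
     "Command": "explorer.exe", "Image Loaded": ""},
    {"host": "lnx-app-09", "Process Name": "/opt/tools/custom_sniffer",
     "Command": "custom_sniffer --libpcap eth0", "Image Loaded": ""},
]

# The same alternations the AQL CASE uses; re.I stands in for IMATCHES.
SCRIPT_HOST = re.compile(r"python|perl|ruby|pwsh|powershell", re.I)
RAW_SOCKET_API = re.compile(r"af_packet|sock_raw|eth_p_all|pcap_open|pcap_loop|libpcap|scapy|impacket", re.I)
KNOWN_TOOL_PROC = re.compile(r"tcpdump|tshark|wireshark|windump|dumpcap|rawshark|networkminer|intercepter|sniffpass|pcapdump|ssldump", re.I)
KNOWN_TOOL_CMD = re.compile(r"tcpdump|tshark|wireshark|windump|dumpcap|networkminer|intercepter|sniffpass|scapy|pcap_open|pcap_loop|sock_raw|af_packet|impacket", re.I)
CAPTURE_LIB = re.compile(r"wpcap[.]dll|npcap[.]dll|packet[.]dll|npf[.]sys|npcap[.]sys|winpcap[.]sys", re.I)
WIRESHARK_SUITE = re.compile(r"wireshark|tshark|dumpcap|rawshark|capinfos|editcap|mergecap", re.I)
WRITE_FLAG = re.compile(r"\s-w\s", re.I)
CLEARTEXT = re.compile(r"port 21|port 23|port 80|port 110|port 143|port 389|ftp|telnet|ldap|smtp", re.I)


def classify(event):
    """Return the detection_type label the query's CASE would assign, or None if
    the event would not pass the WHERE clause at all."""
    proc = event.get("Process Name") or ""
    cmd = event.get("Command") or ""
    lib = event.get("Image Loaded") or ""
    # Most specific first: interpreter process plus a capture API on the command line.
    if SCRIPT_HOST.search(proc) and RAW_SOCKET_API.search(cmd):
        return "RawSocketViaScriptingLanguage"
    if KNOWN_TOOL_PROC.search(proc) or KNOWN_TOOL_CMD.search(cmd):
        return "KnownSniffingTool"
    # Capture driver loaded by something that is not the Wireshark suite.
    if CAPTURE_LIB.search(lib) and not WIRESHARK_SUITE.search(proc):
        return "PacketCaptureDriverLoad"
    # Passes the WHERE filter (e.g. a bare libpcap reference) but no branch claims it.
    if RAW_SOCKET_API.search(cmd):
        return "Unknown"
    return None


def enrich(event):
    """The two enrichment columns: output written to a file, and cleartext protocol focus."""
    cmd = event.get("Command") or ""
    return {"capture_to_file": int(bool(WRITE_FLAG.search(cmd))),
            "targeting_cleartext": int(bool(CLEARTEXT.search(cmd)))}


def run_detection(events):
    """Emit one row per event that the query would return, in input order."""
    hits = []
    for event in events:
        detection_type = classify(event)
        if detection_type is None:
            continue
        row = {"host": event.get("host"), "acting_process": event.get("Process Name"),
               "detection_type": detection_type}
        row.update(enrich(event))
        hits.append(row)
    return hits


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row)
```

Running it yields five rows: the tcpdump and tshark tests as KnownSniffingTool (both with capture_to_file set, only tshark with targeting_cleartext), the scapy one-liner as RawSocketViaScriptingLanguage, the unsigned updater that loaded Packet.dll as PacketCaptureDriverLoad, and the custom libpcap binary as Unknown; explorer.exe produces nothing. If the branch order were reversed, the scapy row would be mislabelled KnownSniffingTool, which is the shadowing problem the query's ordering avoids.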
False Positives & Tuning
- Authorized network diagnostics by IT or NOC teams using standard tools like Wireshark or tcpdump during scheduled maintenance windows
- Security monitoring tools and EDR agents that internally load packet capture libraries (npcap.dll, wpcap.dll) as part of traffic inspection features
- Red team or penetration testing activity using Impacket or Scapy against pre-authorized targets, which may be indistinguishable from malicious use without context
Testing Methodology
Validate this detection against 4 Atomic Red Team tests for T1040. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: tcpdump Passive Capture on All Interfaces (Linux/macOS)
Expected signal: Linux auditd: execve syscall record for /usr/sbin/tcpdump with argv '-i any -w /tmp/t1040_capture_test.pcap -G 30 -W 1'. Kernel syslog/dmesg: '<interface>: entered promiscuous mode'. File creation event for /tmp/t1040_capture_test.pcap. Sysmon for Linux (if deployed) Event ID 1: Process Create with Image=/usr/sbin/tcpdump and CommandLine containing '-i any' and '-w'. File creation event (Sysmon Event ID 11) for the .pcap output.
- Test 2: tshark Targeted Credential Protocol Capture (Windows)
Expected signal: Sysmon Event ID 1: Process Create with Image=tshark.exe, CommandLine containing '-f "port 21 or port 23 or port 80 or port 389"', '-w', and output file path. Sysmon Event ID 7: wpcap.dll and npcap.dll loaded by tshark.exe (if not previously loaded). Sysmon Event ID 11: File Create for %TEMP%\t1040_cred_capture.pcapng. Windows System Event ID 7045 (if Npcap driver not previously installed and service is being created for first time).
- Test 3: Python Scapy Raw Socket Packet Sniffing (Linux)
Expected signal: Linux auditd: execve syscall for python3 with inline script containing 'scapy', 'sniff', 'SOCK_RAW', 'AF_PACKET'. Auditd socket syscall records for raw socket creation (socket(AF_PACKET, SOCK_RAW, ETH_P_ALL)). Sysmon for Linux Event ID 1 (if deployed): Process Create with Image=python3 and CommandLine matching 'scapy.*sniff'. No file creation event since data is held in memory only.
- Test 4: WinDump Windows Packet Capture with Output File
Expected signal: Sysmon Event ID 1: Process Create with Image=windump.exe, CommandLine '-i 1 -c 50 -w %TEMP%\t1040_windump_test.pcap'. Sysmon Event ID 7: wpcap.dll and Packet.dll loaded by windump.exe process. Sysmon Event ID 11: File Create for the .pcap output file. Windows System Event ID 7045 for NPF driver service installation if WinPcap was not previously installed (service name 'NPF').
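Tests 1 and 3 both produce the kernel's "entered promiscuous mode" message, which is host telemetry the AQL query above does not use. The following added Python example (not part of this page's detection package) shows how a host-side check can corroborate a QRadar hit: it parses constructed kernel log lines in both message shapes the Linux kernel has used, reads the IFF_PROMISC bit from constructed /sys/class/net/<interface>/flags values, and subtracts an allowlist of interfaces that are expected to be promiscuous, such as an IDS sensor's tap leg (the allowlist, host names and interface names are assumptions).

```python
import re

IFF_PROMISC = 0x100  # Linux interface flag bit; /sys/class/net/<if>/flags is a hex string

# Constructed kernel log lines. Older kernels log "device eth0 entered promiscuous mode",
# newer ones log "eth1: entered promiscuous mode"; both shapes are handled.
KERNEL_LOG = [
    "Mar  3 09:58:12 lnx-web-01 kernel: device eth0 entered promiscuous mode",
    "Mar  3 09:58:40 lnx-web-01 kernel: device eth0 left promiscuous mode",
    "Mar  3 10:02:05 lnx-web-01 kernel: eth1: entered promiscuous mode",
    "Mar  3 10:02:05 lnx-web-01 kernel: span0: entered promiscuous mode",
    "Mar  3 10:03:11 lnx-web-01 kernel: eth1: link becomes ready",
]

# Constructed snapshot of /sys/class/net/<if>/flags contents on the same host.
SYS_FLAGS = {"lo": "0x9", "eth0": "0x1003", "eth1": "0x1103", "span0": "0x1103"}

# Assumed allowlist: interfaces that are supposed to be promiscuous (e.g. an IDS tap leg).
EXPECTED_PROMISC = {"span0"}

PROMISC_MSG = re.compile(
    r"(?:device\s+(?P<old>\S+)|(?P<new>\S+?):)\s+(?P<action>entered|left) promiscuous mode"
)


def is_promiscuous(flags_hex):
    """True if the IFF_PROMISC bit is set in a /sys/class/net/<if>/flags value."""
    return bool(int(flags_hex, 16) & IFF_PROMISC)


def promisc_from_flags(flags_by_iface):
    """Interfaces whose current flags show promiscuous mode."""
    return {name for name, flags in flags_by_iface.items() if is_promiscuous(flags)}


def promisc_from_log(lines):
    """Replay entered/left messages in order and return interfaces still promiscuous."""
    state = set()
    for line in lines:
        m = PROMISC_MSG.search(line)
        if not m:
            continue
        iface = m.group("old") or m.group("new")
        if m.group("action") == "entered":
            state.add(iface)
        else:
            state.discard(iface)
    return state


def interfaces_to_investigate(flags_by_iface, lines, expected):
    """Union of both evidence sources minus the allowlist, sorted for stable reporting."""
    observed = promisc_from_flags(flags_by_iface) | promisc_from_log(lines)
    return sorted(observed - set(expected))


if __name__ == "__main__":
    print("promiscuous per flags:", sorted(promisc_from_flags(SYS_FLAGS)))
    print("promiscuous per kernel log:", sorted(promisc_from_log(KERNEL_LOG)))
    print("investigate:", interfaces_to_investigate(SYS_FLAGS, KERNEL_LOG, EXPECTED_PROMISC))
```

On the constructed data eth0 entered and then left promiscuous mode, so only eth1 and span0 remain; span0 is on the allowlist, leaving eth1 as the interface to investigate. Reading the flags file catches an interface that was put into promiscuous mode before log collection started, while the log replay catches short-lived captures that ended before the snapshot, which is why the two sources are combined rather than relying on either alone.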
References (12)
- https://attack.mitre.org/techniques/T1040/
- https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-how-it-works.html
- https://cloud.google.com/vpc/docs/packet-mirroring
- https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview
- https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/
- https://posts.specterops.io/through-the-looking-glass-part-1-f539ae308512
- https://www.tcpdump.org/manpages/tcpdump.1.html
- https://www.wireshark.org/docs/man-pages/tshark.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
- https://www.us-cert.gov/ncas/alerts/TA18-106A
- https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html
- https://www.mandiant.com/resources/fortinet-malware-ecosystem