T1040 Microsoft Sentinel · KQL

Detect Network Sniffing in Microsoft Sentinel

Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. Data captured via this technique may include user credentials, especially those sent over insecure, unencrypted protocols such as FTP, HTTP Basic Auth, Telnet, POP3, IMAP, and LDAP. Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics necessary for subsequent Lateral Movement and Defense Evasion activities. In cloud-based environments, adversaries may use traffic mirroring services (AWS Traffic Mirroring, GCP Packet Mirroring, Azure vTap) to sniff network traffic from virtual machines. On network devices, adversaries may perform network captures using Network Device CLI commands such as 'monitor capture'. Threat actors including Sandworm Team, Kimsuky, APT33, and Salt Typhoon have used this technique with tools such as Intercepter-NG, SniffPass, Impacket, and custom sniffers.

MITRE ATT&CK

Tactic
Credential Access Discovery
Technique
T1040 Network Sniffing
Canonical reference
https://attack.mitre.org/techniques/T1040/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let SniffingToolNames = dynamic([
  "tcpdump", "tshark", "wireshark", "windump", "dumpcap",
  "rawshark", "networkMiner", "intercepter-ng", "sniffpass",
  "pcapdump", "ntopng", "capinfos", "editcap", "ssldump"
]);
let RawSocketPatterns = dynamic([
  "socket.AF_PACKET", "SOCK_RAW", "ETH_P_ALL",
  "pcap_open", "pcap_loop", "pcap_next", "libpcap",
  "scapy", "impacket"
]);
// Detection 1: Known packet capture tool execution
let SniffingProcesses = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (SniffingToolNames)
   or ProcessCommandLine has_any (SniffingToolNames)
| extend DetectionType = "KnownSniffingTool"
| extend CaptureToFile = ProcessCommandLine has "-w "
| extend PromiscuousMode = ProcessCommandLine has_any ("-i any", "promisc", "--promiscuous")
| extend TargetingCleartext = ProcessCommandLine has_any ("port 21", "port 23", "port 80", "port 110", "port 143", "port 389", "ftp", "telnet", "smtp", "ldap")
| project Timestamp, DeviceName, AccountName, AccountDomain,
         FileName, ProcessCommandLine, FolderPath,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessAccountName, DetectionType,
         CaptureToFile, PromiscuousMode, TargetingCleartext;
// Detection 2: WinPcap / Npcap capture library loading by non-standard parents
let PcapDriverLoads = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where FileName has_any ("wpcap.dll", "npcap.dll", "Packet.dll", "npf.sys", "npcap.sys", "winpcap.sys")
   or FolderPath has_any ("\\npcap\\", "\\WinPcap\\")
| where InitiatingProcessFileName !in~ ("Wireshark.exe", "tshark.exe", "dumpcap.exe",
         "rawshark.exe", "capinfos.exe", "editcap.exe", "mergecap.exe")
| extend DetectionType = "PacketCaptureDriverLoad"
| extend CaptureToFile = false
| extend PromiscuousMode = false
| extend TargetingCleartext = false
| project Timestamp, DeviceName,
         AccountName = InitiatingProcessAccountName,
         AccountDomain = InitiatingProcessAccountDomain,
         FileName, ProcessCommandLine = InitiatingProcessCommandLine,
         FolderPath,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessAccountName, DetectionType,
         CaptureToFile, PromiscuousMode, TargetingCleartext;
// Detection 3: Scripting languages using raw socket / pcap patterns
let RawSocketScripts = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("python.exe", "python3", "python3.exe", "perl.exe", "ruby.exe", "pwsh.exe", "powershell.exe")
| where ProcessCommandLine has_any (RawSocketPatterns)
| extend DetectionType = "RawSocketOrPcapViaScriptingLanguage"
| extend CaptureToFile = ProcessCommandLine has_any ("-w ", "wrpcap", "pcap_dump")
| extend PromiscuousMode = ProcessCommandLine has_any ("promisc", "AF_PACKET", "ETH_P_ALL")
| extend TargetingCleartext = ProcessCommandLine has_any ("port 21", "port 23", "port 80", "port 110", "port 389")
| project Timestamp, DeviceName, AccountName, AccountDomain,
         FileName, ProcessCommandLine, FolderPath,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessAccountName, DetectionType,
         CaptureToFile, PromiscuousMode, TargetingCleartext;
union SniffingProcesses, PcapDriverLoads, RawSocketScripts
| sort by Timestamp desc
high severity medium confidence

Detects network sniffing activity using Microsoft Defender for Endpoint tables. Covers three distinct detection signals: (1) execution of known packet capture tools (tcpdump, tshark, Wireshark, WinDump, NetworkMiner, Intercepter-NG) by process name or command line; (2) loading of WinPcap/Npcap packet capture DLLs and drivers by non-Wireshark parent processes — high-fidelity since legitimate business apps rarely load these libraries; (3) scripting languages (Python, PowerShell, Perl) invoking raw socket libraries such as Scapy or Impacket pcap functions. Enrichment fields flag captures writing to file (-w flag), promiscuous mode activation, and targeting of cleartext credential protocols to help analysts prioritize.

Data Sources

Process: Process CreationModule: Module LoadCommand: Command ExecutionMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEventsDeviceImageLoadEvents

False Positives & Tuning

  • Network administrators and security engineers using Wireshark, tshark, or tcpdump for legitimate network troubleshooting, packet analysis, or application protocol debugging
  • Vulnerability scanners (Nessus, Qualys, Rapid7) that load WinPcap/Npcap libraries during network discovery and host enumeration phases
  • Developer workstations where Wireshark, Scapy, or Impacket are installed for protocol research, application debugging, or CTF competitions
  • Dedicated network performance monitoring hosts (SolarWinds NPM, PRTG, ntopng) that continuously capture traffic for baseline analysis and alerting
  • Security Operations Center analyst machines running authorized packet captures during active incident response investigations
Download portable Sigma rule (.yml)

Other platforms for T1040

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1tcpdump Passive Capture on All Interfaces (Linux/macOS)

    Expected signal: Linux auditd: execve syscall record for /usr/sbin/tcpdump with argv '-i any -w /tmp/t1040_capture_test.pcap -G 30 -W 1'. Kernel syslog/dmesg: '<interface>: entered promiscuous mode'. File creation event for /tmp/t1040_capture_test.pcap. Sysmon for Linux (if deployed) Event ID 1: Process Create with Image=/usr/sbin/tcpdump and CommandLine containing '-i any' and '-w'. File creation event (Sysmon Event ID 11) for the .pcap output.

  2. Test 2tshark Targeted Credential Protocol Capture (Windows)

    Expected signal: Sysmon Event ID 1: Process Create with Image=tshark.exe, CommandLine containing '-f "port 21 or port 23 or port 80 or port 389"', '-w', and output file path. Sysmon Event ID 7: wpcap.dll and npcap.dll loaded by tshark.exe (if not previously loaded). Sysmon Event ID 11: File Create for %TEMP%\t1040_cred_capture.pcapng. Windows System Event ID 7045 (if Npcap driver not previously installed and service is being created for first time).

  3. Test 3Python Scapy Raw Socket Packet Sniffing (Linux)

    Expected signal: Linux auditd: execve syscall for python3 with inline script containing 'scapy', 'sniff', 'SOCK_RAW', 'AF_PACKET'. Auditd socket syscall records for raw socket creation (socket(AF_PACKET, SOCK_RAW, ETH_P_ALL)). Sysmon for Linux Event ID 1 (if deployed): Process Create with Image=python3 and CommandLine matching 'scapy.*sniff'. No file creation event since data is held in memory only.

  4. Test 4WinDump Windows Packet Capture with Output File

    Expected signal: Sysmon Event ID 1: Process Create with Image=windump.exe, CommandLine '-i 1 -c 50 -w %TEMP%\t1040_windump_test.pcap'. Sysmon Event ID 7: wpcap.dll and Packet.dll loaded by windump.exe process. Sysmon Event ID 11: File Create for the .pcap output file. Windows System Event ID 7045 for NPF driver service installation if WinPcap was not previously installed (service name 'NPF').

Last updated: 2026-04-16 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1040 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1557Adversary-in-the-MiddleT1557.001LLMNR/NBT-NS Poisoning and SMB RelayT1552.001Credentials In FilesT1003OS Credential DumpingT1021Remote ServicesT1041Exfiltration Over C2 ChannelT1048Exfiltration Over Alternative ProtocolT1046Network Service Discovery

Same Tactic: Credential Access

Popular Detections