Detect Network Sniffing in Splunk
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. Data captured via this technique may include user credentials, especially those sent over insecure, unencrypted protocols such as FTP, HTTP Basic Auth, Telnet, POP3, IMAP, and LDAP. Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics necessary for subsequent Lateral Movement and Defense Evasion activities. In cloud-based environments, adversaries may use traffic mirroring services (AWS Traffic Mirroring, GCP Packet Mirroring, Azure vTap) to sniff network traffic from virtual machines. On network devices, adversaries may perform network captures using Network Device CLI commands such as 'monitor capture'. Threat actors including Sandworm Team, Kimsuky, APT33, and Salt Typhoon have used this technique with tools such as Intercepter-NG, SniffPass, Impacket, and custom sniffers.
MITRE ATT&CK
- Tactic
- Credential Access Discovery
- Technique
- T1040 Network Sniffing
- Canonical reference
- https://attack.mitre.org/techniques/T1040/
SPL Detection Query
index=wineventlog (
(sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 OR EventCode=7 OR EventCode=11))
OR
(sourcetype="WinEventLog:System" EventCode=7045)
)
// Pattern 1: Sysmon EventCode 1 — Known sniffing tool process creation
| eval IsSniffProcess=if(
EventCode=1 AND (
match(lower(Image), "(tcpdump|tshark|wireshark|windump|dumpcap|rawshark|networkminer|intercepter|sniffpass|pcapdump|ssldump)") OR
match(lower(CommandLine), "(tcpdump|tshark|wireshark|windump|dumpcap|networkminer|intercepter|sniffpass|scapy\.all|pcap_open|pcap_loop|sock_raw|af_packet)")
), 1, 0)
// Pattern 2: Sysmon EventCode 7 — WinPcap/Npcap DLL or driver loaded by non-Wireshark parent
| eval IsPcapDriverLoad=if(
EventCode=7 AND
match(lower(ImageLoaded), "(wpcap\.dll|npcap\.dll|packet\.dll|npf\.sys|npcap\.sys|winpcap\.sys)") AND
NOT match(lower(Image), "(wireshark\.exe|tshark\.exe|dumpcap\.exe|rawshark\.exe|capinfos\.exe|editcap\.exe|mergecap\.exe)"),
1, 0)
// Pattern 3: Windows System EventCode 7045 — NPF/Npcap packet filter service installed
| eval IsNpfServiceInstall=if(
EventCode=7045 AND
match(lower(ServiceName), "(npf|npcap|winpcap|ndiscap|netgroup packet)"),
1, 0)
| where IsSniffProcess=1 OR IsPcapDriverLoad=1 OR IsNpfServiceInstall=1
| eval DetectionType=case(
IsSniffProcess=1, "KnownSniffingToolExecution",
IsPcapDriverLoad=1, "PacketCaptureDriverLoad",
IsNpfServiceInstall=1, "PacketCaptureServiceInstalled",
true(), "Unknown"
)
| eval ActingProcess=coalesce(Image, ServiceName, "unknown")
| eval CmdLine=coalesce(CommandLine, ServiceFileName, "")
| eval LoadedLib=coalesce(ImageLoaded, "")
| eval ActingUser=coalesce(User, SubjectUserName, "unknown")
| eval CaptureToFile=if(match(CmdLine, "-w\s"), 1, 0)
| eval TargetingCleartext=if(match(CmdLine, "(port (21|23|80|110|143|389|25|110)|ftp|telnet|ldap|smtp|pop3|imap)"), 1, 0)
| table _time, host, ActingUser, ActingProcess, CmdLine, LoadedLib, DetectionType, EventCode, CaptureToFile, TargetingCleartext
| sort - _timeDetects network sniffing activity using Sysmon and Windows System event logs across three complementary signals. Sysmon Event ID 1 matches known packet capture tool names in Image path and CommandLine. Sysmon Event ID 7 identifies WinPcap/Npcap DLL loads by processes outside the approved Wireshark suite — the strongest Windows-native indicator since these capture libraries have extremely narrow legitimate use cases. Windows System Event ID 7045 catches NPF (NetGroup Packet Filter) service installation, which WinPcap performs on first run and which indicates the system has been prepared for packet capture capability. Enrichment fields flag captures writing to file and targeting cleartext credential protocols.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Network administrators and security engineers using Wireshark, tshark, or tcpdump for authorized troubleshooting and analysis
- Vulnerability scanners (Nessus, Qualys, Rapid7 InsightVM) that install and use WinPcap/Npcap during network discovery
- Developer machines with Wireshark, Scapy, or Impacket installed for protocol development, testing, or CTF work
- Dedicated network monitoring appliances (SolarWinds, PRTG, ntopng) that continuously capture and analyze traffic
- Red team or penetration testing engagements where packet capture is an authorized test activity
Other platforms for T1040
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1tcpdump Passive Capture on All Interfaces (Linux/macOS)
Expected signal: Linux auditd: execve syscall record for /usr/sbin/tcpdump with argv '-i any -w /tmp/t1040_capture_test.pcap -G 30 -W 1'. Kernel syslog/dmesg: '<interface>: entered promiscuous mode'. File creation event for /tmp/t1040_capture_test.pcap. Sysmon for Linux (if deployed) Event ID 1: Process Create with Image=/usr/sbin/tcpdump and CommandLine containing '-i any' and '-w'. File creation event (Sysmon Event ID 11) for the .pcap output.
- Test 2tshark Targeted Credential Protocol Capture (Windows)
Expected signal: Sysmon Event ID 1: Process Create with Image=tshark.exe, CommandLine containing '-f "port 21 or port 23 or port 80 or port 389"', '-w', and output file path. Sysmon Event ID 7: wpcap.dll and npcap.dll loaded by tshark.exe (if not previously loaded). Sysmon Event ID 11: File Create for %TEMP%\t1040_cred_capture.pcapng. Windows System Event ID 7045 (if Npcap driver not previously installed and service is being created for first time).
- Test 3Python Scapy Raw Socket Packet Sniffing (Linux)
Expected signal: Linux auditd: execve syscall for python3 with inline script containing 'scapy', 'sniff', 'SOCK_RAW', 'AF_PACKET'. Auditd socket syscall records for raw socket creation (socket(AF_PACKET, SOCK_RAW, ETH_P_ALL)). Sysmon for Linux Event ID 1 (if deployed): Process Create with Image=python3 and CommandLine matching 'scapy.*sniff'. No file creation event since data is held in memory only.
- Test 4WinDump Windows Packet Capture with Output File
Expected signal: Sysmon Event ID 1: Process Create with Image=windump.exe, CommandLine '-i 1 -c 50 -w %TEMP%\t1040_windump_test.pcap'. Sysmon Event ID 7: wpcap.dll and Packet.dll loaded by windump.exe process. Sysmon Event ID 11: File Create for the .pcap output file. Windows System Event ID 7045 for NPF driver service installation if WinPcap was not previously installed (service name 'NPF').
References (12)
- https://attack.mitre.org/techniques/T1040/
- https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-how-it-works.html
- https://cloud.google.com/vpc/docs/packet-mirroring
- https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview
- https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/
- https://posts.specterops.io/through-the-looking-glass-part-1-f539ae308512
- https://www.tcpdump.org/manpages/tcpdump.1.html
- https://www.wireshark.org/docs/man-pages/tshark.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
- https://www.us-cert.gov/ncas/alerts/TA18-106A
- https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html
- https://www.mandiant.com/resources/fortinet-malware-ecosystem
Unlock Pro Content
Get the full detection package for T1040 including response playbook, investigation guide, and atomic red team tests.