title: Network Sniffing (T1040)
id: df00tech-t1040
status: experimental
description: "Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. Data captured via this technique may include user credentials, especially those sent over insecure, unencrypted protocols such as FTP, HTTP Basic Auth, Telnet, POP3, IMAP, and LDAP. Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics necessary for subsequent Lateral Movement and Defense Evasion activities. In cloud-based environments, adversaries may use traffic mirroring services (AWS Traffic Mirroring, GCP Packet Mirroring, Azure vTap) to sniff network traffic from virtual machines. On network devices, adversaries may perform network captures using Network Device CLI commands such as 'monitor capture'. Threat actors including Sandworm Team, Kimsuky, APT33, and Salt Typhoon have used this technique with tools such as Intercepter-NG, SniffPass, Impacket, and custom sniffers."
references:
  - https://attack.mitre.org/techniques/T1040/
  - https://df00tech.com/detections/T1040
author: df00tech
date: 2026/04/16
tags:
  - attack.t1040
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Network administrators and security engineers using Wireshark, tshark, or tcpdump for legitimate network troubleshooting, packet analysis, or application protocol debugging"
  - "Vulnerability scanners (Nessus, Qualys, Rapid7) that load WinPcap/Npcap libraries during network discovery and host enumeration phases"
  - "Developer workstations where Wireshark, Scapy, or Impacket are installed for protocol research, application debugging, or CTF competitions"
  - "Dedicated network performance monitoring hosts (SolarWinds NPM, PRTG, ntopng) that continuously capture traffic for baseline analysis and alerting"
  - Security Operations Center analyst machines running authorized packet captures during active incident response investigations
level: high