valitydev/atomic-threat-coverage
14
0
Fork 0
mirror of https://github.com/valitydev/atomic-threat-coverage.git synced 2024-11-06 17:45:23 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
9b87010e92
atomic-threat-coverage/Atomic_Threat_Coverage/Triggers/T1040.md
yugoslavskiy f79f50bec3 changed directories names
2019-02-12 04:55:11 +01:00

3.5 KiB
Raw Blame History

T1040 - Network Sniffing

Description from ATT&CK

Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as LLMNR/NBT-NS Poisoning, can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.

Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (ex: IP addressing, hostnames, VLAN IDs) necessary for follow-on Lateral Movement and/or Defense Evasion activities.

Atomic Tests


Atomic Test #1 - Packet Capture Linux

Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be installed.

Supported Platforms: Linux

Inputs

Name Description Type Default Value
interface Specify interface to perform PCAP on. String ens33

Run it with bash!

tcpdump -c 5 -nnni #{interface}
tshark -c 5 -i #{interface}


Atomic Test #2 - Packet Capture MacOS

Perform a PCAP on MacOS. This will require Wireshark/tshark to be installed. TCPdump may already be installed.

Supported Platforms: macOS

Inputs

Name Description Type Default Value
interface Specify interface to perform PCAP on. String en0A

Run it with bash!

tcpdump -c 5 -nnni #{interface}
tshark -c 5 -i #{interface}


Atomic Test #3 - Packet Capture Windows Command Prompt

Perform a packet capture using the windows command prompt. This will require a host that has Wireshark/Tshark installed, along with WinPCAP. Windump will require the windump executable.

Supported Platforms: Windows

Inputs

Name Description Type Default Value
interface Specify interface to perform PCAP on. String Ethernet0

Run it with command_prompt!

c:\Program Files\Wireshark\tshark.exe -i #{interface} -c 5
c:\windump.exe


Atomic Test #4 - Packet Capture PowerShell

Perform a packet capture using PowerShell with windump or tshark. This will require a host that has Wireshark/Tshark installed, along with WinPCAP. Windump will require the windump executable.

Supported Platforms: Windows

Inputs

Name Description Type Default Value
interface Specify interface to perform PCAP on. String Ethernet0

Run it with powershell!

c:\Program Files\Wireshark\tshark.exe -i #{interface} -c 5
c:\windump.exe