title: Network Sniffing
id: f4d3748a-65d1-4806-bd23-e25728081d01
status: test
description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
author: Timur Zinniatullin, oscd.community
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
date: 2019/10/21
modified: 2021/11/27
logsource:
  product: linux
  service: auditd
detection:
  selection1:
    type: 'execve'
    a0: 'tcpdump'
    a1: '-c'
    a3|contains: '-i'
  selection2:
    type: 'execve'
    a0: 'tshark'
    a1: '-c'
    a3: '-i'
  condition: selection1 or selection2
falsepositives:
  - Legitimate administrator or user uses network sniffing tool for legitimate reasons.
level: low
tags:
  - attack.credential_access
  - attack.discovery
  - attack.t1040