Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

3 alerts match the current filters. tactic: TA0006 ✕ technique: T1040 ✕

Show ATT&CK heatmap
  • Network sniffing detected in Cloud environment Informational Cloud 2 variations

    A network sniffing tool was used in a cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)
    ATT&CK techniques: Network Sniffing (T1040)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network.
    Investigative actions: Check the targeted resources and the sniffing policy. Check The cloud identity activity prior/after the network sniffing.

    Variations

    Unusual Network sniffing detected in Cloud environment

    Low overridden

    A network sniffing tool was used in a cloud environment. overridden

    Successful Network sniffing detected in Cloud environment

    Informational overridden

    A network sniffing tool was used in a cloud environment. overridden

  • Possible network sniffing attempt via tcpdump or tshark Low

    Attackers may monitor network traffic for cleartext credentials or to learn the network's configuration.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)
    ATT&CK techniques: Network Sniffing (T1040)
    Required data: XDR Agent
    Attacker's goals: Gain user-account credentials.
    Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.
  • Possible use of a networking driver for network sniffing Informational 2 variations

    A process wrote a known networking driver with network sniffing capabilities to disk, attackers can use it to sniff passwords and other credentials from the network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)
    ATT&CK techniques: Network Sniffing (T1040)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Enable access to raw network traffic via promiscuous mode, allowing an attacker to sniff credentials and other sensitive data from the organization's network, and in some cases interfere with network communications.
    Investigative actions: Verify whether the process is expected and recognized by IT or the user. Check whether the driver was installed recently. If it was installed using sc.exe, this may indicate malicious activity. Review who executed sc.exe to validate legitimacy.

    Variations

    Possible use of a networking driver for network sniffing

    Medium overridden

    A process wrote a known and rare networking driver with network sniffing capabilities to not standard location for drivers on the disk, attackers can use it to sniff passwords and other credentials from the network. overridden

    Possible use of a networking driver for network sniffing

    Low overridden

    A process wrote a known networking driver with network sniffing capabilities to not standard location for drivers on the disk, attackers can use it to sniff passwords and other credentials from the network. overridden