Analytics Alerts
Browse the Cortex analytics alert reference.
3 alerts match the current filters. tactic: TA0006 ✕ technique: T1040 ✕
Show ATT&CK heatmapNetwork sniffing detected in Cloud environment Informational Cloud 2 variations
A network sniffing tool was used in a cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: Network Sniffing (T1040)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network.Investigative actions: Check the targeted resources and the sniffing policy. Check The cloud identity activity prior/after the network sniffing.Variations
Unusual Network sniffing detected in Cloud environment
Low overridden
A network sniffing tool was used in a cloud environment. overridden
Successful Network sniffing detected in Cloud environment
Informational overridden
A network sniffing tool was used in a cloud environment. overridden
Possible network sniffing attempt via tcpdump or tshark Low
Attackers may monitor network traffic for cleartext credentials or to learn the network's configuration.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: Network Sniffing (T1040)Required data: XDR AgentAttacker's goals: Gain user-account credentials.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.Possible use of a networking driver for network sniffing Informational 2 variations
A process wrote a known networking driver with network sniffing capabilities to disk, attackers can use it to sniff passwords and other credentials from the network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)ATT&CK techniques: Network Sniffing (T1040)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Enable access to raw network traffic via promiscuous mode, allowing an attacker to sniff credentials and other sensitive data from the organization's network, and in some cases interfere with network communications.Investigative actions: Verify whether the process is expected and recognized by IT or the user. Check whether the driver was installed recently. If it was installed using sc.exe, this may indicate malicious activity. Review who executed sc.exe to validate legitimacy.Variations
Possible use of a networking driver for network sniffing
Medium overridden
A process wrote a known and rare networking driver with network sniffing capabilities to not standard location for drivers on the disk, attackers can use it to sniff passwords and other credentials from the network. overridden
Possible use of a networking driver for network sniffing
Low overridden
A process wrote a known networking driver with network sniffing capabilities to not standard location for drivers on the disk, attackers can use it to sniff passwords and other credentials from the network. overridden