216.73.217.22

T1040: T1040

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:37 · Modified 27/03/2026 01:09

Essential information

MITRE technique ID
T1040
Confidence
100/100
Revoked
No
Published
16/12/2025 19:37
Modified
27/03/2026 01:09
Author / Source
The MITRE Corporation

Aliases

Network Sniffing

Platforms

windows macos linux Network Devices IaaS

Description

Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary. Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or [Defense Evasion](https://attack.mitre.org/tactics/TA0005) activities. Adversaries may likely also utilize network sniffing during [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) (AiTM) to passively gain additional knowledge about the environment. In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring) On network devices, adversaries may perform network captures using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `monitor capture`.(Citation: US-CERT-TA18-106A)(Citation: capture_embedded_packet_on_software)

Kill chain phases

Kill chainPhase
mitre-attack credential-access
mitre-attack discovery

Marking (TLP)

TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (21)

  • Ke3chang uses APT15Mirage
    The MITRE Corporation Confidence 100

    [Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group attributed to actors operating out of China. [Ke3chang](https://attack.mitre.org/groups/G0004) has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean, …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • UNC3886 uses
    The MITRE Corporation Confidence 100

    [UNC3886](https://attack.mitre.org/groups/G1048) is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • Volt Typhoon uses BRONZE SILHOUETTEVanguard Panda
    The MITRE Corporation Confidence 100

    [Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
  • DarkVishnya uses
    The MITRE Corporation Confidence 100

    [DarkVishnya](https://attack.mitre.org/groups/G0105) is a financially motivated threat actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region.(Citation: Securelist DarkVishnya Dec …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • Void Blizzard uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 13:54 · Modified 21/12/2025 13:54
  • BackdoorDiplomacy uses
    The MITRE Corporation Confidence 100

    [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) is a cyber espionage threat group that has been active since at least 2017. [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) has targeted Ministries of Foreign Affairs and telecommunication companies in Africa, Europe, …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • Salt Typhoon uses
    The MITRE Corporation Confidence 100

    [Salt Typhoon](https://attack.mitre.org/groups/G1045) is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
  • SilkSpecter uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 07:54 · Modified 21/12/2025 07:54
  • ShadyPanda uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 19:23 · Modified 21/12/2025 19:23
  • Hiatus uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 23:55 · Modified 20/12/2025 23:55
  • APT33 uses HOLMIUMElfin
    The MITRE Corporation Confidence 100

    [APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
  • China-nexus threat actors uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 14:55 · Modified 21/12/2025 14:55
  • Sandworm Team uses ELECTRUMTelebots
    The MITRE Corporation Confidence 100

    [Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • Velvet Ant uses
    The MITRE Corporation Confidence 100

    [Velvet Ant](https://attack.mitre.org/groups/G1047) is a threat actor operating since at least 2021. [Velvet Ant](https://attack.mitre.org/groups/G1047) is associated with complex persistence mechanisms, the targeting of network devices and appliances during operations, …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • Kimsuky uses Black BansheeVelvet Chollima
    The MITRE Corporation Confidence 100

    [Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
  • APT28 uses IRON TWILIGHTSNAKEMACKEREL
    The MITRE Corporation Confidence 100

    [APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 08/04/2026 13:02
  • Androxgh0st uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 05:24 · Modified 21/12/2025 08:21
  • Sandworm uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 23:15 · Modified 20/12/2025 23:15
  • APT42 uses
    The MITRE Corporation Confidence 100

    [APT42](https://attack.mitre.org/groups/G1044) is an Iranian-sponsored threat group that conducts cyber espionage and surveillance.(Citation: Mandiant APT42-charms) The group primarily focuses on targets in the Middle East region, but has targeted …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • September uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 22:20 · Modified 20/12/2025 22:20
  • Lazarus uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 21:17 · Modified 29/05/2026 12:20

Malware (25 / 93)

  • Space Pirates
  • Penquin
  • Albaniiutas
  • Regin
  • Emotet
  • Totbrick uses
    Family
    Published 05/06/2026 18:07 · Modified 05/06/2026 18:07
  • Bronze Union
  • JumbledPath
  • CBeacon uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 19:34 · Modified 20/12/2025 21:27
  • Symbiote uses
    Family
    Published 25/02/2025 02:46 · Modified 25/02/2025 02:46
  • HiatusRat uses
    Family
    Published 02/05/2024 13:50 · Modified 02/05/2024 13:50
  • Uroburos
  • AsyncRAT uses
    Family
    Published 11/06/2026 16:31 · Modified 11/06/2026 16:31
  • GoBeacon
  • hiatus
  • PoisonIvy
  • Gh0st
  • Infinity V+ uses
    Family
    Published 03/12/2025 20:19 · Modified 03/12/2025 20:19
  • BH_A006 uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 19:33 · Modified 20/12/2025 20:12
  • Mozi uses
    Family
    Published 21/05/2026 23:03 · Modified 21/05/2026 23:03
  • Infamouse Chisel
  • PcShare uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 20:12 · Modified 20/12/2025 20:12
  • MESSAGETAP
  • OS X
  • Evilginx uses
    Family
    Published 03/12/2025 17:58 · Modified 03/12/2025 17:58

Reports (10)

Vulnerabilities (CVE) (25 / 37)

CVE-2020-8515 KEV

DrayTek Vigor3900, Vigor2960, and Vigor300B routers contain an unspecified vulnerability that allows for remote code execution.

Published
03/11/2021
Modified
20/12/2025
CVE-2021-41277 KEV

Metabase contains a local file inclusion vulnerability in the custom map support in the API to read GeoJSON formatted data.

Published
12/11/2024
Modified
21/12/2025
CVE-2024-21887 KEV
9.1 Critical

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …

Attack vector
Network
Published
10/01/2024
Modified
27/05/2026
CVE-2023-46805 KEV
8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …

Attack vector
Network
Published
10/01/2024
Modified
27/05/2026
CVE-2020-26879
9.8 Critical

Ruckus vRioT through 1.5.1.0.21 has an API backdoor that is hardcoded into validate_token.py. An unauthenticated attacker can interact with the service API …

Attack vector
NETWORK
Published
26/10/2020
Modified
20/12/2025
CVE-2023-34048 KEV
9.8 Critical

VMware vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol that allows an attacker to conduct remote …

Attack vector
Network
Published
22/01/2024
Modified
21/12/2025
CVE-2023-38646
9.8 Critical

Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's …

Attack vector
NETWORK
Published
21/07/2023
Modified
21/12/2025
CVE-2014-2120 KEV
6.1 Medium

Cisco Adaptive Security Appliance (ASA) contains a cross-site scripting (XSS) vulnerability in the WebVPN login page. This vulnerability allows remote attackers to …

Attack vector
NETWORK
Complexity
LOW
Published
19/03/2014
Modified
22/04/2026
CVE-2022-1040 KEV

An authentication bypass vulnerability in User Portal and Webadmin of Sophos Firewall allows for remote code execution.

Published
31/03/2022
Modified
21/12/2025
CVE-2018-13379 KEV

Fortinet FortiOS SSL VPN web portal contains a path traversal vulnerability that may allow an unauthenticated attacker to download FortiOS system files …

Published
03/11/2021
Modified
20/12/2025
CVE-2018-0171 KEV
9.8 Critical

Cisco IOS and IOS XE Software improperly validates packet data, allowing an unauthenticated, remote attacker to trigger a reload of an affected …

Attack vector
NETWORK
Published
03/11/2021
Modified
14/01/2026
CVE-2017-11882 KEV
7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector
Local
Complexity
Low
Published
15/11/2017
Modified
29/05/2026
CVE-2024-4577 KEV
9.8 Critical

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system …

Attack vector
Network
Published
12/06/2024
Modified
21/12/2025
Received
CVE-2024-3400 KEV
10.0 Critical

Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …

Attack vector
Network
Published
12/04/2024
Modified
21/12/2025
CVE-2020-26878
8.8 High

Ruckus through 1.5.1.0.21 is affected by remote command injection. An authenticated user can submit a query to the API (/service/v1/createUser endpoint), injecting …

Attack vector
NETWORK
Published
26/10/2020
Modified
20/12/2025
CVE-2022-41328 KEV
6.7 Medium

Fortinet FortiOS contains a path traversal vulnerability that may allow a local privileged attacker to read and write files via crafted CLI …

Attack vector
Local
Published
14/03/2023
Modified
21/12/2025
CVE-2018-10561 KEV

Dasan GPON Routers contain an authentication bypass vulnerability. When combined with CVE-2018-10562, exploitation can allow an attacker to perform remote code execution.

Published
31/03/2022
Modified
20/12/2025
CVE-2015-2291 KEV
7.8 High

Intel ethernet diagnostics driver for Windows IQVW32.sys and IQVW64.sys contain an unspecified vulnerability that allows for a denial-of-service (DoS).

Attack vector
LOCAL
Complexity
LOW
Published
09/08/2017
Modified
22/04/2026
CVE-2018-10562 KEV

Dasan GPON Routers contain an authentication bypass vulnerability. When combined with CVE-2018-10561, exploitation can allow an attacker to perform remote code execution.

Published
31/03/2022
Modified
20/12/2025
CVE-2017-9841 KEV
9.8 Critical

PHPUnit allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by …

Attack vector
NETWORK
Complexity
LOW
Published
27/06/2017
Modified
22/04/2026
CVE-2018-15133 KEV

Laravel Framework contains a deserialization of untrusted data vulnerability, allowing for remote command execution. This vulnerability may only be exploited if a …

Published
16/01/2024
Modified
21/12/2025
CVE-2021-26086 KEV

Atlassian Jira Server and Data Center contain a path traversal vulnerability that allows a remote attacker to read particular files in the …

Published
12/11/2024
Modified
21/12/2025
CVE-2021-41773 KEV
9.8 Critical

Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured …

Attack vector
Network
Published
03/11/2021
Modified
18/02/2026

Tool (5)

  • Responder uses
    The MITRE Corporation Confidence 100

    Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. …

    Published 16/01/2018 17:13 · Modified 27/03/2026 01:07
  • NBTscan uses
    The MITRE Corporation Confidence 100

    [NBTscan](https://attack.mitre.org/software/S0590) is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network.(Citation: Debian nbtscan Nov 2019)(Citation: SecTools nbtscan June …

    Published 17/03/2021 16:26 · Modified 27/03/2026 01:07
  • Empire uses
    The MITRE Corporation Confidence 100

    [Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents …

    Published 11/03/2019 15:13 · Modified 27/03/2026 01:07
  • Impacket uses
    The MITRE Corporation Confidence 100

    [Impacket](https://attack.mitre.org/software/S0357) is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. [Impacket](https://attack.mitre.org/software/S0357) contains several tools for remote service execution, Kerberos manipulation, …

    Published 31/01/2019 02:39 · Modified 27/03/2026 01:07
  • PoshC2 uses
    The MITRE Corporation Confidence 100

    [PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while …

    Published 23/04/2019 14:31 · Modified 27/03/2026 01:07

Course Of Action (4)

  • Network Segmentation mitigates
  • Multi-factor Authentication mitigates
  • User Account Management mitigates
  • Encrypt Sensitive Information mitigates

Campaign (3)

  • RedPenguin uses
  • 2015 Ukraine Electric Power Attack uses
  • ArcaneDoor uses