Possible use of a networking driver for network sniffing

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent
  • Requires:
    • eXtended Threat Hunting (XTH)

Detection Modules

ATT&CK Tactic

ATT&CK Technique

Network Sniffing (T1040)

Severity

Informational

Description

A process wrote a known networking driver with network sniffing capabilities to disk, attackers can use it to sniff passwords and other credentials from the network.

Attacker's Goals

Read raw network data over promiscuous mode, this can allow the attacker the capabilities to sniff passwords and other credentials from the organization's network, in other cases also interfere with the network.

Investigative actions

  • Verify if the process is known for the IT/ User.
  • Check if the driver installed recently, if it was installed with sc.exe this action can be malicious (check who ran sc.exe to verify that).

Variations

Possible use of a networking driver for network sniffing

Synopsis

ATT&CK Tactic

ATT&CK Technique

Network Sniffing (T1040)

Severity

Medium

Description

A process wrote a known and rare networking driver with network sniffing capabilities to not standard location for drivers on the disk, attackers can use it to sniff passwords and other credentials from the network.

Attacker's Goals

Read raw network data over promiscuous mode, this can allow the attacker the capabilities to sniff passwords and other credentials from the organization's network, in other cases also interfere with the network.

Investigative actions

  • Verify if the process is known for the IT/ User.
  • Check if the driver installed recently, if it was installed with sc.exe this action can be malicious (check who ran sc.exe to verify that).


Possible use of a networking driver for network sniffing

Synopsis

ATT&CK Tactic

ATT&CK Technique

Network Sniffing (T1040)

Severity

Low

Description

A process wrote a known networking driver with network sniffing capabilities to not standard location for drivers on the disk, attackers can use it to sniff passwords and other credentials from the network.

Attacker's Goals

Read raw network data over promiscuous mode, this can allow the attacker the capabilities to sniff passwords and other credentials from the organization's network, in other cases also interfere with the network.

Investigative actions

  • Verify if the process is known for the IT/ User.
  • Check if the driver installed recently, if it was installed with sc.exe this action can be malicious (check who ran sc.exe to verify that).