Possible use of a networking driver for network sniffing

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2026-04-13
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Detector Tags

ATT&CK Tactic

ATT&CK Technique

Network Sniffing (T1040)

Severity

Informational

Description

A process wrote a known networking driver with network sniffing capabilities to disk. Attackers can use such a driver to sniff passwords and other credentials from the network.

Attacker's Goals

Enable access to raw network traffic via promiscuous mode, allowing an attacker to sniff credentials and other sensitive data from the organization's network, and in some cases interfere with network communications.

Investigative actions

  • Verify whether the process is expected and recognized by IT or the user.
  • Check whether the driver was installed recently. If it was installed using sc.exe, this may indicate malicious activity. Review who executed sc.exe to validate legitimacy.

Variations

Possible use of a networking driver for network sniffing

Synopsis

ATT&CK Tactic

ATT&CK Technique

Network Sniffing (T1040)

Severity

Medium

Description

A process wrote a known and rare networking driver with network sniffing capabilities to a non-standard driver location on disk. Attackers can use such a driver to sniff passwords and other credentials from the network.

Attacker's Goals

Enable access to raw network traffic via promiscuous mode, allowing an attacker to sniff credentials and other sensitive data from the organization's network, and in some cases interfere with network communications.

Investigative actions

  • Verify whether the process is expected and recognized by IT or the user.
  • Check whether the driver was installed recently. If it was installed using sc.exe, this may indicate malicious activity. Review who executed sc.exe to validate legitimacy.

Possible use of a networking driver for network sniffing

Synopsis

ATT&CK Tactic

ATT&CK Technique

Network Sniffing (T1040)

Severity

Low

Description

A process wrote a known networking driver with network sniffing capabilities to a non-standard driver location on disk. Attackers can use such a driver to sniff passwords and other credentials from the network.

Attacker's Goals

Enable access to raw network traffic via promiscuous mode, allowing an attacker to sniff credentials and other sensitive data from the organization's network, and in some cases interfere with network communications.

Investigative actions

  • Verify whether the process is expected and recognized by IT or the user.
  • Check whether the driver was installed recently. If it was installed using sc.exe, this may indicate malicious activity. Review who executed sc.exe to validate legitimacy.
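The investigative actions are the same for all three variations of this alert: confirm the driver is expected, check whether it was installed recently, and review who ran sc.exe if that was the installer. The script below is an added triage helper for an analyst working those actions on the endpoint; it is not part of the Cortex XSIAM reference and is not Palo Alto Networks code. It assumes a Windows host, an elevated PowerShell session, and read access to the System and Security event logs; the 14-day default lookback is chosen to mirror the alert's activation period, and the event property offsets are those of the standard 7045 and 4688 message templates.

```powershell
<#
Added triage helper (not from the Cortex XSIAM reference page).
Supports the investigative actions for every variation of this alert:
  1. kernel drivers whose image sits outside the standard driver directory
     (the "non-standard location" the Medium/Low variations key on), with
     the image's on-disk creation time so a recently written one stands out;
  2. recent service installs (System log, Service Control Manager event 7045,
     which "sc.exe create" also raises), filtered to driver services;
  3. who launched sc.exe (Security event 4688; only populated when
     "Audit Process Creation" is enabled on the host).
Assumptions: Windows, elevated PowerShell 5.1+, readable System/Security logs.
#>
param(
    [int]$LookbackDays = 14   # assumption: mirrors the alert's activation period
)

$driverRoot = Join-Path $env:SystemRoot 'System32\drivers'
$since      = (Get-Date).AddDays(-$LookbackDays)

function Resolve-DriverImagePath {
    # Normalise the path forms found in driver service ImagePath values
    # (\??\C:\..., \SystemRoot\..., bare System32\...) so they can be compared
    # with a filesystem path and opened with Get-Item.
    param([string]$PathName)
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    $p = $p -replace '^[Ss]ystem32\\', ($env:SystemRoot + '\System32\')
    return $p
}

# 1. Drivers outside %SystemRoot%\System32\drivers, with creation time of the image.
$outOfPlace = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $path = Resolve-DriverImagePath $_.PathName
        if ($path -notlike "$driverRoot\*") {
            $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name       = $_.Name
                Path       = $path
                State      = $_.State
                StartMode  = $_.StartMode
                CreatedUtc = if ($file) { $file.CreationTimeUtc } else { $null }
                Recent     = if ($file) { $file.CreationTimeUtc -ge $since.ToUniversalTime() } else { $false }
            }
        }
    }

# 2. Service installs in the lookback window. Event 7045 fires for every new
#    service whatever tool created it; keep only kernel/file-system drivers.
$installs = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045; StartTime = $since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            ServiceName = $_.Properties[0].Value
            ImagePath   = $_.Properties[1].Value
            ServiceType = $_.Properties[2].Value
            StartType   = $_.Properties[3].Value
            Account     = $_.Properties[4].Value
        }
    } |
    Where-Object { $_.ServiceType -like '*driver*' }

# 3. Process-creation records for sc.exe. Requires process creation auditing;
#    the command line is only present if command-line inclusion is also enabled.
$scLaunches = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[5].Value -like '*\sc.exe' } |
    ForEach-Object {
        $p = $_.Properties
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            User        = '{0}\{1}' -f $p[2].Value, $p[1].Value
            Parent      = if ($p.Count -gt 13) { $p[13].Value } else { $null }  # ParentProcessName
            CommandLine = $p[8].Value
        }
    }

'== Kernel drivers outside {0} ==' -f $driverRoot
$outOfPlace | Sort-Object CreatedUtc -Descending | Format-Table -AutoSize
'== Driver services installed in the last {0} days (event 7045) ==' -f $LookbackDays
$installs | Format-Table -AutoSize
'== sc.exe launches in the last {0} days (event 4688) ==' -f $LookbackDays
$scLaunches | Format-Table -AutoSize
```

Run it elevated on the host that raised the alert, for example `.\Get-DriverTriage.ps1 -LookbackDays 30` to cover the full training window. Expect the first table to contain legitimate entries: on current Windows builds many Plug and Play drivers run from `System32\DriverStore\FileRepository`, so the signal is a recently created image (Recent = True) whose name matches the driver the alert flagged, not the mere fact of an out-of-place path. Correlate that driver with a 7045 entry in the second table; the account in that entry and the matching 4688 launch (user, parent process, command line) are what the "who executed sc.exe" check needs.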