Last reviewed:
T1040 is passive network capture: the technique behind credential-access breaches where attackers harvest cleartext protocols, NTLM challenges, or unencrypted east-west traffic. Cloud variants typically involve VPC Traffic Mirroring abuse or compromised proxy infrastructure. DCV ships a CreateTrafficMirrorSession EventBridge detection specifically for that pattern, plus GCP's PACKET_CAPTURE_ENABLED finding and Azure encryption-in-transit policies that flag the precondition. T1040 is the technique to instrument at the moment your environment turns on packet-capture or mirroring features.
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use SPAN (mirror) ports to capture a larger amount of data.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Name-resolution poisoning techniques such as LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001) can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities. Adversaries are also likely to use network sniffing during Adversary-in-the-Middle (AiTM) to passively gain additional knowledge about the environment.
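A host-side check for the promiscuous-mode precondition described above, added here as an example and not taken from ATT&CK, DCV or CloudSigma. On Linux the kernel exposes each interface's flag word at `/sys/class/net/<iface>/flags` as a hex string, and `IFF_PROMISC` is bit `0x100` (from `<linux/if.h>`); the parsing is kept separate from the sysfs read so the logic can be exercised on the constructed sample values in the block.

```python
"""Detect interfaces in promiscuous mode, the host-level precondition of T1040.

Added example. Parsing is split from the sysfs read so the decision logic
can be tested on constructed values without a Linux host.
"""
import os
from typing import Dict, List

IFF_UP = 0x1
IFF_PROMISC = 0x100  # <linux/if.h>: receive every frame on the segment, not just our own


def parse_flags(raw: str) -> int:
    """Parse a sysfs flags word such as '0x1103' (trailing newline allowed) into an int."""
    return int(raw.strip(), 16)


def promiscuous_interfaces(flags_by_iface: Dict[str, str]) -> List[str]:
    """Return the interfaces whose flag word has IFF_PROMISC set, sorted by name."""
    hits = []
    for iface, raw in flags_by_iface.items():
        try:
            flags = parse_flags(raw)
        except ValueError:
            continue  # malformed value: skip it rather than abort the sweep
        if flags & IFF_PROMISC:
            hits.append(iface)
    return sorted(hits)


def read_sysfs_flags(root: str = "/sys/class/net") -> Dict[str, str]:
    """Read the raw flags word of every interface under root (Linux sysfs only)."""
    out: Dict[str, str] = {}
    if not os.path.isdir(root):
        return out
    for iface in sorted(os.listdir(root)):
        try:
            with open(os.path.join(root, iface, "flags")) as fh:
                out[iface] = fh.read()
        except OSError:
            continue  # interface vanished or flags not readable
    return out


# Constructed sample values (not captured from a real host).
SAMPLE_FLAGS = {
    "eth0": "0x1103\n",  # UP|BROADCAST|PROMISC|MULTICAST -> a sniffer is attached
    "eth1": "0x1003\n",  # UP|BROADCAST|MULTICAST         -> normal
    "lo":   "0x9\n",     # UP|LOOPBACK
}

if __name__ == "__main__":
    flags = read_sysfs_flags() or SAMPLE_FLAGS
    for iface in promiscuous_interfaces(flags):
        print(f"{iface}: IFF_PROMISC set (flags=0x{parse_flags(flags[iface]):x})")
```

Two caveats when using this as a detection: a capture tool opened with promiscuous mode disabled (`tcpdump -p`) leaves the bit clear while still capturing the host's own traffic, and a sniffer on a SPAN port or a cloud mirror target never touches the victim host at all, so a clear flag is not evidence of no sniffing. `ip -d link show` exposes the same state as a `promiscuity` counter if you prefer to check from a shell.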
In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to. Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic. The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.
On network devices, adversaries may perform network captures using Network Device CLI commands such as `monitor capture`.
Platforms: IaaS, Linux, macOS, Network Devices, Windows.
DCV maps 60 detections across 3 cloud providers to T1040. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| AWS Config Rules | AWS | 24 | 0.64 |
| AWS Security Hub | AWS | 15 | 0.79 |
| Microsoft Defender for Cloud | Azure | 9 | 0.94 |
| Azure Policy | Azure | 7 | 0.92 |
| GCP Security Command Center | GCP | 3 | 0.78 |
| Azure Regulatory Compliance | Azure | 2 | 0.95 |
CloudSigma ships 3 production-ready Sigma rules that detect T1040, one each for AWS CloudTrail, Azure Activity Logs and GCP Audit Logs. Every rule is validated against its source SIEM dialect before publication; the Azure rule is shown below.
```yaml
title: Azure Network Watcher Packet Capture for Network Sniffing
id: c9f721d2-aef9-4162-8617-3fe9021d24cf
status: test
description: >
  Detects the creation or status query of packet captures via Azure Network Watcher.
  Adversaries may use packet capture capabilities to sniff network traffic and
  extract credentials or sensitive information from cloud network flows.
author: CloudSigma
date: 2026-02-06
references:
  - https://attack.mitre.org/techniques/T1040/
  - https://learn.microsoft.com/en-us/azure/network-watcher/packet-capture-overview
tags:
  - attack.credential-access
  - attack.discovery
  - attack.t1040
logsource:
  product: azure
  service: activitylogs
detection:
  selection:
    operationName:
      # ARM logs packet-capture creation as the resource's 'write' operation and
      # status queries as 'queryStatus/action'; there is no '/create' operation.
      - Microsoft.Network/networkWatchers/packetCaptures/write
      - Microsoft.Network/networkWatchers/packetCaptures/queryStatus/action
  condition: selection
falsepositives:
  - Network administrators using packet capture for troubleshooting connectivity issues
  - Automated network monitoring solutions querying capture status
level: high
```
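The Sigma rule above expressed as running detection logic, extended to the AWS Traffic Mirroring and GCP Packet Mirroring equivalents that the ATT&CK text describes. This is an added example, not DCV's or CloudSigma's code. The log records are constructed for the example; the AWS `eventName` values and Azure `operationName` values are the documented API and ARM operation names, while the GCP `methodName` values follow the Compute Engine audit-log convention of `<apiVersion>.compute.packetMirrorings.insert`, so the exact version prefixes are an assumption.

```python
"""Flag the moment a cloud account turns on traffic mirroring or packet capture (T1040).

Added example. One rule table covers the three clouds; which cloud a record
belongs to is inferred from the field it carries. Records are constructed.
"""
import json
from typing import Any, Dict, Iterable, List, Optional

# cloud -> (dotted field path in that cloud's log format, operation names that
# create a mirror/capture or query one). Reads of unrelated resources do not match.
RULES = {
    "aws": ("eventName", {
        "CreateTrafficMirrorSession",  # attaches a source ENI to a mirror target
        "CreateTrafficMirrorTarget",   # where the mirrored packets are delivered
        "CreateTrafficMirrorFilter",
    }),
    "azure": ("operationName", {
        "Microsoft.Network/networkWatchers/packetCaptures/write",
        "Microsoft.Network/networkWatchers/packetCaptures/queryStatus/action",
    }),
    "gcp": ("protoPayload.methodName", {
        "v1.compute.packetMirrorings.insert",    # assumed version prefix
        "beta.compute.packetMirrorings.insert",  # assumed version prefix
    }),
}


def _get(record: Any, dotted: str) -> Any:
    """Walk a dotted path through nested dicts; None if any step is missing."""
    for key in dotted.split("."):
        if not isinstance(record, dict) or key not in record:
            return None
        record = record[key]
    return record


def _actor(record: Dict[str, Any], cloud: str) -> Optional[str]:
    """Pull the principal from each cloud's own identity field."""
    if cloud == "aws":
        return _get(record, "userIdentity.arn")
    if cloud == "azure":
        return record.get("caller")
    return _get(record, "protoPayload.authenticationInfo.principalEmail")


def classify(record: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return a finding if the record matches any cloud's rule, else None."""
    for cloud, (field, operations) in RULES.items():
        value = _get(record, field)
        if value in operations:
            return {"cloud": cloud, "operation": value, "actor": _actor(record, cloud)}
    return None


def scan(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """Parse newline-delimited JSON events, skipping blank or malformed lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # never let one bad line stop the sweep
        hit = classify(record)
        if hit:
            findings.append(hit)
    return findings


# Constructed events: one matching and one benign per cloud, plus a malformed line.
SAMPLE_LOG = """\
{"eventSource":"ec2.amazonaws.com","eventName":"CreateTrafficMirrorSession","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"}}
{"eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"}}
{"operationName":"Microsoft.Network/networkWatchers/packetCaptures/write","caller":"bob@example.com"}
{"operationName":"Microsoft.Network/networkWatchers/read","caller":"bob@example.com"}
{"protoPayload":{"methodName":"v1.compute.packetMirrorings.insert","authenticationInfo":{"principalEmail":"svc@example.iam.gserviceaccount.com"}}}
not json at all
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

Note what the rule does not see: an existing mirror session that was created before logging was enabled, or capture started from inside an instance (tcpdump on the VM), produces no control-plane event. Pair this with the mirroring-target inventory (`DescribeTrafficMirrorSessions` on AWS and its equivalents) so the steady state is audited, not just the change.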
DCV maps 60 cloud-native detections to T1040 across 3 cloud providers, drawn from AWS Config Rules, AWS Security Hub, Azure Policy, Azure Regulatory Compliance, GCP Security Command Center and Microsoft Defender for Cloud.
T1040 appears under two MITRE ATT&CK tactics: TA0006 Credential Access and TA0007 Discovery (how adversaries learn what they have access to).
CloudSigma ships 3 validated Sigma rules for T1040 across AWS CloudTrail, Azure Activity and GCP Audit Logs. Each rule is validated against its source SIEM dialect before publication.