Detection coverage in DCV across AWS, Azure and GCP for Network Sniffing, plus the corresponding Sigma rules in the CloudSigma library. Source data refreshed 2026-04-24.
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as LLMNR/NBT-NS Poisoning and SMB Relay, can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities. Adversaries may likely also utilize network sniffing during Adversary-in-the-Middle (AiTM) to passively gain additional knowledge about the environment.
In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to. Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic. The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.
On network devices, adversaries may perform network captures using Network Device CLI commands such as `monitor capture`.
Platforms: Linux, macOS, Windows, Network Devices, IaaS.
DCV maps 60 detections across 3 cloud providers to T1040. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| AWS Config Rules | AWS | 24 | 0.64 |
| AWS Security Hub | AWS | 15 | 0.79 |
| Microsoft Defender for Cloud | Azure | 9 | 0.94 |
| Azure Policy | Azure | 7 | 0.92 |
| GCP Security Command Center | GCP | 3 | 0.78 |
| Azure Regulatory Compliance | Azure | 2 | 0.95 |
CloudSigma ships 3 production-ready Sigma rules that detect T1040 across 3 platforms. Every rule below is validated against its source SIEM dialect before publication.
This rule is currently experimental. CloudSigma generated it from upstream threat intelligence; before enabling in production, tune the falsepositives section in your SIEM against your environment's known automation, service accounts and IP allowlist.
title: AWS Network Traffic Mirroring for Credential Capture
id: f64f00e5-2fb7-4bab-94ba-5b09fc7fff33
status: experimental
description: >
Detects the creation of VPC Traffic Mirror targets, filters, or sessions in AWS.
Adversaries may configure traffic mirroring to capture network traffic containing
credentials or sensitive data traversing the cloud network.
author: CloudSigma
date: 2026-02-06
references:
- https://attack.mitre.org/techniques/T1040/
- https://docs.aws.amazon.com/vpc/latest/mirroring/what-is-traffic-mirroring.html
tags:
- attack.credential-access
- attack.discovery
- attack.t1040
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventName:
- CreateTrafficMirrorTarget
- CreateTrafficMirrorFilter
- CreateTrafficMirrorSession
condition: selection
falsepositives:
- Network security teams setting up traffic mirroring for intrusion detection
- Legitimate network monitoring and troubleshooting activities
level: high