{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/network-sniffing/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Azure","Azure Network Watcher"],"_cs_severities":["medium"],"_cs_tags":["azure","network-sniffing","credential-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Azure Network Watcher Packet Capture feature is designed for legitimate network traffic inspection and troubleshooting. However, malicious actors can abuse this feature to perform network sniffing and capture sensitive data, including credentials, from unencrypted internal traffic within Azure Virtual Networks (VNets). This can lead to unauthorized access to systems and data. The detection rule focuses on identifying instances where packet capture is initiated successfully, providing an opportunity to detect and respond to potential credential access attempts. The rule leverages Azure activity logs to monitor for specific packet capture operations, ensuring that suspicious activity is flagged for investigation. The scope of this threat is limited to Azure environments that utilize Network Watcher and have not implemented proper network segmentation or encryption.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains access to an Azure account with sufficient privileges to manage Network Watcher and initiate packet captures.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker uses the compromised account to explore the Azure environment, identifying target VNets and subnets containing potentially valuable data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePacket Capture Configuration:\u003c/strong\u003e The attacker configures the Network Watcher Packet Capture feature to capture traffic from the targeted VNet or subnet. This involves specifying the target VM or network interface and the duration of the capture.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eStart Packet Capture:\u003c/strong\u003e The attacker initiates the packet capture process, which begins recording network traffic based on the configured parameters. The \u003ccode\u003eMICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION\u003c/code\u003e operation is triggered in the Azure activity logs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Acquisition:\u003c/strong\u003e Network traffic, including unencrypted credentials or sensitive data, is captured and stored in a designated storage account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration (Potential):\u003c/strong\u003e If the attacker has configured the packet capture to store data outside the secure environment, they may exfiltrate the captured data for further analysis or malicious use.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e The attacker analyzes the captured network traffic to identify and extract credentials or other sensitive information.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Privilege Escalation:\u003c/strong\u003e Using the acquired credentials, the attacker attempts to move laterally within the Azure environment, gaining access to additional systems and resources, or escalate privileges to gain higher-level control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to the compromise of sensitive data, including user credentials, API keys, and proprietary information. The impact could range from unauthorized access to internal systems and data breaches to complete control over the affected Azure resources. The severity depends on the scope of the captured network traffic and the sensitivity of the data transmitted. Organizations in all sectors utilizing Azure are potentially vulnerable. The number of victims can vary depending on the access level of the compromised account and the targeted resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect malicious packet capture activity in Azure.\u003c/li\u003e\n\u003cli\u003eReview Azure activity logs for instances of \u003ccode\u003eMICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION\u003c/code\u003e, \u003ccode\u003eMICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION\u003c/code\u003e, or \u003ccode\u003eMICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE\u003c/code\u003e operations with a Success outcome, as identified in the rule query.\u003c/li\u003e\n\u003cli\u003eImplement the recommendations for Response and Remediation provided in the Setup section of the referenced Elastic rule to improve detection and response capabilities.\u003c/li\u003e\n\u003cli\u003eRegularly audit Azure user roles and permissions to ensure that only authorized personnel have the ability to manage Network Watcher and initiate packet captures.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-11T12:00:00Z","date_published":"2024-01-11T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-11-azure-packet-capture/","summary":"Detection of Azure Network Watcher's Packet Capture feature being enabled, potentially indicating malicious network sniffing for credential access and discovery of sensitive data in unencrypted traffic.","title":"Azure VNet Full Network Packet Capture Enabled","url":"https://feed.craftedsignal.io/briefs/2024-01-11-azure-packet-capture/"}],"language":"en","title":"CraftedSignal Threat Feed - Network-Sniffing","version":"https://jsonfeed.org/version/1.1"}