<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Network-Sniffing - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/network-sniffing/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 11 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/network-sniffing/feed.xml" rel="self" type="application/rss+xml"/><item><title>Azure VNet Full Network Packet Capture Enabled</title><link>https://feed.craftedsignal.io/briefs/2024-01-11-azure-packet-capture/</link><pubDate>Thu, 11 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-11-azure-packet-capture/</guid><description>Detection of Azure Network Watcher's Packet Capture feature being enabled, potentially indicating malicious network sniffing for credential access and discovery of sensitive data in unencrypted traffic.</description><content:encoded><![CDATA[<p>The Azure Network Watcher Packet Capture feature is designed for legitimate network traffic inspection and troubleshooting. However, malicious actors can abuse this feature to perform network sniffing and capture sensitive data, including credentials, from unencrypted internal traffic within Azure Virtual Networks (VNets). This can lead to unauthorized access to systems and data. The detection rule focuses on identifying instances where packet capture is initiated successfully, providing an opportunity to detect and respond to potential credential access attempts. The rule leverages Azure activity logs to monitor for specific packet capture operations, ensuring that suspicious activity is flagged for investigation. The scope of this threat is limited to Azure environments that utilize Network Watcher and have not implemented proper network segmentation or encryption.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> An attacker gains access to an Azure account with sufficient privileges to manage Network Watcher and initiate packet captures.</li>
<li><strong>Discovery:</strong> The attacker uses the compromised account to explore the Azure environment, identifying target VNets and subnets containing potentially valuable data.</li>
<li><strong>Packet Capture Configuration:</strong> The attacker configures the Network Watcher Packet Capture feature to capture traffic from the targeted VNet or subnet. This involves specifying the target VM or network interface and the duration of the capture.</li>
<li><strong>Start Packet Capture:</strong> The attacker initiates the packet capture process, which begins recording network traffic based on the configured parameters. The <code>MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION</code> operation is triggered in the Azure activity logs.</li>
<li><strong>Data Acquisition:</strong> Network traffic, including unencrypted credentials or sensitive data, is captured and stored in a designated storage account.</li>
<li><strong>Data Exfiltration (Potential):</strong> If the attacker has configured the packet capture to store data outside the secure environment, they may exfiltrate the captured data for further analysis or malicious use.</li>
<li><strong>Credential Access:</strong> The attacker analyzes the captured network traffic to identify and extract credentials or other sensitive information.</li>
<li><strong>Lateral Movement/Privilege Escalation:</strong> Using the acquired credentials, the attacker attempts to move laterally within the Azure environment, gaining access to additional systems and resources, or escalate privileges to gain higher-level control.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation could lead to the compromise of sensitive data, including user credentials, API keys, and proprietary information. The impact could range from unauthorized access to internal systems and data breaches to complete control over the affected Azure resources. The severity depends on the scope of the captured network traffic and the sensitivity of the data transmitted. Organizations in all sectors utilizing Azure are potentially vulnerable. The number of victims can vary depending on the access level of the compromised account and the targeted resources.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect malicious packet capture activity in Azure.</li>
<li>Review Azure activity logs for instances of <code>MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION</code>, <code>MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION</code>, or <code>MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE</code> operations with a Success outcome, as identified in the rule query.</li>
<li>Implement the recommendations for Response and Remediation provided in the Setup section of the referenced Elastic rule to improve detection and response capabilities.</li>
<li>Regularly audit Azure user roles and permissions to ensure that only authorized personnel have the ability to manage Network Watcher and initiate packet captures.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>azure</category><category>network-sniffing</category><category>credential-access</category></item></channel></rss>