MITRE ATT&CK® Analytic

AN0876: Analytic 0876

Correlates interface mode changes to promiscuous with execution of sniffing tools like tcpdump, tshark, or custom pcap libraries. Detects abnormal NIC configurations and unauthorized sniffing from non-root sessions.

Enterprise | AN0876 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic covers Linux systems that have been placed into packet-sniffing mode: a network interface switches to promiscuous mode at about the same time that tools such as tcpdump, tshark, or custom packet-capture libraries execute. For leaders, the practical issue is not the tool name; it is whether an endpoint or server can quietly observe traffic on its network segment outside normal administrative activity, exposing credentials and sensitive data in transit and making the scope of any incident harder to establish.

Executive priority

Prioritize this where Linux systems sit on sensitive network segments, support regulated workloads, or are used by administrators and responders. The business decision value is validating whether the organization can distinguish authorized troubleshooting from unauthorized sniffing, preserve evidence during an investigation, and prove that monitoring exists for abnormal network interface behavior. This supports SOC readiness, incident response scoping, compliance evidence, and control prioritization around privileged activity on Linux assets.

Technical view

For SOC and detection engineering teams, validate that you can correlate a Linux interface entering promiscuous mode with nearby process execution of packet-capture utilities or libraries. The official object names no tactic and ships no detection logic, so treat it as an analytic pattern: combine interface state telemetry, process creation data, and user, session, and privilege context. On Linux the kernel writes an "entered promiscuous mode" message for the interface to the kernel log whenever the IFF_PROMISC flag changes and, if auditing is enabled, also emits an ANOM_PROMISCUOUS audit record carrying the changing process's uid, login uid (auid), and session id; that record is the cleanest native source for the session context this analytic depends on. Pay special attention to non-root sessions, unexpected users, unusual hosts, and systems where packet capture is not part of normal operations.

Likely telemetry

  • Linux process execution telemetry, including command name, command line, user, parent process, and session context
  • Network interface state or configuration change events showing promiscuous mode enabled or disabled
  • Privilege and identity context, including root versus non-root execution and sudo or session metadata where available
  • Host inventory and role context to distinguish network monitoring, troubleshooting, and security tooling systems from ordinary servers
  • Time-correlated endpoint logs that can link interface mode changes with packet-capture process activity

Detection direction

  • Confirm that Linux telemetry actually records promiscuous mode changes; many environments collect process logs but not NIC state changes. The two native sources are the kernel log message "entered promiscuous mode" (dmesg or journalctl -k) and, with auditd running, ANOM_PROMISCUOUS audit records; ip link show exposes the current PROMISC flag for spot checks. Both sources fire only on the flag transition, so a second capture started while another is already running produces no new event.
  • Correlate interface mode changes with execution of tcpdump, tshark, or packet-capture libraries rather than alerting on tool names alone, and keep the reverse gap in view: tcpdump -p (--no-promiscuous-mode) and captures on an interface that is already promiscuous leave no transition to correlate.
  • Tune expected administrative, network engineering, and incident response activity to reduce false positives while preserving visibility into unusual users, hosts, and times.
  • Review non-root session activity carefully, as the official description explicitly calls out unauthorized sniffing from non-root sessions. Separate two cases: a non-root login identity (auid) that reaches root through sudo, and a process whose effective uid is not 0 at all, which means the capture binary carries file capabilities such as cap_net_raw (the usual setcap grant on dumpcap for a wireshark group) or an already privileged process is being abused.
  • Document blind spots where endpoint logging, session identity, or interface configuration telemetry is missing.
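The correlation described in the Technical view and in the Detection direction list above, as an added worked example that is not part of AN0876 or of Glexia's analysis. It assumes auditd is running on the Linux host, so the kernel's ANOM_PROMISCUOUS records (a real audit record type) are available, and that process-execution events have already been normalised into dicts with host, ts, pid, uid, auid, ses and comm fields. The SNIFFERS list, the 30-second window, the approved (host, auid) baseline and every sample line are constructed assumptions, not observed telemetry.

```python
"""Correlate promiscuous-mode transitions with packet-capture execution (added
example, not AN0876's own logic). Inputs are constructed: ANOM_PROMISCUOUS audit
records, which the kernel emits on each IFF_PROMISC change when auditing is on
and which carry auid/uid/ses, plus process-exec events as plain dicts."""
import re
from dataclasses import dataclass

SNIFFERS = {"tcpdump", "tshark", "dumpcap", "tcpflow", "ngrep"}  # assumed list
WINDOW_S = 30.0          # assumed max gap between transition and exec event
AUID_UNSET = 0xFFFFFFFF  # auid=4294967295: no login session (service, cron, boot)

# Record shape (prom/old_prom carry the IFF_PROMISC flag value 0x100, or 0):
#   type=ANOM_PROMISCUOUS msg=audit(<secs>.<ms>:<serial>): dev=eth0 prom=256
#       old_prom=0 auid=1000 uid=0 gid=0 ses=7
ANOM_RE = re.compile(
    r"type=ANOM_PROMISCUOUS msg=audit\((?P<ts>\d+\.\d+):\d+\): (?P<kv>.+)$")

@dataclass
class Promisc:
    host: str
    ts: float
    dev: str
    entered: bool  # True when IFF_PROMISC went from clear to set
    auid: int      # login uid of the session that made the change
    uid: int       # effective uid of the changing process (0 under sudo)
    ses: int       # audit session id, used to join with exec events

def parse_anom_promiscuous(host, line):
    """Parse one ANOM_PROMISCUOUS line; returns None for other record types."""
    m = ANOM_RE.search(line)
    if not m:
        return None
    kv = dict(tok.split("=", 1) for tok in m.group("kv").split())
    return Promisc(host, float(m.group("ts")), kv["dev"],
                   int(kv["prom"]) > int(kv["old_prom"]),
                   int(kv["auid"]), int(kv["uid"]), int(kv["ses"]))

def correlate(promisc_events, proc_events, approved=frozenset()):
    """One finding per promiscuous entry, plus one per sniffer exec left unmatched.
    approved: (host, auid) pairs allowed to capture; stands in for the local baseline."""
    findings, matched = [], set()
    sniffers = [p for p in proc_events if p["comm"] in SNIFFERS]
    for ev in promisc_events:
        if not ev.entered:
            continue  # leaving promiscuous mode is not interesting here
        near = [p for p in sniffers if p["host"] == ev.host and p["ses"] == ev.ses
                and abs(p["ts"] - ev.ts) <= WINDOW_S]
        matched.update(id(p) for p in near)
        tool = near[0]["comm"] if near else None
        if not near:
            sev, why = "high", "promiscuous mode entered with no known capture tool nearby"
        elif ev.uid != 0:
            sev, why = "high", f"{tool} as non-root uid {ev.uid} (file caps or group grant)"
        elif ev.auid == AUID_UNSET:
            sev, why = "medium", f"{tool} from no login session (service or cron)"
        elif (ev.host, ev.auid) in approved:
            sev, why = "info", f"{tool} via sudo by approved auid {ev.auid}"
        else:
            sev, why = "medium", f"{tool} via sudo by unapproved auid {ev.auid}"
        findings.append({"host": ev.host, "ts": ev.ts, "dev": ev.dev,
                         "pid": near[0]["pid"] if near else None,
                         "severity": sev, "reason": why})
    for p in sniffers:
        if id(p) not in matched:  # tcpdump -p, or the interface was already promiscuous
            findings.append({"host": p["host"], "ts": p["ts"], "dev": None, "pid": p["pid"],
                             "severity": "low",
                             "reason": f"{p['comm']} ran without a promiscuous transition"})
    return findings

# Constructed sample input for one host (not real telemetry).
HOST = "lnx-app01"
AUDIT_LINES = [
    "type=SYSCALL msg=audit(1700000099.900:500): arch=c000003e syscall=59 success=yes",
    "type=ANOM_PROMISCUOUS msg=audit(1700000100.250:501): dev=eth0 prom=256 old_prom=0 auid=1000 uid=0 gid=0 ses=7",
    "type=ANOM_PROMISCUOUS msg=audit(1700000160.000:502): dev=eth0 prom=0 old_prom=256 auid=1000 uid=0 gid=0 ses=7",
    "type=ANOM_PROMISCUOUS msg=audit(1700000400.100:610): dev=eth0 prom=256 old_prom=0 auid=1002 uid=1002 gid=1002 ses=9",
    "type=ANOM_PROMISCUOUS msg=audit(1700000900.500:700): dev=eth1 prom=256 old_prom=0 auid=4294967295 uid=0 gid=0 ses=4294967295",
]
PROC_EVENTS = [  # sudo tcpdump, shell noise, dumpcap as plain user, an agent, tcpdump -p
    {"host": HOST, "ts": 1700000099.9, "pid": 4311, "uid": 0, "auid": 1000, "ses": 7, "comm": "tcpdump"},
    {"host": HOST, "ts": 1700000100.5, "pid": 4320, "uid": 0, "auid": 1000, "ses": 7, "comm": "bash"},
    {"host": HOST, "ts": 1700000400.0, "pid": 5120, "uid": 1002, "auid": 1002, "ses": 9, "comm": "dumpcap"},
    {"host": HOST, "ts": 1700000900.3, "pid": 6001, "uid": 0, "auid": AUID_UNSET, "ses": AUID_UNSET, "comm": "collector"},
    {"host": HOST, "ts": 1700001200.0, "pid": 6200, "uid": 0, "auid": 1000, "ses": 11, "comm": "tcpdump"},
]

def run_demo():
    promisc = [e for e in (parse_anom_promiscuous(HOST, ln) for ln in AUDIT_LINES) if e]
    # Assumed baseline: auid 1000 is the only identity approved to capture on this host.
    return correlate(promisc, PROC_EVENTS, approved={(HOST, 1000)})

if __name__ == "__main__":
    for f in run_demo():
        print(f["severity"].upper(), f["dev"], f["pid"], f["reason"])
```

Running the module yields four findings from the sample data: an approved sudo tcpdump (info), dumpcap started as an unprivileged uid, which only works when the binary carries file capabilities (high), an eth1 transition with no capture tool in the window, the "abnormal NIC configuration" case (high), and a tcpdump that produced no transition at all, consistent with -p (low). Joining on the audit session id rather than on pid is deliberate: the ANOM_PROMISCUOUS record carries no pid field of its own, so pid-level attribution needs the companion SYSCALL record with the same serial, which exists only when syscall auditing is enabled.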

Mitigation priorities

  • Restrict who can run packet-capture tools or place interfaces into promiscuous mode on Linux systems: inventory binaries that carry cap_net_raw or cap_net_admin file capabilities (getcap -r) and membership of groups such as wireshark that let non-root users capture.
  • Limit privileged access and validate sudo or equivalent controls for network diagnostic activity; scope sudo rules to the specific capture commands and interfaces an operator needs rather than granting a blanket root shell.
  • Maintain approved-use procedures for legitimate packet capture so SOC teams can separate authorized troubleshooting from suspicious behavior.
  • Ensure Linux endpoint logging covers both process execution and network interface configuration changes: an auditd or equivalent execve feed plus collection of the kernel's promiscuous-mode log messages or ANOM_PROMISCUOUS audit records, which the kernel emits only while auditing is enabled.
  • Use host role and asset criticality to prioritize monitoring on sensitive servers and network-adjacent systems.

Analyst notes and limits

This Glexia take is based only on ATT&CK analytic AN0876. The object identifies a Linux detection analytic that correlates promiscuous interface mode changes with packet-sniffing tool execution. No tactics, relationships, aliases, labels, or official detection logic were supplied, so implementation details must be developed and validated against local telemetry.

The source does not provide a full detection query, supported data sources, tactic mapping, or relationship context. It does not establish active exploitation, attribution, business impact, or detection coverage. Local baselines are required to separate legitimate packet capture from suspicious activity.

Official MITRE ATT&CK definition

Analytic 0876

Correlates interface mode changes to promiscuous with execution of sniffing tools like tcpdump, tshark, or custom pcap libraries. Detects abnormal NIC configurations and unauthorized sniffing from non-root sessions.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: a7bf647ec81fcbe6...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | a7bf647ec81f…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0876 (external source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.