T0842: Network Sniffing
Network sniffing is the practice of using a network interface on a computer system to monitor or capture information [1] regardless of whether it is the specified destination for the information.
An adversary may attempt to sniff the traffic to gain information about the target. This information can vary in the level of importance. Relatively unimportant information is general communications to and from machines. Relatively important information would be login information. User credentials may be sent over an unencrypted protocol, such as Telnet, that can be captured and obtained through network packet analysis.
In addition, ARP and Domain Name Service (DNS) poisoning can be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
Analyst context for executives and security teams
Network Sniffing matters because an adversary who can observe ICS network traffic may learn how operators, workstations, HMIs, controllers, gateways, historians, VPN servers, jump hosts, and network devices communicate. The highest business concern is not packet capture by itself; it is the exposure of credentials, operational protocols, and system relationships that can enable later unauthorized access or manipulation, especially where unencrypted protocols or manipulable discovery/addressing services are present.
Executive priority
Treat this as an operational resilience and control-assurance issue for ICS environments. Leaders should ask whether sensitive ICS communications are encrypted where feasible, whether critical control networks are segmented from enterprise and remote-access paths, and whether credential exposure through legacy or unencrypted protocols is addressed. This technique also supports audit and risk discussions: evidence should show which ICS traffic is protected, where exceptions exist due to device limitations, and how compensating controls are monitored.
Technical view
ATT&CK does not provide official detection text for T0842, but it identifies a related detection strategy, DET0800 Detection of Network Sniffing, and multiple mitigations. SOC and IR teams should validate visibility around network interfaces, switching infrastructure, ARP/DNS behavior, remote-access paths, and traffic crossing ICS boundaries. Because the object targets many ICS asset types—including workstations, HMIs, PLCs, RTUs, IEDs, historians, control servers, data gateways, VPN servers, jump hosts, switches, firewalls, safety controllers, DCS controllers, and PACs—coverage should be assessed by network zone and asset role rather than by a single endpoint platform.
Likely telemetry
- Network packet metadata and, where policy allows, packet capture from ICS network segments
- Switch and network device logs relevant to port configuration, mirroring, MAC address changes, and forwarding behavior
- ARP, DHCP, and DNS activity that could indicate manipulated message forwarding or name/address resolution
- Authentication logs for workstations, HMIs, jump hosts, VPN servers, control servers, and application servers
- Firewall and segmentation boundary logs between enterprise, DMZ, remote access, and process control networks
Detection direction
- Start by confirming whether DET0800 or an equivalent local detection strategy is implemented and mapped to monitored ICS zones.
- Tune detections around unexpected ARP/DNS behavior, unusual traffic observation points, unauthorized network interface behavior, and suspicious changes to switching or forwarding paths.
- Prioritize monitoring at choke points: enterprise-to-ICS firewalls, DMZs, VPN servers, jump hosts, data gateways, control-server paths, and switch infrastructure serving HMIs/controllers.
- Account for false positives from legitimate engineering diagnostics, maintenance captures, protocol analysis, and approved troubleshooting; require change tickets or maintenance windows for context.
- Identify blind spots where embedded controllers, field devices, or isolated segments do not generate host logs and where only passive network telemetry can provide evidence.
Mitigation priorities
- Encrypt network traffic where feasible using strong cryptographic techniques and protocols to reduce credential and data exposure from eavesdropping.
- Use network segmentation to isolate critical systems, restrict traffic to required systems and services, and prevent enterprise or unrelated business networks from accessing process control systems directly.
- Use static network configuration where possible to reduce reliance on dynamic discovery/addressing mechanisms such as ARP, DHCP, and DNS that can support adversary-in-the-middle conditions; document exceptions where device capabilities or operations prevent this.
- Strengthen privileged account management so credentials exposed through network observation have limited value and scope.
- Use multi-factor authentication where compatible with ICS operational and safety constraints, especially for remote access, jump hosts, VPN paths, and administrative workflows.
Analyst notes and limits
The relationship context is important: this technique is associated with broad ICS asset targeting and has documented software relationships to Stuxnet and VPNFilter in ATT&CK. Those relationships support defensive prioritization but should not be read as evidence of current activity in any specific environment. The supplied mitigation relationships point to encryption, static network configuration, privileged account management, network segmentation, and MFA as the main control themes.
The ATT&CK object does not specify tactics, platforms, aliases, or official detection text. Local architecture, protocol use, asset criticality, and available telemetry are required to determine actual exposure and detection coverage. Some ICS devices may have limited support for encryption, MFA, or logging, so compensating network controls may be necessary.
Network Sniffing
Network sniffing is the practice of using a network interface on a computer system to monitor or capture information [1] regardless of whether it is the specified destination for the information.
An adversary may attempt to sniff the traffic to gain information about the target. This information can vary in the level of importance. Relatively unimportant information is general communications to and from machines. Relatively important information would be login information. User credentials may be sent over an unencrypted protocol, such as Telnet, that can be captured and obtained through network packet analysis.
In addition, ARP and Domain Name Service (DNS) poisoning can be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
S1010: VPNFilter
VPNFilter is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations. VPNFilter modules such as its packet sniffer ('ps') can collect traffic that passes through an infected device, allowing the theft of website credentials and monitoring of Modbus SCADA protocols. [1] [2] VPNFilter was assessed to be replaced by Sandworm Team with Cyclops Blink starting in 2019.[3]
S1045: INCONTROLLER
INCONTROLLER is custom malware that includes multiple modules tailored towards ICS devices and technologies, including Schneider Electric and Omron PLCs as well as OPC UA, Modbus, and CODESYS protocols. INCONTROLLER has the ability to discover specific devices, download logic on the devices, and exploit platform-specific vulnerabilities. As of September 2022, some security researchers assessed INCONTROLLER was developed by CHERNOVITE.[1][2][3][4][5]
S0603: Stuxnet
Stuxnet was the first publicly reported malware to specifically target industrial control systems devices. Stuxnet is a large and complex malware that utilized multiple behaviors, including numerous zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.[1][2][3][4] Stuxnet was discovered in 2010, with some components being used as early as November 2008.[1]
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 9587cc4dc456… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Enterprise ATT&CK January 2018
Enterprise ATT&CK 2018, January 11 Network Sniffing Retrieved. 2018/05/17
Open source URL -
[2]
mitre-attack T0842Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.