T1020.001

Traffic Duplication

Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some network devices and cloud environments, often used for legitimate network analysis. Adversaries may abuse this capability to mirror or redirect network traffic through infrastructure they control, enabling passive interception of credentials, session tokens, and sensitive data. Cloud-based environments (AWS Traffic Mirroring, GCP Packet Mirroring, Azure vTAP) provide native APIs for configuring traffic duplication, which adversaries may invoke directly after gaining sufficient privileges.

Microsoft Sentinel / Defender

kusto

// AWS Traffic Mirroring — detect new mirror session creation via CloudTrail-style logs in Sentinel
let AWSTrafficMirrorEvents = AzureActivity
| where TimeGenerated > ago(24h)
| where OperationName has_any ("CreateTrafficMirrorSession", "CreateTrafficMirrorTarget", "CreateTrafficMirrorFilter", "ModifyTrafficMirrorSession", "ModifyTrafficMirrorFilterRule")
| extend EventSource = "Azure"
| project TimeGenerated, OperationName, Caller, CallerIpAddress, ResourceGroup, SubscriptionId, EventSource;
// Azure vTAP — detect virtual network TAP creation or modification
let AzurevTAPEvents = AzureActivity
| where TimeGenerated > ago(24h)
| where OperationName has_any ("Microsoft.Network/virtualNetworkTaps/write", "Microsoft.Network/virtualNetworkTaps/delete", "Microsoft.Network/networkInterfaces/tapConfigurations/write")
| extend EventSource = "AzurevTAP"
| project TimeGenerated, OperationName, Caller, CallerIpAddress, ResourceGroup, SubscriptionId, EventSource;
// Combine results
AWSTrafficMirrorEvents
| union AzurevTAPEvents
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Cloud Service: Cloud Service Modification Network Traffic: Network Traffic Flow Azure Activity Logs

Required Tables

AzureActivity

False Positives

Network operations teams legitimately configuring traffic mirroring for IDS/IPS or network performance monitoring purposes
Security teams deploying packet capture appliances or NDR sensors that require vTAP or traffic mirror configurations
Cloud infrastructure automation (Terraform, Ansible, Pulumi) that provisions traffic mirroring as part of baseline network security architecture
Managed security service providers (MSSPs) configuring traffic mirroring in customer environments for monitoring
Cloud migration projects that temporarily mirror traffic for validation and testing before full cutover

Splunk

spl

index=* (sourcetype="aws:cloudtrail" OR sourcetype="azure:activity" OR sourcetype="gcp:cloudaudit")
| eval EventName=coalesce(eventName, operationName, protoPayload.methodName)
| eval SourceIP=coalesce(sourceIPAddress, callerIpAddress, protoPayload.requestMetadata.callerIp)
| eval Actor=coalesce(userIdentity.arn, caller, protoPayload.authenticationInfo.principalEmail)
| eval Platform=case(
    sourcetype="aws:cloudtrail", "AWS",
    sourcetype="azure:activity", "Azure",
    sourcetype="gcp:cloudaudit", "GCP",
    true(), "Unknown"
  )
| eval IsMirrorEvent=if(
    match(EventName, "(?i)(CreateTrafficMirrorSession|CreateTrafficMirrorTarget|CreateTrafficMirrorFilter|ModifyTrafficMirrorSession|ModifyTrafficMirrorFilterRule|DeleteTrafficMirrorSession|CreatePacketMirroringPolicy|patchPacketMirroring|insertPacketMirroring|virtualNetworkTaps/write|tapConfigurations/write)"),
    1, 0
  )
| where IsMirrorEvent=1
| eval IsMirrorCreation=if(match(EventName, "(?i)(Create|insert|write)"), 1, 0)
| eval IsMirrorModify=if(match(EventName, "(?i)(Modify|patch|update)"), 1, 0)
| eval IsMirrorDelete=if(match(EventName, "(?i)(Delete)"), 1, 0)
| table _time, Platform, EventName, Actor, SourceIP, IsMirrorCreation, IsMirrorModify, IsMirrorDelete
| sort - _time

high severity medium confidence

Data Sources

Cloud Service: Cloud Service Modification Network Traffic: Network Traffic Flow AWS CloudTrail Azure Activity Logs GCP Cloud Audit Logs

Required Sourcetypes

aws:cloudtrail azure:activity gcp:cloudaudit

False Positives

Network operations teams legitimately configuring traffic mirroring for IDS/IPS or network performance monitoring purposes
Security teams deploying packet capture appliances or NDR sensors that require vTAP or traffic mirror configurations
Cloud infrastructure automation (Terraform, Ansible, Pulumi) that provisions traffic mirroring as part of baseline network security architecture
Managed security service providers (MSSPs) configuring traffic mirroring in customer environments for monitoring
Cloud migration projects that temporarily mirror traffic for validation and testing before full cutover

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  LOGSOURCETYPENAME(devicetype) AS LogSourceType,
  username AS Actor,
  sourceip AS SourceIP,
  "EventName",
  CASE
    WHEN LOWER(LOGSOURCETYPENAME(devicetype)) LIKE '%cloudtrail%' THEN 'AWS'
    WHEN LOWER(LOGSOURCETYPENAME(devicetype)) LIKE '%azure%' THEN 'Azure'
    WHEN LOWER(LOGSOURCETYPENAME(devicetype)) LIKE '%google%'
      OR LOWER(LOGSOURCETYPENAME(devicetype)) LIKE '%gcp%' THEN 'GCP'
    ELSE 'Unknown'
  END AS Platform
FROM events
WHERE (
  LOWER("EventName") LIKE '%createtrafficmirrorsession%'
  OR LOWER("EventName") LIKE '%createtrafficmirrortarget%'
  OR LOWER("EventName") LIKE '%createtrafficmirrorfilter%'
  OR LOWER("EventName") LIKE '%modifytrafficmirrorsession%'
  OR LOWER("EventName") LIKE '%modifytrafficmirrorfilterrule%'
  OR LOWER("EventName") LIKE '%deletetrafficmirrorsession%'
  OR LOWER("EventName") LIKE '%insertpacketmirroring%'
  OR LOWER("EventName") LIKE '%patchpacketmirroring%'
  OR LOWER("EventName") LIKE '%deletepacketmirroring%'
  OR LOWER("EventName") LIKE '%virtualnetworktap%'
  OR LOWER("EventName") LIKE '%tapconfigurations%'
)
ORDER BY starttime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

AWS CloudTrail via IBM QRadar DSM for Amazon AWS CloudTrail Microsoft Azure Activity Logs via IBM QRadar DSM for Microsoft Azure Google Cloud Platform Audit Logs via IBM QRadar DSM for Google GCP Audit

Required Tables

events

False Positives

Approved network visibility deployments where security or platform teams create AWS Traffic Mirror sessions to forward packets to inline tools such as network taps, IDS appliances, or packet brokers
Automated cloud governance or CSPM tools (e.g., Prisma Cloud, Wiz, Orca) that enumerate existing traffic mirror and vTAP configurations during scheduled compliance assessments
Terraform or Ansible automation runs in deployment pipelines that create, update, or destroy traffic mirroring resources as part of environment provisioning or teardown workflows

Sumo Logic CSE

sql

(_sourceCategory=*cloudtrail* OR _sourceCategory=*azure/activity* OR _sourceCategory=*gcp/audit*)
| json auto maxdepth 5 nodrop
| if (!isNull(%"eventName"), %"eventName",
    if (!isNull(%"operationName"), %"operationName",
      if (!isNull(%"protoPayload.methodName"), %"protoPayload.methodName", "unknown")
    )
  ) as EventName
| if (!isNull(%"sourceIPAddress"), %"sourceIPAddress",
    if (!isNull(%"callerIpAddress"), %"callerIpAddress",
      if (!isNull(%"protoPayload.requestMetadata.callerIp"), %"protoPayload.requestMetadata.callerIp", "unknown")
    )
  ) as SourceIP
| if (!isNull(%"userIdentity.arn"), %"userIdentity.arn",
    if (!isNull(%"caller"), %"caller",
      if (!isNull(%"protoPayload.authenticationInfo.principalEmail"), %"protoPayload.authenticationInfo.principalEmail", "unknown")
    )
  ) as Actor
| where EventName matches "*TrafficMirror*"
  OR EventName matches "*PacketMirror*"
  OR EventName matches "*virtualNetworkTap*"
  OR EventName matches "*tapConfiguration*"
| if (_sourceCategory matches "*cloudtrail*", "AWS",
    if (_sourceCategory matches "*azure*", "Azure",
      if (_sourceCategory matches "*gcp*", "GCP", "Unknown")
    )
  ) as Platform
| fields _messageTime, Platform, EventName, Actor, SourceIP
| sort by _messageTime desc

high severity high confidence

Data Sources

AWS CloudTrail via Sumo Logic AWS CloudTrail App or S3/HTTP source (configure _sourceCategory to match *cloudtrail*) Azure Activity Logs via Sumo Logic Azure Audit App or Azure Event Hub source (configure _sourceCategory to match *azure/activity*) GCP Cloud Audit Logs via Sumo Logic GCP App or Google Cloud Pub/Sub source (configure _sourceCategory to match *gcp/audit*)

Required Tables

Sumo Logic source configured for AWS CloudTrail Sumo Logic source configured for Azure Activity Logs Sumo Logic source configured for GCP Cloud Audit Logs

False Positives

Cloud security and observability teams creating AWS Traffic Mirror sessions to route packets to approved network detection tools (e.g., Corelight sensors, packet capture appliances) as part of a sanctioned security architecture
Compliance automation or CSPM platforms that programmatically enumerate mirror and vTAP configurations to assess posture, triggering modify or list API calls logged as activity events
Disaster recovery or chaos engineering exercises that temporarily create mirror sessions to capture traffic samples between primary and DR environments for replication fidelity validation

Google Chronicle / SecOps

yaral

rule detect_traffic_duplication_t1020_001 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects creation, modification, or deletion of traffic mirroring and packet duplication resources in AWS, Azure, and GCP. Adversaries abuse cloud-native mirroring APIs after gaining sufficient privileges to passively intercept credentials, session tokens, and sensitive data (MITRE T1020.001)."
    mitre_attack_tactic = "Exfiltration"
    mitre_attack_technique = "T1020.001"
    severity = "HIGH"
    confidence = "HIGH"
    rule_version = "1.0"

  events:
    (
      re.regex($e.metadata.product_event_type,
        `(?i)CreateTrafficMirrorSession|CreateTrafficMirrorTarget|CreateTrafficMirrorFilter|ModifyTrafficMirrorSession|ModifyTrafficMirrorFilterRule|DeleteTrafficMirrorSession`)
      or re.regex($e.metadata.product_event_type,
        `(?i)insertPacketMirroring|patchPacketMirroring|deletePacketMirroring`)
      or re.regex($e.target.resource.name,
        `(?i)virtualNetworkTaps|tapConfigurations`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle with AWS CloudTrail ingestion via Chronicle forwarder or S3-based log feed Google Chronicle with Azure Activity Log ingestion via Chronicle Azure integration Google Chronicle with GCP Cloud Audit Log ingestion — automatic for GCP-native Chronicle tenants

Required Tables

Chronicle UDM events (cloud audit log sources ingested and normalised to UDM schema)

False Positives

Security platform engineering teams creating AWS Traffic Mirror sessions targeting approved appliance ENIs as part of a documented network visibility architecture review or rollout
Infrastructure-as-code automation (Terraform, Pulumi) running under known service accounts that provision or update packet mirroring policies across cloud environments on a scheduled cadence
Authorised red team or penetration test engagements with documented scope that include cloud traffic mirroring as a tested attack technique — verify actor identity against engagement authorisation window

CrowdStrike LogScale (CQL)

cql

// CrowdStrike LogScale — detect cloud traffic mirroring via cloud audit log ingestion
// Target the repository containing AWS CloudTrail, Azure Activity, and GCP Audit events
(
  eventName = /(?i)CreateTrafficMirrorSession|CreateTrafficMirrorTarget|CreateTrafficMirrorFilter|ModifyTrafficMirrorSession|ModifyTrafficMirrorFilterRule|DeleteTrafficMirrorSession/
  OR operationName = /(?i)virtualNetworkTaps\/write|tapConfigurations\/write/
  OR protoPayload.methodName = /(?i)insertPacketMirroring|patchPacketMirroring|deletePacketMirroring/
)
| case {
    eventName = /(?i)Create|Insert/ | mirrorAction := "Creation" ;
    eventName = /(?i)Modify|Patch|Update/ | mirrorAction := "Modification" ;
    eventName = /(?i)Delete/ | mirrorAction := "Deletion" ;
    operationName = /(?i)write/ | mirrorAction := "Creation/Modification" ;
    * | mirrorAction := "Other" ;
  }
| coalesce(userIdentity.arn, caller, protoPayload.authenticationInfo.principalEmail) as ActorIdentity
| coalesce(sourceIPAddress, callerIpAddress, protoPayload.requestMetadata.callerIp) as SourceIP
| coalesce(eventName, operationName, protoPayload.methodName) as ResolvedEventName
| table([_time, ResolvedEventName, mirrorAction, ActorIdentity, SourceIP, awsRegion, resourceGroupName])

high severity medium confidence

Data Sources

CrowdStrike Falcon CSPM (Horizon) cloud audit log ingestion for AWS CrowdStrike Falcon CSPM (Horizon) cloud audit log ingestion for Azure CrowdStrike Falcon CSPM (Horizon) cloud audit log ingestion for GCP LogScale direct cloud audit source integrations (AWS CloudTrail S3, Azure Event Hub, GCP Pub/Sub)

Required Tables

LogScale repository containing cloud audit events from AWS CloudTrail, Azure Activity Logs, and GCP Cloud Audit

False Positives

Platform or security engineering teams running approved AWS Traffic Mirror deployments to route packets to network inspection appliances (NDR sensors, packet brokers) as part of an established security architecture
CrowdStrike Falcon Horizon or other CSPM tools making automated API calls to enumerate or validate traffic mirror configurations during routine cloud posture assessments
Load testing or performance engineering teams creating short-lived mirror sessions to capture representative traffic samples for analysis — verify against active load test windows and change management tickets

Last updated: 2026-04-13 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1020.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Traffic Duplication

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Same Tactic: Exfiltration

Popular Detections