Detect Traffic Duplication in Google Chronicle
Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some network devices and cloud environments, often used for legitimate network analysis. Adversaries may abuse this capability to mirror or redirect network traffic through infrastructure they control, enabling passive interception of credentials, session tokens, and sensitive data. Cloud-based environments (AWS Traffic Mirroring, GCP Packet Mirroring, Azure vTAP) provide native APIs for configuring traffic duplication, which adversaries may invoke directly after gaining sufficient privileges.
MITRE ATT&CK
- Tactic: Exfiltration
- Technique: T1020 Automated Exfiltration
- Sub-technique: T1020.001 Traffic Duplication
- Canonical reference: https://attack.mitre.org/techniques/T1020/001/
YARA-L Detection Query

```
rule detect_traffic_duplication_t1020_001 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects creation, modification, or deletion of traffic mirroring and packet duplication resources in AWS, Azure, and GCP. Adversaries abuse cloud-native mirroring APIs after gaining sufficient privileges to passively intercept credentials, session tokens, and sensitive data (MITRE T1020.001)."
    mitre_attack_tactic = "Exfiltration"
    mitre_attack_technique = "T1020.001"
    severity = "HIGH"
    confidence = "HIGH"
    rule_version = "1.0"

  events:
    (
      // AWS CloudTrail: Traffic Mirroring lifecycle API calls
      re.regex($e.metadata.product_event_type,
        `(?i)CreateTrafficMirrorSession|CreateTrafficMirrorTarget|CreateTrafficMirrorFilter|ModifyTrafficMirrorSession|ModifyTrafficMirrorFilterRule|DeleteTrafficMirrorSession`)
      // GCP Cloud Audit Logs: Packet Mirroring policy operations
      or re.regex($e.metadata.product_event_type,
        `(?i)insertPacketMirroring|patchPacketMirroring|deletePacketMirroring`)
      // Azure Activity Log: vTAP resource writes, matched on the resource name
      or re.regex($e.target.resource.name,
        `(?i)virtualNetworkTaps|tapConfigurations`)
    )

  condition:
    $e
}
```

Chronicle YARA-L 2.0 rule detecting traffic duplication and mirroring API calls ingested as UDM events from AWS CloudTrail, Azure Activity Logs, and GCP Cloud Audit Logs. It matches on metadata.product_event_type for AWS and GCP lifecycle operations, and on target.resource.name for Azure vTAP resource writes. It fires on any create, modify, or delete action involving traffic mirroring infrastructure.
False Positives & Tuning
- Security platform engineering teams creating AWS Traffic Mirror sessions targeting approved appliance ENIs as part of a documented network visibility architecture review or rollout
- Infrastructure-as-code automation (Terraform, Pulumi) running under known service accounts that provision or update packet mirroring policies across cloud environments on a scheduled cadence
- Authorised red team or penetration test engagements with documented scope that include cloud traffic mirroring as a tested attack technique; verify the actor identity against the engagement authorisation window
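To test the rule's matching logic and the tuning notes above offline, the following added example (not part of the page or the Argus rule package) re-implements the rule's three clauses as Python regexes and runs them over constructed UDM-shaped events, suppressing matches from an assumed allowlist of known automation identities. It also checks the GCP clause against the method name the page's Test 3 says Cloud Audit Logs actually record; the allowlist entries, identities and event values are all constructed.

```python
import re

# Same three clauses as the YARA-L rule, unanchored and case-insensitive like re.regex.
# Note: "CreateTrafficMirrorFilter" is a substring of "CreateTrafficMirrorFilterRule",
# so filter-rule creation events match this clause too.
MIRROR_EVENT_RE = re.compile(
    r"(?i)CreateTrafficMirrorSession|CreateTrafficMirrorTarget|CreateTrafficMirrorFilter"
    r"|ModifyTrafficMirrorSession|ModifyTrafficMirrorFilterRule|DeleteTrafficMirrorSession"
    r"|insertPacketMirroring|patchPacketMirroring|deletePacketMirroring"
)
AZURE_TAP_RE = re.compile(r"(?i)virtualNetworkTaps|tapConfigurations")

# Assumed allowlist of IaC / automation identities (constructed, not from the page).
KNOWN_AUTOMATION = {"arn:aws:iam::111122223333:role/terraform-ci"}


def rule_matches(event):
    """Apply the rule's events block to one UDM-shaped event (nested dicts)."""
    pet = event.get("metadata", {}).get("product_event_type", "")
    name = event.get("target", {}).get("resource", {}).get("name", "")
    return bool(MIRROR_EVENT_RE.search(pet) or AZURE_TAP_RE.search(name))


def triage(event):
    """Return 'alert', 'suppressed' (known automation actor) or 'no_match'."""
    if not rule_matches(event):
        return "no_match"
    actor = event.get("principal", {}).get("user", {}).get("userid", "")
    return "suppressed" if actor in KNOWN_AUTOMATION else "alert"


# Constructed sample events laid out like UDM fields (not real telemetry).
SAMPLE_EVENTS = [
    {"metadata": {"product_event_type": "CreateTrafficMirrorSession"},
     "principal": {"user": {"userid": "arn:aws:iam::111122223333:user/alice"}}},
    {"metadata": {"product_event_type": "CreateTrafficMirrorFilterRule"},
     "principal": {"user": {"userid": "arn:aws:iam::111122223333:role/terraform-ci"}}},
    # GCP method name as described in Test 3: not covered by the rule's regex.
    {"metadata": {"product_event_type": "v1.compute.packetMirrorings.insert"},
     "principal": {"user": {"userid": "bob@example.com"}}},
    {"metadata": {"product_event_type": "MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE"},
     "target": {"resource": {"name": "/subscriptions/00000000-0000-0000-0000-000000000000"
                                     "/resourceGroups/rg1/providers/Microsoft.Network"
                                     "/networkInterfaces/nic1/tapConfigurations/tap1"}}},
    {"metadata": {"product_event_type": "DescribeTrafficMirrorSessions"}},  # read-only call
]


def run(events=SAMPLE_EVENTS):
    return [triage(e) for e in events]


if __name__ == "__main__":
    for e, verdict in zip(SAMPLE_EVENTS, run()):
        print(f"{verdict:10} {e['metadata']['product_event_type']}")
```

The third event shows that a GCP audit record carrying the method name the page's Test 3 describes would not be matched by the rule as written, which is worth confirming against the product_event_type values your Chronicle parser emits before relying on the GCP clause.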
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: AWS Traffic Mirror Session Creation
  Expected signal: AWS CloudTrail will log CreateTrafficMirrorTarget, CreateTrafficMirrorFilter, CreateTrafficMirrorFilterRule (x2), and CreateTrafficMirrorSession events. Each event will contain userIdentity.arn, sourceIPAddress, eventTime, requestParameters (including networkInterfaceId, trafficMirrorTargetId), and responseElements with the created resource IDs.
- Test 2: Azure Virtual Network TAP Configuration
  Expected signal: Azure Activity Log will record Microsoft.Network/virtualNetworkTaps/write and Microsoft.Network/networkInterfaces/tapConfigurations/write operations with caller identity (UPN or service principal), CallerIpAddress, ResourceGroup, and SubscriptionId. Events appear within 1-5 minutes of execution.
- Test 3: GCP Packet Mirroring Policy Creation
  Expected signal: GCP Cloud Audit Log (Admin Activity) will record a compute.packetMirrorings.insert method call with principalEmail, callerIp, requestMetadata, and resource name. The event is logged in the cloudaudit.googleapis.com/activity log stream for the project.
- Test 4: Cisco IOS SPAN Session Configuration Simulation
  Expected signal: Linux syslog will contain CISCO-IOS tagged entries showing ERSPAN configuration commands. These would be ingested into the SIEM via a syslog forwarder. In a real scenario, TACACS+ accounting would also log the commands with the authenticated username, timestamp, and device IP.
References (11)
- https://attack.mitre.org/techniques/T1020/001/
- https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-how-it-works.html
- https://cloud.google.com/vpc/docs/packet-mirroring
- https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview
- https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r5-1/interfaces/configuration/guide/hc51xcrsbook/hc51span.html
- https://www.juniper.net/documentation/en_US/junos/topics/concept/port-mirroring-ex-series.html
- https://www.us-cert.gov/ncas/alerts/TA18-106A
- https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
- https://docs.aws.amazon.com/cli/latest/reference/ec2/create-traffic-mirror-session.html
- https://docs.microsoft.com/en-us/cli/azure/network/vnet/tap
- https://cloud.google.com/sdk/gcloud/reference/compute/packet-mirrorings/create