Detect Traffic Duplication in Elastic Security
Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some network devices and cloud environments, often used for legitimate network analysis. Adversaries may abuse this capability to mirror or redirect network traffic through infrastructure they control, enabling passive interception of credentials, session tokens, and sensitive data. Cloud-based environments (AWS Traffic Mirroring, GCP Packet Mirroring, Azure vTAP) provide native APIs for configuring traffic duplication, which adversaries may invoke directly after gaining sufficient privileges.
MITRE ATT&CK
- Tactic
- Exfiltration
- Technique
- T1020 Automated Exfiltration
- Sub-technique
- T1020.001 Traffic Duplication
- Canonical reference
- https://attack.mitre.org/techniques/T1020/001/
Elastic Detection Query
any where event.dataset in ("aws.cloudtrail", "azure.activitylogs", "gcp.audit")
and (
event.action in (
"CreateTrafficMirrorSession",
"CreateTrafficMirrorTarget",
"CreateTrafficMirrorFilter",
"ModifyTrafficMirrorSession",
"ModifyTrafficMirrorFilterRule",
"DeleteTrafficMirrorSession",
"google.compute.v1.PacketMirrorings.Insert",
"google.compute.v1.PacketMirrorings.Patch",
"google.compute.v1.PacketMirrorings.Delete"
)
or event.action like~ "*TrafficMirror*"
or event.action like~ "*PacketMirror*"
or event.action like~ "*virtualNetworkTaps*"
or event.action like~ "*tapConfiguration*"
)Detects creation, modification, and deletion of traffic mirroring and packet duplication resources across AWS (Traffic Mirror Sessions, Targets, Filters), Azure (vTAP and TAP configurations), and GCP (Packet Mirroring policies). Adversaries with sufficient cloud privileges invoke these native APIs to passively intercept credentials, session tokens, and sensitive data without disrupting network flows.
Data Sources
Required Tables
False Positives & Tuning
- Network or cloud security engineering teams deploying approved IDS, NDR, or packet capture appliances (e.g., Darktrace, ExtraHop, Corelight) that require traffic mirror sessions routed to inspection infrastructure
- Infrastructure-as-code pipelines (Terraform, CloudFormation, Pulumi) running under CI/CD service accounts that provision or update traffic mirroring configurations as part of sanctioned environment builds
- Security Operations teams creating short-lived traffic mirror sessions during active incident response or forensic capture workflows to record network evidence from a compromised instance
Other platforms for T1020.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AWS Traffic Mirror Session Creation
Expected signal: AWS CloudTrail will log CreateTrafficMirrorTarget, CreateTrafficMirrorFilter, CreateTrafficMirrorFilterRule (x2), and CreateTrafficMirrorSession events. Each event will contain userIdentity.arn, sourceIPAddress, eventTime, requestParameters (including networkInterfaceId, trafficMirrorTargetId), and responseElements with the created resource IDs.
- Test 2Azure Virtual Network TAP Configuration
Expected signal: Azure Activity Log will record Microsoft.Network/virtualNetworkTaps/write and Microsoft.Network/networkInterfaces/tapConfigurations/write operations with caller identity (UPN or service principal), CallerIpAddress, ResourceGroup, and SubscriptionId. Events appear within 1-5 minutes of execution.
- Test 3GCP Packet Mirroring Policy Creation
Expected signal: GCP Cloud Audit Log (Admin Activity) will record a compute.packetMirrorings.insert method call with principalEmail, callerIp, requestMetadata, and resource name. The event is logged in the cloudaudit.googleapis.com/activity log stream for the project.
- Test 4Cisco IOS SPAN Session Configuration Simulation
Expected signal: Linux syslog will contain CISCO-IOS tagged entries showing ERSPAN configuration commands. These would be ingested via syslog forwarder into SIEM. In a real scenario, TACACS+ accounting would also log the commands with the authenticated username, timestamp, and device IP.
References (11)
- https://attack.mitre.org/techniques/T1020/001/
- https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-how-it-works.html
- https://cloud.google.com/vpc/docs/packet-mirroring
- https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview
- https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r5-1/interfaces/configuration/guide/hc51xcrsbook/hc51span.html
- https://www.juniper.net/documentation/en_US/junos/topics/concept/port-mirroring-ex-series.html
- https://www.us-cert.gov/ncas/alerts/TA18-106A
- https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
- https://docs.aws.amazon.com/cli/latest/reference/ec2/create-traffic-mirror-session.html
- https://docs.microsoft.com/en-us/cli/azure/network/vnet/tap
- https://cloud.google.com/sdk/gcloud/reference/compute/packet-mirrorings/create
Unlock Pro Content
Get the full detection package for T1020.001 including response playbook, investigation guide, and atomic red team tests.