Detect Traffic Duplication in CrowdStrike LogScale
Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some network devices and cloud environments, often used for legitimate network analysis. Adversaries may abuse this capability to mirror or redirect network traffic through infrastructure they control, enabling passive interception of credentials, session tokens, and sensitive data. Cloud-based environments (AWS Traffic Mirroring, GCP Packet Mirroring, Azure vTAP) provide native APIs for configuring traffic duplication, which adversaries may invoke directly after gaining sufficient privileges.
MITRE ATT&CK
- Tactic
- Exfiltration
- Technique
- T1020 Automated Exfiltration
- Sub-technique
- T1020.001 Traffic Duplication
- Canonical reference
- https://attack.mitre.org/techniques/T1020/001/
LogScale Detection Query
// CrowdStrike LogScale — detect cloud traffic mirroring via cloud audit log ingestion
// Target the repository containing AWS CloudTrail, Azure Activity, and GCP Audit events
(
eventName = /(?i)CreateTrafficMirrorSession|CreateTrafficMirrorTarget|CreateTrafficMirrorFilter|ModifyTrafficMirrorSession|ModifyTrafficMirrorFilterRule|DeleteTrafficMirrorSession/
OR operationName = /(?i)virtualNetworkTaps\/write|tapConfigurations\/write/
OR protoPayload.methodName = /(?i)insertPacketMirroring|patchPacketMirroring|deletePacketMirroring/
)
| case {
eventName = /(?i)Create|Insert/ | mirrorAction := "Creation" ;
eventName = /(?i)Modify|Patch|Update/ | mirrorAction := "Modification" ;
eventName = /(?i)Delete/ | mirrorAction := "Deletion" ;
operationName = /(?i)write/ | mirrorAction := "Creation/Modification" ;
* | mirrorAction := "Other" ;
}
| coalesce(userIdentity.arn, caller, protoPayload.authenticationInfo.principalEmail) as ActorIdentity
| coalesce(sourceIPAddress, callerIpAddress, protoPayload.requestMetadata.callerIp) as SourceIP
| coalesce(eventName, operationName, protoPayload.methodName) as ResolvedEventName
| table([_time, ResolvedEventName, mirrorAction, ActorIdentity, SourceIP, awsRegion, resourceGroupName])CrowdStrike LogScale (Humio) query detecting traffic mirroring and packet duplication events across AWS, Azure, and GCP cloud environments. Uses regex matching on cloud audit log event fields, classifies each event into creation, modification, or deletion lifecycle buckets, and normalises actor identity and source IP across all three cloud providers for unified analyst triage.
Data Sources
Required Tables
False Positives & Tuning
- Platform or security engineering teams running approved AWS Traffic Mirror deployments to route packets to network inspection appliances (NDR sensors, packet brokers) as part of an established security architecture
- CrowdStrike Falcon Horizon or other CSPM tools making automated API calls to enumerate or validate traffic mirror configurations during routine cloud posture assessments
- Load testing or performance engineering teams creating short-lived mirror sessions to capture representative traffic samples for analysis — verify against active load test windows and change management tickets
Other platforms for T1020.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AWS Traffic Mirror Session Creation
Expected signal: AWS CloudTrail will log CreateTrafficMirrorTarget, CreateTrafficMirrorFilter, CreateTrafficMirrorFilterRule (x2), and CreateTrafficMirrorSession events. Each event will contain userIdentity.arn, sourceIPAddress, eventTime, requestParameters (including networkInterfaceId, trafficMirrorTargetId), and responseElements with the created resource IDs.
- Test 2Azure Virtual Network TAP Configuration
Expected signal: Azure Activity Log will record Microsoft.Network/virtualNetworkTaps/write and Microsoft.Network/networkInterfaces/tapConfigurations/write operations with caller identity (UPN or service principal), CallerIpAddress, ResourceGroup, and SubscriptionId. Events appear within 1-5 minutes of execution.
- Test 3GCP Packet Mirroring Policy Creation
Expected signal: GCP Cloud Audit Log (Admin Activity) will record a compute.packetMirrorings.insert method call with principalEmail, callerIp, requestMetadata, and resource name. The event is logged in the cloudaudit.googleapis.com/activity log stream for the project.
- Test 4Cisco IOS SPAN Session Configuration Simulation
Expected signal: Linux syslog will contain CISCO-IOS tagged entries showing ERSPAN configuration commands. These would be ingested via syslog forwarder into SIEM. In a real scenario, TACACS+ accounting would also log the commands with the authenticated username, timestamp, and device IP.
References (11)
- https://attack.mitre.org/techniques/T1020/001/
- https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-how-it-works.html
- https://cloud.google.com/vpc/docs/packet-mirroring
- https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview
- https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r5-1/interfaces/configuration/guide/hc51xcrsbook/hc51span.html
- https://www.juniper.net/documentation/en_US/junos/topics/concept/port-mirroring-ex-series.html
- https://www.us-cert.gov/ncas/alerts/TA18-106A
- https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
- https://docs.aws.amazon.com/cli/latest/reference/ec2/create-traffic-mirror-session.html
- https://docs.microsoft.com/en-us/cli/azure/network/vnet/tap
- https://cloud.google.com/sdk/gcloud/reference/compute/packet-mirrorings/create
Unlock Pro Content
Get the full detection package for T1020.001 including response playbook, investigation guide, and atomic red team tests.