Detect Traffic Duplication in IBM QRadar
Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some network devices and cloud environments, often used for legitimate network analysis. Adversaries may abuse this capability to mirror or redirect network traffic through infrastructure they control, enabling passive interception of credentials, session tokens, and sensitive data. Cloud-based environments (AWS Traffic Mirroring, GCP Packet Mirroring, Azure vTAP) provide native APIs for configuring traffic duplication, which adversaries may invoke directly after gaining sufficient privileges.
MITRE ATT&CK
- Tactic
- Exfiltration
- Technique
- T1020 Automated Exfiltration
- Sub-technique
- T1020.001 Traffic Duplication
- Canonical reference
- https://attack.mitre.org/techniques/T1020/001/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
LOGSOURCENAME(logsourceid) AS LogSource,
LOGSOURCETYPENAME(devicetype) AS LogSourceType,
username AS Actor,
sourceip AS SourceIP,
"EventName",
CASE
WHEN LOWER(LOGSOURCETYPENAME(devicetype)) LIKE '%cloudtrail%' THEN 'AWS'
WHEN LOWER(LOGSOURCETYPENAME(devicetype)) LIKE '%azure%' THEN 'Azure'
WHEN LOWER(LOGSOURCETYPENAME(devicetype)) LIKE '%google%'
OR LOWER(LOGSOURCETYPENAME(devicetype)) LIKE '%gcp%' THEN 'GCP'
ELSE 'Unknown'
END AS Platform
FROM events
WHERE (
LOWER("EventName") LIKE '%createtrafficmirrorsession%'
OR LOWER("EventName") LIKE '%createtrafficmirrortarget%'
OR LOWER("EventName") LIKE '%createtrafficmirrorfilter%'
OR LOWER("EventName") LIKE '%modifytrafficmirrorsession%'
OR LOWER("EventName") LIKE '%modifytrafficmirrorfilterrule%'
OR LOWER("EventName") LIKE '%deletetrafficmirrorsession%'
OR LOWER("EventName") LIKE '%insertpacketmirroring%'
OR LOWER("EventName") LIKE '%patchpacketmirroring%'
OR LOWER("EventName") LIKE '%deletepacketmirroring%'
OR LOWER("EventName") LIKE '%virtualnetworktap%'
OR LOWER("EventName") LIKE '%tapconfigurations%'
)
ORDER BY starttime DESC
LAST 24 HOURSDetects traffic duplication and packet mirroring API calls across AWS, Azure, and GCP in IBM QRadar by querying cloud audit log sources. Derives cloud platform from the log source type name using LOGSOURCETYPENAME and filters on case-insensitive LIKE patterns covering the full lifecycle (create, modify, delete) of mirroring resources across all three providers.
Data Sources
Required Tables
False Positives & Tuning
- Approved network visibility deployments where security or platform teams create AWS Traffic Mirror sessions to forward packets to inline tools such as network taps, IDS appliances, or packet brokers
- Automated cloud governance or CSPM tools (e.g., Prisma Cloud, Wiz, Orca) that enumerate existing traffic mirror and vTAP configurations during scheduled compliance assessments
- Terraform or Ansible automation runs in deployment pipelines that create, update, or destroy traffic mirroring resources as part of environment provisioning or teardown workflows
Other platforms for T1020.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AWS Traffic Mirror Session Creation
Expected signal: AWS CloudTrail will log CreateTrafficMirrorTarget, CreateTrafficMirrorFilter, CreateTrafficMirrorFilterRule (x2), and CreateTrafficMirrorSession events. Each event will contain userIdentity.arn, sourceIPAddress, eventTime, requestParameters (including networkInterfaceId, trafficMirrorTargetId), and responseElements with the created resource IDs.
- Test 2Azure Virtual Network TAP Configuration
Expected signal: Azure Activity Log will record Microsoft.Network/virtualNetworkTaps/write and Microsoft.Network/networkInterfaces/tapConfigurations/write operations with caller identity (UPN or service principal), CallerIpAddress, ResourceGroup, and SubscriptionId. Events appear within 1-5 minutes of execution.
- Test 3GCP Packet Mirroring Policy Creation
Expected signal: GCP Cloud Audit Log (Admin Activity) will record a compute.packetMirrorings.insert method call with principalEmail, callerIp, requestMetadata, and resource name. The event is logged in the cloudaudit.googleapis.com/activity log stream for the project.
- Test 4Cisco IOS SPAN Session Configuration Simulation
Expected signal: Linux syslog will contain CISCO-IOS tagged entries showing ERSPAN configuration commands. These would be ingested via syslog forwarder into SIEM. In a real scenario, TACACS+ accounting would also log the commands with the authenticated username, timestamp, and device IP.
References (11)
- https://attack.mitre.org/techniques/T1020/001/
- https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-how-it-works.html
- https://cloud.google.com/vpc/docs/packet-mirroring
- https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview
- https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r5-1/interfaces/configuration/guide/hc51xcrsbook/hc51span.html
- https://www.juniper.net/documentation/en_US/junos/topics/concept/port-mirroring-ex-series.html
- https://www.us-cert.gov/ncas/alerts/TA18-106A
- https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
- https://docs.aws.amazon.com/cli/latest/reference/ec2/create-traffic-mirror-session.html
- https://docs.microsoft.com/en-us/cli/azure/network/vnet/tap
- https://cloud.google.com/sdk/gcloud/reference/compute/packet-mirrorings/create
Unlock Pro Content
Get the full detection package for T1020.001 including response playbook, investigation guide, and atomic red team tests.