T1020.001 Microsoft Sentinel · KQL

Detect Traffic Duplication in Microsoft Sentinel

Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some network devices and cloud environments, often used for legitimate network analysis. Adversaries may abuse this capability to mirror or redirect network traffic through infrastructure they control, enabling passive interception of credentials, session tokens, and sensitive data. Cloud-based environments (AWS Traffic Mirroring, GCP Packet Mirroring, Azure vTAP) provide native APIs for configuring traffic duplication, which adversaries may invoke directly after gaining sufficient privileges.

MITRE ATT&CK

Tactic: Exfiltration
Technique: T1020 Automated Exfiltration
Sub-technique: T1020.001 Traffic Duplication
Canonical reference: https://attack.mitre.org/techniques/T1020/001/

KQL Detection Query

Microsoft Sentinel (KQL)

```kusto
// AWS Traffic Mirroring: new or modified mirror session, target or filter, taken from CloudTrail
// events ingested by the Sentinel AWS connector (AWSCloudTrail table; yields nothing if not connected)
let AWSTrafficMirrorEvents = AWSCloudTrail
| where TimeGenerated > ago(24h)
| where EventName in ("CreateTrafficMirrorSession", "CreateTrafficMirrorTarget", "CreateTrafficMirrorFilter", "ModifyTrafficMirrorSession", "ModifyTrafficMirrorFilterRule")
| project TimeGenerated, OperationName = EventName, Caller = UserIdentityArn, CallerIpAddress = SourceIpAddress, AwsAccountId = RecipientAccountId, AwsRegion, EventSource = "AWS";
// Azure vTAP: virtual network TAP creation or deletion, and NIC TAP configuration writes.
// OperationNameValue carries the resource-provider operation (stored upper-cased), so match case-insensitively.
let AzurevTAPEvents = AzureActivity
| where TimeGenerated > ago(24h)
| where OperationNameValue in~ ("Microsoft.Network/virtualNetworkTaps/write", "Microsoft.Network/virtualNetworkTaps/delete", "Microsoft.Network/networkInterfaces/tapConfigurations/write")
| project TimeGenerated, OperationName = OperationNameValue, Caller, CallerIpAddress, ResourceGroup, SubscriptionId, EventSource = "AzurevTAP";
// Combine results; union keeps every column, leaving cloud-specific ones empty for the other source
AWSTrafficMirrorEvents
| union AzurevTAPEvents
| sort by TimeGenerated desc
```

Severity: high · Confidence: medium

Detects creation or modification of traffic mirroring and virtual network TAP configurations in Azure environments. Monitors AzureActivity logs for vTAP write operations and network interface TAP configuration changes that could indicate adversary-configured traffic duplication for exfiltration. Also captures any CloudTrail-style traffic mirror session events ingested into Sentinel. Alerts on any new or modified traffic mirror session, target, filter, or vTAP resource.

Data Sources

  • Cloud Service: Cloud Service Modification
  • Network Traffic: Network Traffic Flow
  • Azure Activity Logs

Required Tables

AzureActivity

False Positives & Tuning

  • Network operations teams legitimately configuring traffic mirroring for IDS/IPS or network performance monitoring purposes
  • Security teams deploying packet capture appliances or NDR sensors that require vTAP or traffic mirror configurations
  • Cloud infrastructure automation (Terraform, Ansible, Pulumi) that provisions traffic mirroring as part of baseline network security architecture
  • Managed security service providers (MSSPs) configuring traffic mirroring in customer environments for monitoring
  • Cloud migration projects that temporarily mirror traffic for validation and testing before full cutover

Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: AWS Traffic Mirror Session Creation

    Expected signal: AWS CloudTrail will log CreateTrafficMirrorTarget, CreateTrafficMirrorFilter, CreateTrafficMirrorFilterRule (x2), and CreateTrafficMirrorSession events. Each event will contain userIdentity.arn, sourceIPAddress, eventTime, requestParameters (including networkInterfaceId, trafficMirrorTargetId), and responseElements with the created resource IDs.

  2. Test 2: Azure Virtual Network TAP Configuration

    Expected signal: Azure Activity Log will record Microsoft.Network/virtualNetworkTaps/write and Microsoft.Network/networkInterfaces/tapConfigurations/write operations with caller identity (UPN or service principal), CallerIpAddress, ResourceGroup, and SubscriptionId. Events appear within 1-5 minutes of execution.

  3. Test 3: GCP Packet Mirroring Policy Creation

    Expected signal: GCP Cloud Audit Log (Admin Activity) will record a compute.packetMirrorings.insert method call with principalEmail, callerIp, requestMetadata, and resource name. The event is logged in the cloudaudit.googleapis.com/activity log stream for the project.

  4. Test 4: Cisco IOS SPAN Session Configuration Simulation

    Expected signal: Linux syslog will contain CISCO-IOS tagged entries showing ERSPAN configuration commands, ingested into the SIEM through a syslog forwarder. In a real scenario, TACACS+ accounting would also log the commands with the authenticated username, timestamp, and device IP.
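Added example, not part of the original page or its KQL rule: the rule's matching logic restated in Python and run over constructed records shaped like the four expected signals above (a CloudTrail record, an Azure Activity Log record, a GCP Admin Activity record and IOS syslog lines), with an allowlist of provisioning principals applied the way the False Positives & Tuning section suggests. It goes slightly beyond the KQL by also matching CreateTrafficMirrorFilterRule, which Test 1 lists, and by covering the GCP and Cisco signals. Every record, principal name, account ID and IP address is constructed, and the allowlist entries are hypothetical.

```python
"""Traffic-mirroring detection (T1020.001) over constructed sample audit records."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Operation names per log source, as listed on the page.
AWS_MIRROR_EVENTS = {
    "CreateTrafficMirrorSession", "CreateTrafficMirrorTarget", "CreateTrafficMirrorFilter",
    "CreateTrafficMirrorFilterRule", "ModifyTrafficMirrorSession", "ModifyTrafficMirrorFilterRule",
}
# Azure writes the resource-provider operation in mixed or upper case; compare lower-cased.
AZURE_VTAP_OPERATIONS = {
    "microsoft.network/virtualnetworktaps/write",
    "microsoft.network/virtualnetworktaps/delete",
    "microsoft.network/networkinterfaces/tapconfigurations/write",
}
# GCP logs the method with an API-version prefix (e.g. "v1.compute.packetMirrorings.insert").
GCP_MIRROR_METHOD_SUFFIX = "compute.packetmirrorings.insert"
# ERSPAN source-session command as it appears in IOS config-logging syslog (Test 4).
ERSPAN_CMD_RE = re.compile(r"monitor session \d+ type erspan-source", re.IGNORECASE)
SYSLOG_USER_RE = re.compile(r"User:(\S+)")

# Hypothetical allowlist of provisioning principals (constructed names), per the tuning section.
KNOWN_AUTOMATION = frozenset({
    "arn:aws:iam::111122223333:role/TerraformNetworkBaseline",
    "netsec-terraform@example.com",
})


@dataclass(frozen=True)
class MirrorEvent:
    source: str      # "aws", "azure", "gcp" or "cisco-ios"
    operation: str
    caller: str
    origin: str      # caller IP address, or the device name for syslog


def normalise_record(record: Dict) -> Optional[MirrorEvent]:
    """Return a MirrorEvent if the raw cloud audit record is a mirroring operation, else None."""
    if record.get("eventSource") == "ec2.amazonaws.com":          # AWS CloudTrail
        if record.get("eventName") in AWS_MIRROR_EVENTS:
            return MirrorEvent("aws", record["eventName"],
                               record["userIdentity"]["arn"], record["sourceIPAddress"])
    elif "operationName" in record and "resourceId" in record:   # Azure Activity Log
        if record["operationName"].lower() in AZURE_VTAP_OPERATIONS:
            return MirrorEvent("azure", record["operationName"],
                               record["caller"], record["callerIpAddress"])
    elif "protoPayload" in record:                                # GCP Admin Activity audit log
        payload = record["protoPayload"]
        if payload.get("methodName", "").lower().endswith(GCP_MIRROR_METHOD_SUFFIX):
            return MirrorEvent("gcp", payload["methodName"],
                               payload["authenticationInfo"]["principalEmail"],
                               payload["requestMetadata"]["callerIp"])
    return None


def normalise_syslog(line: str) -> Optional[MirrorEvent]:
    """Return a MirrorEvent for a CISCO-IOS syslog line that logs an ERSPAN session command."""
    match = ERSPAN_CMD_RE.search(line)
    if "CISCO-IOS" not in line or match is None:
        return None
    fields = line.split()                     # "Mon DD HH:MM:SS host tag: ..."
    host = fields[3] if len(fields) > 3 else "unknown"
    user = SYSLOG_USER_RE.search(line)
    return MirrorEvent("cisco-ios", match.group(0), user.group(1) if user else "unknown", host)


def detect(records: Iterable[Dict], syslog_lines: Iterable[str],
           allowlist: frozenset = frozenset()) -> List[MirrorEvent]:
    """Apply the rule to both streams and drop events whose caller is allowlisted."""
    candidates = [normalise_record(r) for r in records] + [normalise_syslog(l) for l in syslog_lines]
    return [ev for ev in candidates if ev is not None and ev.caller not in allowlist]


# Constructed samples: one per test on the page, plus read-only noise and an allowlisted write.
SAMPLE_RECORDS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateTrafficMirrorSession",   # Test 1
     "eventTime": "2024-05-01T10:00:00Z", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"networkInterfaceId": "eni-EXAMPLE", "trafficMirrorTargetId": "tmt-EXAMPLE"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",            # noise
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"}},
    {"operationName": "Microsoft.Network/virtualNetworkTaps/write",                   # Test 2
     "caller": "jdoe@example.com", "callerIpAddress": "198.51.100.7",
     "resourceId": "/subscriptions/SUB-EXAMPLE/resourceGroups/rg-prod/providers/Microsoft.Network/virtualNetworkTaps/tap1"},
    {"operationName": "MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE",  # allowlisted
     "caller": "netsec-terraform@example.com", "callerIpAddress": "198.51.100.20",
     "resourceId": "/subscriptions/SUB-EXAMPLE/resourceGroups/rg-prod/providers/Microsoft.Network/networkInterfaces/nic1/tapConfigurations/tc1"},
    {"logName": "projects/proj-example/logs/cloudaudit.googleapis.com%2Factivity",     # Test 3
     "protoPayload": {"methodName": "v1.compute.packetMirrorings.insert",
                      "authenticationInfo": {"principalEmail": "svc-unknown@example.com"},
                      "requestMetadata": {"callerIp": "192.0.2.5"}}},
]
SAMPLE_SYSLOG = [  # Test 4: IOS config logging forwarded over syslog (constructed)
    "May  1 10:05:00 switch1 CISCO-IOS: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:monitor session 1 type erspan-source",
    "May  1 10:05:01 switch1 CISCO-IOS: %SYS-5-CONFIG_I: Configured from console by admin",
]

if __name__ == "__main__":
    for event in detect(SAMPLE_RECORDS, SAMPLE_SYSLOG, KNOWN_AUTOMATION):
        print(event)
```

Run as-is it prints four events (AWS, Azure, GCP, Cisco IOS) and suppresses the Terraform principal's tapConfigurations write; calling detect without the allowlist returns all five, which is the difference the tuning section is asking you to measure in your own environment before deciding on an allowlist.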
