Detect Traffic Duplication in Sumo Logic CSE
Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some network devices and cloud environments, often used for legitimate network analysis. Adversaries may abuse this capability to mirror or redirect network traffic through infrastructure they control, enabling passive interception of credentials, session tokens, and sensitive data. Cloud-based environments (AWS Traffic Mirroring, GCP Packet Mirroring, Azure vTAP) provide native APIs for configuring traffic duplication, which adversaries may invoke directly after gaining sufficient privileges.
MITRE ATT&CK
- Tactic
- Exfiltration
- Technique
- T1020 Automated Exfiltration
- Sub-technique
- T1020.001 Traffic Duplication
- Canonical reference
- https://attack.mitre.org/techniques/T1020/001/
Sumo Detection Query
(_sourceCategory=*cloudtrail* OR _sourceCategory=*azure/activity* OR _sourceCategory=*gcp/audit*)
| json auto maxdepth 5 nodrop
| if (!isNull(%"eventName"), %"eventName",
if (!isNull(%"operationName"), %"operationName",
if (!isNull(%"protoPayload.methodName"), %"protoPayload.methodName", "unknown")
)
) as EventName
| if (!isNull(%"sourceIPAddress"), %"sourceIPAddress",
if (!isNull(%"callerIpAddress"), %"callerIpAddress",
if (!isNull(%"protoPayload.requestMetadata.callerIp"), %"protoPayload.requestMetadata.callerIp", "unknown")
)
) as SourceIP
| if (!isNull(%"userIdentity.arn"), %"userIdentity.arn",
if (!isNull(%"caller"), %"caller",
if (!isNull(%"protoPayload.authenticationInfo.principalEmail"), %"protoPayload.authenticationInfo.principalEmail", "unknown")
)
) as Actor
| where EventName matches "*TrafficMirror*"
OR EventName matches "*PacketMirror*"
OR EventName matches "*virtualNetworkTap*"
OR EventName matches "*tapConfiguration*"
| if (_sourceCategory matches "*cloudtrail*", "AWS",
if (_sourceCategory matches "*azure*", "Azure",
if (_sourceCategory matches "*gcp*", "GCP", "Unknown")
)
) as Platform
| fields _messageTime, Platform, EventName, Actor, SourceIP
| sort by _messageTime descDetects traffic mirroring and packet duplication API activity across AWS, Azure, and GCP by parsing cloud audit log sources in Sumo Logic. Normalises event name, source IP, and actor identity fields across all three cloud provider log formats using nested coalesce logic, then filters for any event name matching known traffic mirror or vTAP resource patterns.
Data Sources
Required Tables
False Positives & Tuning
- Cloud security and observability teams creating AWS Traffic Mirror sessions to route packets to approved network detection tools (e.g., Corelight sensors, packet capture appliances) as part of a sanctioned security architecture
- Compliance automation or CSPM platforms that programmatically enumerate mirror and vTAP configurations to assess posture, triggering modify or list API calls logged as activity events
- Disaster recovery or chaos engineering exercises that temporarily create mirror sessions to capture traffic samples between primary and DR environments for replication fidelity validation
Other platforms for T1020.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AWS Traffic Mirror Session Creation
Expected signal: AWS CloudTrail will log CreateTrafficMirrorTarget, CreateTrafficMirrorFilter, CreateTrafficMirrorFilterRule (x2), and CreateTrafficMirrorSession events. Each event will contain userIdentity.arn, sourceIPAddress, eventTime, requestParameters (including networkInterfaceId, trafficMirrorTargetId), and responseElements with the created resource IDs.
- Test 2Azure Virtual Network TAP Configuration
Expected signal: Azure Activity Log will record Microsoft.Network/virtualNetworkTaps/write and Microsoft.Network/networkInterfaces/tapConfigurations/write operations with caller identity (UPN or service principal), CallerIpAddress, ResourceGroup, and SubscriptionId. Events appear within 1-5 minutes of execution.
- Test 3GCP Packet Mirroring Policy Creation
Expected signal: GCP Cloud Audit Log (Admin Activity) will record a compute.packetMirrorings.insert method call with principalEmail, callerIp, requestMetadata, and resource name. The event is logged in the cloudaudit.googleapis.com/activity log stream for the project.
- Test 4Cisco IOS SPAN Session Configuration Simulation
Expected signal: Linux syslog will contain CISCO-IOS tagged entries showing ERSPAN configuration commands. These would be ingested via syslog forwarder into SIEM. In a real scenario, TACACS+ accounting would also log the commands with the authenticated username, timestamp, and device IP.
References (11)
- https://attack.mitre.org/techniques/T1020/001/
- https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-how-it-works.html
- https://cloud.google.com/vpc/docs/packet-mirroring
- https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview
- https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r5-1/interfaces/configuration/guide/hc51xcrsbook/hc51span.html
- https://www.juniper.net/documentation/en_US/junos/topics/concept/port-mirroring-ex-series.html
- https://www.us-cert.gov/ncas/alerts/TA18-106A
- https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
- https://docs.aws.amazon.com/cli/latest/reference/ec2/create-traffic-mirror-session.html
- https://docs.microsoft.com/en-us/cli/azure/network/vnet/tap
- https://cloud.google.com/sdk/gcloud/reference/compute/packet-mirrorings/create
Unlock Pro Content
Get the full detection package for T1020.001 including response playbook, investigation guide, and atomic red team tests.