Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-NetworkTap-RogueSPANExfil.

Upgrade to Pro
THREAT-NetworkTap-RogueSPANExfil

Unauthorized On-Premises SPAN/RSPAN/ERSPAN Configuration for Passive Traffic Exfiltration

Exfiltration Last updated:

The base T1020.001 technique detection focuses on cloud-native traffic mirroring APIs (AWS Traffic Mirroring, Azure vTAP, GCP Packet Mirroring), which cover cloud estates well but leave on-premises network infrastructure largely unmonitored. Adversaries with compromised network device credentials, or malicious insiders with switch/router administrative access, can configure a local SPAN or RSPAN session, or an ERSPAN tunnel, on a Cisco IOS/IOS-XE or Juniper Junos device to passively copy production traffic to a destination they control — either an internal collector planted on the network or, more dangerously, an external IP reached via a GRE-encapsulated ERSPAN tunnel that egresses the corporate perimeter. Because this is a control-plane configuration change rather than a data-plane anomaly, it produces no alert in traditional DLP or proxy-based exfiltration monitoring; the only telemetry is the device's own configuration-change logging (TACACS+/RADIUS command accounting, or syslog CFGLOG entries) and, if the destination is external, a subsequent GRE (IP protocol 47) flow to that address. This scenario targets that specific on-premises control-plane + data-plane correlation, which is a materially different detection surface from the cloud API monitoring the base technique file already covers, and closes a real blind spot for organizations running hybrid or fully on-premises network infrastructure.

What is THREAT-NetworkTap-RogueSPANExfil Unauthorized On-Premises SPAN/RSPAN/ERSPAN Configuration for Passive Traffic Exfiltration?

Unauthorized On-Premises SPAN/RSPAN/ERSPAN Configuration for Passive Traffic Exfiltration (THREAT-NetworkTap-RogueSPANExfil) maps to the Exfiltration tactic — the adversary is trying to steal data in MITRE ATT&CK.

This page provides production-ready detection logic for Unauthorized On-Premises SPAN/RSPAN/ERSPAN Configuration for Passive Traffic Exfiltration, covering the data sources and telemetry it touches: Network device syslog (TACACS+/RADIUS command accounting), Network flow logs (NetFlow/IPFIX/sFlow), Cisco IOS/IOS-XE CFGLOG syslog messages. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Exfiltration
Microsoft Sentinel / Defender
kusto
// Requires syslog/TACACS+ command accounting from network devices ingested into a custom table (NetworkDeviceSyslog_CL) with fields: TimeGenerated, DeviceName, Username, SourceIP, CommandText
// Signal 1: SPAN/RSPAN/ERSPAN configuration command logged via TACACS+ accounting or Cisco CFGLOG syslog
let SpanConfigCommands =
NetworkDeviceSyslog_CL
| where TimeGenerated > ago(24h)
| where CommandText has_any ("monitor session", "erspan-source", "erspan-id", "destination ip address", "port-mirroring")
| project TimeGenerated, DeviceName, Username, SourceIP, CommandText, Signal = "SpanConfigChange";
// Extract any destination IP embedded in an ERSPAN destination command
let ErspanDestinations =
SpanConfigCommands
| where CommandText has "destination ip address"
| extend DestIP = extract(@"destination ip address (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})", 1, CommandText)
| where isnotempty(DestIP);
// Signal 2: GRE flow (IP protocol 47, used by ERSPAN) to the same destination shortly after the config change
// Requires flow telemetry ingested into a NetworkFlowLogs table with fields: TimeGenerated, SourceIP, DestinationIP, Protocol, Bytes
let GreFlowsToDest =
NetworkFlowLogs
| where TimeGenerated > ago(24h)
| where Protocol == "GRE" or Protocol == "47"
| project TimeGenerated, SourceIP, DestinationIP, Bytes;
ErspanDestinations
| join kind=inner (GreFlowsToDest) on $left.DestIP == $right.DestinationIP
| where TimeGenerated1 > TimeGenerated and TimeGenerated1 < TimeGenerated + 1h
| project ConfigTime = TimeGenerated, DeviceName, Username, SourceIP, CommandText, DestIP, GreFlowTime = TimeGenerated1, GreBytes = Bytes
| sort by GreFlowTime desc

Correlates network device configuration-change telemetry (TACACS+ command accounting or Cisco CFGLOG syslog, normalized into NetworkDeviceSyslog_CL) with subsequent GRE flow telemetry (NetworkFlowLogs) to the same destination IP extracted from the ERSPAN destination command. A SPAN/RSPAN/ERSPAN configuration command followed within an hour by a GRE flow to the configured destination is a high-confidence indicator of active traffic mirroring exfiltration. Field/table names assume ingestion of network device syslog and flow data into Log Analytics custom tables; adjust to your actual ingestion pipeline (e.g., Azure Monitor Agent DCR, syslog forwarder).

high severity medium confidence

Data Sources

Network device syslog (TACACS+/RADIUS command accounting) Network flow logs (NetFlow/IPFIX/sFlow) Cisco IOS/IOS-XE CFGLOG syslog messages

Required Tables

NetworkDeviceSyslog_CL NetworkFlowLogs

False Positives

  • Network operations staff configuring approved SPAN/RSPAN sessions for legitimate NDR/IDS sensor deployment or troubleshooting, under an active change ticket
  • Scheduled network health-check automation that briefly configures and tears down a mirror session as part of a synthetic monitoring routine
  • ERSPAN tunnels to a legitimate internal security-tooling collector whose IP happens to fall outside the immediate management VLAN

Sigma rule & cross-platform mapping

The detection logic for Unauthorized On-Premises SPAN/RSPAN/ERSPAN Configuration for Passive Traffic Exfiltration (THREAT-NetworkTap-RogueSPANExfil) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: network_connection
  product: windows

Browse the community-maintained Sigma rules for this technique:


Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Cisco IOS ERSPAN Configuration to External Destination via Syslog

    Expected signal: Syslog entries tagged CISCO-IOS containing CFGLOG_LOGGEDCMD messages with 'monitor session', 'erspan-source', 'destination ip address 198.51.100.77', and 'erspan-id'. In a real deployment these would also generate matching TACACS+ accounting records.

  2. Test 2Simulate GRE Flow to ERSPAN Destination

    Expected signal: A synthetic flow log entry showing protocol=47 (GRE) traffic from the internal device IP to the previously configured external destination. In production this would be sourced from actual NetFlow/IPFIX/sFlow export from the network device or an upstream collector.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-NetworkTap-RogueSPANExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections