Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-NetworkTap-RogueSPANExfil.

Upgrade to Pro
THREAT-NetworkTap-RogueSPANExfil Elastic Security · Elastic

Detect Unauthorized On-Premises SPAN/RSPAN/ERSPAN Configuration for Passive Traffic Exfiltration in Elastic Security

The base T1020.001 technique detection focuses on cloud-native traffic mirroring APIs (AWS Traffic Mirroring, Azure vTAP, GCP Packet Mirroring), which cover cloud estates well but leave on-premises network infrastructure largely unmonitored. Adversaries with compromised network device credentials, or malicious insiders with switch/router administrative access, can configure a local SPAN or RSPAN session, or an ERSPAN tunnel, on a Cisco IOS/IOS-XE or Juniper Junos device to passively copy production traffic to a destination they control — either an internal collector planted on the network or, more dangerously, an external IP reached via a GRE-encapsulated ERSPAN tunnel that egresses the corporate perimeter. Because this is a control-plane configuration change rather than a data-plane anomaly, it produces no alert in traditional DLP or proxy-based exfiltration monitoring; the only telemetry is the device's own configuration-change logging (TACACS+/RADIUS command accounting, or syslog CFGLOG entries) and, if the destination is external, a subsequent GRE (IP protocol 47) flow to that address. This scenario targets that specific on-premises control-plane + data-plane correlation, which is a materially different detection surface from the cloud API monitoring the base technique file already covers, and closes a real blind spot for organizations running hybrid or fully on-premises network infrastructure.

MITRE ATT&CK

Tactic
Exfiltration

Elastic Detection Query

Elastic Security (Elastic)
eql
sequence by destination.ip with maxspan=1h
  [any where event.dataset == "network_device.syslog" and
     message : ("*monitor session*", "*erspan-source*", "*erspan-id*", "*port-mirroring*") and
     message : "*destination ip address*"]
  [network where event.type == "connection" and network.transport == "gre"]
high severity medium confidence

Elastic EQL sequence keyed on the destination IP extracted from a SPAN/ERSPAN configuration syslog message, requiring a subsequent GRE-transport network connection event to that same IP within one hour — mirrors the control-plane-to-data-plane correlation used in the KQL/SPL queries. Requires the destination IP to be normalized into destination.ip at ingestion time via a syslog processing pipeline.

Data Sources

Network device syslog ingested via Elastic Agent custom log integrationNetwork flow data (NetFlow/IPFIX via Elastic Agent netflow integration)

Required Tables

logs-network_device.syslog-*logs-netflow.log-*

False Positives & Tuning

  • Network operations staff configuring approved SPAN/RSPAN sessions for legitimate NDR/IDS sensor deployment under an active change ticket
  • ERSPAN tunnels to a legitimate internal security-tooling collector

Other platforms for THREAT-NetworkTap-RogueSPANExfil


Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Cisco IOS ERSPAN Configuration to External Destination via Syslog

    Expected signal: Syslog entries tagged CISCO-IOS containing CFGLOG_LOGGEDCMD messages with 'monitor session', 'erspan-source', 'destination ip address 198.51.100.77', and 'erspan-id'. In a real deployment these would also generate matching TACACS+ accounting records.

  2. Test 2Simulate GRE Flow to ERSPAN Destination

    Expected signal: A synthetic flow log entry showing protocol=47 (GRE) traffic from the internal device IP to the previously configured external destination. In production this would be sourced from actual NetFlow/IPFIX/sFlow export from the network device or an upstream collector.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-NetworkTap-RogueSPANExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections