Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-NetworkTap-RogueSPANExfil.

Upgrade to Pro
THREAT-NetworkTap-RogueSPANExfil Splunk · SPL

Detect Unauthorized On-Premises SPAN/RSPAN/ERSPAN Configuration for Passive Traffic Exfiltration in Splunk

The base T1020.001 technique detection focuses on cloud-native traffic mirroring APIs (AWS Traffic Mirroring, Azure vTAP, GCP Packet Mirroring), which cover cloud estates well but leave on-premises network infrastructure largely unmonitored. Adversaries with compromised network device credentials, or malicious insiders with switch/router administrative access, can configure a local SPAN or RSPAN session, or an ERSPAN tunnel, on a Cisco IOS/IOS-XE or Juniper Junos device to passively copy production traffic to a destination they control — either an internal collector planted on the network or, more dangerously, an external IP reached via a GRE-encapsulated ERSPAN tunnel that egresses the corporate perimeter. Because this is a control-plane configuration change rather than a data-plane anomaly, it produces no alert in traditional DLP or proxy-based exfiltration monitoring; the only telemetry is the device's own configuration-change logging (TACACS+/RADIUS command accounting, or syslog CFGLOG entries) and, if the destination is external, a subsequent GRE (IP protocol 47) flow to that address. This scenario targets that specific on-premises control-plane + data-plane correlation, which is a materially different detection surface from the cloud API monitoring the base technique file already covers, and closes a real blind spot for organizations running hybrid or fully on-premises network infrastructure.

MITRE ATT&CK

Tactic
Exfiltration

SPL Detection Query

Splunk (SPL)
spl
index=network_syslog sourcetype IN ("cisco:ios", "cisco:asa", "tacacs:accounting")
(CommandText="*monitor session*" OR CommandText="*erspan-source*" OR CommandText="*erspan-id*" OR CommandText="*destination ip address*" OR CommandText="*port-mirroring*")
| rex field=CommandText "destination ip address (?<DestIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| eval Signal="SpanConfigChange"
| join type=inner DestIP
  [ search index=network_flows (protocol="GRE" OR protocol="47")
    | rename dest_ip as DestIP
    | eval GreFlowTime=_time
    | table DestIP, GreFlowTime, bytes ]
| where GreFlowTime > _time AND GreFlowTime < _time + 3600
| table _time, host, Username, SourceIP, CommandText, DestIP, GreFlowTime, bytes
| sort - GreFlowTime
high severity medium confidence

SPL detection joining Cisco/TACACS+ configuration-command logs (matching SPAN/RSPAN/ERSPAN CLI keywords) against network flow logs on the extracted destination IP, requiring a GRE-protocol flow to that destination within one hour of the configuration change. Field/index names assume Cisco syslog and NetFlow-style ingestion; adapt sourcetypes and field extractions to the deployed collector.

Data Sources

Cisco IOS/IOS-XE syslogTACACS+ command accountingNetFlow/IPFIX flow records

Required Sourcetypes

cisco:iostacacs:accounting

False Positives & Tuning

  • Network operations staff configuring approved SPAN/RSPAN sessions for legitimate NDR/IDS sensor deployment under an active change ticket
  • Scheduled network health-check automation briefly configuring and tearing down a mirror session
  • ERSPAN tunnels to a legitimate internal security-tooling collector

Other platforms for THREAT-NetworkTap-RogueSPANExfil


Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Cisco IOS ERSPAN Configuration to External Destination via Syslog

    Expected signal: Syslog entries tagged CISCO-IOS containing CFGLOG_LOGGEDCMD messages with 'monitor session', 'erspan-source', 'destination ip address 198.51.100.77', and 'erspan-id'. In a real deployment these would also generate matching TACACS+ accounting records.

  2. Test 2Simulate GRE Flow to ERSPAN Destination

    Expected signal: A synthetic flow log entry showing protocol=47 (GRE) traffic from the internal device IP to the previously configured external destination. In production this would be sourced from actual NetFlow/IPFIX/sFlow export from the network device or an upstream collector.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-NetworkTap-RogueSPANExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections