title: Traffic Duplication (T1020.001)
id: df00tech-t1020-001
status: experimental
description: "Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some network devices and cloud environments, often used for legitimate network analysis. Adversaries may abuse this capability to mirror or redirect network traffic through infrastructure they control, enabling passive interception of credentials, session tokens, and sensitive data. Cloud-based environments (AWS Traffic Mirroring, GCP Packet Mirroring, Azure vTAP) provide native APIs for configuring traffic duplication, which adversaries may invoke directly after gaining sufficient privileges."
references:
  - https://attack.mitre.org/techniques/T1020/001/
  - https://df00tech.com/detections/T1020.001
author: df00tech
date: 2026/04/13
tags:
  - attack.exfiltration
  - attack.t1020.001
# Traffic mirroring is configured through the cloud control plane, so the signal
# is in the provider's audit log, not in host network-connection events. This
# rule covers AWS CloudTrail; GCP (Cloud Audit Logs, compute.packetMirrorings.insert)
# and Azure (Activity Log, Microsoft.Network/virtualNetworkTaps/write) need
# sibling rules with their own logsource.
logsource:
  product: aws
  service: cloudtrail
detection:
  # EC2 Traffic Mirroring control-plane calls. CreateTrafficMirrorSession is
  # the call that actually starts copying packets from a source ENI to a
  # target; the Target/Filter calls are its usual prerequisites and typically
  # appear seconds before it from the same principal.
  selection:
    eventSource: ec2.amazonaws.com
    eventName:
      - CreateTrafficMirrorTarget
      - CreateTrafficMirrorFilter
      - CreateTrafficMirrorFilterRule
      - CreateTrafficMirrorSession
      - ModifyTrafficMirrorSession
  condition: selection
falsepositives:
  - Network operations teams legitimately configuring traffic mirroring for IDS/IPS or network performance monitoring purposes
  - Security teams deploying packet capture appliances or NDR sensors that require vTAP or traffic mirror configurations
  - "Cloud infrastructure automation (Terraform, Ansible, Pulumi) that provisions traffic mirroring as part of baseline network security architecture"
  - Managed security service providers (MSSPs) configuring traffic mirroring in customer environments for monitoring
  - Cloud migration projects that temporarily mirror traffic for validation and testing before full cutover
level: high
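To show how the selection above behaves on real-shaped data, and how the automation false positive listed above is handled in practice, here is an added Python example (not part of the rule or of df00tech's tooling). It evaluates the same eventSource/eventName match over a handful of constructed CloudTrail records, drops matches from a hypothetical allowlisted IaC role, and groups the remaining calls per principal so that the Target -> Filter -> Session chain surfaces as one alert. The ARNs, ENI and mirror-target IDs are made up for the example.

```python
"""Added example: the Sigma selection for EC2 Traffic Mirroring, run in Python
over constructed CloudTrail records, with an allowlist for sanctioned IaC
principals. Not part of the rule or of df00tech's own tooling."""
import json
from collections import defaultdict

# Same EC2 Traffic Mirroring control-plane calls as the rule's selection.
MIRROR_EVENTS = {
    "CreateTrafficMirrorTarget",
    "CreateTrafficMirrorFilter",
    "CreateTrafficMirrorFilterRule",
    "CreateTrafficMirrorSession",
    "ModifyTrafficMirrorSession",
}

# Hypothetical allowlist: the principal your IaC pipeline uses to provision
# sanctioned mirroring (an assumption for this example; tune per environment).
KNOWN_AUTOMATION_ARNS = {
    "arn:aws:sts::111122223333:assumed-role/terraform-network-deploy/ci",
}

# Constructed CloudTrail records, trimmed to the fields the logic reads.
SAMPLE_RECORDS = json.loads("""[
 {"eventTime":"2026-04-13T08:00:01Z","eventSource":"ec2.amazonaws.com","eventName":"CreateTrafficMirrorTarget",
  "userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/terraform-network-deploy/ci"},
  "requestParameters":{"networkLoadBalancerArn":"arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/net/ndr-sensor/abc"}},
 {"eventTime":"2026-04-13T08:00:04Z","eventSource":"ec2.amazonaws.com","eventName":"CreateTrafficMirrorSession",
  "userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/terraform-network-deploy/ci"},
  "requestParameters":{"networkInterfaceId":"eni-0a1b2c3d4e5f60001","trafficMirrorTargetId":"tmt-0aaa111122223333a","trafficMirrorFilterId":"tmf-0aaa111122223333a","sessionNumber":1}},
 {"eventTime":"2026-04-13T22:14:10Z","eventSource":"ec2.amazonaws.com","eventName":"CreateTrafficMirrorTarget",
  "userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/contractor-temp"},
  "requestParameters":{"networkInterfaceId":"eni-0f9e8d7c6b5a40002"}},
 {"eventTime":"2026-04-13T22:14:31Z","eventSource":"ec2.amazonaws.com","eventName":"CreateTrafficMirrorFilter",
  "userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/contractor-temp"},
  "requestParameters":{}},
 {"eventTime":"2026-04-13T22:15:02Z","eventSource":"ec2.amazonaws.com","eventName":"CreateTrafficMirrorSession",
  "userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/contractor-temp"},
  "requestParameters":{"networkInterfaceId":"eni-0a1b2c3d4e5f60001","trafficMirrorTargetId":"tmt-0b1c2d3e4f5a6b7c8","trafficMirrorFilterId":"tmf-0b1c2d3e4f5a6b7c8","sessionNumber":2}},
 {"eventTime":"2026-04-13T22:16:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeTrafficMirrorSessions",
  "userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/netops"},
  "requestParameters":{}},
 {"eventTime":"2026-04-13T22:20:00Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances",
  "userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/contractor-temp"},
  "requestParameters":{}}
]""")


def matches_rule(record):
    """The Sigma selection: EC2 event source and one of the mirroring calls."""
    return (record.get("eventSource") == "ec2.amazonaws.com"
            and record.get("eventName") in MIRROR_EVENTS)


def triage(records):
    """Return one alert per non-allowlisted principal that made mirroring calls.

    A CreateTrafficMirrorSession in the chain means packets are actually being
    copied, so that alert is rated high; target/filter setup alone is medium."""
    by_principal = defaultdict(list)
    for rec in records:
        if not matches_rule(rec):
            continue
        arn = rec.get("userIdentity", {}).get("arn", "")
        if arn in KNOWN_AUTOMATION_ARNS:
            continue  # sanctioned IaC provisioning, see falsepositives
        by_principal[arn].append(rec)

    alerts = []
    for arn, recs in by_principal.items():
        session = next((r for r in recs
                        if r["eventName"] == "CreateTrafficMirrorSession"), None)
        params = session["requestParameters"] if session else {}
        alerts.append({
            "principal": arn,
            "first_seen": min(r["eventTime"] for r in recs),
            "events": [r["eventName"] for r in recs],
            "mirrored_eni": params.get("networkInterfaceId"),
            "target": params.get("trafficMirrorTargetId"),
            "severity": "high" if session else "medium",
        })
    return alerts


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RECORDS), indent=2))
```

Running the block prints a single high-severity alert for the contractor-temp user, naming the mirrored ENI and the target it was pointed at, while the two Terraform-role calls are suppressed. In production the allowlist should key on a specific role plus a deploy window rather than a bare ARN, since an attacker who can assume the automation role inherits the exemption.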
