[T1020.001] Automated Exfiltration: Traffic Duplication. Adversaries can abuse native traffic mirroring and packet capture features in network and cloud platforms to duplicate and siphon sensitive data to attacker-controlled endpoints without direct file transfer. Monitor mirror configurations and anomalous mirrored flows to reduce risk. #TrafficDuplication #AutomatedExfiltration
Keypoints
- Traffic mirroring duplicates packets from a source to one or more destinations for analysis or exfiltration.
- Both on-prem network devices and cloud providers offer mirroring features that can be abused.
- Adversaries may modify device firmware or images to enable stealthy traffic redirection.
- Detection requires monitoring mirror configuration changes and unusual mirrored flows.
- Combining mirroring with sniffing or MiTM increases the potential data exposure.
Description:
- Like placing a hidden microphone in a conference room, traffic duplication silently copies network conversations so an observer can listen in later.
- Attackers enable or abuse mirroring features on routers, switches, or cloud services to redirect copies of traffic to systems they control, letting them capture credentials, files, and session data without noisy data transfers; this matters because it can exfiltrate high-value information while appearing as legitimate monitoring.
Detection:
- Audit mirror and TAP configurations regularly using device APIs and cloud provider consoles to detect unauthorized mirror targets or recently created mirror sessions.
- Collect and review network device configuration change logs and management plane access logs for unexpected firmware updates, ROMMON/boot changes, or image patches.
- Monitor network flows for new or unusual destinations receiving high volumes of mirrored traffic, including fixed-size periodic packets or persistent streams to non-standard analysis hosts.
- Use packet inspection to validate protocol adherence; flag flows where packet contents do not match the expected protocol on the observed port.
- Correlate cloud provider VPC flow logs, traffic mirroring job logs (AWS/GCP/Azure), and SIEM alerts to identify mirrored traffic sent to external or suspicious targets.
- Deploy IDS/IPS and network behavioral analytics to detect sniffing-style patterns and lateral mirror distribution; tune rules to reduce false positives from legitimate monitoring tools.
- Harden operations: enforce least privilege for mirror configuration, require multi-factor and change approvals for network/cloud mirror creation, and implement alerting on new mirror sessions and image/firmware changes.
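An added example (not part of this technique entry) that ties the configuration audit in the first detection item to the flow-based check in the third and fifth: it assumes AWS-style mirroring, where mirrored packets reach the target as VXLAN over UDP/4789, uses a simplified constructed session inventory rather than the real API schema, and runs over constructed VPC flow-log records in the default field order.

```python
from collections import defaultdict

APPROVED_MIRROR_TARGETS = {"10.0.50.10"}   # sanctioned IDS sensor (constructed value)
VXLAN_PORT = 4789                           # AWS Traffic Mirroring encapsulates in VXLAN over UDP/4789
UDP = 17
BYTES_THRESHOLD = 1_000_000                 # example threshold; tune per environment

# Constructed mirror-session inventory (simplified shape, not the real API schema)
MIRROR_SESSIONS = [
    {"id": "tms-aaa111", "source_eni": "eni-111", "target_ip": "10.0.50.10"},
    {"id": "tms-bbb222", "source_eni": "eni-222", "target_ip": "203.0.113.7"},
]

# Constructed VPC flow-log records, default v2 field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FLOW_LOGS = """\
2 123456789012 eni-111 10.0.1.5 10.0.50.10 49152 4789 17 5000 6000000 1690000000 1690000060 ACCEPT OK
2 123456789012 eni-222 10.0.1.9 203.0.113.7 49153 4789 17 4200 5100000 1690000000 1690000060 ACCEPT OK
2 123456789012 eni-222 10.0.1.9 203.0.113.7 49154 4789 17 3900 4700000 1690000060 1690000120 ACCEPT OK
2 123456789012 eni-333 10.0.1.12 10.0.2.40 51000 443 6 120 48000 1690000000 1690000060 ACCEPT OK
2 123456789012 eni-444 10.0.1.20 198.51.100.9 52000 4789 17 10 800 1690000000 1690000060 ACCEPT OK
"""

def audit_sessions(sessions, approved):
    """Return ids of mirror sessions whose target is not an approved sensor."""
    return [s["id"] for s in sessions if s["target_ip"] not in approved]

def suspicious_mirror_flows(flow_text, approved, threshold=BYTES_THRESHOLD):
    """Sum VXLAN/UDP bytes per destination; return unapproved sinks at or above threshold."""
    by_dst = defaultdict(int)
    for line in flow_text.splitlines():
        f = line.split()
        if len(f) < 14 or f[13] != "OK":        # skip NODATA/SKIPDATA records
            continue
        dst, dport, proto, nbytes = f[4], int(f[6]), int(f[7]), int(f[9])
        if proto == UDP and dport == VXLAN_PORT:
            by_dst[dst] += nbytes
    return {d: b for d, b in by_dst.items() if d not in approved and b >= threshold}

if __name__ == "__main__":
    print("unapproved sessions:", audit_sessions(MIRROR_SESSIONS, APPROVED_MIRROR_TARGETS))
    print("suspicious VXLAN sinks:", suspicious_mirror_flows(FLOW_LOGS, APPROVED_MIRROR_TARGETS))
```

The session audit catches the misconfiguration even when no traffic has flowed yet; the flow check catches a mirror sink that was created outside the audited configuration path.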
Tactics:
Exfiltration
Platforms:
IaaS, Network Devices
Data Sources:
Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow
Relationship Citations: