Techniques
Sample rules
Detect Traffic Mirroring
- source: splunk
- techniques:
  - T1200
  - T1020
  - T1498
  - T1020.001
Description
Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature of some network devices, intended for network analysis, that can be configured to duplicate traffic and forward it to one or more destinations for analysis by a network analyzer or other monitoring device.
Detection logic
`cisco_networks` (facility="MIRROR" mnemonic="ETH_SPAN_SESSION_UP") OR (facility="SPAN" mnemonic="SESSION_UP") OR (facility="SPAN" mnemonic="PKTCAP_START") OR (mnemonic="CFGLOG_LOGGEDCMD" command="monitor session*")
| stats min(_time) AS firstTime max(_time) AS lastTime count BY host facility mnemonic
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_traffic_mirroring_filter`
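The SPL above is declarative, so as an added example (not part of the Splunk content or of this page) the same OR-clauses and the `stats ... BY host facility mnemonic` aggregation are written out in Python and run over constructed Cisco-style syslog lines, which makes it easy to see which events the rule keeps and which it drops. The `%FACILITY-SEV-MNEMONIC:` line layout and the `logged command:` extraction used to populate the `command` field are assumptions, not taken from the page.

```python
import re
from collections import defaultdict

# Assumed Cisco-style syslog layout: "<timestamp> <host> %FACILITY-SEV-MNEMONIC: text"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) %(?P<facility>[A-Z0-9_]+)-\d-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$"
)
# Assumed extraction for the `command` field of CFGLOG_LOGGEDCMD events
CMD_RE = re.compile(r"logged command:(?P<command>.*)$")

# Constructed sample events (not real device output); includes non-matching noise.
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z core-sw1 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
2024-03-01T10:02:15Z core-sw1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:monitor session 1 source interface Gi0/1
2024-03-01T10:02:20Z core-sw1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:monitor session 1 destination interface Gi0/24
2024-03-01T10:02:25Z core-sw1 %SPAN-5-SESSION_UP: SPAN session 1 is up
2024-03-01T10:05:00Z nx-sw2 %MIRROR-5-ETH_SPAN_SESSION_UP: Ethernet SPAN session 3 is up
2024-03-01T10:06:00Z core-sw1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:hostname core-sw1
"""

def parse(line):
    """Extract host, facility, mnemonic and (if present) the logged command."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    c = CMD_RE.search(ev["msg"])
    ev["command"] = c.group("command").strip() if c else None
    return ev

def matches(ev):
    """The search's OR-clauses; `command="monitor session*"` is a prefix match."""
    f, mn, cmd = ev["facility"], ev["mnemonic"], ev["command"]
    return (
        (f == "MIRROR" and mn == "ETH_SPAN_SESSION_UP")
        or (f == "SPAN" and mn in ("SESSION_UP", "PKTCAP_START"))
        or (mn == "CFGLOG_LOGGEDCMD" and cmd is not None and cmd.startswith("monitor session"))
    )

def detect(log_text):
    """Equivalent of `stats min(_time) AS firstTime max(_time) AS lastTime count BY host facility mnemonic`."""
    buckets = defaultdict(lambda: {"firstTime": None, "lastTime": None, "count": 0})
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or not matches(ev):
            continue
        b = buckets[(ev["host"], ev["facility"], ev["mnemonic"])]
        # ISO-8601 UTC timestamps compare correctly as strings
        b["firstTime"] = ev["ts"] if b["firstTime"] is None else min(b["firstTime"], ev["ts"])
        b["lastTime"] = ev["ts"] if b["lastTime"] is None else max(b["lastTime"], ev["ts"])
        b["count"] += 1
    return dict(buckets)
```

Running `detect(SAMPLE_LOGS)` yields three buckets: the two `monitor session` configuration commands on core-sw1, the SPAN session coming up on core-sw1, and the Nexus-style MIRROR event on nx-sw2; the interface up/down line and the `hostname` command are dropped.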