LoFP / This search will return false positives for any legitimate traffic captures by network administrators.

Techniques

Sample rules

Detect Traffic Mirroring

Description

Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature of some network devices, used for network analysis, and may be configured to duplicate traffic and forward it to one or more destinations for analysis by a network analyzer or other monitoring device.

Detection logic

`cisco_networks` (facility="MIRROR" mnemonic="ETH_SPAN_SESSION_UP") OR (facility="SPAN" mnemonic="SESSION_UP") OR (facility="SPAN" mnemonic="PKTCAP_START") OR (mnemonic="CFGLOG_LOGGEDCMD" command="monitor session*")
| stats min(_time) AS firstTime max(_time) AS lastTime count BY host facility mnemonic
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_traffic_mirroring_filter`
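As an added illustration (not part of this page or of the Splunk rule itself), the same OR clauses and the stats aggregation expressed in Python over constructed Cisco-style syslog lines, so the matching can be checked offline. The hostnames, timestamps and message text are made up; the line format only mimics the "%FACILITY-SEVERITY-MNEMONIC:" convention.

```python
import re
from datetime import datetime

# Constructed sample lines (not real captures): hosts, times and text are invented.
SAMPLE_LOGS = [
    "2024-05-01T10:00:00 sw-core-1 %SPAN-5-SESSION_UP: Session 1 is up",
    "2024-05-01T10:00:05 sw-core-1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:monitor session 1 destination interface Gi1/0/48",
    "2024-05-01T10:02:00 sw-edge-7 %MIRROR-5-ETH_SPAN_SESSION_UP: Session 2 is up",
    "2024-05-01T10:03:00 sw-edge-7 %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to down",
    "2024-05-01T10:10:00 sw-core-1 %SPAN-5-PKTCAP_START: Packet capture started",
    "2024-05-01T10:12:00 sw-core-1 %SPAN-5-SESSION_UP: Session 3 is up",
]

# Splits "<time> <host> %FACILITY-SEV-MNEMONIC: message" into the fields the rule uses.
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<host>\S+)\s+%(?P<facility>[A-Z_]+)-\d-(?P<mnemonic>[A-Z_]+):\s*(?P<msg>.*)$"
)
# Extracts the configured command from a CFGLOG_LOGGEDCMD message (assumed message layout).
CMD_RE = re.compile(r"logged command:(?P<command>.*)$")

# Direct equivalents of the three facility/mnemonic pairs in the search.
MIRROR_EVENTS = {("MIRROR", "ETH_SPAN_SESSION_UP"), ("SPAN", "SESSION_UP"), ("SPAN", "PKTCAP_START")}

def matches_rule(facility, mnemonic, msg):
    """One event passes if it hits any OR clause of the search."""
    if (facility, mnemonic) in MIRROR_EVENTS:
        return True
    if mnemonic == "CFGLOG_LOGGEDCMD":  # command="monitor session*" clause
        m = CMD_RE.search(msg)
        return bool(m and m.group("command").startswith("monitor session"))
    return False

def detect_traffic_mirroring(lines):
    """Equivalent of 'stats min(_time) max(_time) count BY host facility mnemonic'.
    Returns {(host, facility, mnemonic): (firstTime, lastTime, count)}."""
    stats = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not matches_rule(m["facility"], m["mnemonic"], m["msg"]):
            continue
        key = (m["host"], m["facility"], m["mnemonic"])
        ts = datetime.fromisoformat(m["time"])
        first, last, count = stats.get(key, (ts, ts, 0))
        stats[key] = (min(first, ts), max(last, ts), count + 1)
    return stats

if __name__ == "__main__":
    for (host, fac, mn), (first, last, n) in sorted(detect_traffic_mirroring(SAMPLE_LOGS).items()):
        print(f"{host} {fac} {mn} first={first} last={last} count={n}")
```

Every row this produces, including the administrator's own "monitor session" configuration, is a candidate for the false positive noted at the top of the page; the `detect_traffic_mirroring_filter` macro is where such approved hosts or sessions would be excluded.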