traffic mirroring may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. traffic mirroring from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

t1020
t1040
t1074
t1537
aws
elastic

Techniques

T1020
T1040
T1074
T1537

Sample rules

AWS EC2 Full Network Packet Capture Detected

source: elastic
technicques:
- T1020
- T1040
- T1074
- T1537

Description

Detects successful creation of an Amazon EC2 Traffic Mirroring session. A session copies full packets from a source Elastic Network Interface (ENI) to a mirror target (e.g., an ENI or NLB) using a mirror filter (ingress/egress rules). While used for diagnostics and NDR/IDS tooling, adversaries can abuse sessions to covertly capture and exfiltrate sensitive, potentially unencrypted, traffic from instances or subnets.

Detection logic

event.dataset: "aws.cloudtrail" and 
    event.provider: "ec2.amazonaws.com" and
    event.action: "CreateTrafficMirrorSession" and
    event.outcome: "success"