DET0403 Detection Strategy for Traffic Duplication via Mirroring in IaaS and Network Devices

| Item | Value |
|---|---|
| ID | DET0403 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1020.001 (Traffic Duplication)

Analytics

IaaS

AN1131

Configuration changes to virtual TAP/mirror policies that forward traffic to unapproved destinations. Detection correlates management-plane API calls (the mirror session or target being created or modified) with mirrored traffic subsequently observed at the destination.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | AWS:CloudTrail | CreateTrafficMirrorSession or ModifyTrafficMirrorTarget |
| Network Connection Creation (DC0082) | AWS:VPCFlowLogs | Traffic observed on mirror destination instance |

Mutable Elements

| Field | Description |
|---|---|
| TimeWindow | Detect mirror session creation followed by mirrored traffic within X seconds (e.g., 60s) |
| MirrorDestinationCIDR | Define suspicious or external mirror targets (e.g., non-enterprise ranges) |
| UserIdentity | Flag traffic mirror activity by non-privileged or unexpected IAM roles |
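The AN1131 correlation above, worked as an added example (not MITRE's or AWS's code): CloudTrail mirror-session events are joined to VPC Flow Log records arriving at the mirror target within TimeWindow, and flagged when the target falls outside MirrorDestinationCIDR or the caller is not an expected UserIdentity. The CloudTrail field names are simplified, the target-id-to-IP inventory map is an assumption, and all events, ARNs and flow records are constructed sample data.

```python
"""Correlate CloudTrail traffic-mirror API calls with VPC Flow Logs (DET0403 / AN1131).
Added example, not MITRE's code; field names are simplified and all sample data is constructed."""
import ipaddress
from datetime import datetime, timedelta, timezone
# Mutable elements from AN1131: TimeWindow, MirrorDestinationCIDR, UserIdentity
TIME_WINDOW = timedelta(seconds=60)
APPROVED_MIRROR_CIDRS = [ipaddress.ip_network("10.50.0.0/16")]  # constructed collector range
ADMIN_ROLE = "arn:aws:iam::111122223333:role/NetOpsMirrorAdmin"  # constructed
APPROVED_ROLES = {ADMIN_ROLE}
MIRROR_EVENTS = {"CreateTrafficMirrorSession", "ModifyTrafficMirrorTarget"}
# Assumed inventory lookup: mirror target id -> address of the ENI/NLB that receives the copy
TARGET_IP = {"tmt-0aaa": "10.50.1.20", "tmt-0bbb": "198.51.100.7"}

def parse_flow(line):
    # Default VPC Flow Log field order: f[4]=dstaddr, f[6]=dstport, f[7]=protocol, f[10]=start
    f = line.split()
    return {"dst": f[4], "dstport": int(f[6]), "proto": int(f[7]),
            "start": datetime.fromtimestamp(int(f[10]), timezone.utc)}

def correlate(events, flow_lines):
    flows = [parse_flow(line) for line in flow_lines]
    alerts = []
    for ev in events:
        if ev["eventName"] not in MIRROR_EVENTS:
            continue
        t0 = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        target_ip = TARGET_IP.get(ev["requestParameters"]["trafficMirrorTargetId"])
        reasons = []
        if target_ip and not any(ipaddress.ip_address(target_ip) in n for n in APPROVED_MIRROR_CIDRS):
            reasons.append("mirror target outside approved CIDR")
        if ev["userIdentity"]["arn"] not in APPROVED_ROLES:
            reasons.append("unexpected IAM identity")
        if not reasons:
            continue
        # Mirrored packets reach the target VXLAN-encapsulated (UDP/4789) within TimeWindow
        observed = any(f["dst"] == target_ip and f["proto"] == 17 and f["dstport"] == 4789
                       and t0 <= f["start"] <= t0 + TIME_WINDOW for f in flows)
        alerts.append({"event": ev["eventName"], "identity": ev["userIdentity"]["arn"],
                       "target_ip": target_ip, "reasons": reasons, "traffic_observed": observed})
    return alerts
# Constructed samples: an approved session, then a session to an external target by a workload role
EVENTS = [
    {"eventName": "CreateTrafficMirrorSession", "eventTime": "2025-10-21T12:00:00Z",
     "userIdentity": {"arn": ADMIN_ROLE}, "requestParameters": {"trafficMirrorTargetId": "tmt-0aaa"}},
    {"eventName": "CreateTrafficMirrorSession", "eventTime": "2025-10-21T12:00:00Z",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/WebAppRole/i-0abc"},
     "requestParameters": {"trafficMirrorTargetId": "tmt-0bbb"}}]
FLOWS = [  # start 1761048015 is 2025-10-21T12:00:15Z, inside the 60 s window
    "2 111122223333 eni-0c1 10.0.1.15 198.51.100.7 49152 4789 17 120 163840 1761048015 1761048045 ACCEPT OK",
    "2 111122223333 eni-0c2 10.0.2.9 10.50.1.20 49153 4789 17 80 100000 1761048020 1761048050 ACCEPT OK"]
```

Running `correlate(EVENTS, FLOWS)` yields one alert for the session pointed at 198.51.100.7 by the workload role, with `traffic_observed` set because VXLAN flows reached that target 15 s after the API call; a config change with no matching flows still alerts, with the flag false, so the two cases can be triaged differently.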

Network Devices

AN1132

Unauthorized mirroring sessions initiated on routers/switches (e.g., via monitor session, mirror port), coupled with outbound traffic from the mirrored interface to unexpected destinations.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | networkdevice:syslog | Config change: CLI/NETCONF/SNMP – ‘monitor session’, ‘mirror port’ |
| Network Connection Creation (DC0082) | networkdevice:Flow | Traffic from mirrored interface to mirror target IP |

Mutable Elements

| Field | Description |
|---|---|
| ConfigChangeType | Tune based on accepted interface config changes (e.g., audit only mirror session creation) |
| MirrorDestinationPort | Define high-risk ports used for exfiltration (e.g., 4443, 8443, 2055) |
| DeviceRole | Define whether mirroring is expected on edge vs. core vs. distribution devices |