Detect Traffic Mirroring

Description

Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature of some network devices, used for network analysis: it can be configured to duplicate traffic and forward it to one or more destinations for analysis by a network analyzer or other monitoring device.


Use Case

Security Monitoring

Category

Adversary Tactics


SPL Difficulty

None

Journey

Stage 2

MITRE ATT&CK Tactics

Initial Access
Impact

MITRE ATT&CK Techniques

Hardware Additions
Network Denial of Service
Automated Exfiltration: Traffic Duplication

MITRE Threat Groups

APT28
DarkVishnya

Data Sources

Network Communication

Detect Traffic Mirroring Help

This search uses a standard SPL query on logs from Cisco network devices. The network devices must log at a minimum severity level of 5 (notification). The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices and that the devices have been configured according to the Cisco Networks Add-on documentation. Also note that an attacker may disable logging on the device before enabling traffic mirroring, so a device that suddenly stops sending logs is itself worth investigating.
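The detection logic described above, as an added example that is not the Splunk Security Essentials search nor Splunk's or Cisco's code: it parses constructed Cisco IOS syslog lines at severity 5 and flags logged configuration commands that create a SPAN/RSPAN session or turn logging off. It assumes configuration-command logging is enabled on the device (so that %PARSER-5-CFGLOG_LOGGEDCMD messages are emitted); hostnames, users, interfaces and VLANs in the sample are made up.

```python
import re

# Constructed sample Cisco IOS syslog lines at severity 5 (notification). The
# %PARSER-5-CFGLOG_LOGGEDCMD message is emitted when configuration-command logging
# ("archive / log config / logging enable") is on; hosts, users, VLAN and interfaces are made up.
SAMPLE_LOGS = [
    "<189>Mar 12 10:01:02 core-sw1 1234: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<189>Mar 12 10:01:05 core-sw1 1235: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:monitor session 1 source interface Gi1/0/1 both",
    "<189>Mar 12 10:01:06 core-sw1 1236: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:monitor session 1 destination remote vlan 999",
    "<189>Mar 12 10:02:00 edge-rtr2 4410: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_net  logged command:no logging host 10.0.0.50",
    "<189>Mar 12 10:02:30 core-sw1 1237: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface GigabitEthernet1/0/2",
]

# Generic IOS syslog shape: optional PRI, timestamp, hostname, sequence number, %FACILITY-SEV-MNEMONIC: text
LINE_RE = re.compile(
    r"^(?:<\d+>)?[*.]?(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+\d+:\s+"
    r"%(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+):\s+(?P<text>.*)$"
)
CMD_RE = re.compile(r"User:(?P<user>\S+)\s+logged command:(?P<cmd>.+)$")
# SPAN/RSPAN/ERSPAN sessions are built with "monitor session <n> source|destination|filter ..."
MIRROR_RE = re.compile(r"^monitor\s+session\s+\d+\s+(?:source|destination|filter)\b", re.I)
# The help text notes an attacker may disable logging first; surface that as well.
LOGGING_OFF_RE = re.compile(r"^no\s+logging\b", re.I)


def parse_line(line):
    """Return the parsed syslog fields, or None if the line is not an IOS %FAC-SEV-MNEMONIC message."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(lines):
    """Flag logged configuration commands that create a mirror session or turn logging off."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["mnemonic"] != "CFGLOG_LOGGEDCMD":
            continue
        cmd = CMD_RE.search(rec["text"])
        if cmd is None:
            continue
        command = cmd.group("cmd").strip()
        if MIRROR_RE.match(command):
            kind = "traffic_mirroring"
        elif LOGGING_OFF_RE.match(command):
            kind = "logging_disabled"
        else:
            continue  # ordinary configuration change, not of interest here
        alerts.append({"host": rec["host"], "user": cmd.group("user"),
                       "severity": int(rec["sev"]), "kind": kind, "command": command})
    return alerts
```

Running `detect(SAMPLE_LOGS)` yields two traffic_mirroring alerts for core-sw1 and one logging_disabled alert for edge-rtr2; the plain interface change is ignored.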
