WARNING: THIS IS AN EXPERIMENTAL object
We have not been able to test, simulate, or build datasets for this object. Use at your own risk. This analytic is NOT supported.
Adversaries may leverage traffic mirroring to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature of some network devices, intended for network analysis: it can be configured to duplicate traffic and forward the copies to one or more destinations for analysis by a network analyzer or other monitoring device. The same feature, pointed at an attacker-controlled destination, copies production traffic off the network without touching the endpoints.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2020-10-28
- Author: Mikael Bjerkeland, Splunk
- ID: 42b3b753-5925-49c5-9742-36fa40a73990
Kill Chain Phase
- Actions on Objectives
CIS Controls
- CIS 1
- CIS 11
```
`cisco_networks` (facility="MIRROR" mnemonic="ETH_SPAN_SESSION_UP") OR (facility="SPAN" mnemonic="SESSION_UP") OR (facility="SPAN" mnemonic="PKTCAP_START") OR (mnemonic="CFGLOG_LOGGEDCMD" command="monitor session*")
| stats min(_time) AS firstTime max(_time) AS lastTime count BY host facility mnemonic
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_traffic_mirroring_filter`
```
The SPL above uses the following macros: `cisco_networks`, `security_content_ctime` and `detect_traffic_mirroring_filter`.
Note that `detect_traffic_mirroring_filter` is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
How To Implement
This search uses a standard SPL query on logs from Cisco network devices. The devices must log at a minimum severity level of "5 - notification", because every event the search keys on (the SPAN/MIRROR session messages and the logged `monitor session` configuration command) is emitted at that level; a lower logging level silently drops them. The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices and that the devices have been configured according to the documentation of the Cisco Networks Add-on. Also note that an attacker with administrative access to the device may disable logging, or lower the logging level below notification, before enabling traffic mirroring, in which case none of these events ever reach Splunk.
Known False Positives
This search will return false positives for any legitimate traffic captures by network administrators; known capture sources can be excluded through the `detect_traffic_mirroring_filter` macro rather than by editing the SPL.
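The search logic above, run over a handful of constructed Cisco-style syslog lines, as an added example that is not part of the Splunk content or of the Cisco Networks Add-on. It assumes the add-on's field names `host`, `facility`, `severity` and `mnemonic`, taken from the standard `%FACILITY-SEVERITY-MNEMONIC:` syslog header, and that the `command` field of a `CFGLOG_LOGGEDCMD` event is the text after `logged command:`; the hostnames, timestamps and message texts are all made up. Beyond the search itself it shows two points from the sections above: a stand-in for the empty filter macro that drops a known administrator capture host, and what happens when the device's `logging trap` level is set below 5, which is the How To Implement caveat.

```python
"""Added example: the Detect Traffic Mirroring search re-implemented in Python
over constructed Cisco-style syslog lines (not Splunk or Cisco code)."""
import re
from datetime import datetime, timezone

# Cisco syslog messages carry a %FACILITY-SEVERITY-MNEMONIC: header; the
# Cisco Networks Add-on extracts facility, severity and mnemonic from it.
HEADER_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+.*?%(?P<facility>[A-Z0-9_]+)-"
    r"(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
# Assumption: the `command` field is the text after "logged command:".
COMMAND_RE = re.compile(r"logged command:\s*(?P<command>.+)$")

# Constructed sample data; hostnames and message texts are made up.
SAMPLE_LOGS = """\
2020-10-28T10:00:01Z sw-core-01 %SPAN-5-SESSION_UP: SPAN session 1 is up
2020-10-28T10:00:05Z sw-core-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:monitor session 1 source interface GigabitEthernet1/0/1
2020-10-28T10:02:00Z nx-dc-03 %MIRROR-5-ETH_SPAN_SESSION_UP: Ethernet SPAN session 2 is up
2020-10-28T10:03:00Z sw-core-01 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to up
2020-10-28T10:04:00Z sw-edge-07 %SPAN-5-PKTCAP_START: Packet capture session 1 started
2020-10-28T10:05:00Z sw-core-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface GigabitEthernet1/0/9
2020-10-28T10:09:30Z sw-core-01 %SPAN-5-SESSION_UP: SPAN session 1 is up
"""


def parse(line):
    """Turn one syslog line into a dict of extracted fields (None if no header)."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["severity"] = int(ev["severity"])
    ev["_time"] = datetime.strptime(ev.pop("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    c = COMMAND_RE.search(ev["text"])
    if c:
        ev["command"] = c.group("command").strip()
    return ev


def matches(ev):
    """The search's boolean: SPAN/MIRROR session events or a logged 'monitor session' command."""
    fac, mne = ev["facility"], ev["mnemonic"]
    if fac == "MIRROR" and mne == "ETH_SPAN_SESSION_UP":
        return True
    if fac == "SPAN" and mne in ("SESSION_UP", "PKTCAP_START"):
        return True
    if mne == "CFGLOG_LOGGEDCMD" and "command" in ev:
        # command="monitor session*" is a case-insensitive prefix wildcard in SPL
        return ev["command"].lower().startswith("monitor session")
    return False


def detect(lines, filter_fn=lambda row: True):
    """stats min(_time) AS firstTime max(_time) AS lastTime count BY host facility mnemonic,
    followed by the filter macro (empty by default, i.e. keep every row)."""
    rows = {}
    for line in lines:
        ev = parse(line)
        if ev is None or not matches(ev):
            continue
        key = (ev["host"], ev["facility"], ev["mnemonic"])
        row = rows.setdefault(
            key,
            {"host": key[0], "facility": key[1], "mnemonic": key[2],
             "firstTime": ev["_time"], "lastTime": ev["_time"], "count": 0},
        )
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
        row["count"] += 1
    return [row for row in rows.values() if filter_fn(row)]


def exclude_hosts(hosts):
    """Stand-in for detect_traffic_mirroring_filter: drop known admin capture hosts."""
    return lambda row: row["host"] not in hosts


def forwarded_by_device(lines, trap_level):
    """Model `logging trap <level>`: the device only sends messages whose severity
    is <= the configured level, so level 4 (warnings) silently drops every
    severity-5 (notification) event this search depends on."""
    kept = []
    for line in lines:
        ev = parse(line)
        if ev is not None and ev["severity"] <= trap_level:
            kept.append(line)
    return kept


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    for row in detect(lines):
        print(f"{row['host']:<11} {row['facility']:<7} {row['mnemonic']:<20} "
              f"{row['firstTime']:%Y-%m-%d %H:%M:%S} .. {row['lastTime']:%H:%M:%S} x{row['count']}")
    print("rows with sw-edge-07 filtered:", len(detect(lines, exclude_hosts({"sw-edge-07"}))))
    print("rows with 'logging trap warnings' (4):", len(detect(forwarded_by_device(lines, 4))))
```

Run as-is it prints four aggregated rows: the two `SESSION_UP` events on sw-core-01 collapse into one row with a count of 2, the plain `interface` configuration command is not matched because it does not start with `monitor session`, and the `LINK-3-UPDOWN` line is ignored entirely. Filtering sw-edge-07 removes one row, and forwarding only severity 4 and below leaves nothing for the search to find, which is exactly the blind spot the implementation note warns about.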
Associated Analytic story
- Version: 1