⚠️ WARNING THIS IS A EXPERIMENTAL DETECTION
We have not been able to test, simulate or build datasets for it, use at your own risk!
Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2020-10-28
- Author: Mikael Bjerkeland, Splunk
- ID: 42b3b753-5925-49c5-9742-36fa40a73990
|T1200||Hardware Additions||Initial Access|
|T1498||Network Denial of Service||Impact|
`cisco_networks` (facility="MIRROR" mnemonic="ETH_SPAN_SESSION_UP") OR (facility="SPAN" mnemonic="SESSION_UP") OR (facility="SPAN" mnemonic="PKTCAP_START") OR (mnemonic="CFGLOG_LOGGEDCMD" command="monitor session*") | stats min(_time) AS firstTime max(_time) AS lastTime count BY host facility mnemonic | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `detect_traffic_mirroring_filter`
Associated Analytic Story
How To Implement
This search uses a standard SPL query on logs from Cisco Network devices. The network devices must log with a severity level of minimum "5 - notification". The search also requires that the Cisco Networks Add-on for Splunk (https://splunkbase.splunk.com/app/1467) is used to parse the logs from the Cisco network devices and that the devices have been configured according to the documentation of the Cisco Networks Add-on. Also note that an attacker may disable logging from the device prior to enabling traffic mirroring.
Kill Chain Phase
- Actions on Objectives
Known False Positives
This search will return false positives for any legitimate traffic captures by network administrators.
source | version: 1