T1020.001 Traffic Duplication Mappings

Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring)

Adversaries may abuse traffic mirroring to mirror or redirect network traffic through other infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through ROMMONkit or Patch System Image. (Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks)

Many cloud-based environments also support traffic mirroring. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to. (Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP)
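The cloud controls mapped below (Baseline Configuration, Configuration Settings, System Monitoring) come down to one defender check: every mirror session must point at a target the organisation actually owns and has approved for analysis, and any session that is not in the baseline is a change to investigate. The following script is an added illustration, not code from MITRE or from any cloud provider. It audits a constructed inventory of mirror sessions and targets whose field names follow the AWS EC2 DescribeTrafficMirrorSessions / DescribeTrafficMirrorTargets responses as the author understands them (an assumption; the sample records, account IDs and ENI names are made up), and it generalises to any provider whose mirroring model is "source interface, target, filter".

```python
"""Audit traffic-mirroring configuration against an allowlist and a baseline.

Added example, not provider code. Record shapes are modelled on the AWS EC2
DescribeTrafficMirrorSessions / DescribeTrafficMirrorTargets API fields
(assumption); all sample values below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed sample: inventory of mirror targets (where copied traffic goes).
SAMPLE_TARGETS = [
    {"TrafficMirrorTargetId": "tmt-0aaa", "Type": "network-interface",
     "NetworkInterfaceId": "eni-ids-sensor-01", "OwnerId": "111111111111",
     "Description": "IDS sensor"},
    # A network-load-balancer target owned by a *different* account.
    {"TrafficMirrorTargetId": "tmt-0bbb", "Type": "network-load-balancer",
     "NetworkLoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:"
                               "999999999999:loadbalancer/net/collector/abc",
     "OwnerId": "999999999999", "Description": ""},
]

# Constructed sample: active mirror sessions (source ENI -> target).
SAMPLE_SESSIONS = [
    {"TrafficMirrorSessionId": "tms-0001", "TrafficMirrorTargetId": "tmt-0aaa",
     "NetworkInterfaceId": "eni-web-01", "TrafficMirrorFilterId": "tmf-0001",
     "SessionNumber": 1},
    {"TrafficMirrorSessionId": "tms-0002", "TrafficMirrorTargetId": "tmt-0bbb",
     "NetworkInterfaceId": "eni-db-01", "TrafficMirrorFilterId": "tmf-0002",
     "SessionNumber": 1},
    # Session whose target is no longer (or never was) in the target inventory.
    {"TrafficMirrorSessionId": "tms-0003", "TrafficMirrorTargetId": "tmt-0ccc",
     "NetworkInterfaceId": "eni-web-02", "TrafficMirrorFilterId": "tmf-0001",
     "SessionNumber": 1},
]

# Constructed baseline of (source ENI, target) pairs approved at last review.
BASELINE_PAIRS = {("eni-web-01", "tmt-0aaa")}
APPROVED_TARGETS = {"tmt-0aaa"}
OWN_ACCOUNT_ID = "111111111111"


@dataclass(frozen=True)
class Finding:
    session_id: str
    source_eni: str
    target_id: str
    reason: str


def audit_mirror_sessions(sessions, targets, approved_targets, account_id):
    """Return one Finding per policy violation across all sessions.

    Checks, in order: target exists in inventory; target is owned by our own
    account (a foreign-owned target is the classic exfiltration shape);
    target is on the approved analysis-target allowlist.
    """
    targets_by_id = {t["TrafficMirrorTargetId"] for t in targets}
    targets_by_id = {t["TrafficMirrorTargetId"]: t for t in targets}
    findings = []
    for s in sessions:
        sid, src, tid = (s["TrafficMirrorSessionId"],
                         s["NetworkInterfaceId"], s["TrafficMirrorTargetId"])
        target = targets_by_id.get(tid)
        if target is None:
            findings.append(Finding(sid, src, tid, "target missing from inventory"))
            continue
        if target.get("OwnerId") != account_id:
            findings.append(Finding(sid, src, tid, "target owned by foreign account"))
        if tid not in approved_targets:
            findings.append(Finding(sid, src, tid, "target not on approved allowlist"))
    return findings


def sessions_not_in_baseline(sessions, baseline_pairs):
    """Return the set of (source ENI, target) pairs that were not in the
    baseline, i.e. mirror sessions created since the last configuration
    review (the CM-02 / CM-06 style check)."""
    current = {(s["NetworkInterfaceId"], s["TrafficMirrorTargetId"]) for s in sessions}
    return current - set(baseline_pairs)


if __name__ == "__main__":
    for f in audit_mirror_sessions(SAMPLE_SESSIONS, SAMPLE_TARGETS,
                                   APPROVED_TARGETS, OWN_ACCOUNT_ID):
        print(f"{f.session_id}: {f.source_eni} -> {f.target_id}: {f.reason}")
    for pair in sorted(sessions_not_in_baseline(SAMPLE_SESSIONS, BASELINE_PAIRS)):
        print("new since baseline:", pair)
```

In a live environment the two sample lists would be replaced by the provider's describe/list calls, and the baseline would be stored alongside other infrastructure configuration so that a diff against it runs on a schedule. The foreign-owner check is the most valuable single test: a legitimate analysis target almost always sits in an account the organisation controls.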

Adversaries may use traffic duplication in conjunction with Network Sniffing, Input Capture, or Adversary-in-the-Middle depending on the goals and objectives of the adversary.


Mappings

Capability ID  Capability Description                         Mapping Type  ATT&CK ID  ATT&CK Name
CM-05          Access Restrictions for Change                 Protects      T1020.001  Traffic Duplication
AC-06          Least Privilege                                Protects      T1020.001  Traffic Duplication
AC-03          Access Enforcement                             Protects      T1020.001  Traffic Duplication
AC-02          Account Management                             Protects      T1020.001  Traffic Duplication
AC-16          Security and Privacy Attributes                Protects      T1020.001  Traffic Duplication
AC-17          Remote Access                                  Protects      T1020.001  Traffic Duplication
AC-18          Wireless Access                                Protects      T1020.001  Traffic Duplication
AC-19          Access Control for Mobile Devices              Protects      T1020.001  Traffic Duplication
AC-20          Use of External Systems                        Protects      T1020.001  Traffic Duplication
AC-04          Information Flow Enforcement                   Protects      T1020.001  Traffic Duplication
CA-03          Information Exchange                           Protects      T1020.001  Traffic Duplication
CM-02          Baseline Configuration                         Protects      T1020.001  Traffic Duplication
CM-06          Configuration Settings                         Protects      T1020.001  Traffic Duplication
CM-08          System Component Inventory                     Protects      T1020.001  Traffic Duplication
SC-04          Information in Shared System Resources         Protects      T1020.001  Traffic Duplication
SC-07          Boundary Protection                            Protects      T1020.001  Traffic Duplication
SC-08          Transmission Confidentiality and Integrity     Protects      T1020.001  Traffic Duplication
SI-12          Information Management and Retention           Protects      T1020.001  Traffic Duplication
SI-04          System Monitoring                              Protects      T1020.001  Traffic Duplication
SI-07          Software, Firmware, and Information Integrity  Protects      T1020.001  Traffic Duplication