Adversaries may leverage traffic mirroring to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature of some network devices, intended for network analysis: it can be configured to duplicate traffic and forward the copy to one or more destinations for inspection by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring) (Citation: Juniper Traffic Mirroring)
Adversaries may abuse traffic mirroring to mirror or redirect network traffic through other network infrastructure they control. Malicious modifications to network devices that enable traffic redirection may be possible through ROMMONkit or Patch System Image. (Citation: US-CERT-TA18-106A) (Citation: Cisco Blog Legacy Device Attacks) Adversaries may use traffic duplication in conjunction with Network Sniffing, Input Capture, or Man-in-the-Middle, depending on the goals and objectives of the adversary.
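A defender-side check that follows from the CM-2 and SI-4 mappings below is to diff a device's mirror sessions against an approved baseline. The following is an added example, not code from MITRE or any vendor; the Cisco IOS-style `monitor session` lines and the approved-destination list are constructed for illustration.

```python
import re
from typing import Dict, List, Set

# Constructed sample of Cisco IOS-style SPAN configuration lines (not a real device).
# Session 1 is the expected mirror feeding the IDS sensor port; session 2 is an
# unexpected remote session that ships a copy of the uplink to an unapproved VLAN.
SAMPLE_CONFIG = """
hostname edge-sw01
monitor session 1 source interface GigabitEthernet0/1 both
monitor session 1 destination interface GigabitEthernet0/24
monitor session 2 source interface GigabitEthernet0/48 rx
monitor session 2 destination remote vlan 999
"""

# Baseline (CM-2): the only mirror destination an operator approved (constructed).
APPROVED_DESTINATIONS: Set[str] = {"interface GigabitEthernet0/24"}

SESSION_RE = re.compile(
    r"^monitor session (?P<id>\d+) (?P<role>source|destination) (?P<target>.+)$"
)


def parse_sessions(config: str) -> Dict[str, Dict[str, List[str]]]:
    """Group SPAN 'source' and 'destination' statements by session id."""
    sessions: Dict[str, Dict[str, List[str]]] = {}
    for line in config.splitlines():
        m = SESSION_RE.match(line.strip())
        if not m:
            continue
        entry = sessions.setdefault(m["id"], {"source": [], "destination": []})
        entry[m["role"]].append(m["target"].strip())
    return sessions


def unexpected_sessions(config: str, approved: Set[str]) -> List[str]:
    """Return ids of mirror sessions whose destination is not in the baseline."""
    flagged: List[str] = []
    for sid, entry in parse_sessions(config).items():
        if any(dest not in approved for dest in entry["destination"]):
            flagged.append(sid)
    return flagged


if __name__ == "__main__":
    for sid in unexpected_sessions(SAMPLE_CONFIG, APPROVED_DESTINATIONS):
        print(f"session {sid}: mirror destination not in baseline, review for T1020.001")
```

Run the same comparison against each device's running configuration on a schedule, and alert on any session id that appears in the flagged list.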
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-16 | Security and Privacy Attributes | Protects | T1020.001 | Traffic Duplication |
AC-17 | Remote Access | Protects | T1020.001 | Traffic Duplication |
AC-18 | Wireless Access | Protects | T1020.001 | Traffic Duplication |
AC-19 | Access Control for Mobile Devices | Protects | T1020.001 | Traffic Duplication |
AC-20 | Use of External Systems | Protects | T1020.001 | Traffic Duplication |
CM-2 | Baseline Configuration | Protects | T1020.001 | Traffic Duplication |
CM-6 | Configuration Settings | Protects | T1020.001 | Traffic Duplication |
CM-8 | System Component Inventory | Protects | T1020.001 | Traffic Duplication |
SC-4 | Information in Shared System Resources | Protects | T1020.001 | Traffic Duplication |
SI-12 | Information Management and Retention | Protects | T1020.001 | Traffic Duplication |
SI-4 | System Monitoring | Protects | T1020.001 | Traffic Duplication |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1020.001 | Traffic Duplication |