1. Home
  2. Techniques
  3. Enterprise
  4. Automated Exfiltration
  5. Traffic Duplication

Automated Exfiltration: Traffic Duplication

Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. [1][2]

Adversaries may abuse traffic mirroring to mirror or redirect network traffic through other infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through ROMMONkit or Patch System Image.[3][4]

Many cloud-based environments also support traffic mirroring. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.[5][6][7]

Adversaries may use traffic duplication in conjunction with Network Sniffing, Input Capture, or Adversary-in-the-Middle depending on the goals and objectives of the adversary.

ID: T1020.001
Sub-technique of:  T1020
Tactic: Exfiltration
Platforms: IaaS, Network Devices
Version: 1.4
Created: 19 October 2020
Last Modified: 24 October 2025
Version Permalink

Mitigations

ID Mitigation Description
M1057 Data Loss Prevention

Implement Data Loss Prevention (DLP) solutions to monitor, detect, and control the flow of sensitive information. DLP tools can be configured to block unauthorized attempts to exfiltrate data, such as preventing emails from being forwarded to external recipients or monitoring for suspicious data transfers. By creating email flow rules and applying policies to detect anomalies, DLP solutions help mitigate the risk of data exfiltration over alternative protocols.
M1041 Encrypt Sensitive Information

Ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS.
M1018 User Account Management

In cloud environments, ensure that users are not granted permissions to create or modify traffic mirrors unless this is explicitly required.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0403 Detection Strategy for Traffic Duplication via Mirroring in IaaS and Network Devices AN1131

Configuration changes to virtual TAP/mirror policies that forward traffic to unapproved destinations. Detection correlates management plane API calls with mirrored traffic observation.
AN1132

Unauthorized mirroring sessions initiated on routers/switches (e.g., via monitor session, mirror port) coupled with outbound traffic from mirrored interface to unexpected destinations.

References

  1. Cisco. (n.d.). Cisco IOS XR Interface and Hardware Component Configuration Guide for the Cisco CRS Router, Release 5.1.x. Retrieved October 19, 2020.
  2. Juniper. (n.d.). Understanding Port Mirroring on EX2200, EX3200, EX3300, EX4200, EX4500, EX4550, EX6200, and EX8200 Series Switches. Retrieved October 19, 2020.
  3. US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
  4. Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.
  1. Amazon Web Services. (n.d.). How Traffic Mirroring works. Retrieved March 17, 2022.
  2. Google Cloud. (n.d.). Packet Mirroring overview. Retrieved March 17, 2022.
  3. Microsoft. (2022, February 9). Virtual network TAP. Retrieved March 17, 2022.