Esc

Traffic Duplication - T1020.001

(ATT&CK® Technique)

Definition

Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device.

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1020001["Traffic Duplication"] --> |produces| InternetNetworkTraffic["Internet Network Traffic"]; class T1020001 OffensiveTechniqueNode;
        class InternetNetworkTraffic ArtifactNode; click InternetNetworkTraffic href "/dao/artifact/d3f:InternetNetworkTraffic";
        click T1020001 href "/offensive-technique/attack/T1020.001/"; click InternetNetworkTraffic href "/dao/artifact/d3f:InternetNetworkTraffic";Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
          | analyzes | InternetNetworkTraffic["Internet Network Traffic"];

          Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
            | may-detect | T1020001["Traffic Duplication"] ;
          class Client-serverPayloadProfiling DefensiveTechniqueNode;
          class InternetNetworkTraffic ArtifactNode;
          click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
          | analyzes | InternetNetworkTraffic["Internet Network Traffic"];

          NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
            | may-detect | T1020001["Traffic Duplication"] ;
          class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
          class InternetNetworkTraffic ArtifactNode;
          click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation"; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
          | analyzes | InternetNetworkTraffic["Internet Network Traffic"];

          PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
            | may-detect | T1020001["Traffic Duplication"] ;
          class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
          class InternetNetworkTraffic ArtifactNode;
          click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
          | analyzes | InternetNetworkTraffic["Internet Network Traffic"];

          ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
            | may-detect | T1020001["Traffic Duplication"] ;
          class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
          class InternetNetworkTraffic ArtifactNode;
          click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
          | analyzes | InternetNetworkTraffic["Internet Network Traffic"];

          RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
            | may-detect | T1020001["Traffic Duplication"] ;
          class RemoteTerminalSessionDetection DefensiveTechniqueNode;
          class InternetNetworkTraffic ArtifactNode;
          click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
          | analyzes | InternetNetworkTraffic["Internet Network Traffic"];

          NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
            | may-detect | T1020001["Traffic Duplication"] ;
          class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
          class InternetNetworkTraffic ArtifactNode;
          click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
          | analyzes | InternetNetworkTraffic["Internet Network Traffic"];

          UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
            | may-detect | T1020001["Traffic Duplication"] ;
          class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
          class InternetNetworkTraffic ArtifactNode;
          click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; NetworkTrafficFiltering["Network Traffic Filtering"] -->
          | filters | InternetNetworkTraffic["Internet Network Traffic"];

          NetworkTrafficFiltering["Network Traffic Filtering"] -.->
            | may-isolate | T1020001["Traffic Duplication"] ;
          class NetworkTrafficFiltering DefensiveTechniqueNode;
          class InternetNetworkTraffic ArtifactNode;
          click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering";

json