Elastic | medium | TTP

AWS EC2 Full Network Packet Capture Detected

Detects successful creation of an Amazon EC2 Traffic Mirroring session. A session copies full packets from a source Elastic Network Interface (ENI) to a mirror target (e.g., an ENI or NLB) using a mirror filter (ingress/egress rules). While used for diagnostics and NDR/IDS tooling, adversaries can abuse sessions to covertly capture and exfiltrate sensitive, potentially unencrypted, traffic from instances or subnets.

MITRE ATT&CK

Exfiltration, Collection, Discovery, Credential Access

Detection Query

data_stream.dataset: "aws.cloudtrail" and 
    event.provider: "ec2.amazonaws.com" and
    event.action: "CreateTrafficMirrorSession" and
    event.outcome: "success"
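The query above is the rule's trigger; the triage guide in the rule's note (in the raw content further down) then asks the analyst to pull the session details out of `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` and to pivot ±30–60 minutes for related Traffic Mirror and `Describe*` calls by the same principal, access key or source IP. The following Python helper is an added example, not Elastic's code and not part of the rule: it applies the same three conditions to a batch of CloudTrail records, extracts the session fields the note lists, and performs the pivot with the note's buckets. It assumes the raw CloudTrail JSON shape (camelCase `requestParameters` keys, the created ID under `responseElements.trafficMirrorSession.trafficMirrorSessionId`) and that the aws integration maps a record with no `errorCode` to `event.outcome: success`; every ARN, key ID, IP and resource ID in the sample log is constructed.

```python
# Added triage example for this rule (not Elastic's rule code). Works on raw
# CloudTrail record shape; mapping that shape onto the rule's ECS query fields
# (event.provider / event.action / event.outcome) is an assumption.
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Any

WINDOW = timedelta(minutes=60)  # pivot window from the rule note (+/-30-60 min)


def _rec(time: str, name: str, user: str = "contractor", key: str = "AKIAEXAMPLE0000001",
         ip: str = "203.0.113.7", **extra: Any) -> dict[str, Any]:
    """Build a constructed CloudTrail-style record (all identifiers are made up)."""
    rec: dict[str, Any] = {
        "eventTime": time, "eventSource": "ec2.amazonaws.com", "eventName": name,
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "accessKeyId": key,
                         "arn": f"arn:aws:iam::111122223333:user/{user}"},
    }
    rec.update(extra)
    return rec


# Constructed sample log: discovery, target staging, session creation and a quick
# delete by one actor; a failed attempt by a second actor; unrelated noise.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    _rec("2021-05-05T10:02:00Z", "DescribeNetworkInterfaces"),
    _rec("2021-05-05T10:10:00Z", "CreateTrafficMirrorTarget",
         responseElements={"trafficMirrorTarget": {"trafficMirrorTargetId": "tmt-0example1"}}),
    _rec("2021-05-05T10:12:00Z", "CreateTrafficMirrorSession",
         requestParameters={"networkInterfaceId": "eni-0example1", "trafficMirrorTargetId": "tmt-0example1",
                            "trafficMirrorFilterId": "tmf-0example1", "sessionNumber": 1},
         responseElements={"trafficMirrorSession": {"trafficMirrorSessionId": "tms-0example1"}}),
    _rec("2021-05-05T10:20:00Z", "DeleteTrafficMirrorSession",
         requestParameters={"trafficMirrorSessionId": "tms-0example1"}),
    _rec("2021-05-05T11:00:00Z", "CreateTrafficMirrorSession", user="analyst", key="AKIAEXAMPLE0000002",
         ip="198.51.100.9", errorCode="Client.UnauthorizedOperation",
         requestParameters={"networkInterfaceId": "eni-0example2"}),
    _rec("2021-05-05T10:15:00Z", "RunInstances", user="ci-bot", key="AKIAEXAMPLE0000003", ip="192.0.2.44"),
]


@dataclass
class Finding:
    created_at: str
    actor_arn: str | None
    session_id: str | None   # TrafficMirrorSessionId from responseElements
    source_eni: str | None   # NetworkInterfaceId (mirrored source)
    target_id: str | None    # TrafficMirrorTargetId
    filter_id: str | None    # TrafficMirrorFilterId
    session_number: int | None
    related: dict[str, list[dict[str, Any]]] = field(default_factory=dict)
    flags: list[str] = field(default_factory=list)


def _ts(ev: dict[str, Any]) -> datetime:
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _actor(ev: dict[str, Any]) -> tuple[str | None, str | None, str | None]:
    ident = ev.get("userIdentity") or {}
    return ident.get("arn"), ident.get("accessKeyId"), ev.get("sourceIPAddress")


def matches_rule(ev: dict[str, Any]) -> bool:
    """The rule's three conditions: EC2 provider, CreateTrafficMirrorSession, success.
    A record with no errorCode is treated as event.outcome: success (assumption)."""
    return (ev.get("eventSource") == "ec2.amazonaws.com"
            and ev.get("eventName") == "CreateTrafficMirrorSession"
            and "errorCode" not in ev)


def extract_session(ev: dict[str, Any]) -> Finding:
    """Pull the session details the rule note lists from request/response fields."""
    req = ev.get("requestParameters") or {}
    resp = (ev.get("responseElements") or {}).get("trafficMirrorSession") or {}
    return Finding(created_at=ev["eventTime"], actor_arn=_actor(ev)[0],
                   session_id=resp.get("trafficMirrorSessionId"),
                   source_eni=req.get("networkInterfaceId"),
                   target_id=req.get("trafficMirrorTargetId"),
                   filter_id=req.get("trafficMirrorFilterId"),
                   session_number=req.get("sessionNumber"))


def pivot_related(events, anchor, window=WINDOW):
    """Other calls within +/-window by the same ARN, access key or source IP,
    bucketed as the note suggests: mirror lifecycle, discovery, other."""
    arn, key, ip = _actor(anchor)
    t0 = _ts(anchor)
    buckets = {"mirror_lifecycle": [], "discovery": [], "other": []}
    for ev in events:
        if ev is anchor or abs(_ts(ev) - t0) > window:
            continue
        a_arn, a_key, a_ip = _actor(ev)
        if not ((arn and a_arn == arn) or (key and a_key == key) or (ip and a_ip == ip)):
            continue
        name = ev.get("eventName", "")
        if "TrafficMirror" in name and name.startswith(("Create", "Modify", "Delete")):
            buckets["mirror_lifecycle"].append(ev)
        elif name.startswith("Describe"):
            buckets["discovery"].append(ev)
        else:
            buckets["other"].append(ev)
    return buckets


def triage(events: list[dict[str, Any]]) -> list[Finding]:
    """Run the rule over a batch of records and enrich each hit with pivots and flags."""
    findings = []
    for ev in events:
        if not matches_rule(ev):
            continue
        f = extract_session(ev)
        f.related = pivot_related(events, ev)
        names = [r["eventName"] for r in f.related["mirror_lifecycle"]]
        if f.related["discovery"]:
            f.flags.append("discovery_calls_nearby")
        if any(n.startswith("CreateTrafficMirror") and n != "CreateTrafficMirrorSession" for n in names):
            f.flags.append("target_or_filter_staged_by_same_actor")
        if any(r["eventName"] == "DeleteTrafficMirrorSession"
               and (r.get("requestParameters") or {}).get("trafficMirrorSessionId") == f.session_id
               for r in f.related["mirror_lifecycle"]):
            f.flags.append("deleted_shortly_after_creation")
        findings.append(f)
    return findings
```

Running `triage(SAMPLE_EVENTS)` yields one finding (the failed attempt by the second actor is not a rule match), with the source ENI, target, filter and session ID filled from the record, the earlier `DescribeNetworkInterfaces` and `CreateTrafficMirrorTarget` calls and the later `DeleteTrafficMirrorSession` attached, and all three flags set; the delete flag is only raised when the deleted session ID equals the one just created, which is the test/probe pattern the note calls out.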

Author

Elastic, Austin Songer

Created

2021/05/05

Data Sources

AWS, Amazon Web Services, AWS EC2, filebeat-*, logs-aws.cloudtrail-*

Tags

Domain: Cloud; Data Source: AWS; Data Source: Amazon Web Services; Data Source: AWS EC2; Use Case: Network Security Monitoring; Tactic: Exfiltration; Tactic: Collection; Resources: Investigation Guide

Raw Content

[metadata]
creation_date = "2021/05/05"
integration = ["aws"]
maturity = "production"
updated_date = "2026/04/10"

[rule]
author = ["Elastic", "Austin Songer"]
description = """
Detects successful creation of an Amazon EC2 Traffic Mirroring session. A session copies full packets from a source
Elastic Network Interface (ENI) to a mirror target (e.g., an ENI or NLB) using a mirror filter (ingress/egress rules).
While used for diagnostics and NDR/IDS tooling, adversaries can abuse sessions to covertly capture and exfiltrate
sensitive, potentially unencrypted, traffic from instances or subnets.
"""
false_positives = [
    """
    Traffic Mirroring may be done by a system or network administrator. Verify whether the user identity, user agent,
    and/or hostname should be making changes in your environment. Traffic Mirroring from unfamiliar users or hosts
    should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS EC2 Full Network Packet Capture Detected"
note = """## Triage and analysis

### Investigating AWS EC2 Full Network Packet Capture Detected

This alert fires on a successful `CreateTrafficMirrorSession`, which enables full-packet Traffic Mirroring from a
source ENI to a mirror target under a given filter. Because sessions immediately begin sending packets once active,
treat unexpected creations as high priority.

#### Possible investigation steps

**Identify the actor and execution context**
- **Principal**: Review `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.type`, and
  `aws.cloudtrail.user_identity.access_key_id` to determine who created the session (human IAM user vs. assumed role vs. automation).
- **Caller metadata**: Check `user_agent.original`, and `source.ip` for unusual tools, hosts, or locations.
- **Account/Region/Time**: Validate `cloud.account.id`, `cloud.region`, and `@timestamp` against change windows or tickets.

**Extract the session details from the event**
- **Request parameters**: Parse `aws.cloudtrail.request_parameters` for:
  - `NetworkInterfaceId` (mirrored source ENI): map to the EC2 instance and its business function.
  - `TrafficMirrorTargetId`: identify where packets are being sent (ENI vs. NLB).
  - `TrafficMirrorFilterId`: check which directions and protocols are allowed (ingress/egress, ports).
  - `SessionNumber`, `Description`, `TagSpecifications`: look for operator tags or suspicious notes.
- **Response elements**: Use `aws.cloudtrail.response_elements` to confirm the created `TrafficMirrorSessionId` and
  any resolved resource ARNs/IDs.

**Pivot for related API calls to validate scope and intent**
Look before and after this event (±30–60 minutes) by the same principal / access key / source IP for:
- **Target & Filter lifecycle**: `CreateTrafficMirrorTarget`, `CreateTrafficMirrorFilter`, `CreateTrafficMirrorFilterRule`,
  `ModifyTrafficMirrorSession|Filter|FilterRule`, and `Delete*` calls (rapid create-modify patterns can indicate staging).
- **Session management**: `DeleteTrafficMirrorSession` shortly after creation (test/probe), or repeated creations to different targets.
- **Discovery/positioning**: `DescribeNetworkInterfaces`, `DescribeInstances`, `DescribeVpcs/Subnets/RouteTables` around the same time.
- **Cross-account indicators**: creation of targets that forward to infrastructure not owned by your account (e.g., NLB in shared services).
- **Other suspicious changes**: IAM permission changes, new access keys, or S3/SNS setup that could support exfil/ops.

**Validate the mirror destination and potential data exposure**
- If the target is an ENI: identify the owning instance/application; confirm it is an approved NDR/packet capture host.
- If the target is an NLB target: determine where the NLB sends traffic (could be a collection point in another VPC or account).
- Assess whether mirrored flows include plaintext protocols (internal HTTP, databases, LDAP, etc.) increasing sensitivity.

### False positive analysis

- **Authorized monitoring**: Approved NDR/IDS tooling or troubleshooting playbooks may legitimately create sessions.
- **Ops/diagnostics**: Short-lived sessions during incident handling or performance analysis.
- **Automation**: Infrastructure pipelines that stand up temporary mirroring for validation.

### Response and remediation

**Contain**
- If unauthorized, terminate the session immediately (use the `TrafficMirrorSessionId` from `aws.cloudtrail.response_elements`)
  and block creation permissions for the offending principal.
- Quarantine or restrict egress from the target if you suspect it is forwarding captured traffic outside approved destinations.

**Investigate**
- Enumerate all active sessions in the affected account/region; verify there aren’t additional rogue sessions.
- Review related target and filter resources (and recent `Modify*` calls) to understand captured scope and recipients.
- Trace the source ENI back to the EC2 instance and validate whether sensitive workloads were mirrored.

**Recover & harden**
- Remove or lock down unapproved targets/filters; enforce least privilege on `ec2:CreateTrafficMirrorSession/Target/Filter`.
- Consider SCPs or IAM conditions limiting who/where sessions can be created (e.g., only into designated monitoring VPCs).
- Ensure monitoring targets are controlled, logged, and not internet-reachable.

**Improve**
- Add correlation logic to automatically surface CreateTrafficMirrorSession alongside Create/Modify Target/Filter calls by the same actor.
- Require tags on approved mirroring resources; alert on untagged/unticketed creations.
- Update playbooks to include a standard validation checklist (principal, source ENI, target, filter rules, destination path).

"""
references = [
    "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TrafficMirrorSession.html",
    "https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/",
]
risk_score = 47
rule_id = "c1812764-0788-470f-8e74-eb4a14d47573"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS EC2",
    "Use Case: Network Security Monitoring",
    "Tactic: Exfiltration",
    "Tactic: Collection",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
data_stream.dataset: "aws.cloudtrail" and 
    event.provider: "ec2.amazonaws.com" and
    event.action: "CreateTrafficMirrorSession" and
    event.outcome: "success"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1020"
name = "Automated Exfiltration"
reference = "https://attack.mitre.org/techniques/T1020/"

[[rule.threat.technique]]
id = "T1537"
name = "Transfer Data to Cloud Account"
reference = "https://attack.mitre.org/techniques/T1537/"

[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1074"
name = "Data Staged"
reference = "https://attack.mitre.org/techniques/T1074/"

[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1040"
name = "Network Sniffing"
reference = "https://attack.mitre.org/techniques/T1040/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1040"
name = "Network Sniffing"
reference = "https://attack.mitre.org/techniques/T1040/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]