AN1132: Analytic 1132
Unauthorized mirroring sessions initiated on routers/switches (e.g., via `monitor session`, `mirror port`) coupled with outbound traffic from mirrored interface to unexpected destinations.
Analyst context for executives and security teams
This analytic matters because unauthorized port or traffic mirroring on routers and switches can turn core network infrastructure into a quiet visibility point for data exposure or surveillance. For leaders, the practical question is whether network-device configuration changes and mirrored-interface traffic are governed, logged, and reviewed well enough to distinguish approved monitoring from unauthorized capture or forwarding.
Executive priority
Prioritize this where network devices carry sensitive business, identity, administrative, or operational traffic. The decision value is control assurance: who can create mirroring sessions, how changes are approved, whether unexpected outbound destinations are investigated, and whether audit evidence exists for network monitoring configurations. This is relevant to incident response readiness, compliance evidence, and business continuity because misuse of infrastructure-level monitoring may bypass endpoint-focused controls.
Technical view
Validate coverage on network devices for two evidence paths: configuration changes that create or modify mirroring sessions, and traffic from mirrored interfaces to destinations that are not expected or approved. Because the ATT&CK object provides no tactic, relationship context, or official detection logic, SOC teams should treat this as a detection engineering requirement rather than a complete rule. Baseline authorized mirror sessions, approved collectors, and expected egress paths, then alert on new or changed sessions and mirrored traffic leaving to unrecognized destinations.
Likely telemetry
- Network device configuration change logs
- Router and switch administrative audit logs
- AAA authentication and authorization records for network-device changes
- Configuration snapshots or backups showing monitor session or mirror port settings
- Network flow records from mirrored interfaces or associated switch/router ports
Detection direction
- Build detections around unauthorized creation or modification of mirroring sessions on routers and switches.
- Compare observed mirror sessions against an approved inventory of monitoring tools, collectors, interfaces, and destinations.
- Tune for legitimate network operations, troubleshooting, lawful monitoring, and SOC packet-capture activity to reduce false positives.
- Correlate configuration changes with administrator identity, change ticket, time window, and outbound traffic to unexpected destinations.
- Review blind spots where network-device logs are not centralized, configuration backups are infrequent, or flow visibility does not include infrastructure ports.
Mitigation priorities
- Restrict network-device administrative privileges to authorized personnel and roles.
- Require change approval and documentation for all port or traffic mirroring sessions.
- Maintain an inventory of approved mirror sessions, collectors, and destinations.
- Centralize and retain network-device configuration and administrative logs for audit and incident response.
- Regularly review router and switch configurations for unauthorized monitor session or mirror port entries.
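The detection logic sketched under Technical view and Detection direction, together with the configuration review in the last mitigation item above, as an added example that is not part of the ATT&CK object or of this page's analysis. It assumes Cisco IOS `monitor session` syntax and the IOS `%PARSER-5-CFGLOG_LOGGEDCMD` configuration-logging message; the log lines, flow records and their field names, the approved inventory and the change ticket are all constructed for illustration. Because running-config snapshots use the same command grammar, the same parser replays a periodic config backup exactly as it replays live change logs, which covers both evidence paths with one piece of code.

```python
"""Added example (not from the ATT&CK object): turn the AN1132 analytic into
running detection logic. Cisco IOS "monitor session" syntax and the
%PARSER-5-CFGLOG_LOGGEDCMD config-logging message are assumed; all log lines,
flow records and the approved inventory below are constructed samples."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# IOS emits one CFGLOG_LOGGEDCMD message per configuration command when
# "archive / log config / logging enable" is set (format assumed from IOS docs).
CFGLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \d+: "
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.+)$")
# The same grammar appears in running-config snapshots, so one regex covers
# both evidence paths: live change logs and periodic config backups.
MONITOR_RE = re.compile(
    r"^monitor session (?P<sid>\d+) (?P<role>source|destination) (?P<spec>.+)$")

# Constructed sample log: an approved session 1, an unapproved session 7 created
# at night by a service account, and a later change to session 1's destination.
SAMPLE_CONFIG_LOG = """\
Jan 14 10:02:11 sw-core-01 123: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops logged command:monitor session 1 source interface Gi1/0/1
Jan 14 10:02:15 sw-core-01 124: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops logged command:monitor session 1 destination interface Gi1/0/24
Jan 14 23:41:03 sw-core-01 201: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup logged command:monitor session 7 source vlan 100
Jan 14 23:41:09 sw-core-01 202: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup logged command:monitor session 7 destination interface Gi1/0/48
Jan 14 23:50:30 sw-core-01 210: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup logged command:monitor session 1 destination interface Gi1/0/47
"""

# Constructed inventory: sessions change management says should exist, the
# interface they may copy to, and the collector addresses that may receive data.
APPROVED = {
    ("sw-core-01", "1"): {"destination": "interface Gi1/0/24",
                          "collectors": {"10.20.0.5"}, "ticket": "CHG-0001"},
}

# Constructed flow records; field names are assumptions, adapt them to your
# exporter. src_if is the switch port on which the flow was observed entering.
SAMPLE_FLOWS = [
    {"device": "sw-core-01", "src_if": "Gi1/0/24", "dst_ip": "10.20.0.5", "dst_port": 9995, "bytes": 52_000_000},
    {"device": "sw-core-01", "src_if": "Gi1/0/48", "dst_ip": "203.0.113.77", "dst_port": 443, "bytes": 9_200_000},
    {"device": "sw-core-01", "src_if": "Gi1/0/48", "dst_ip": "10.0.0.53", "dst_port": 53, "bytes": 400},
]

@dataclass
class MirrorSession:
    host: str
    sid: str
    sources: Set[str] = field(default_factory=set)
    destination: Optional[str] = None
    users: Set[str] = field(default_factory=set)
    last_seen: Optional[str] = None

Finding = Tuple[str, Tuple[str, str], str]

def parse_sessions(lines, default_host: str = "unknown") -> Dict[Tuple[str, str], MirrorSession]:
    """Replay config-log or running-config lines into the resulting mirror sessions."""
    sessions: Dict[Tuple[str, str], MirrorSession] = {}
    for raw in lines:
        host, user, ts, cmd = default_host, None, None, raw.strip()
        m = CFGLOG_RE.match(cmd)
        if m:
            host, user, ts, cmd = m["host"], m["user"], m["ts"], m["cmd"].strip()
        toks = cmd.split()
        if toks[:3] == ["no", "monitor", "session"] and len(toks) == 4:
            sessions.pop((host, toks[3]), None)  # whole session torn down
            continue
        mm = MONITOR_RE.match(cmd)
        if not mm:
            continue  # not a mirroring command
        s = sessions.setdefault((host, mm["sid"]), MirrorSession(host, mm["sid"]))
        if mm["role"] == "source":
            s.sources.add(mm["spec"])
        else:
            s.destination = mm["spec"]  # a later destination replaces the earlier one
        if user:
            s.users.add(user)
        if ts:
            s.last_seen = ts
    return sessions

def unauthorized_sessions(sessions, approved) -> List[Finding]:
    """Sessions absent from the inventory, or whose destination drifted from it."""
    out: List[Finding] = []
    for key, s in sessions.items():
        spec = approved.get(key)
        if spec is None:
            out.append(("UNAPPROVED_SESSION", key,
                        f"sources={sorted(s.sources)} dest={s.destination} by={sorted(s.users)} at={s.last_seen}"))
        elif s.destination != spec["destination"]:
            out.append(("DESTINATION_CHANGED", key,
                        f"{s.destination!r} != approved {spec['destination']!r} ({spec['ticket']})"))
    return out

def unexpected_egress(flows, sessions, approved, min_bytes: int = 1_000_000) -> List[Finding]:
    """Flows seen on a mirror destination port heading to an address that no
    approved collector uses. Small flows (DNS, keepalives) are ignored as noise."""
    collectors = {ip for spec in approved.values() for ip in spec["collectors"]}
    mirror_ports = {(s.host, s.destination.split()[-1]) for s in sessions.values()
                    if s.destination and s.destination.startswith("interface ")}
    out: List[Finding] = []
    for f in flows:
        port = (f["device"], f["src_if"])
        if port in mirror_ports and f["dst_ip"] not in collectors and f["bytes"] >= min_bytes:
            out.append(("UNEXPECTED_MIRROR_EGRESS", port, f"{f['bytes']} bytes to {f['dst_ip']}:{f['dst_port']}"))
    return out

def analyze(log_text: str, flows, approved=APPROVED) -> List[Finding]:
    """Both evidence paths of the analytic over one log excerpt and one flow batch."""
    sessions = parse_sessions(log_text.splitlines())
    return unauthorized_sessions(sessions, approved) + unexpected_egress(flows, sessions, approved)

if __name__ == "__main__":
    for kind, where, detail in analyze(SAMPLE_CONFIG_LOG, SAMPLE_FLOWS):
        print(f"{kind:25} {where[0]}/{where[1]:10} {detail}")
```

On the sample data this yields three findings: session 1's destination drifted from the approved interface, session 7 exists with no inventory entry, and the port session 7 copies to sent several megabytes to an address no approved collector uses. Two caveats when adapting it: other platforms spell the command differently (the analytic's own `mirror port` wording), so the grammar regex is the part to swap; and on Catalyst SPAN a destination port does not forward ingress frames unless configured with the `ingress` keyword, so the capture host's own egress may be observed on a different port or its management interface, and the flow match should be keyed on whichever interface your topology actually exposes.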
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for Network Devices, focused on unauthorized mirroring sessions and outbound traffic from mirrored interfaces to unexpected destinations. No tactics, relationships, aliases, labels, or official detection logic were supplied, so local baselines and approved network-monitoring architecture are essential for interpretation.
This take is limited to the supplied STIX fields and external reference. It does not establish adversary use, active exploitation, impact, attribution, or guaranteed detection coverage. Exact commands, log fields, and telemetry availability will vary by network-device platform and organizational logging configuration.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0e0b6f11260a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1132 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.