Detection: Cisco IOS XE Reconnaissance Command Activity
Description
This analytic detects bursts of Cisco IOS or NX-OS discovery commands associated with Salt Typhoon tradecraft.
Adversaries who gain initial access to network infrastructure devices typically perform systematic reconnaissance to understand the device configuration, network topology, security policies, connected systems, and potential attack paths.
This reconnaissance phase involves running multiple "show" commands to enumerate device details, the running configuration, active connections, routing information, and VPN sessions. The search groups such commands by device, user, and source address in five-minute bins and flags any bin in which four or more distinct reconnaissance command categories appear.
Search
`cisco_ios`
facility IN ("AAA", "HA_EM")
mnemonic IN ("AAA_ACCOUNTING_MESSAGE", "LOG")
message_text IN (
  "*show running-config*",
  "*show tacacs*",
  "*show cdp neighbors*",
  "*show file systems*",
  "*dir bootflash:*",
  "*show clock*",
  "*show platform software status control-processor brief*",
  "*terminal length 0*",
  "*terminal width 0*"
)
| rex field=message_text "^\w+:(?<aaa_src>[^:@]+)(?:@[^:]*)?:(?<aaa_user>[^:]*):(?<aaa_command>.*?)(?:\s+\((?<aaa_result>SUCCESS|FAILURE)\))?$"
| rex field=message_text "^(?:[^:]+:\s+)?(?:catchall:\s+)?(?<eem_command>.+?)\s*$"
| eval command=lower(trim(coalesce(aaa_command, eem_command, "")))
| eval command_type=case(
  like(command, "show running-config%"), "show_conf",
  like(command, "show tacacs%"), "show_tacacs",
  like(command, "show cdp neighbors detail%"), "show_cdp",
  like(command, "show cdp neighbors%"), "show_cdp",
  like(command, "show file systems%"), "show_file",
  like(command, "dir bootflash:%"), "dir_bootflash",
  like(command, "show clock%"), "show_clock",
  like(command, "show platform software status control-processor brief%"), "show_platform",
  like(command, "terminal length 0%"), "terminal",
  like(command, "terminal width 0%"), "terminal",
  true(), null())
| where isnotnull(command_type)
| eval user=coalesce(aaa_user, user, "unknown")
| eval src_ip=coalesce(aaa_src, src_ip, "unknown")
| eval dest=coalesce(host, dvc, dest, "unknown")
| bin _time span=5m
| stats count min(_time) as firstTime
  max(_time) as lastTime
  dc(command_type) as unique_recon_commands
  values(command_type) as command_types
  values(command) as commands
  by _time dest user src_ip
| where unique_recon_commands >= 4
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_ios_xe_reconnaissance_command_activity_filter`
Data Source
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| cisco_ios_xe_reconnaissance_command_activity_filter | search * |
cisco_ios_xe_reconnaissance_command_activity_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
| ID | Technique | Tactic |
|---|---|---|
| T1016 | System Network Configuration Discovery | Discovery |
| T1082 | System Information Discovery | Discovery |
| T1590 | Gather Victim Network Information | Reconnaissance |
Exploitation
Reconnaissance
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Finding (Notable) | No |
| Creates Intermediate Finding (Risk Event) | Yes |
Anomaly detections generate Intermediate Findings (Risk Events). They do not generate a Finding (Notable) directly.
Implementation
Use the Cisco Catalyst Add-on for Splunk (https://splunkbase.splunk.com/app/7538) to ingest Cisco IOS-XE syslog with sourcetype "cisco:ios".
On Nexus, local AAA accounting can emit "%AAA-6-AAA_ACCOUNTING_MESSAGE" events, from which the search extracts the source address, user, and command.
On Catalyst, use TACACS+ command accounting or an EEM catchall applet that logs executed commands to syslog (facility HA_EM, mnemonic LOG) for exec command visibility. The EEM message carries only the command, so user and src_ip fall back to "unknown" unless the add-on extracts them from another field.
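The search above and the two log paths described under Implementation can be checked offline before the detection is enabled. The following Python is an added example written for this page, not code from the Splunk detection or the Cisco add-on: it re-implements the SPL pipeline (the facility/mnemonic gate, the two rex extractions and their coalesce order, the case() classification, 5-minute binning, and the four-category threshold) and runs it over constructed events shaped like the extracted fields. The Nexus AAA accounting and Catalyst EEM catchall message bodies, the host names, the user and the address are all made up for the example; the regexes are the ones in the search, with Splunk's (?<name>) groups written in Python's (?P<name>) syntax.

```python
import re
from collections import defaultdict

# Added example for this page, not code from the Splunk detection or the Cisco
# add-on. Regexes are the search's own, in Python's (?P<name>) group syntax.
AAA_RE = re.compile(
    r"^\w+:(?P<aaa_src>[^:@]+)(?:@[^:]*)?:(?P<aaa_user>[^:]*):"
    r"(?P<aaa_command>.*?)(?:\s+\((?P<aaa_result>SUCCESS|FAILURE)\))?$"
)
EEM_RE = re.compile(r"^(?:[^:]+:\s+)?(?:catchall:\s+)?(?P<eem_command>.+?)\s*$")

# (prefix, command_type) pairs in the order the SPL case() tests them. Every
# wildcard in the search's message_text IN (...) filter is one of these prefixes,
# so prefix matching on the lowercased command subsumes that filter; the
# "show cdp neighbors" prefix also covers "show cdp neighbors detail".
COMMAND_TYPES = (
    ("show running-config", "show_conf"),
    ("show tacacs", "show_tacacs"),
    ("show cdp neighbors", "show_cdp"),
    ("show file systems", "show_file"),
    ("dir bootflash:", "dir_bootflash"),
    ("show clock", "show_clock"),
    ("show platform software status control-processor brief", "show_platform"),
    ("terminal length 0", "terminal"),
    ("terminal width 0", "terminal"),
)

def classify(command):
    """command_type as the SPL case() assigns it, or None for anything else."""
    return next((t for p, t in COMMAND_TYPES if command.startswith(p)), None)

def parse_event(event):
    """Facility/mnemonic gate, the two rex extractions and the coalesces.
    Returns (command, command_type, user, src_ip), or None if the search drops it."""
    if (event.get("facility") not in ("AAA", "HA_EM")
            or event.get("mnemonic") not in ("AAA_ACCOUNTING_MESSAGE", "LOG")):
        return None
    text = event.get("message_text", "")
    aaa, eem = AAA_RE.match(text), EEM_RE.match(text)
    if aaa:  # coalesce(aaa_command, eem_command): accounting wins when it parses
        raw, user, src_ip = aaa.group("aaa_command", "aaa_user", "aaa_src")
    elif eem:  # EEM catchall syslog names the command but no user or address
        raw, user, src_ip = eem.group("eem_command"), None, None
    else:
        return None
    command = raw.strip().lower()
    command_type = classify(command)
    if command_type is None:
        return None
    return (command, command_type,
            user or event.get("user") or "unknown",
            src_ip or event.get("src_ip") or "unknown")

def detect(events, span=300, threshold=4):
    """bin _time span=5m | stats ... by _time dest user src_ip | where dc >= threshold"""
    bins = defaultdict(lambda: {"count": 0, "types": set(), "commands": set(), "times": []})
    for ev in events:
        parsed = parse_event(ev)
        if parsed is None:
            continue
        command, command_type, user, src_ip = parsed
        dest = ev.get("host") or ev.get("dvc") or ev.get("dest") or "unknown"
        b = bins[(ev["_time"] - ev["_time"] % span, dest, user, src_ip)]
        b["count"] += 1
        b["types"].add(command_type)
        b["commands"].add(command)
        b["times"].append(ev["_time"])
    return [
        {"_time": t, "dest": dest, "user": user, "src_ip": src_ip, "count": b["count"],
         "unique_recon_commands": len(b["types"]), "command_types": sorted(b["types"]),
         "commands": sorted(b["commands"]), "firstTime": min(b["times"]),
         "lastTime": max(b["times"])}
        for (t, dest, user, src_ip), b in sorted(bins.items()) if len(b["types"]) >= threshold
    ]

# Constructed sample events (made-up hosts, user and address), shaped like the
# facility/mnemonic/message_text fields the add-on extracts from syslog.
def aaa_event(t, text):  # Nexus local AAA accounting message body
    return {"_time": t, "host": "nexus-core-1", "facility": "AAA",
            "mnemonic": "AAA_ACCOUNTING_MESSAGE",
            "message_text": f"update:10.1.1.50@pts/0:admin:{text}"}

def eem_event(t, text):  # Catalyst EEM catchall applet logging the CLI line
    return {"_time": t, "host": "cat9k-edge-1", "facility": "HA_EM",
            "mnemonic": "LOG", "message_text": f"catchall: {text}"}

T0 = 1_700_000_100  # on a 5-minute boundary, so the first bin starts here
SAMPLE_EVENTS = [
    aaa_event(T0 + 10, "terminal length 0 (SUCCESS)"),
    aaa_event(T0 + 25, "show clock (SUCCESS)"),
    aaa_event(T0 + 40, "show running-config (SUCCESS)"),
    aaa_event(T0 + 70, "show cdp neighbors detail (SUCCESS)"),
    aaa_event(T0 + 95, "show tacacs (FAILURE)"),
    aaa_event(T0 + 130, "dir bootflash: (SUCCESS)"),
    aaa_event(T0 + 140, "show interfaces status (SUCCESS)"),  # not a recon category
    eem_event(T0 + 50, "show clock"),                          # only two categories
    eem_event(T0 + 65, "show running-config"),
    aaa_event(T0 + 400, "show file systems (SUCCESS)"),        # falls in the next bin
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Running the file prints one finding: the Nexus burst, six commands in six distinct categories from admin at 10.1.1.50, while the Catalyst EEM events (two categories, and no user or source address because the catchall applet does not log them) and the command that lands in the next 5-minute bin stay below the threshold. Passing a lower `threshold` or adding prefixes to COMMAND_TYPES is the Python counterpart of the tuning the Known False Positives section recommends; the `show interfaces status` line shows that a command outside the category list never reaches the stats stage, whatever the threshold.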
Known False Positives
Network audits and troubleshooting can produce similar command bursts. Tune the command list, the threshold of four distinct categories per five-minute bin, and the set of approved administrators for the environment; the cisco_ios_xe_reconnaissance_command_activity_filter macro is the place to exclude known-good users or source addresses without editing the SPL.
Associated Analytic Story
| Message | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| User $user$ executed $unique_recon_commands$ Cisco reconnaissance command categories on $dest$. | dest | system | 20 |
Threat Objects
| Field | Type |
|---|---|
| commands | command |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | ctb:nexus:syslog | cisco:ios |
| Integration | ✅ Passing | Dataset | ctb:nexus:syslog | cisco:ios |
Replay any dataset into Splunk Enterprise by using our replay.py tool or the UI.
Alternatively, you can replay a dataset into a Splunk Attack Range.
Source: GitHub | Version: 1