Detection: Cisco IOS XE WebUI Login From IOSd Local Port

Description

This analytic detects Cisco IOS-XE WebUI authentication failure and success logs that include local port 21111. This is a strong indicator of WebUI exploitation because normal users should not authenticate through the underlying IOS-XE Linux shell path.

`cisco_ios`
facility="SEC_LOGIN"
mnemonic IN ("QUIET_MODE_ON", "LOGIN_SUCCESS", "LOGIN_FAILED")
message_text="*[localport: 21111]*"
| rex field=_raw "\[user:\s*(?<user>[^\]]+)\]"
| rex field=_raw "\[Source:\s*(?<src_ip>[^\]]+)\]"
| rex field=_raw "\[localport:\s*(?<local_port>[^\]]+)\]"
| rex field=_raw "\[Reason:\s*(?<reason>[^\]]+)\]"
| rex field=_raw "\[ACL:\s*(?<acl>[^\]]+)\]"
| eval dest=coalesce(host, dvc, dest, "unknown")
| stats count min(_time) as firstTime
              max(_time) as lastTime
              values(local_port) as local_port
              values(acl) as acl
  by dest user src_ip reason
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_ios_xe_webui_login_from_iosd_local_port_filter`
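The search above can be read as three stages: filter SEC_LOGIN events whose text carries local port 21111, extract the bracketed fields with rex, then aggregate by device, user, source address and reason. The following Python script is an added example (not part of the Splunk detection or the Cisco Catalyst Add-on) that runs the same logic over a handful of constructed IOS-XE syslog lines. The hostname, usernames, addresses and the assumed year 2024 are invented for the example; the line layout follows the SEC_LOGIN message format the rex patterns expect. The `drop_null_by_fields` switch mirrors a Splunk stats property worth knowing: an event whose "by" field is null is dropped from the aggregation.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines in the Cisco IOS-XE SEC_LOGIN layout
# (host, usernames and addresses are invented for this example).
SAMPLE_LOGS = [
    "<189>Jan 10 12:00:01 edge-rtr1: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 198.51.100.7] [localport: 443] at 12:00:01 UTC Wed Jan 10 2024",
    "<188>Jan 10 12:00:05 edge-rtr1: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: webadmin] [Source: 203.0.113.9] [localport: 21111] [Reason: Login Authentication Failed] at 12:00:05 UTC Wed Jan 10 2024",
    "<189>Jan 10 12:00:06 edge-rtr1: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: webadmin] [Source: 203.0.113.9] [localport: 21111] at 12:00:06 UTC Wed Jan 10 2024",
    "<188>Jan 10 12:00:09 edge-rtr1: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: netops] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 12:00:09 UTC Wed Jan 10 2024",
    "<185>Jan 10 12:01:00 edge-rtr1: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: webadmin] [Source: 203.0.113.9] [localport: 21111] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 12:01:00 UTC Wed Jan 10 2024",
]

# Syslog header: optional PRI, "Mon DD HH:MM:SS", host, then %FACILITY-SEV-MNEMONIC: text
HEADER_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>[^\s:]+):?\s+%(?P<facility>[A-Z_]+)-\d-(?P<mnemonic>[A-Z_]+):\s*(?P<text>.*)$"
)
# One pattern covering all five rex stages: [user: ..] [Source: ..] [localport: ..] [Reason: ..] [ACL: ..]
FIELD_RE = re.compile(r"\[(?P<key>[A-Za-z]+):\s*(?P<value>[^\]]+)\]")

MNEMONICS = {"QUIET_MODE_ON", "LOGIN_SUCCESS", "LOGIN_FAILED"}


def parse_event(line, year=2024):
    """Split one syslog line into the fields the search uses; year is assumed (syslog has none)."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {k.lower(): v.strip() for k, v in FIELD_RE.findall(m.group("text"))}
    return {
        "_time": datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S"),
        "dest": m.group("host") or "unknown",  # stands in for coalesce(host, dvc, dest, "unknown")
        "facility": m.group("facility"),
        "mnemonic": m.group("mnemonic"),
        "user": fields.get("user"),
        "src_ip": fields.get("source"),
        "local_port": fields.get("localport"),
        "reason": fields.get("reason"),
        "acl": fields.get("acl"),
    }


def detect(lines, local_port="21111", drop_null_by_fields=True, year=2024):
    """Filter, extract and aggregate exactly as the SPL does: stats count, min/max(_time),
    values(local_port), values(acl) by dest user src_ip reason."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                  "local_port": set(), "acl": set()})
    for line in lines:
        ev = parse_event(line, year)
        if ev is None or ev["facility"] != "SEC_LOGIN":
            continue
        if ev["mnemonic"] not in MNEMONICS or ev["local_port"] != local_port:
            continue
        key = (ev["dest"], ev["user"], ev["src_ip"], ev["reason"])
        # Splunk's stats drops an event whose "by" field is null; LOGIN_SUCCESS lines
        # carry no [Reason: ...], so they disappear from the result unless filled first.
        if drop_null_by_fields and any(v is None for v in key):
            continue
        g = groups[key]
        g["count"] += 1
        g["first"] = ev["_time"] if g["first"] is None else min(g["first"], ev["_time"])
        g["last"] = ev["_time"] if g["last"] is None else max(g["last"], ev["_time"])
        g["local_port"].add(ev["local_port"])
        if ev["acl"]:
            g["acl"].add(ev["acl"])
    rows = []
    for (dest, user, src_ip, reason), g in groups.items():
        rows.append({
            "dest": dest, "user": user, "src_ip": src_ip, "reason": reason,
            "count": g["count"],
            # same rendering as the security_content_ctime macro
            "firstTime": g["first"].strftime("%Y-%m-%dT%H:%M:%S"),
            "lastTime": g["last"].strftime("%Y-%m-%dT%H:%M:%S"),
            "local_port": sorted(g["local_port"]),
            "acl": sorted(g["acl"]),
        })
    return rows


if __name__ == "__main__":
    for row in detect(SAMPLE_LOGS):
        print(row)
    print("--- without dropping null reason ---")
    for row in detect(SAMPLE_LOGS, drop_null_by_fields=False):
        print(row)
```

Run as is, the script returns a single row for webadmin from 203.0.113.9 (the LOGIN_FAILED and QUIET_MODE_ON events, count 2, ACL sl_def_acl); the successful login on port 21111 only appears when `drop_null_by_fields=False`, which is the behaviour a `fillnull value="none" reason` before the stats would give in SPL. The two logins on ports 443 and 22 never pass the local-port filter, which is the whole point of the detection.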

Data Source

Name             Platform   Sourcetype    Source
Cisco IOS Logs   Other      'cisco:ios'   'cisco:ios'

Macros Used

Name                                                   Value
security_content_ctime                                 convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)
cisco_ios_xe_webui_login_from_iosd_local_port_filter   search *

cisco_ios_xe_webui_login_from_iosd_local_port_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting                                       Value
Disabled                                      true
Cron Schedule                                 0 * * * *
Earliest Time                                 -70m@m
Latest Time                                   -10m@m
Schedule Window                               auto
Creates Finding (Notable)                     Yes
Rule Title                                    %name%
Rule Description                              %description%
Notable Event Fields                          user, dest
Creates Intermediate Finding (Risk Event)     Yes
TTP detections generate a Finding (Notable) and may generate Intermediate Findings (Risk Events) for associated entities.

Implementation

Use the Cisco Catalyst Add-on for Splunk (https://splunkbase.splunk.com/app/7538) to ingest Cisco IOS-XE syslog with sourcetype "cisco:ios". Login failure logging must be enabled with "login on-failure log".

Known False Positives

This local port value should not appear for normal WebUI logins, so false positives should be very minimal.

Associated Analytic Story

Finding

Title                                                                   Entity Field   Entity Type   Risk Score
WebUI authentication failure with local port 21111 from $src_ip$.       user           user          50

Intermediate Findings

Message                                                                          Entity Field   Entity Type   Risk Score
WebUI authentication failure with local port 21111 from $src_ip$ on $dest$.      dest           system        50

Threat Objects

Field    Type
src_ip   ip_address

References

Detection Testing

Test Type     Status    Dataset   Source                Sourcetype
Validation    Passing   N/A       N/A                   N/A
Unit          Passing   Dataset   ctb:catalyst:syslog   cisco:ios
Integration   Passing   Dataset   ctb:catalyst:syslog   cisco:ios

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.


Source: GitHub | Version: 1