Detection: Cisco IOS XE VTY Access Class Tampering

Description

This analytic detects rapid modification of Cisco IOS-XE VTY access-class settings. Reporting on Salt Typhoon describes "configure http" activity followed by "line vty" changes and the removal and re-application of an access-class within 60 seconds. The search extracts the entered command from either the PARSER CFGLOG_LOGGEDCMD XML fields or the EEM HA_EM LOG message text, classifies it, and returns a result only when a "line vty", a "no access-class" and an "access-class" command all land in the same one-minute bucket for the same device. The http_config events are collected into event_types for context but are not required by the final where clause, and a sequence that straddles a minute boundary (a removal at :59 and a re-add at :01) falls into two buckets and is not matched.

Search

`cisco_ios`
facility IN ("HA_EM", "PARSER")
mnemonic IN ("LOG", "CFGLOG_LOGGEDCMD")
message_text IN (
    "*access-class*",
    "*configure http*",
    "*line vty*"
)
| rex field=message_text "^(?:[^:]+:\s+)?(?:catchall:\s+)?(?<eem_command>.+?)\s*$"
| rex field=message_text "<enteredCommand><cli>(?<parser_command>.*?)</cli>"
| rex field=message_text "<user>(?<parser_user>[^<]+)</user>"
| rex field=message_text "<srcIP>(?<parser_src_ip>[^<]+)</srcIP>"
| eval command=lower(trim(coalesce(parser_command, eem_command, "")))
| eval event_type=case(
    like(command, "configure http%") OR like(command, "ip http secure-server%"), "http_config",
    like(command, "line vty%"), "line_vty",
    like(command, "no access-class%"), "remove_access_class",
    like(command, "access-class%"), "add_access_class",
    true(), null())
| where isnotnull(event_type)
| eval user=coalesce(parser_user, user, "unknown")
| eval src_ip=coalesce(parser_src_ip, src_ip, "unknown")
| eval dest=coalesce(host, dvc, dest, "unknown")
| bin _time span=1m
| stats count min(_time) as firstTime
              max(_time) as lastTime
              values(event_type) as event_types
              values(user) as user
              values(src_ip) as src_ip
              values(command) as commands
  by _time dest
| where mvfind(event_types, "line_vty") >= 0
        AND mvfind(event_types, "remove_access_class") >= 0
        AND mvfind(event_types, "add_access_class") >= 0
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_ios_xe_vty_access_class_tampering_filter`
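The pipeline above, ported to stand-alone Python so it can be exercised without a Splunk instance. This is an added illustration and not part of the Splunk security content; it runs over constructed sample events whose shapes follow the rex patterns in the search (device names, user names, IPs and timestamps are made up), and it shows both a matching sequence and the same three commands split across a minute boundary, which the one-minute bucketing does not match.

```python
import re
from collections import defaultdict
from datetime import datetime

# Python ports of the SPL rex patterns; Splunk's PCRE (?<name>...) is (?P<name>...) here.
EEM_RE = re.compile(r"^(?:[^:]+:\s+)?(?:catchall:\s+)?(?P<eem_command>.+?)\s*$")
PARSER_CMD_RE = re.compile(r"<enteredCommand><cli>(?P<parser_command>.*?)</cli>")
PARSER_USER_RE = re.compile(r"<user>(?P<parser_user>[^<]+)</user>")
PARSER_SRC_RE = re.compile(r"<srcIP>(?P<parser_src_ip>[^<]+)</srcIP>")

FACILITIES = {"HA_EM", "PARSER"}
MNEMONICS = {"LOG", "CFGLOG_LOGGEDCMD"}
MESSAGE_SUBSTRINGS = ("access-class", "configure http", "line vty")  # the *...* terms of the base search
REQUIRED_TYPES = {"line_vty", "remove_access_class", "add_access_class"}  # the three mvfind() conditions


def classify(command):
    """Same branch order as the SPL case(): the first match wins."""
    if command.startswith("configure http") or command.startswith("ip http secure-server"):
        return "http_config"
    if command.startswith("line vty"):
        return "line_vty"
    if command.startswith("no access-class"):
        return "remove_access_class"
    if command.startswith("access-class"):
        return "add_access_class"
    return None


def extract(event):
    """Base-search filter plus the rex/eval stages. Returns None for events the SPL would drop."""
    if event["facility"] not in FACILITIES or event["mnemonic"] not in MNEMONICS:
        return None
    text = event["message_text"]
    if not any(s in text.lower() for s in MESSAGE_SUBSTRINGS):
        return None
    parser_cmd = PARSER_CMD_RE.search(text)
    eem = EEM_RE.search(text)
    # coalesce(parser_command, eem_command, ""): the structured PARSER form wins over the EEM form
    command = parser_cmd.group("parser_command") if parser_cmd else (eem.group("eem_command") if eem else "")
    command = command.strip().lower()
    event_type = classify(command)
    if event_type is None:
        return None
    user = PARSER_USER_RE.search(text)
    src = PARSER_SRC_RE.search(text)
    return {
        "_time": datetime.fromisoformat(event["_time"]),
        "dest": event["dest"],
        "event_type": event_type,
        "user": user.group("parser_user") if user else event.get("user", "unknown"),
        "src_ip": src.group("parser_src_ip") if src else event.get("src_ip", "unknown"),
        "command": command,
    }


def run_detection(events):
    """bin _time span=1m | stats ... by _time dest | where all three event types are present."""
    buckets = defaultdict(list)
    for raw in events:
        row = extract(raw)
        if row is not None:
            minute = row["_time"].replace(second=0, microsecond=0)
            buckets[(minute, row["dest"])].append(row)
    findings = []
    for (minute, dest), rows in sorted(buckets.items()):
        event_types = {r["event_type"] for r in rows}
        if not REQUIRED_TYPES <= event_types:
            continue
        findings.append({
            "time_bucket": minute.isoformat(),
            "dest": dest,
            "count": len(rows),
            "firstTime": min(r["_time"] for r in rows).isoformat(),
            "lastTime": max(r["_time"] for r in rows).isoformat(),
            "event_types": sorted(event_types),
            "user": sorted({r["user"] for r in rows}),
            "src_ip": sorted({r["src_ip"] for r in rows}),
            "commands": sorted({r["command"] for r in rows}),
        })
    return findings


def _parser_event(ts, dest, user, src_ip, cli):
    """Constructed PARSER/CFGLOG_LOGGEDCMD event in the XML shape the rex patterns expect."""
    return {"_time": ts, "dest": dest, "facility": "PARSER", "mnemonic": "CFGLOG_LOGGEDCMD",
            "message_text": f"<user>{user}</user><srcIP>{src_ip}</srcIP>"
                            f"<enteredCommand><cli>{cli}</cli></enteredCommand>"}


# Constructed sample events; not real device output.
SAMPLE_EVENTS = [
    {"_time": "2025-01-15T10:04:02", "dest": "rtr-edge-01", "facility": "HA_EM", "mnemonic": "LOG",
     "message_text": "%HA_EM-6-LOG: catchall: configure http"},
    _parser_event("2025-01-15T10:04:05", "rtr-edge-01", "svc_backup", "198.51.100.23", "line vty 0 4"),
    _parser_event("2025-01-15T10:04:06", "rtr-edge-01", "svc_backup", "198.51.100.23", "no access-class 10 in"),
    _parser_event("2025-01-15T10:04:40", "rtr-edge-01", "svc_backup", "198.51.100.23", "access-class 10 in"),
    # Same three commands on another device, but the re-add lands in the next clock minute: not matched.
    _parser_event("2025-01-15T10:09:58", "rtr-core-02", "netops", "10.10.0.9", "line vty 0 4"),
    _parser_event("2025-01-15T10:09:59", "rtr-core-02", "netops", "10.10.0.9", "no access-class 10 in"),
    _parser_event("2025-01-15T10:10:03", "rtr-core-02", "netops", "10.10.0.9", "access-class 10 in"),
    # Dropped by the facility/mnemonic filter even though it mentions a vty line.
    {"_time": "2025-01-15T10:04:41", "dest": "rtr-edge-01", "facility": "SYS", "mnemonic": "CONFIG_I",
     "message_text": "Configured from console by svc_backup on vty0 (198.51.100.23)"},
]

if __name__ == "__main__":
    for finding in run_detection(SAMPLE_EVENTS):
        print(finding)
```

The wildcard terms of the base search are approximated by a case-insensitive substring check, and values() is approximated by a sorted set; both are simplifications of Splunk's behaviour, not exact replicas. Running the block prints one finding for rtr-edge-01 and none for rtr-core-02.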

Data Source

Name              Platform   Sourcetype   Source
Cisco IOS Logs    Other      cisco:ios    cisco:ios

Macros Used

Name                                           Value
security_content_ctime                         convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)
cisco_ios_xe_vty_access_class_tampering_filter search *

cisco_ios_xe_vty_access_class_tampering_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

MITRE ATT&CK
ID      Technique          Tactic
T1021   Remote Services    Lateral Movement
T1562   Impair Defenses    Defense Evasion

Kill Chain Phases: Exploitation
NIST: DE.AE
CIS: CIS 13
Threat Actors

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting                                      Value
Disabled                                     true
Cron Schedule                                0 * * * *
Earliest Time                                -70m@m
Latest Time                                  -10m@m
Schedule Window                              auto
Creates Finding (Notable)                    No
Creates Intermediate Finding (Risk Event)    Yes
Anomaly detections generate Intermediate Findings (Risk Events). They do not generate a Finding (Notable) directly.

Implementation

Use the Cisco Catalyst Add-on for Splunk (https://splunkbase.splunk.com/app/7538) to ingest Cisco IOS-XE syslog with sourcetype cisco:ios, and enable configuration-change logging to syslog on the devices (the archive / log config / logging enable / notify syslog feature), which produces the PARSER CFGLOG_LOGGEDCMD messages the search parses. The HA_EM LOG branch expects an EEM applet that writes entered CLI commands to syslog; the rex pattern tolerates an applet-name prefix such as "catchall:". Confirm that the user and srcIP fields are populated in your events, since otherwise the finding falls back to "unknown" for the actor and source address.

Known False Positives

VTY access-class changes also occur during legitimate management-access updates, for example when an administrator rewrites the management ACL and re-applies it to the vty lines in a single session. Filter approved maintenance windows and known administrator accounts and source addresses (the user and src_ip fields) through the cisco_ios_xe_vty_access_class_tampering_filter macro rather than by editing the SPL.

Associated Analytic Story

Intermediate Findings

Message                                                                                 Entity Field   Entity Type   Risk Score
Cisco IOS-XE VTY access-class settings were removed and reapplied on $dest$ by $user$.   dest           system        20

Threat Objects

Field       Type
commands    command

References

Detection Testing

Test Type     Status    Dataset   Source                 Sourcetype
Validation    Passing   N/A       N/A                    N/A
Unit          Passing   Dataset   ctb:catalyst:syslog    cisco:ios
Integration   Passing   Dataset   ctb:catalyst:syslog    cisco:ios

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.


Source: GitHub | Version: 1