| ID | Technique | Tactic |
|---|---|---|
| T1059 | Command and Scripting Interpreter | Execution |
| T1190 | Exploit Public-Facing Application | Initial Access |
Detection: Cisco IOS XE Request Platform Package Describe Shell Pattern
Description
This analytic detects Cisco IOS-XE "request platform software package describe" commands containing suspicious shell-style filename patterns. Indicative of Slat Typhoon tradecraft.
Search
1`cisco_ios`
2facility IN ("AAA", "HA_EM")
3mnemonic IN ("AAA_ACCOUNTING_MESSAGE", "LOG")
4message_text="*request platform software package describe*"
5message_text IN ("*--filename=/(bash)n*", "*--filename=$(bash)n*")
6
7
8| eval dest=coalesce(host, dvc, dest, "unknown")
9
10| stats count min(_time) as firstTime
11 max(_time) as lastTime
12 values(message_text) as message
13 by dest
14
15| `security_content_ctime(firstTime)`
16
17| `security_content_ctime(lastTime)`
18
19| `cisco_ios_xe_request_platform_package_describe_shell_pattern_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Cisco IOS Logs | Other | 'cisco:ios' |
'cisco:ios' |
Macros Used
| Name | Value |
|---|---|
| cisco_ios | sourcetype=cisco:ios |
| cisco_ios_xe_request_platform_package_describe_shell_pattern_filter | search * |
cisco_ios_xe_request_platform_package_describe_shell_pattern_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Installation
Delivery
DE.CM
CIS 13
APT28
APT29
APT32
APT37
APT39
APT41
APT5
Agrius
Axiom
BackdoorDiplomacy
BlackByte
BlackTech
Blue Mockingbird
Cinnamon Tempest
Dragonfly
Earth Lusca
Ember Bear
FIN13
FIN5
FIN6
FIN7
Fox Kitten
GALLIUM
GOLD SOUTHFIELD
HAFNIUM
INC Ransom
Ke3chang
Kimsuky
Leviathan
Magic Hound
Medusa Group
MirrorFace
Moses Staff
MuddyWater
Mustang Panda
OilRig
Play
Rocke
Saint Bear
Salt Typhoon
Sandworm Team
Scattered Spider
Sea Turtle
Stealth Falcon
Storm-0501
Threat Group-3390
ToddyCat
UNC3886
VOID MANTICORE
Volatile Cedar
Volt Typhoon
Whitefly
Windigo
Winter Vivern
menuPass
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Finding (Notable) | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Intermediate Finding (Risk Event) | No |
TTP detections generate a Finding (Notable) and may generate Intermediate Findings (Risk Events) for associated entities.
Implementation
Use the Cisco Catalyst Add-on for Splunk (https://splunkbase.splunk.com/app/7538) to Ingest Cisco IOS-XE syslog with sourcetype "cisco:ios". Command visibility requires AAA command accounting or EEM catchall command logging.
Known False Positives
No false positives have been identified at this time.
Associated Analytic Story
Finding
| Title | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| Suspicious request platform package describe command was issued on $dest$. | dest | system | 50 |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | ctb:catalyst:syslog |
cisco:ios |
| Integration | ✅ Passing | Dataset | ctb:catalyst:syslog |
cisco:ios |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1