Detection: Cisco IOS XE Guestshell Activation and Destroy

Description

This analytic detects a Cisco IOS-XE guestshell being enabled and then destroyed on the same device within the same 30-minute window, by correlating the command, activation and destroy lifecycle logs. The detection focuses on HA_EM command logging for "guestshell enable" and "guestshell destroy", VMAN activation and destroy messages, and IM/IOX guestshell activation logs observed on some IOS-XE images.

`cisco_ios`
facility IN ("HA_EM", "VMAN", "IM", "AAA")
mnemonic IN ("LOG", "ACTIVATION_STATE", "IOX_INST_INFO", "INSTALL_STATE", "AAA_ACCOUNTING_MESSAGE")
message_text IN (
    "*guestshell enable*",
    "*guestshell destroy*",
    "*Successfully activated virtual service 'guestshell*",
    "*IOX SERVICE guestshell*",
    "*Destroying virtual service 'guestshell*",
    "*Successfully destroyed virtual service 'guestshell*"
)
| eval dest=coalesce(host, dvc, dest, "unknown")
| eval event_type=case(
    like(message_text, "%guestshell enable%"), "guestshell_enable_command",
    like(message_text, "%guestshell destroy%"), "guestshell_destroy_command",
    like(message_text, "%Successfully activated virtual service 'guestshell%"), "vman_guestshell_activated",
    like(message_text, "%IOX SERVICE guestshell%"), "im_iox_guestshell_activated",
    like(message_text, "%Destroying virtual service 'guestshell%"), "vman_guestshell_destroying",
    like(message_text, "%Successfully destroyed virtual service 'guestshell%"), "vman_guestshell_destroyed",
    true(), "other"
)
| bin _time span=30m
| stats count min(_time) as firstTime
              max(_time) as lastTime
              values(event_type) as event_types
              values(message_text) as message
  by _time dest
| where
    (
        mvfind(event_types, "vman_guestshell_activated") >= 0
        OR mvfind(event_types, "im_iox_guestshell_activated") >= 0
        OR mvfind(event_types, "guestshell_enable_command") >= 0
    )
    AND
    (
        mvfind(event_types, "vman_guestshell_destroying") >= 0
        OR mvfind(event_types, "vman_guestshell_destroyed") >= 0
        OR mvfind(event_types, "guestshell_destroy_command") >= 0
    )
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_ios_xe_guestshell_activation_and_destroy_filter`
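The search above is easiest to reason about when its stages are run by hand over a handful of log lines. The following Python is an added example, not code from the Splunk security content project: it re-implements the facility/mnemonic filter, the eval case() classification, the 30-minute bin, the stats-by-window-and-dest aggregation and the where clause over constructed sample syslog lines. The line format ("<ISO timestamp> <hostname> %FACILITY-SEV-MNEMONIC: text"), the hostnames and the message bodies are assumptions made for the example; the syslog host is used as dest because the sample lines carry no dvc or dest field.

```python
import re
from datetime import datetime, timezone

# Constructed sample syslog lines (not from the original page). The line format
# assumed here is "<ISO-8601 UTC timestamp> <hostname> %FACILITY-SEV-MNEMONIC: text";
# hostnames, timestamps and message bodies are made up for the example.
SAMPLE_LOGS = """\
2024-03-12T10:01:05Z cat9k-edge-1 %HA_EM-6-LOG: catchall: guestshell enable
2024-03-12T10:01:40Z cat9k-edge-1 %VMAN-5-ACTIVATION_STATE: R0/0: vman: Successfully activated virtual service 'guestshell'
2024-03-12T10:05:00Z cat9k-edge-1 %SYS-5-CONFIG_I: Configured from console by admin on vty0
2024-03-12T10:09:12Z cat9k-edge-1 %HA_EM-6-LOG: catchall: guestshell destroy
2024-03-12T10:09:13Z cat9k-edge-1 %VMAN-5-ACTIVATION_STATE: R0/0: vman: Destroying virtual service 'guestshell'
2024-03-12T10:09:20Z cat9k-edge-1 %VMAN-5-ACTIVATION_STATE: R0/0: vman: Successfully destroyed virtual service 'guestshell'
2024-03-12T10:03:00Z cat9k-core-2 %HA_EM-6-LOG: catchall: guestshell enable
2024-03-12T10:03:30Z cat9k-core-2 %IM-6-IOX_INST_INFO: R0/0: ioxman: IOX SERVICE guestshell LOG: Started
2024-03-12T10:29:00Z cat9k-lab-3 %HA_EM-6-LOG: catchall: guestshell enable
2024-03-12T10:31:00Z cat9k-lab-3 %HA_EM-6-LOG: catchall: guestshell destroy
"""

# Same facility / mnemonic allow-lists as the search.
FACILITIES = {"HA_EM", "VMAN", "IM", "AAA"}
MNEMONICS = {"LOG", "ACTIVATION_STATE", "IOX_INST_INFO", "INSTALL_STATE", "AAA_ACCOUNTING_MESSAGE"}

# Ordered like the eval case(): the first matching substring wins.
EVENT_TYPES = [
    ("guestshell enable", "guestshell_enable_command"),
    ("guestshell destroy", "guestshell_destroy_command"),
    ("Successfully activated virtual service 'guestshell", "vman_guestshell_activated"),
    ("IOX SERVICE guestshell", "im_iox_guestshell_activated"),
    ("Destroying virtual service 'guestshell", "vman_guestshell_destroying"),
    ("Successfully destroyed virtual service 'guestshell", "vman_guestshell_destroyed"),
]
ACTIVATION = {"guestshell_enable_command", "vman_guestshell_activated", "im_iox_guestshell_activated"}
DESTRUCTION = {"guestshell_destroy_command", "vman_guestshell_destroying", "vman_guestshell_destroyed"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+%(?P<facility>[A-Z_]+)-\d-(?P<mnemonic>[A-Z_]+):\s*(?P<text>.*)$"
)


def parse_line(line):
    """Split one syslog line into the fields the search uses, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # The search does coalesce(host, dvc, dest, "unknown"); the sample format only carries host.
    return {"_time": ts, "dest": m["host"], "facility": m["facility"],
            "mnemonic": m["mnemonic"], "message_text": m["text"]}


def classify(message_text):
    """Equivalent of the eval case(): map a message to its lifecycle event_type."""
    for needle, label in EVENT_TYPES:
        if needle in message_text:
            return label
    return "other"


def bin_time(ts, span_minutes):
    """Equivalent of bin _time span=<N>m: floor the epoch time to a fixed-width window."""
    span = span_minutes * 60
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % span, tz=timezone.utc)


def detect(log_text, span_minutes=30):
    """Run the whole search over raw log text; return one finding per (window, dest)
    that saw at least one activation-side and one destruction-side event."""
    buckets = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["facility"] not in FACILITIES or ev["mnemonic"] not in MNEMONICS:
            continue
        event_type = classify(ev["message_text"])
        if event_type == "other":
            continue  # the message_text IN (...) filter drops everything else before the eval
        key = (bin_time(ev["_time"], span_minutes), ev["dest"])
        b = buckets.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"],
                                     "event_types": set(), "message": set()})
        b["count"] += 1
        b["firstTime"] = min(b["firstTime"], ev["_time"])
        b["lastTime"] = max(b["lastTime"], ev["_time"])
        b["event_types"].add(event_type)
        b["message"].add(ev["message_text"])

    findings = []
    for (window, dest), b in sorted(buckets.items()):
        # The where clause: something on the activation side AND something on the destroy side.
        if b["event_types"] & ACTIVATION and b["event_types"] & DESTRUCTION:
            findings.append({"window": window, "dest": dest, **b})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f["dest"], f["firstTime"].isoformat(), f["lastTime"].isoformat(), sorted(f["event_types"]))
```

Running it yields a single finding for cat9k-edge-1 (five matching events, firstTime 10:01:05, lastTime 10:09:20); cat9k-core-2 only activated the shell, so it never satisfies the destroy side. The cat9k-lab-3 lines show a property of bin _time worth knowing when tuning: windows are aligned to fixed 30-minute boundaries rather than sliding, so an enable at 10:29 and a destroy at 10:31 land in different buckets and produce no finding, while running detect() with span_minutes=60 makes that pair fire. Widening the span (or correlating with transaction/streamstats instead of bin) closes that gap at the cost of more benign pairs in the same window.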

Data Source

Name             Platform   Sourcetype   Source
Cisco IOS Logs   Other      cisco:ios    cisco:ios

Macros Used

Name                                                    Value
security_content_ctime                                  convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)
cisco_ios_xe_guestshell_activation_and_destroy_filter   search *

cisco_ios_xe_guestshell_activation_and_destroy_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

MITRE ATT&CK
ID      Technique                            Tactic
T1059   Command and Scripting Interpreter    Execution
T1611   Escape to Host                       Privilege Escalation

Kill Chain Phases: Exploitation, Installation
NIST: DE.AE
CIS: CIS 13
Threat Actors: (none listed)

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting                                       Value
Disabled                                      true
Cron Schedule                                 0 * * * *
Earliest Time                                 -70m@m
Latest Time                                   -10m@m
Schedule Window                               auto
Creates Finding (Notable)                     No
Creates Intermediate Finding (Risk Event)     Yes
Anomaly detections generate Intermediate Findings (Risk Events). They do not generate a Finding (Notable) directly.

Implementation

Use the Cisco Catalyst Add-on for Splunk (https://splunkbase.splunk.com/app/7538) to ingest Cisco IOS-XE syslog with sourcetype "cisco:ios". Enable EEM catchall command logging to capture the "guestshell enable" and "guestshell destroy" commands as HA_EM/LOG events.

Known False Positives

No false positives have been identified at this time.

Associated Analytic Story

Intermediate Findings

Message                                                                                          Entity Field   Entity Type   Risk Score
Cisco IOS-XE device $dest$ had guestshell enabled and destroyed within a short period.           dest           system        20

References

Detection Testing

Test Type     Status    Dataset   Source                 Sourcetype
Validation    Passing   N/A       N/A                    N/A
Unit          Passing   Dataset   ctb:catalyst:syslog    cisco:ios
Integration   Passing   Dataset   ctb:catalyst:syslog    cisco:ios

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.


Source: GitHub | Version: 1