| ID | Technique | Tactic |
|---|---|---|
| T1567 | Exfiltration Over Web Service | Exfiltration |
| T1005 | Data from Local System | Collection |
Detection: Cisco TFTP Server Configuration for Data Exfiltration
Description
This analytic detects the configuration of TFTP services on Cisco IOS devices that could be used to exfiltrate sensitive configuration files. Threat actors like Static Tundra have been observed configuring TFTP servers to make device configuration files accessible for exfiltration after gaining initial access. The detection specifically looks for commands that expose critical configuration files such as startup-config, running-config, and other sensitive system information through TFTP. This activity is particularly concerning as it may represent an attempt to steal credentials, network topology information, and other sensitive data stored in device configurations.
Search
1
2| tstats `security_content_summariesonly` count values(All_Changes.command) as command min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where (All_Changes.command="*tftp-server*") AND ( All_Changes.command="*nvram:startup-config*" OR All_Changes.command="*bootflash:running-config*" OR All_Changes.command="*system:running-config*" OR All_Changes.command="*bootflash:info*" OR All_Changes.command="*startup-config*" OR All_Changes.command="*running-config*" ) by All_Changes.dvc All_Changes.user
3| `drop_dm_object_name("All_Changes")`
4| rename dvc as dest
5| `security_content_ctime(firstTime)`
6| `security_content_ctime(lastTime)`
7| `cisco_tftp_server_configuration_for_data_exfiltration_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Cisco IOS Logs | N/A | 'cisco:ios' |
'cisco:ios' |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| cisco_tftp_server_configuration_for_data_exfiltration_filter | search * |
cisco_tftp_server_configuration_for_data_exfiltration_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Actions on Objectives
Exploitation
DE.CM
CIS 13
APT28
APT29
APT3
APT37
APT38
APT39
APT41
Agrius
Andariel
Aquatic Panda
Axiom
BRONZE BUTLER
BlackByte
CURIUM
Dark Caracal
Dragonfly
Ember Bear
FIN13
FIN6
FIN7
Fox Kitten
GALLIUM
Gamaredon Group
HAFNIUM
Inception
Ke3chang
Kimsuky
LAPSUS$
Lazarus Group
LuminousMoth
Magic Hound
OilRig
Patchwork
RedCurl
Sandworm Team
Stealth Falcon
Threat Group-3390
ToddyCat
Turla
Volt Typhoon
Windigo
Wizard Spider
menuPass
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Notable | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Risk Event | True |
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.
Implementation
To implement this search, you need to be ingesting Cisco IOS logs with the sourcetype "cisco:ios" and have these logs mapped to the Change datamodel. Ensure that your Cisco IOS devices are configured to send logs to your Splunk environment, with appropriate logging levels enabled to capture command logging events (PARSER-5-CFGLOG_LOGGEDCMD). Configure command logging on Cisco IOS devices using the "archive log config logging enable" command.
Known False Positives
Legitimate TFTP server configurations may be detected by this analytic during authorized backup operations or device maintenance. Network administrators sometimes use TFTP for legitimate configuration backups, firmware updates, or during troubleshooting. To reduce false positives, consider implementing a baseline of expected administrative activities, including approved administrative usernames and scheduled maintenance windows.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
Suspicious TFTP server configuration detected on Cisco device $dest$ by user $user$, potentially exposing sensitive configuration files
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| dest | system | 60 | command |
| user | user | 40 | command |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | cisco:ios |
cisco:ios |
| Integration | ✅ Passing | Dataset | cisco:ios |
cisco:ios |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1