Detection: Cisco Network Interface Modifications

Description

This analytic detects the creation or modification of network interfaces on Cisco devices, which could indicate an attacker establishing persistence or preparing for lateral movement. After gaining initial access to network devices, threat actors like Static Tundra often create new interfaces (particularly loopback interfaces) to establish covert communication channels or maintain persistence. This detection specifically looks for the configuration of new interfaces, interface state changes, and the assignment of IP addresses to interfaces. These activities are particularly concerning when they involve unusual interface names or descriptions containing suspicious terms.

Search

1
2| tstats `security_content_summariesonly` count values(All_Changes.command) as command min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where ( (All_Changes.command="*interface*") OR (All_Changes.command="*LINEPROTO-5-UPDOWN*") OR (All_Changes.command="*ip address*") ) by All_Changes.dvc All_Changes.user 
3| `drop_dm_object_name("All_Changes")` 
4| rename dvc as dest 
5| `security_content_ctime(firstTime)` 
6| `security_content_ctime(lastTime)` 
7| `cisco_network_interface_modifications_filter`

Data Source

Macros Used

Annotations

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Implementation

To implement this search, you need to be ingesting Cisco IOS logs with the sourcetype "cisco:ios" and have these logs mapped to the Change datamodel. Ensure that your Cisco IOS devices are configured to send logs to your Splunk environment, with appropriate logging levels enabled to capture interface configuration changes and line protocol state changes. Configure command logging on Cisco IOS devices using the "archive log config logging enable" command and ensure that syslog is properly configured to capture LINEPROTO-5-UPDOWN messages.

Known False Positives

Legitimate network interface configuration changes may trigger this detection during routine network maintenance or initial device setup. Network administrators often need to create or modify interfaces as part of normal operations. To reduce false positives, consider implementing a baseline of expected administrative activities, including approved administrative usernames, typical times for interface configuration changes, and scheduled maintenance windows. You may also want to create a lookup table of approved interface naming conventions and filter out alerts for standard interface configurations.

Associated Analytic Story

• Cisco Smart Install Remote Code Execution CVE-2018-0171

Risk Based Analytics (RBA)

Risk Message:

Suspicious network interface modifications detected on Cisco device $dest$ by user $user$, which may indicate persistence establishment

References

• https://blog.talosintelligence.com/static-tundra/

• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2

• https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/interface/command/ir-cr-book/ir-i1.html#wp1389942834

Detection Testing

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 1