ID | Technique | Tactic |
---|---|---|
T1136 | Create Account | Persistence |
T1078 | Valid Accounts | Defense Evasion |
Detection: Cisco IOS Suspicious Privileged Account Creation
Description
This analytic detects the creation of privileged user accounts on Cisco IOS devices, which could indicate an attacker establishing backdoor access. The detection focuses on identifying when user accounts are created with privilege level 15 (the highest administrative privilege level in Cisco IOS) or when existing accounts have their privileges elevated. This type of activity is particularly concerning when performed by unauthorized users or during unusual hours, as it may represent a key step in establishing persistence following the exploitation of vulnerabilities like CVE-2018-0171 in Cisco Smart Install. Threat actors like Static Tundra have been observed creating privileged accounts as part of their attack chain after gaining initial access to network devices.
Search

```
| tstats `security_content_summariesonly` count values(All_Changes.command) as command min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where ( (All_Changes.command="*username * privilege 15*") OR (All_Changes.command="*username * password*" AND All_Changes.command="*USER TABLE MODIFIED*") OR (All_Changes.command="*USER_PRIVILEGE_UPDATE*priv-15*") ) by All_Changes.dvc All_Changes.user
| `drop_dm_object_name("All_Changes")`
| rename dvc as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_ios_suspicious_privileged_account_creation_filter`
```
Data Source
Name | Platform | Sourcetype | Source |
---|---|---|---|
Cisco IOS Logs | N/A | 'cisco:ios' | 'cisco:ios' |
Macros Used
Name | Value |
---|---|
security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
cisco_ios_suspicious_privileged_account_creation_filter | search * |
cisco_ios_suspicious_privileged_account_creation_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
Setting | Value |
---|---|
Disabled | true |
Cron Schedule | 0 * * * * |
Earliest Time | -70m@m |
Latest Time | -10m@m |
Schedule Window | auto |
Creates Risk Event | True |
Implementation
To implement this search, you need to be ingesting Cisco IOS logs with the sourcetype "cisco:ios" and have these logs mapped to the Change datamodel, with AAA accounting and command logging enabled on your Cisco devices.
Known False Positives
Legitimate account creation and privilege elevation activities by authorized administrators will generate alerts with this detection. To reduce false positives, consider implementing a baseline of expected administrative activities, including approved administrative usernames, typical times for account management, and authorized administrators who regularly perform these actions. You may also want to create a lookup table of approved administrative accounts and filter out alerts for these accounts. Additionally, scheduled maintenance windows should be taken into account when evaluating alerts.
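The three match clauses of the search above, the `by dvc, user` aggregation, and the approved-administrator lookup filter suggested in this section, as an added Python example (not code from the page or from Splunk) run over constructed sample lines. The `<time> <device> User:<user> command:<command>` layout, the device addresses and the usernames are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines, loosely modelled on Cisco IOS command logging.
# All values are invented for this example; none come from the page or a real device.
SAMPLE_LOGS = [
    "2024-05-01T02:13:44 10.0.0.1 User:svc_deploy command:username backup privilege 15 secret 0 REDACTED",
    "2024-05-01T02:14:02 10.0.0.1 User:svc_deploy command:username backup password 7 REDACTED USER TABLE MODIFIED",
    "2024-05-01T09:00:10 10.0.0.2 User:netops command:USER_PRIVILEGE_UPDATE user ops1 priv-15",
    "2024-05-01T09:05:00 10.0.0.2 User:netops command:interface GigabitEthernet0/1",
    "2024-05-01T09:06:00 10.0.0.2 User:netops command:username ops2 password 0 REDACTED",
]

# Assumed layout of the constructed lines: <time> <dvc> User:<user> command:<command>
LOG_RE = re.compile(r"^(?P<time>\S+) (?P<dvc>\S+) User:(?P<user>\S+) command:(?P<command>.*)$")

# The three clauses of the SPL `where (...)`; the SPL `*` wildcard becomes `.*`.
# Clause 2 needs both substrings in the same command, hence the two lookaheads.
PATTERNS = [
    re.compile(r"username .* privilege 15"),
    re.compile(r"(?=.*username .* password)(?=.*USER TABLE MODIFIED)"),
    re.compile(r"USER_PRIVILEGE_UPDATE.*priv-15"),
]

def is_privileged_account_change(command):
    return any(p.search(command) for p in PATTERNS)

def detect(lines, approved_admins=frozenset()):
    """Mirror the search: keep matching commands, aggregate count / values(command) /
    min(_time) / max(_time) by (dvc, user), rename dvc to dest, then drop accounts
    found in an approved-administrator lookup (the false-positive filter above)."""
    groups = defaultdict(lambda: {"count": 0, "command": [], "times": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_privileged_account_change(m["command"]):
            continue
        g = groups[(m["dvc"], m["user"])]
        g["count"] += 1
        if m["command"] not in g["command"]:   # values() keeps distinct commands
            g["command"].append(m["command"])
        g["times"].append(m["time"])           # ISO timestamps sort lexicographically
    return [
        {"dest": dest, "user": user, "count": g["count"], "command": g["command"],
         "firstTime": min(g["times"]), "lastTime": max(g["times"])}
        for (dest, user), g in groups.items() if user not in approved_admins
    ]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOGS, approved_admins={"netops"}):
        print(f"privileged account change on {hit['dest']} by {hit['user']}: {hit['command']}")
```

The fifth sample line sets a password without a USER TABLE MODIFIED marker, so it is correctly not matched; with `netops` in the approved list only the `svc_deploy` activity remains.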
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
A suspicious privileged account was created or modified on Cisco IOS device $dest$ by user $user$
Risk Object | Risk Object Type | Risk Score | Threat Objects |
---|---|---|---|
user | user | 50 | command |
dest | system | 50 | command |
References
Detection Testing
Test Type | Status | Dataset | Source | Sourcetype |
---|---|---|---|---|
Validation | ✅ Passing | N/A | N/A | N/A |
Unit | ✅ Passing | Dataset | cisco:ios | cisco:ios |
Integration | ✅ Passing | Dataset | cisco:ios | cisco:ios |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.
Source: GitHub | Version: 1