ID | Technique | Tactic |
---|---|---|
T1190 | Exploit Public-Facing Application | Initial Access |
T1210 | Exploitation of Remote Services | Lateral Movement |
T1499 | Endpoint Denial of Service | Impact |
Detection: Cisco Secure Firewall - Static Tundra Smart Install Abuse
Description
This analytic detects activity associated with "Static Tundra" threat actor abuse of the Cisco Smart Install (SMI) protocol using Cisco Secure Firewall Intrusion Events. It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify occurrences of Smart Install exploitation and protocol abuse, including denial-of-service and buffer overflow attempts. The detection triggers when multiple Cisco Smart Install-related Snort signatures are observed in a short period from the same source, which is indicative of active exploitation or reconnaissance against Cisco devices that expose SMI.
Search
`cisco_secure_firewall` EventType=IntrusionEvent signature_id IN (46468, 46096, 41722, 41723, 41724, 41725)
| bin _time span=15m
| fillnull
| stats dc(signature_id) as unique_signature_count
    values(signature_id) as signature_id
    values(signature) as signature
    values(class_desc) as class_desc
    values(MitreAttackGroups) as MitreAttackGroups
    values(InlineResult) as InlineResult
    values(InlineResultReason) as InlineResultReason
    values(dest_ip) as dest_ip
    values(dest_port) as dest_port
    values(rule) as rule
    values(transport) as transport
    values(app) as app
    min(_time) as firstTime
    max(_time) as lastTime
    by src_ip
| where unique_signature_count >= 2
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___static_tundra_smart_install_abuse_filter`
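The aggregation the search performs can be reproduced offline to check how the threshold behaves on known input. The Python below is an added example, not Splunk's or the security_content project's code: it keeps IntrusionEvent records carrying one of the six Smart Install Snort IDs, floors `_time` to 15-minute bins, aggregates per `src_ip`, and reports sources with at least two distinct signature IDs. The `filter_src_ips` argument is an assumed stand-in for the empty post-filter macro, and the events are constructed sample records, not real eStreamer output. Note that because `stats` groups by `src_ip` alone, `bin` only rounds the reported firstTime/lastTime; the distinct count itself spans the whole search window, and the code mirrors that.

```python
"""Offline re-implementation of the Static Tundra Smart Install detection logic.

Added example, not Splunk code. Field names follow the SPL above; all sample
values are constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Snort signature IDs listed in the search.
SMI_SIGNATURE_IDS = {46468, 46096, 41722, 41723, 41724, 41725}
BIN_SECONDS = 15 * 60           # bin _time span=15m
MIN_UNIQUE_SIGNATURES = 2       # where unique_signature_count >= 2
FILLNULL_VALUE = 0              # fillnull's default replacement value

# Constructed IntrusionEvent records (assumed shape; times are ISO 8601 UTC).
SAMPLE_EVENTS = [
    # Three different SMI signatures from one source across two bins -> alert.
    {"_time": "2024-01-10T10:02:00Z", "EventType": "IntrusionEvent", "signature_id": 41722,
     "signature": "SMI probe (constructed)", "src_ip": "198.51.100.7", "dest_ip": "192.0.2.10", "dest_port": 4786},
    {"_time": "2024-01-10T10:09:30Z", "EventType": "IntrusionEvent", "signature_id": 41723,
     "signature": "SMI overflow attempt (constructed)", "src_ip": "198.51.100.7", "dest_ip": "192.0.2.10", "dest_port": 4786},
    {"_time": "2024-01-10T10:31:00Z", "EventType": "IntrusionEvent", "signature_id": 46468,
     "signature": "SMI DoS attempt (constructed)", "src_ip": "198.51.100.7", "dest_ip": "192.0.2.11", "dest_port": 4786},
    # Same signature twice -> dc(signature_id) is 1, no alert.
    {"_time": "2024-01-10T10:05:00Z", "EventType": "IntrusionEvent", "signature_id": 41724,
     "signature": "SMI probe (constructed)", "src_ip": "203.0.113.5", "dest_ip": "192.0.2.10", "dest_port": 4786},
    {"_time": "2024-01-10T10:06:00Z", "EventType": "IntrusionEvent", "signature_id": 41724,
     "signature": "SMI probe (constructed)", "src_ip": "203.0.113.5", "dest_ip": "192.0.2.10", "dest_port": 4786},
    # A non-intrusion event type is excluded by the base search, leaving one signature.
    {"_time": "2024-01-10T10:07:00Z", "EventType": "ConnectionEvent", "signature_id": 41722,
     "src_ip": "203.0.113.9", "dest_ip": "192.0.2.10", "dest_port": 4786},
    {"_time": "2024-01-10T10:08:00Z", "EventType": "IntrusionEvent", "signature_id": 41723,
     "signature": "SMI overflow attempt (constructed)", "src_ip": "203.0.113.9", "dest_ip": "192.0.2.10", "dest_port": 4786},
    # A signature outside the SMI set does not count toward the threshold.
    {"_time": "2024-01-10T10:12:00Z", "EventType": "IntrusionEvent", "signature_id": 41725,
     "signature": "SMI probe (constructed)", "src_ip": "203.0.113.20", "dest_ip": "192.0.2.10", "dest_port": 4786},
    {"_time": "2024-01-10T10:13:00Z", "EventType": "IntrusionEvent", "signature_id": 12345,
     "signature": "unrelated signature (constructed)", "src_ip": "203.0.113.20", "dest_ip": "192.0.2.10", "dest_port": 80},
    # An approved scanner that would trigger; the post-filter removes it.
    {"_time": "2024-01-10T10:20:00Z", "EventType": "IntrusionEvent", "signature_id": 41722,
     "signature": "SMI probe (constructed)", "src_ip": "192.0.2.99", "dest_ip": "192.0.2.10", "dest_port": 4786},
    {"_time": "2024-01-10T10:21:00Z", "EventType": "IntrusionEvent", "signature_id": 41723,
     "signature": "SMI overflow attempt (constructed)", "src_ip": "192.0.2.99", "dest_ip": "192.0.2.10", "dest_port": 4786},
]


def _epoch(ts: str) -> int:
    """Parse an ISO 8601 UTC timestamp ending in 'Z' into epoch seconds."""
    return int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())


def _bin(epoch: int) -> int:
    """Equivalent of `bin _time span=15m`: floor to the 15-minute boundary."""
    return epoch - (epoch % BIN_SECONDS)


def _ctime(epoch: int) -> str:
    """Stand-in for `security_content_ctime`: render epoch seconds as a readable UTC string."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def detect_smi_abuse(events, filter_src_ips=frozenset()):
    """Return one result per src_ip that meets the threshold, shaped like the stats output.

    filter_src_ips plays the role of the post-filter macro (an assumption of this example).
    """
    per_src = defaultdict(lambda: {"signature_id": set(), "signature": set(),
                                   "dest_ip": set(), "dest_port": set(), "times": []})
    for ev in events:
        # Base search: EventType=IntrusionEvent signature_id IN (...)
        if ev.get("EventType") != "IntrusionEvent" or ev.get("signature_id") not in SMI_SIGNATURE_IDS:
            continue
        agg = per_src[ev["src_ip"]]
        agg["signature_id"].add(ev["signature_id"])
        agg["signature"].add(ev.get("signature", FILLNULL_VALUE))
        agg["dest_ip"].add(ev.get("dest_ip", FILLNULL_VALUE))
        agg["dest_port"].add(ev.get("dest_port", FILLNULL_VALUE))
        agg["times"].append(_bin(_epoch(ev["_time"])))

    results = []
    for src_ip, agg in per_src.items():
        if len(agg["signature_id"]) < MIN_UNIQUE_SIGNATURES or src_ip in filter_src_ips:
            continue
        results.append({
            "src_ip": src_ip,
            "unique_signature_count": len(agg["signature_id"]),
            "signature_id": sorted(agg["signature_id"]),
            "signature": sorted(agg["signature"], key=str),
            "dest_ip": sorted(agg["dest_ip"], key=str),
            "dest_port": sorted(agg["dest_port"], key=str),
            "firstTime": _ctime(min(agg["times"])),
            "lastTime": _ctime(max(agg["times"])),
        })
    return sorted(results, key=lambda r: r["src_ip"])


if __name__ == "__main__":
    for row in detect_smi_abuse(SAMPLE_EVENTS, filter_src_ips={"192.0.2.99"}):
        print(row)
```

Running the block prints a single row for 198.51.100.7 with three signature IDs and bin-rounded firstTime/lastTime; removing the `filter_src_ips` argument also surfaces the constructed scanner 192.0.2.99, which is the case the post-filter macro is meant to suppress.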
Data Source
Name | Platform | Sourcetype | Source |
---|---|---|---|
Cisco Secure Firewall Threat Defense Intrusion Event | N/A | 'cisco:sfw:estreamer' | 'not_applicable' |
Macros Used
Name | Value |
---|---|
cisco_secure_firewall | sourcetype="cisco:sfw:estreamer" |
cisco_secure_firewall___static_tundra_smart_install_abuse_filter | search * |
cisco_secure_firewall___static_tundra_smart_install_abuse_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
Setting | Value |
---|---|
Disabled | true |
Cron Schedule | 0 * * * * |
Earliest Time | -70m@m |
Latest Time | -10m@m |
Schedule Window | auto |
Creates Notable | Yes |
Rule Title | %name% |
Rule Description | %description% |
Notable Event Fields | user, dest |
Creates Risk Event | True |
Implementation
This search requires Cisco Secure Firewall Threat Defense logs with IntrusionEvent data. It uses the cisco_secure_firewall input macro; configure it to match your environment (index, source, sourcetype). Ensure your intrusion policies include the relevant Smart Install signatures and that events are collected via the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404). The post-filter macro helps reduce known noise.
Known False Positives
Network scanning or testing tools that probe Cisco Smart Install endpoints may trigger similar signatures. Validate against maintenance windows or approved security assessments.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
Smart Install exploitation or protocol abuse targeting $dest_ip$ originating from $src_ip$
Risk Object | Risk Object Type | Risk Score | Threat Objects |
---|---|---|---|
dest_ip | system | 30 | signature, src_ip |
References
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2
Detection Testing
Test Type | Status | Dataset | Source | Sourcetype |
---|---|---|---|---|
Validation | ✅ Passing | N/A | N/A | N/A |
Unit | ✅ Passing | Dataset | not_applicable | cisco:sfw:estreamer |
Integration | ✅ Passing | Dataset | not_applicable | cisco:sfw:estreamer |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.
Source: GitHub | Version: 1