| ID | Technique | Tactic |
|---|---|---|
| T1562.001 | Disable or Modify Tools | Defense Evasion |
| T1040 | Network Sniffing | Credential Access |
| T1552 | Unsecured Credentials | Discovery |
Detection: Cisco SNMP Community String Configuration Changes
Description
This analytic detects changes to SNMP community strings on Cisco devices, which could indicate an attacker establishing persistence or attempting to extract credentials. After gaining initial access to network devices, threat actors like Static Tundra often modify SNMP configurations to enable unauthorized monitoring and data collection. This detection specifically looks for the configuration of SNMP community strings with read-write (rw) or read-only (ro) permissions, as well as the configuration of SNMP hosts that may be used to exfiltrate data. These activities are particularly concerning as they may represent attempts to establish persistent access or extract sensitive information from compromised devices.
Search
1
2| tstats `security_content_summariesonly` count values(All_Changes.command) as command min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where ( (All_Changes.command="*snmp-server community*rw*") OR (All_Changes.command="*snmp-server community*ro*") OR (All_Changes.command="*snmp-server host*") ) by All_Changes.dvc All_Changes.user
3| `drop_dm_object_name("All_Changes")`
4| rename dvc as dest
5| `security_content_ctime(firstTime)`
6| `security_content_ctime(lastTime)`
7| `cisco_snmp_community_string_configuration_changes_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Cisco IOS Logs | N/A | 'cisco:ios' |
'cisco:ios' |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| cisco_snmp_community_string_configuration_changes_filter | search * |
cisco_snmp_community_string_configuration_changes_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Exploitation
DE.AE
CIS 13
APT33
APT38
Agrius
Akira
Aquatic Panda
BRONZE BUTLER
BlackByte
DarkVishnya
Ember Bear
FIN6
Gamaredon Group
Gorgon Group
INC Ransom
Indrik Spider
Kimsuky
Lazarus Group
Magic Hound
MuddyWater
Play
Putter Panda
Rocke
Saint Bear
Salt Typhoon
Sandworm Team
TA2541
TA505
TeamTNT
Turla
Velvet Ant
Volt Typhoon
Wizard Spider
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
Implementation
To implement this search, you need to be ingesting Cisco IOS logs with the sourcetype "cisco:ios" and have these logs mapped to the Change datamodel. Ensure that your Cisco IOS devices are configured to send logs to your Splunk environment, with appropriate logging levels enabled to capture configuration commands. Configure command logging on Cisco IOS devices using the "archive log config logging enable" command to ensure that SNMP configuration changes are properly logged.
Known False Positives
Legitimate SNMP configuration changes may trigger this detection during routine network maintenance or initial device setup. Network administrators often need to configure SNMP for monitoring and management purposes. To reduce false positives, consider implementing a baseline of expected administrative activities, including approved administrative usernames, typical times for SNMP configuration changes, and scheduled maintenance windows. You may also want to create a lookup table of approved SNMP hosts and filter out alerts for these destinations.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
Suspicious SNMP community string configuration changes detected on Cisco device $dest$ by user $user$, which may indicate persistence establishment
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| dest | system | 60 | command |
| user | user | 40 | command |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | cisco:ios |
cisco:ios |
| Integration | ✅ Passing | Dataset | cisco:ios |
cisco:ios |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1