ID | Technique | Tactic |
---|---|---|
T1190 | Exploit Public-Facing Application | Initial Access |
Detection: Cisco Smart Install Port Discovery and Status
Description
This analytic detects network traffic to TCP port 4786, the port on which the Cisco Smart Install client listens. Smart Install is a plug-and-play configuration and image-management feature that helps customers deploy Cisco switches; a director switch or server pushes images and configuration to client switches over this port. The Smart Install client has been exploited via CVE-2018-0171, a buffer overflow in its message handling that lets an unauthenticated remote attacker who can reach port 4786 reload the device (denial of service) or execute arbitrary code. In 2025, Cisco Talos reported that a Russian state-sponsored threat actor it tracks as "Static Tundra" has been exploiting this vulnerability to compromise unpatched and end-of-life network devices. Monitoring for traffic to this port helps identify exploitation attempts, reconnaissance for exposed Smart Install clients, and unauthorized Smart Install activity.
Search
```spl
| tstats `security_content_summariesonly` count values(All_Traffic.src_ip) as src_ip values(All_Traffic.src_port) as src_port values(All_Traffic.dest_ip) as dest_ip earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.dest_port=4786 AND All_Traffic.transport=tcp by All_Traffic.dest_ip All_Traffic.dest_port
| `drop_dm_object_name("All_Traffic")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_smart_install_port_discovery_and_status_filter`
```
Data Source
Name | Platform | Sourcetype | Source |
---|---|---|---|
Splunk Stream TCP | | stream:tcp | stream:tcp |
Macros Used
Name | Value |
---|---|
security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
cisco_smart_install_port_discovery_and_status_filter | search * |
`cisco_smart_install_port_discovery_and_status_filter` is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
Setting | Value |
---|---|
Disabled | true |
Cron Schedule | 0 * * * * |
Earliest Time | -70m@m |
Latest Time | -10m@m |
Schedule Window | auto |
Creates Notable | Yes |
Rule Title | %name% |
Rule Description | %description% |
Notable Event Fields | user, dest |
Creates Risk Event | True |
Implementation
To implement this search, you need to be ingesting network traffic data into the Network_Traffic data model, and because the search uses `security_content_summariesonly`, that data model must be accelerated or the tstats search returns nothing. Splunk Stream can supply the data: enable the TCP protocol in Stream so that flows are indexed with sourcetype "stream:tcp" and mapped into Network_Traffic. The search looks for traffic destined to TCP port 4786, the port on which the Cisco Smart Install client listens. For defence in depth, block this port at the network perimeter and, as Cisco recommends, disable Smart Install on switches that do not use it (`no vstack` in global configuration; `show vstack config` shows whether the client is enabled). Monitoring both external and internal traffic to this port remains valuable, since an attacker who has already gained an internal foothold can reach the port just as easily. You may need to modify this search for your environment, for example restricting it to inbound traffic from external sources or to internal connections that do not originate from your known management stations.
Known False Positives
Legitimate use of Cisco Smart Install generates traffic to port 4786 in environments that actively use the feature for switch deployment and management, especially during deployment or maintenance windows. To reduce false positives, baseline normal Smart Install usage, allowlist the management stations (the Smart Install director) that legitimately use it, and consider time-based filtering so that only usage outside scheduled maintenance periods alerts. Apply source-based exclusions in the `where` clause of the tstats search (for example `AND All_Traffic.src_ip!=<director address>`) rather than in the post-aggregation filter macro: after `values(All_Traffic.src_ip)`, src_ip is a multivalue field per destination, so `search NOT src_ip=<director address>` in the filter macro drops every switch the director has touched and would hide an unknown source hitting the same switch.
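To make concrete what the search computes and how the tuning described under Implementation and Known False Positives behaves, the following is an added Python model; it is not part of the Splunk Security Content project. It applies the same predicate (TCP to destination port 4786) and the same aggregation (count, values of src_ip and src_port, earliest and latest time, grouped by dest_ip and dest_port) to a handful of constructed flow records, and it applies a management-station allowlist and maintenance windows per flow before aggregation, where the SPL `where` clause acts. The record shape, the sample addresses and the helper names (`detect`, `is_expected`, `risk_message`) are assumptions made for this illustration.

```python
"""
Offline model of the 'Cisco Smart Install Port Discovery and Status' search.

Mirrors the SPL: keep tcp flows with dest_port 4786, group by (dest_ip, dest_port),
compute count, values(src_ip), values(src_port), earliest(_time), latest(_time).
Tuning (management-station allowlist, maintenance windows) is applied per flow
before aggregation, so one allowlisted station cannot mask other sources.
"""
from collections import defaultdict
from datetime import datetime, timezone

SMART_INSTALL_PORT = 4786

# Constructed records shaped like Network_Traffic data-model fields; not real traffic.
# 10.10.1.5 plays a legitimate Smart Install director, 203.0.113.7 an external source.
SAMPLE_FLOWS = [
    {"_time": 1724000000, "src_ip": "10.10.1.5",   "src_port": 51234, "dest_ip": "10.20.0.11", "dest_port": 4786, "transport": "tcp"},
    {"_time": 1724000030, "src_ip": "10.10.1.5",   "src_port": 51236, "dest_ip": "10.20.0.12", "dest_port": 4786, "transport": "tcp"},
    {"_time": 1724000600, "src_ip": "203.0.113.7", "src_port": 40001, "dest_ip": "10.20.0.11", "dest_port": 4786, "transport": "tcp"},
    {"_time": 1724000660, "src_ip": "203.0.113.7", "src_port": 40002, "dest_ip": "10.20.0.11", "dest_port": 4786, "transport": "tcp"},
    {"_time": 1724000700, "src_ip": "10.10.9.9",   "src_port": 44444, "dest_ip": "10.20.0.11", "dest_port": 22,   "transport": "tcp"},  # not Smart Install
    {"_time": 1724000800, "src_ip": "10.10.9.9",   "src_port": 44445, "dest_ip": "10.20.0.11", "dest_port": 4786, "transport": "udp"},  # wrong transport
]


def is_expected(flow, management_stations, maintenance_windows):
    """A flow is expected only if it comes from a known management station and,
    when maintenance windows are configured, falls inside one of them."""
    if flow["src_ip"] not in management_stations:
        return False
    if not maintenance_windows:
        return True
    return any(start <= flow["_time"] < end for start, end in maintenance_windows)


def ctime(epoch):
    """Equivalent of `security_content_ctime`; UTC is assumed for the rendered string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def detect(flows, management_stations=frozenset(), maintenance_windows=()):
    """Return one row per (dest_ip, dest_port) with the same fields the SPL produces."""
    groups = defaultdict(lambda: {"count": 0, "src_ip": set(), "src_port": set(),
                                  "firstTime": None, "lastTime": None})
    for flow in flows:
        # where All_Traffic.dest_port=4786 AND All_Traffic.transport=tcp
        if flow["dest_port"] != SMART_INSTALL_PORT or flow["transport"].lower() != "tcp":
            continue
        # Tuning belongs here, in the base search, not in the post-aggregation filter macro.
        if is_expected(flow, management_stations, maintenance_windows):
            continue
        g = groups[(flow["dest_ip"], flow["dest_port"])]
        g["count"] += 1
        g["src_ip"].add(flow["src_ip"])
        g["src_port"].add(flow["src_port"])
        t = flow["_time"]
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)

    rows = []
    for (dest_ip, dest_port), g in sorted(groups.items()):
        rows.append({
            "dest_ip": dest_ip,
            "dest_port": dest_port,
            "count": g["count"],
            "src_ip": sorted(g["src_ip"]),        # values(All_Traffic.src_ip)
            "src_port": sorted(g["src_port"]),    # values(All_Traffic.src_port)
            "firstTime": g["firstTime"],
            "lastTime": g["lastTime"],
            "firstTime_ctime": ctime(g["firstTime"]),
            "lastTime_ctime": ctime(g["lastTime"]),
        })
    return rows


def risk_message(row):
    """The detection's risk message with $dest_ip$ substituted."""
    return (f"Detected network traffic to Cisco Smart Install port ({SMART_INSTALL_PORT}) "
            f"on {row['dest_ip']}. Possible access to Cisco Smart Install.")


if __name__ == "__main__":
    print("untuned:")
    for row in detect(SAMPLE_FLOWS):
        print(" ", row["dest_ip"], row["count"], row["src_ip"], row["firstTime_ctime"], row["lastTime_ctime"])
    print("director allowlisted during a maintenance window:")
    tuned = detect(SAMPLE_FLOWS, management_stations=frozenset({"10.10.1.5"}),
                   maintenance_windows=[(1723999000, 1724000100)])
    for row in tuned:
        print(" ", risk_message(row), row["src_ip"])
```

Untuned, both switches produce a row and 10.20.0.11 lists both the director and the external source. With the director allowlisted inside a maintenance window, 10.20.0.12 disappears and 10.20.0.11 still alerts, now with only 203.0.113.7 as its source; had the director been excluded after aggregation on the multivalue src_ip field, that row would have been dropped as well. Move the window so the director's traffic falls outside it and its connections alert again, which is the "unexpected usage outside scheduled maintenance" behaviour the tuning guidance aims for.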
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
Detected network traffic to Cisco Smart Install port (4786) on $dest_ip$. Possible access to Cisco Smart Install.
Risk Object | Risk Object Type | Risk Score | Threat Objects |
---|---|---|---|
dest_ip | system | 50 | src_ip |
References
Detection Testing
Test Type | Status | Dataset | Source | Sourcetype |
---|---|---|---|---|
Validation | ✅ Passing | N/A | N/A | N/A |
Unit | ✅ Passing | Dataset | stream:tcp | stream:tcp |
Integration | ✅ Passing | Dataset | stream:tcp | stream:tcp |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.
Source: GitHub | Version: 1