Detection: Cisco Configuration Archive Logging Analysis

Description

This analytic provides comprehensive monitoring of configuration changes on Cisco devices by analyzing archive logs. Configuration archive logging captures all changes made to a device's configuration, providing a detailed audit trail that can be used to identify suspicious or malicious activities. This detection is particularly valuable for identifying patterns of malicious configuration changes that might indicate an attacker's presence, such as the creation of backdoor accounts, SNMP community string modifications, and TFTP server configurations for data exfiltration. By analyzing these logs, security teams can gain a holistic view of configuration changes across sessions and users, helping to detect sophisticated attack campaigns like those conducted by threat actors such as Static Tundra.

| tstats `security_content_summariesonly` count values(All_Changes.command) as commands min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where ( (All_Changes.command="*username*privilege 15*") OR (All_Changes.command="*username*password*") OR (All_Changes.command="*USER TABLE MODIFIED*") OR (All_Changes.command="*tftp-server*") OR (All_Changes.command="*snmp-server community*") ) by All_Changes.dvc All_Changes.user
| `drop_dm_object_name("All_Changes")`
| rename dvc as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_configuration_archive_logging_analysis_filter`

Data Source

Name            Platform   Sourcetype   Source
Cisco IOS Logs  N/A        cisco:ios    cisco:ios

Macros Used

Name                                                 Value
security_content_ctime                               convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)
cisco_configuration_archive_logging_analysis_filter  search *

cisco_configuration_archive_logging_analysis_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting             Value
Disabled            true
Cron Schedule       0 * * * *
Earliest Time       -70m@m
Latest Time         -10m@m
Schedule Window     auto
Creates Risk Event  False

This configuration file applies to all detections of type hunting.

Implementation

To implement this search, you need to be ingesting Cisco IOS logs with the sourcetype "cisco:ios" and have these logs mapped to the Change datamodel. Ensure that your Cisco IOS devices are configured to send logs to your Splunk environment, with configuration archive logging enabled. On Cisco devices, enable archive logging with the commands "archive" and "log config" in global configuration mode. Configure command logging with "archive log config logging enable" and ensure that the appropriate logging levels are set with "logging trap informational". The detection looks for patterns of suspicious configuration changes across sessions, focusing on account creation, SNMP modifications, and TFTP server configurations.

Known False Positives

Legitimate configuration changes during routine maintenance or device setup may trigger this detection, especially when multiple related changes are made in a single session. Network administrators often make several configuration changes in sequence during maintenance windows. To reduce false positives, consider implementing a baseline of expected administrative activities, including approved administrative usernames and scheduled maintenance windows. The detection includes a threshold (count > 2) to filter out isolated configuration changes, but this threshold may need to be adjusted based on your environment's normal activity patterns.
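The following is an added example, not code from the Splunk Security Content project or this detection page. It reproduces the detection's logic in plain Python over a handful of constructed Cisco IOS configuration-archive syslog lines: the same five wildcard patterns as the tstats WHERE clause, grouping by device and user, the values()/min/max aggregation, and the count > 2 threshold that the false-positive note describes (the SPL as printed above does not carry that threshold, so here it is an explicit parameter). The log line shape (a relay-prepended hostname followed by the %PARSER-5-CFGLOG_LOGGEDCMD message), the year applied to the timestamps, and the device and user names are all assumptions made for the example.

```python
"""Added example: offline re-implementation of the Cisco configuration
archive logging detection. Not part of the original page or project."""
import fnmatch
import re
from collections import defaultdict
from datetime import datetime

# Same wildcard patterns as the tstats WHERE clause; Splunk '*' maps to fnmatch '*'.
SUSPICIOUS_PATTERNS = [
    "*username*privilege 15*",
    "*username*password*",
    "*USER TABLE MODIFIED*",
    "*tftp-server*",
    "*snmp-server community*",
]

# Assumed line shape: "<host> <Mon DD HH:MM:SS[.mmm]>: %PARSER-5-CFGLOG_LOGGEDCMD:
# User:<user>  logged command:<command>". The hostname prefix is what a syslog
# relay typically adds; field names mirror the Change data model (dvc, user, command).
LOG_RE = re.compile(
    r"^(?P<dvc>\S+)\s+(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})(?:\.\d+)?:\s+"
    r"%PARSER-5-CFGLOG_LOGGEDCMD:\s+User:(?P<user>\S+)\s+logged command:(?P<command>.*)$"
)
ASSUMED_YEAR = 2024  # IOS syslog timestamps carry no year; one is assumed here.

# Constructed sample lines (not real device output). One session on core-rtr1
# creates a privilege-15 account, rewrites an SNMP community and points a
# tftp-server at the running config; netadmin on edge-sw2 makes one SNMP change.
SAMPLE_LOGS = """\
core-rtr1 Jun 12 10:01:05.100: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_ops  logged command:interface GigabitEthernet0/1
core-rtr1 Jun 12 10:02:11.300: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_ops  logged command:username backup privilege 15 secret 0 CHANGEME
core-rtr1 Jun 12 10:02:40.900: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_ops  logged command:snmp-server community public RW
core-rtr1 Jun 12 10:03:02.000: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_ops  logged command:tftp-server flash:running-config
edge-sw2 Jun 12 11:15:00.000: %PARSER-5-CFGLOG_LOGGEDCMD: User:netadmin  logged command:snmp-server community monitoring RO
edge-sw2 Jun 12 11:16:30.000: %PARSER-5-CFGLOG_LOGGEDCMD: User:netadmin  logged command:description uplink to core
"""


def parse_line(line):
    """Return a dict with dvc, user, command and _time, or None if the line is not a CFGLOG message."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["_time"] = datetime.strptime(ev.pop("ts"), "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return ev


def is_suspicious(command):
    """Match the command against the detection's patterns; Splunk field matching is case-insensitive."""
    return any(fnmatch.fnmatchcase(command.lower(), p.lower()) for p in SUSPICIOUS_PATTERNS)


def analyze(log_text, threshold=2):
    """Group suspicious commands by (dvc, user) and keep groups with count > threshold.

    Mirrors: count, values(command) as commands, min(_time) as firstTime,
    max(_time) as lastTime ... by dvc user | rename dvc as dest | ctime().
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and is_suspicious(ev["command"]):
            groups[(ev["dvc"], ev["user"])].append(ev)

    fmt = "%Y-%m-%dT%H:%M:%S"  # same timeformat as the security_content_ctime macro
    rows = []
    for (dvc, user), events in groups.items():
        rows.append({
            "dest": dvc,                                         # rename dvc as dest
            "user": user,
            "count": len(events),
            "commands": sorted({e["command"] for e in events}),  # values() de-duplicates
            "firstTime": min(e["_time"] for e in events).strftime(fmt),
            "lastTime": max(e["_time"] for e in events).strftime(fmt),
        })
    # Threshold from the false-positive note: isolated single changes are dropped.
    return [r for r in rows if r["count"] > threshold]


if __name__ == "__main__":
    for row in analyze(SAMPLE_LOGS):
        print(row)
```

Running it flags only the core-rtr1 / svc_ops session (three matching commands); the single SNMP change by netadmin falls below the threshold, which is exactly the routine-maintenance case the note above describes. Calling analyze(SAMPLE_LOGS, threshold=0) shows both groups, matching what the SPL returns before any threshold or filter macro is applied.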

Associated Analytic Story

References

Detection Testing

Test Type    Status   Dataset   Source     Sourcetype
Validation   Passing  N/A       N/A        N/A
Unit         Passing  Dataset   cisco:ios  cisco:ios
Integration  Passing  Dataset   cisco:ios  cisco:ios

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.


Source: GitHub | Version: 1