Techniques
Sample rules
Cisco IOS XE Implant Access
- source: splunk
- techniques:
- T1190
Description
The following analytic identifies potential exploitation of the Cisco IOS XE vulnerability CVE-2023-20198 in the Web User Interface. It monitors POST requests to the "/webui/logoutconfirm.html?logon_hash=*" endpoint using the Web datamodel. This activity can be significant because it indicates a potential access request to the implant. If confirmed malicious, attackers could maintain privileged access, compromising the device's integrity and security.
Detection logic
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
FROM datamodel=Web WHERE
Web.url="*/webui/logoutconfirm.html?logon_hash=*"
Web.http_method=POST
Web.status=200
BY Web.http_user_agent Web.status Web.http_method
Web.url Web.url_length Web.src Web.dest
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_ios_xe_implant_access_filter`
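The same filter and aggregation as the SPL above, expressed in Python over a handful of constructed web-proxy log lines so the rule's behaviour can be checked offline. This is an added illustration, not Splunk's detection content; the log format, field names and sample values are assumed, and url_length is computed as len(url) in place of the Web datamodel field.

```python
import re

# Constructed sample web events (not real traffic). Fields: src, epoch time,
# request line, status, dest, user agent.
SAMPLE_LOGS = [
    '198.51.100.7 1697900000 "POST /webui/logoutconfirm.html?logon_hash=a1b2 HTTP/1.1" 200 192.0.2.1 "python-requests/2.31"',
    '198.51.100.7 1697900600 "POST /webui/logoutconfirm.html?logon_hash=a1b2 HTTP/1.1" 200 192.0.2.1 "python-requests/2.31"',
    '203.0.113.5 1697900100 "GET /webui/logoutconfirm.html?logon_hash=zz HTTP/1.1" 200 192.0.2.1 "Mozilla/5.0"',
    '203.0.113.5 1697900200 "POST /webui/logoutconfirm.html?logon_hash=zz HTTP/1.1" 404 192.0.2.1 "Mozilla/5.0"',
    '203.0.113.9 1697900300 "POST /webui/login.html HTTP/1.1" 200 192.0.2.1 "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<time>\d+) "(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<dest>\S+) "(?P<ua>[^"]*)"$'
)

def spl_wildcard(pattern):
    """Compile an SPL-style value match where only '*' is a wildcard.
    fnmatch would wrongly treat the '?' before logon_hash as a one-char wildcard."""
    return re.compile("^" + ".*".join(map(re.escape, pattern.split("*"))) + "$")

URL_MATCH = spl_wildcard("*/webui/logoutconfirm.html?logon_hash=*")

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"], ev["status"] = int(ev["time"]), int(ev["status"])
    return ev

def detect_implant_access(lines):
    """Apply the rule's WHERE filter (POST, 200, logon_hash endpoint), then
    aggregate count/firstTime/lastTime by the same fields as the SPL BY clause."""
    groups = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["status"] != 200:
            continue
        if not URL_MATCH.match(ev["url"]):
            continue
        key = (ev["ua"], ev["status"], ev["method"], ev["url"],
               len(ev["url"]), ev["src"], ev["dest"])  # url_length assumed as len(url)
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["time"], "lastTime": ev["time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["time"])
        g["lastTime"] = max(g["lastTime"], ev["time"])
    names = ("http_user_agent", "status", "http_method", "url", "url_length", "src", "dest")
    return [dict(zip(names, key), **g) for key, g in groups.items()]
```

Only the two POST/200 requests from 198.51.100.7 survive the filter and collapse into one row with count 2; the GET, the 404 and the login.html request are dropped, mirroring what the tstats search would return.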