Techniques
Sample rules
Cisco IOS Suspicious Privileged Account Creation
- source: splunk
- technicques:
- T1136
- T1078
Description
This analytic detects the creation of privileged user accounts on Cisco IOS devices, which could indicate an attacker establishing backdoor access. The detection focuses on identifying when user accounts are created with privilege level 15 (the highest administrative privilege level in Cisco IOS) or when existing accounts have their privileges elevated. This type of activity is particularly concerning when performed by unauthorized users or during unusual hours, as it may represent a key step in establishing persistence following the exploitation of vulnerabilities like CVE-2018-0171 in Cisco Smart Install. Threat actors like Static Tundra have been observed creating privileged accounts as part of their attack chain after gaining initial access to network devices.
Detection logic
| tstats `security_content_summariesonly` count values(All_Changes.command) as command min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where ( (All_Changes.command="*username * privilege 15*") OR (All_Changes.command="*username * password*" AND All_Changes.command="*USER TABLE MODIFIED*") OR (All_Changes.command="*USER_PRIVILEGE_UPDATE*priv-15*") ) by All_Changes.dvc All_Changes.user
| `drop_dm_object_name("All_Changes")`
| rename dvc as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_ios_suspicious_privileged_account_creation_filter`