Techniques
Sample rules
Cisco Configuration Archive Logging Analysis
- source: splunk
- techniques:
  - T1562.001
  - T1098
  - T1505.003
Description
This analytic monitors configuration changes on Cisco IOS devices by analyzing configuration archive logs. Configuration archive logging (enabled on the device under `archive` > `log config` > `logging enable`, with `notify syslog` so each logged command is also emitted as a syslog message) records every configuration command applied to the device together with the user who issued it, giving a detailed audit trail for identifying suspicious or malicious activity. This detection looks for changes characteristic of an attacker establishing persistence or staging exfiltration: creating local accounts with privilege 15 or a password, modifying SNMP community strings, and configuring a TFTP server on the device. Because results are grouped by device and user and carry first-seen and last-seen times, security teams get a view of related changes across sessions rather than isolated commands, which helps expose sustained campaigns such as those attributed to the threat actor Static Tundra. The search reads from the Change data model, so the device's syslog must be forwarded to Splunk and mapped to `All_Changes.command`; note that the `hidekeys` archive option masks credential values in the logged command but leaves keywords such as `username` and `privilege 15` intact, so matching is unaffected.
Detection logic
| tstats `security_content_summariesonly` count values(All_Changes.command) as commands min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where ( (All_Changes.command="*username*privilege 15*") OR (All_Changes.command="*username*password*") OR (All_Changes.command="*USER TABLE MODIFIED*") OR (All_Changes.command="*tftp-server*") OR (All_Changes.command="*snmp-server community*") ) by All_Changes.dvc All_Changes.user
| `drop_dm_object_name("All_Changes")`
| rename dvc as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_configuration_archive_logging_analysis_filter`
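The following is an added example, not part of the Splunk content or of this page, showing the same detection logic run outside Splunk over a handful of constructed archive-log syslog lines. It reproduces the five wildcard clauses of the `where` filter as case-insensitive regexes, groups matches by device and user as the `by All_Changes.dvc All_Changes.user` clause does, and computes `count`, `values(command)`, `firstTime` and `lastTime`. The syslog line format, device names, user names and the `allowlist` argument (standing in for the `cisco_configuration_archive_logging_analysis_filter` macro) are assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# The five wildcard patterns from the rule's tstats where-clause, verbatim.
SUSPICIOUS_COMMANDS = [
    "*username*privilege 15*",
    "*username*password*",
    "*USER TABLE MODIFIED*",
    "*tftp-server*",
    "*snmp-server community*",
]

# Constructed sample events (not real device output) in the shape of IOS
# archive-log syslog messages, one per line: <timestamp> <device> <message>.
SAMPLE_LOGS = """\
2024-03-12T10:14:02Z edge-rtr-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:username svc_backup privilege 15 secret *****
2024-03-12T10:14:09Z edge-rtr-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:snmp-server community public RW
2024-03-12T10:14:21Z edge-rtr-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:tftp-server flash:running-config
2024-03-12T11:02:40Z edge-rtr-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface GigabitEthernet0/1
2024-03-12T11:02:45Z core-sw-02 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:username ops password 7 *****
2024-03-12T11:03:01Z core-sw-02 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:description uplink to edge-rtr-01
"""

# Assumed line layout for the constructed sample above.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dvc>\S+) %PARSER-5-CFGLOG_LOGGEDCMD: "
    r"User:(?P<user>\S+)\s+logged command:(?P<command>.*)$"
)


def wildcard_to_regex(pattern):
    """Turn a Splunk-style '*' wildcard into a case-insensitive regex.

    Splunk wildcard matches are case-insensitive and '*' matches any run of
    characters, so "*username*privilege 15*" becomes ".*username.*privilege 15.*".
    """
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")), re.IGNORECASE)


SUSPICIOUS_RES = [wildcard_to_regex(p) for p in SUSPICIOUS_COMMANDS]


def is_suspicious(command):
    """True if the logged command matches any clause of the where-filter."""
    return any(rx.search(command) for rx in SUSPICIOUS_RES)


def parse_archive_logs(text):
    """Parse syslog lines into the All_Changes fields the search uses."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not an archive-log command message; skip it
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"_time": ts.timestamp(), "dvc": m["dvc"],
                       "user": m["user"], "command": m["command"]})
    return events


def ctime(epoch):
    """Stand-in for the security_content_ctime macro: epoch -> readable UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def analyze(text, allowlist=frozenset()):
    """Run the detection: filter, then group by (dest, user) like the 'by' clause.

    allowlist plays the role of the rule's *_filter macro: a set of
    (dest, user) pairs whose results are suppressed as known-good.
    """
    results = {}
    for ev in parse_archive_logs(text):
        if not is_suspicious(ev["command"]):
            continue
        key = (ev["dvc"], ev["user"])  # dvc is renamed to dest in the rule
        if key in allowlist:
            continue
        r = results.setdefault(key, {"count": 0, "commands": set(),
                                     "first": ev["_time"], "last": ev["_time"]})
        r["count"] += 1                      # count
        r["commands"].add(ev["command"])     # values(command): distinct values
        r["first"] = min(r["first"], ev["_time"])  # min(_time)
        r["last"] = max(r["last"], ev["_time"])    # max(_time)
    return {
        key: {"dest": key[0], "user": key[1], "count": r["count"],
              "commands": sorted(r["commands"]),
              "firstTime": ctime(r["first"]), "lastTime": ctime(r["last"])}
        for key, r in results.items()
    }


if __name__ == "__main__":
    for row in analyze(SAMPLE_LOGS).values():
        print(row)
```

Running it on the sample yields one row for `admin` on `edge-rtr-01` with three commands (account creation, SNMP community, TFTP server) spanning 10:14:02 to 10:14:21, and one row for `netops` on `core-sw-02`; the interface and description commands are dropped by the filter. Two points worth knowing when tuning the real rule: the `*username*password*` clause does not match accounts created with `username ... secret`, which are only caught when `privilege 15` is also present, and `hidekeys` masking of credential values does not affect any of the matches because every clause keys on command keywords rather than values.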