LoFP / legitimate network interface configuration changes may trigger this detection during routine network maintenance or initial device setup. network administrators often need to create or modify interfaces as part of normal operations. to reduce false positives, consider implementing a baseline of expected administrative activities, including approved administrative usernames, typical times for interface configuration changes, and scheduled maintenance windows. you may also want to create a lookup table of approved interface naming conventions and filter out alerts for standard interface configurations.

Techniques

• T1021
• T1133
• T1556

Sample rules

Cisco Network Interface Modifications

• source: splunk
• technicques:
  • T1556
  • T1021
  • T1133

Description

This analytic detects the creation or modification of network interfaces on Cisco devices, which could indicate an attacker establishing persistence or preparing for lateral movement. After gaining initial access to network devices, threat actors like Static Tundra often create new interfaces (particularly loopback interfaces) to establish covert communication channels or maintain persistence. This detection specifically looks for the configuration of new interfaces, interface state changes, and the assignment of IP addresses to interfaces. These activities are particularly concerning when they involve unusual interface names or descriptions containing suspicious terms.

Detection logic

| tstats `security_content_summariesonly` count values(All_Changes.command) as command min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where ( (All_Changes.command="*interface*") OR (All_Changes.command="*LINEPROTO-5-UPDOWN*") OR (All_Changes.command="*ip address*") ) by All_Changes.dvc All_Changes.user 
| `drop_dm_object_name("All_Changes")` 
| rename dvc as dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `cisco_network_interface_modifications_filter`