LoFP LoFP / legitimate snmp configuration changes may trigger this detection during routine network maintenance or initial device setup. network administrators often need to configure snmp for monitoring and management purposes. to reduce false positives, consider implementing a baseline of expected administrative activities, including approved administrative usernames, typical times for snmp configuration changes, and scheduled maintenance windows. you may also want to create a lookup table of approved snmp hosts and filter out alerts for these destinations.

Techniques

Sample rules

Cisco SNMP Community String Configuration Changes

Description

This analytic detects changes to SNMP community strings on Cisco devices, which could indicate an attacker establishing persistence or attempting to extract credentials. After gaining initial access to network devices, threat actors like Static Tundra often modify SNMP configurations to enable unauthorized monitoring and data collection. This detection specifically looks for the configuration of SNMP community strings with read-write (rw) or read-only (ro) permissions, as well as the configuration of SNMP hosts that may be used to exfiltrate data. These activities are particularly concerning as they may represent attempts to establish persistent access or extract sensitive information from compromised devices.

Detection logic


| tstats `security_content_summariesonly` count values(All_Changes.command) as command min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where ( (All_Changes.command="*snmp-server community*rw*") OR (All_Changes.command="*snmp-server community*ro*") OR (All_Changes.command="*snmp-server host*") ) by All_Changes.dvc All_Changes.user 
| `drop_dm_object_name("All_Changes")` 
| rename dvc as dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `cisco_snmp_community_string_configuration_changes_filter`