Legitimate use of Cisco Smart Install generates traffic to TCP port 4786 in environments that actively use the feature for switch deployment and management. Network administrators may use Smart Install for device configuration, especially during network rollouts or maintenance windows. To reduce false positives, baseline normal Smart Install usage in your environment and consider time-based filtering so that alerts fire only on usage outside scheduled maintenance periods. Additionally, consider allowlisting known management stations that legitimately use Smart Install. Where the feature is not needed at all, disabling it on the device (Cisco's `no vstack` command) removes both the traffic and the exposure, so any remaining connections to port 4786 become unambiguous.

Techniques

Sample rules

Cisco Smart Install Port Discovery and Status

Description

This analytic detects network traffic to TCP port 4786, the port used by the Cisco Smart Install protocol. Smart Install is a plug-and-play configuration and image-management feature that helps customers deploy Cisco switches. The protocol has been exploited via CVE-2018-0171, a vulnerability that allows an unauthenticated, remote attacker to execute arbitrary code or force a device reload (denial of service). Recently, Cisco Talos reported that a Russian state-sponsored threat actor it calls "Static Tundra" has been actively exploiting this vulnerability to compromise unpatched and end-of-life network devices. Monitoring for traffic to this port can help identify exploitation attempts or unauthorized Smart Install activity, since any source other than a known management station has no business reaching it.

Detection logic


| tstats `security_content_summariesonly` count values(All_Traffic.src_ip) as src_ip values(All_Traffic.src_port) as src_port values(All_Traffic.dest_ip) as dest_ip earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.dest_port=4786 AND All_Traffic.transport=tcp by All_Traffic.dest_ip All_Traffic.dest_port 
| `drop_dm_object_name("All_Traffic")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `cisco_smart_install_port_discovery_and_status_filter`
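The following is an added example, not part of the original rule or of the Splunk Security Content project: it re-implements the search above in plain Python over a handful of constructed flow records so the aggregation and the false-positive tuning described at the top of the page can be exercised offline. The field names mirror the Network_Traffic data model; the management-station allowlist, the 01:00-04:00 maintenance window, and the sample IPs and timestamps are all assumptions made for the example. It suppresses an event only when the source is a known station and the time falls inside the window, which is stricter than either tuning alone.

```python
"""Added example: the TCP/4786 detection above, re-implemented over constructed
flow records. Not Splunk code and not part of the original rule."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample records carrying the Network_Traffic fields the search uses.
SAMPLE_FLOWS = [
    # Known management station pushing config inside the 01:00-04:00 window.
    {"_time": "2025-08-20T02:10:00", "src_ip": "10.0.50.5", "src_port": 51000,
     "dest_ip": "10.0.1.10", "dest_port": 4786, "transport": "tcp"},
    {"_time": "2025-08-20T02:11:30", "src_ip": "10.0.50.5", "src_port": 51002,
     "dest_ip": "10.0.1.11", "dest_port": 4786, "transport": "tcp"},
    # Unknown host touching a switch at 14:03, outside any maintenance window.
    {"_time": "2025-08-20T14:03:12", "src_ip": "198.51.100.77", "src_port": 40211,
     "dest_ip": "10.0.1.10", "dest_port": 4786, "transport": "tcp"},
    {"_time": "2025-08-20T14:03:15", "src_ip": "198.51.100.77", "src_port": 40212,
     "dest_ip": "10.0.1.10", "dest_port": 4786, "transport": "tcp"},
    # Noise the where clause must drop: UDP to 4786, and TCP to another port.
    {"_time": "2025-08-20T14:05:00", "src_ip": "198.51.100.77", "src_port": 40213,
     "dest_ip": "10.0.1.10", "dest_port": 4786, "transport": "udp"},
    {"_time": "2025-08-20T14:06:00", "src_ip": "198.51.100.77", "src_port": 40214,
     "dest_ip": "10.0.1.10", "dest_port": 22, "transport": "tcp"},
]

# Tuning values are assumptions for this example; baseline your own environment.
KNOWN_MANAGEMENT_STATIONS = frozenset({"10.0.50.5"})
MAINTENANCE_WINDOW = ("01:00", "04:00")  # ("HH:MM", "HH:MM"), same clock as _time


def in_maintenance_window(ts, window):
    """Start is inclusive, end is exclusive; the window may wrap past midnight."""
    t = datetime.fromisoformat(ts).time()
    start, end = (time.fromisoformat(w) for w in window)
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def smart_install_port_discovery(flows, allowlist=frozenset(), window=None):
    """Equivalent of the tstats search: keep dest_port=4786 AND transport=tcp,
    then aggregate count, values(src_ip), values(src_port), earliest and latest
    _time by (dest_ip, dest_port). Events from an allowlisted station that also
    fall inside the maintenance window are treated as legitimate and skipped."""
    agg = defaultdict(lambda: {"count": 0, "src_ip": set(), "src_port": set(),
                               "firstTime": None, "lastTime": None})
    for f in flows:
        if f["dest_port"] != 4786 or f["transport"].lower() != "tcp":
            continue
        if f["src_ip"] in allowlist and (
                window is None or in_maintenance_window(f["_time"], window)):
            continue  # scheduled, known Smart Install use: not worth an alert
        row = agg[(f["dest_ip"], f["dest_port"])]
        row["count"] += 1
        row["src_ip"].add(f["src_ip"])
        row["src_port"].add(f["src_port"])
        # ISO-8601 strings of equal precision order correctly as plain strings.
        row["firstTime"] = f["_time"] if row["firstTime"] is None else min(row["firstTime"], f["_time"])
        row["lastTime"] = f["_time"] if row["lastTime"] is None else max(row["lastTime"], f["_time"])
    return {k: {**v, "src_ip": sorted(v["src_ip"]), "src_port": sorted(v["src_port"])}
            for k, v in agg.items()}


if __name__ == "__main__":
    print("untuned:", smart_install_port_discovery(SAMPLE_FLOWS))
    print("tuned:  ", smart_install_port_discovery(
        SAMPLE_FLOWS, KNOWN_MANAGEMENT_STATIONS, MAINTENANCE_WINDOW))
```

Untuned, the search reports both switches, and the legitimate director shows up as a source alongside the unknown host; with the allowlist and window applied, only the 14:03 connections from 198.51.100.77 to 10.0.1.10 remain. In Splunk the same suppression belongs in the `cisco_smart_install_port_discovery_and_status_filter` macro at the end of the search, which is what that macro exists for, or as extra conditions in the `where` clause if you would rather exclude events before aggregation.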