Techniques
Sample rules
Cisco IOS XE Remote Access Probe Burst
- source: splunk
- techniques:
Description
This analytic detects bursts of ping, SSH, and Telnet commands issued from Cisco IOS or NX-OS devices. The Salt Typhoon notes describe repeated SSH, Telnet-to-port-22, and ping activity across multiple IP addresses in a short time window.
Detection logic
`cisco_ios`
facility IN ("AAA", "HA_EM")
mnemonic IN ("AAA_ACCOUNTING_MESSAGE", "LOG")
message_text IN ("*ssh *", "*telnet *", "*ping *")
| rex field=message_text "^\w+:(?<aaa_src>[^:@]+)(?:@[^:]*)?:(?<aaa_user>[^:]*):(?<aaa_command>.*?)(?:\s+\((?<aaa_result>SUCCESS|FAILURE)\))?$"
| rex field=message_text "^(?:[^:]+:\s+)?(?:catchall:\s+)?(?<eem_command>.+?)\s*$"
| eval command=lower(trim(coalesce(aaa_command, eem_command, "")))
| where match(command, "^(ssh|telnet|ping)\s+")
| rex field=command "(?i)^(?:ssh(?:\s+-l\s+\S+)?|telnet|ping)\s+(?<target_ip>\d{1,3}(?:\.\d{1,3}){3})"
| eval command_type=case(match(command, "^ssh\s+"), "ssh", match(command, "^telnet\s+"), "telnet", match(command, "^ping\s+"), "ping")
| eval user=coalesce(aaa_user, user, "unknown")
| eval src_ip=coalesce(aaa_src, src_ip, "unknown")
| eval dest=coalesce(host, dvc, dest, "unknown")
| bin _time span=10m
| stats count as command_count
    min(_time) as firstTime
    max(_time) as lastTime
    dc(target_ip) as distinct_targets
    values(target_ip) as target_ips
    values(command_type) as command_types
    values(command) as commands
    by _time dest user src_ip
| where command_count >= 8 OR distinct_targets >= 5
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_ios_xe_remote_access_probe_burst_filter`
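To make the search's stages concrete outside Splunk, the following is an added Python example (not part of the Splunk security content or the original page) that re-implements the same pipeline over a handful of constructed syslog events: the two `rex` extractions, the `coalesce`/`lower`/`trim` normalisation, the ssh/telnet/ping filter, the target-IP extraction, the 10-minute `bin`, and the `stats ... | where count >= 8 OR dc(target_ip) >= 5` burst test. The sample `message_text` values are constructed to fit the search's regexes and are not claimed to be the exact format Cisco IOS emits; the event fields `host`, `user` and `src_ip` are assumed to be present as in the search's `coalesce` fallbacks.

```python
import re
from collections import defaultdict
from datetime import datetime

# The four regexes mirror the rex/match stages of the Splunk search.
# Python's re uses (?P<name>...) where Splunk's PCRE uses (?<name>...).
AAA_RE = re.compile(
    r"^\w+:(?P<aaa_src>[^:@]+)(?:@[^:]*)?:(?P<aaa_user>[^:]*):"
    r"(?P<aaa_command>.*?)(?:\s+\((?P<aaa_result>SUCCESS|FAILURE)\))?$"
)
EEM_RE = re.compile(r"^(?:[^:]+:\s+)?(?:catchall:\s+)?(?P<eem_command>.+?)\s*$")
PROBE_RE = re.compile(r"^(ssh|telnet|ping)\s+")
TARGET_RE = re.compile(
    r"(?i)^(?:ssh(?:\s+-l\s+\S+)?|telnet|ping)\s+(?P<target_ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Window and thresholds taken from the search: span=10m, >= 8 commands or >= 5 distinct targets.
WINDOW_MINUTES = 10
COUNT_THRESHOLD = 8
TARGET_THRESHOLD = 5


def parse_event(event):
    """Normalise one event the way the rex/eval stages do.

    Returns None when the command is not ssh/telnet/ping, mirroring
    `where match(command, "^(ssh|telnet|ping)\\s+")`.
    """
    text = event["message_text"]
    aaa = AAA_RE.match(text)
    eem = EEM_RE.match(text)
    # eval command=lower(trim(coalesce(aaa_command, eem_command, "")))
    raw = aaa.group("aaa_command") if aaa else (eem.group("eem_command") if eem else "")
    command = raw.strip().lower()
    kind = PROBE_RE.match(command)
    if kind is None:
        return None
    target = TARGET_RE.match(command)
    aaa_user = aaa.group("aaa_user") if aaa else None
    aaa_src = aaa.group("aaa_src") if aaa else None
    return {
        "_time": event["_time"],
        "command": command,
        "command_type": kind.group(1),
        "target_ip": target.group("target_ip") if target else None,
        # coalesce(aaa_user, user, "unknown") / coalesce(aaa_src, src_ip, "unknown") / coalesce(host, dvc, dest, "unknown")
        "user": aaa_user or event.get("user") or "unknown",
        "src_ip": aaa_src or event.get("src_ip") or "unknown",
        "dest": event.get("host") or event.get("dvc") or event.get("dest") or "unknown",
    }


def bin_time(ts):
    """Floor a timestamp to the start of its 10-minute bin (bin _time span=10m)."""
    return ts.replace(minute=ts.minute - ts.minute % WINDOW_MINUTES, second=0, microsecond=0)


def find_bursts(events):
    """Group probe commands by (bin, dest, user, src_ip) and return groups over threshold."""
    groups = defaultdict(list)
    for ev in events:
        parsed = parse_event(ev)
        if parsed is None:
            continue
        key = (bin_time(parsed["_time"]), parsed["dest"], parsed["user"], parsed["src_ip"])
        groups[key].append(parsed)

    alerts = []
    for (window, dest, user, src_ip), items in sorted(groups.items()):
        targets = sorted({i["target_ip"] for i in items if i["target_ip"]})  # dc() ignores nulls
        if len(items) >= COUNT_THRESHOLD or len(targets) >= TARGET_THRESHOLD:
            alerts.append({
                "window_start": window, "dest": dest, "user": user, "src_ip": src_ip,
                "command_count": len(items),
                "firstTime": min(i["_time"] for i in items),
                "lastTime": max(i["_time"] for i in items),
                "distinct_targets": len(targets), "target_ips": targets,
                "command_types": sorted({i["command_type"] for i in items}),
            })
    return alerts


def _t(hh, mm, ss=0):
    return datetime(2024, 1, 15, hh, mm, ss)


# Constructed sample events shaped to fit the search's regexes (not real device output).
_AAA = {"host": "edge-rtr-01", "facility": "AAA", "mnemonic": "AAA_ACCOUNTING_MESSAGE"}
SAMPLE_EVENTS = [
    # One account pings six different hosts inside a single 10-minute bin.
    dict(_AAA, _time=_t(9, 1, 5 * i), message_text=f"CMD:10.0.0.5@vty1:admin:ping 10.10.1.{i} (SUCCESS)")
    for i in range(1, 7)
] + [
    # EEM applet log of an SSH hop with a login name; the target IP is still extracted.
    {"_time": _t(9, 3), "host": "edge-rtr-01", "facility": "HA_EM", "mnemonic": "LOG",
     "user": "admin", "src_ip": "10.0.0.5", "message_text": "catchall: ssh -l admin 10.10.1.7"},
    # Routine work by another operator: one non-probe command and one failed ping, no alert.
    dict(_AAA, _time=_t(9, 4), message_text="CMD:10.0.0.9@vty2:netops:show ip interface brief (SUCCESS)"),
    dict(_AAA, _time=_t(9, 5), message_text="CMD:10.0.0.9@vty2:netops:ping 10.10.2.1 (FAILURE)"),
    # Same admin in the next bin: counted separately, so no alert on its own.
    dict(_AAA, _time=_t(9, 12), message_text="CMD:10.0.0.5@vty1:admin:telnet 10.10.1.8 22 (SUCCESS)"),
]

if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_EVENTS):
        print(alert)
```

The admin group in the 09:00 bin fires on `distinct_targets` (7 targets) even though `command_count` is only 7, which is why the search keeps both conditions: a slow sweep across many hosts and a rapid hammering of a few hosts are caught by different halves of the `where`.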