network scanning or testing tools that probe cisco smart install endpoints may trigger similar signatures. validate against maintenance windows or approved security assessments.

Techniques

Sample rules

Cisco Secure Firewall - Static Tundra Smart Install Abuse

source: splunk
technicques:
- T1190
- T1210
- T1499

Description

This analytic detects activity associated with “Static Tundra” threat actor abuse of the Cisco Smart Install (SMI) protocol using Cisco Secure Firewall Intrusion Events. It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify occurrences of Smart Install exploitation and protocol abuse, including denial-of-service and buffer overflow attempts. The detection triggers when multiple Cisco Smart Install-related Snort signatures are observed in a short period from the same source, which is indicative of active exploitation or reconnaissance against Cisco devices that expose SMI.

Detection logic

`cisco_secure_firewall` EventType=IntrusionEvent signature_id IN (46468, 46096, 41722, 41723, 41724, 41725)

| bin _time span=15m

| fillnull

| stats dc(signature_id) as unique_signature_count
        values(signature_id) as signature_id
        values(signature) as signature
        values(class_desc) as class_desc
        values(MitreAttackGroups) as MitreAttackGroups
        values(InlineResult) as InlineResult
        values(InlineResultReason) as InlineResultReason
        values(dest) as dest
        values(dest_port) as dest_port
        values(rule) as rule
        values(transport) as transport
        values(app) as app
        min(_time) as firstTime
        max(_time) as lastTime
        by src

| where unique_signature_count >= 2

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `cisco_secure_firewall___static_tundra_smart_install_abuse_filter`