LoFP / Network scanning or testing tools that probe Cisco Smart Install endpoints may trigger similar signatures. Validate against maintenance windows or approved security assessments.

Techniques

Sample rules

Cisco Secure Firewall - Static Tundra Smart Install Abuse

Description

This analytic detects activity associated with “Static Tundra” threat actor abuse of the Cisco Smart Install (SMI) protocol using Cisco Secure Firewall Intrusion Events. It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify occurrences of Smart Install exploitation and protocol abuse, including denial-of-service and buffer overflow attempts. The detection triggers when multiple Cisco Smart Install-related Snort signatures are observed in a short period from the same source, which is indicative of active exploitation or reconnaissance against Cisco devices that expose SMI.

Detection logic

`cisco_secure_firewall` EventType=IntrusionEvent signature_id IN (46468, 46096, 41722, 41723, 41724, 41725)
| bin _time span=15m
| fillnull
| stats dc(signature_id) as unique_signature_count
        values(signature_id) as signature_id
        values(signature) as signature
        values(class_desc) as class_desc
        values(MitreAttackGroups) as MitreAttackGroups
        values(InlineResult) as InlineResult
        values(InlineResultReason) as InlineResultReason
        values(dest_ip) as dest_ip
        values(dest_port) as dest_port
        values(rule) as rule
        values(transport) as transport
        values(app) as app
        min(_time) as firstTime
        max(_time) as lastTime
        by src_ip
| where unique_signature_count >= 2
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___static_tundra_smart_install_abuse_filter`
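The same correlation as runnable Python over constructed records, added here as an example and not part of the rule or of Splunk's content: it buckets IntrusionEvent records into the rule's 15-minute windows per src_ip, counts distinct SMI signature IDs, and takes an allowlist that plays the role of the filter macro for the approved assessment sources the false-positive note mentions. Field names mirror the SPL; the IPs and timestamps are made up.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Snort signature IDs the rule treats as Cisco Smart Install related.
SMI_SIGNATURE_IDS = {46468, 46096, 41722, 41723, 41724, 41725}
WINDOW_SECONDS = 15 * 60  # the rule's "bin _time span=15m"

# Constructed sample IntrusionEvent records (made-up IPs and times, not real telemetry).
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T10:01:00", "EventType": "IntrusionEvent", "signature_id": 41722, "src_ip": "203.0.113.10", "dest_ip": "192.0.2.5"},
    {"_time": "2024-05-01T10:07:30", "EventType": "IntrusionEvent", "signature_id": 41723, "src_ip": "203.0.113.10", "dest_ip": "192.0.2.5"},
    {"_time": "2024-05-01T10:03:00", "EventType": "IntrusionEvent", "signature_id": 46468, "src_ip": "203.0.113.20", "dest_ip": "192.0.2.6"},
    {"_time": "2024-05-01T10:40:00", "EventType": "IntrusionEvent", "signature_id": 46096, "src_ip": "203.0.113.20", "dest_ip": "192.0.2.6"},
    {"_time": "2024-05-01T10:05:00", "EventType": "IntrusionEvent", "signature_id": 41724, "src_ip": "198.51.100.7", "dest_ip": "192.0.2.5"},
    {"_time": "2024-05-01T10:06:00", "EventType": "IntrusionEvent", "signature_id": 41725, "src_ip": "198.51.100.7", "dest_ip": "192.0.2.5"},
    {"_time": "2024-05-01T10:08:00", "EventType": "ConnectionEvent", "signature_id": 46468, "src_ip": "203.0.113.20", "dest_ip": "192.0.2.6"},
]


def detect_smi_abuse(events, allowlist=frozenset(), min_unique=2):
    """Return sources that hit >= min_unique distinct SMI signatures inside one
    15-minute window; `allowlist` stands in for the rule's filter macro."""
    windows = defaultdict(lambda: {"sigs": set(), "dests": set(), "times": []})
    for ev in events:
        # Only IntrusionEvent records carrying one of the SMI signature IDs count.
        if ev.get("EventType") != "IntrusionEvent":
            continue
        if ev.get("signature_id") not in SMI_SIGNATURE_IDS:
            continue
        ts = datetime.fromisoformat(ev["_time"]).replace(tzinfo=timezone.utc).timestamp()
        key = (ev["src_ip"], int(ts // WINDOW_SECONDS) * WINDOW_SECONDS)  # src_ip + 15m bin
        windows[key]["sigs"].add(ev["signature_id"])
        windows[key]["dests"].add(ev["dest_ip"])
        windows[key]["times"].append(ts)
    findings = []
    for (src_ip, window_start), w in sorted(windows.items()):
        # dc(signature_id) >= 2, then drop sources covered by the allowlist (filter macro).
        if len(w["sigs"]) < min_unique or src_ip in allowlist:
            continue
        findings.append({
            "src_ip": src_ip,
            "window_start": datetime.fromtimestamp(window_start, timezone.utc).isoformat(),
            "unique_signature_count": len(w["sigs"]),
            "signature_id": sorted(w["sigs"]),
            "dest_ip": sorted(w["dests"]),
            "firstTime": datetime.fromtimestamp(min(w["times"]), timezone.utc).isoformat(),
            "lastTime": datetime.fromtimestamp(max(w["times"]), timezone.utc).isoformat(),
        })
    return findings
```

Run against the sample, 203.0.113.20 never fires because its two signatures fall in different windows, and 198.51.100.7 fires only until it is placed on the allowlist.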