Techniques
Sample rules
Cisco Privileged Account Creation with HTTP Command Execution
- source: splunk
- techniques:
- T1021.004
- T1136
- T1078
Description
This analytic correlates risk events between privileged account creation on Cisco IOS devices and HTTP requests to privileged execution paths such as /level/15/exec/-/*.
APT actors have been observed creating privileged accounts and then running commands on routers via HTTP GET or POST requests that target privileged execution paths.
These requests allow attackers to execute commands with the highest privilege level (15) on Cisco devices without requiring interactive SSH access.
This correlation identifies when both the “Cisco IOS Suspicious Privileged Account Creation” analytic and the Snort-based “Privileged Command Execution via HTTP” detection produce risk events for the same network device, i.e. the same normalized risk object.
Together they indicate an attacker leveraging the newly created account to execute commands remotely via HTTP. Because the join key is the risk object, both upstream detections must attribute risk to the same identifier for the device (for example the same hostname or management IP); if one emits an IP and the other a hostname, the two rows never meet and the correlation will not fire.
Detection logic
| tstats `security_content_summariesonly`
min(_time) as firstTime
max(_time) as lastTime
sum(All_Risk.calculated_risk_score) as risk_score
count(All_Risk.calculated_risk_score) as risk_event_count
values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id
dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count
values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id
dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count
values(All_Risk.tag) as tag
values(source) as source
dc(source) as source_count
values(contributing_events_search)
values(All_Risk.threat_object)
from datamodel=Risk.All_Risk where
source IN (
"*Cisco IOS Suspicious Privileged Account Creation*",
"*Cisco Secure Firewall - Privileged Command Execution via HTTP*"
)
by All_Risk.normalized_risk_object
| `drop_dm_object_name(All_Risk)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where source_count >= 2
| `cisco_privileged_account_creation_with_http_command_execution_filter`
Cisco Secure Firewall - SSH Connection to Non-Standard Port
- source: splunk
- techniques:
- T1021.004
Description
This analytic detects inbound SSH connections to non-standard ports on network devices using Cisco Secure Firewall Intrusion Events. APT actors have been observed enabling SSH servers on high, non-default TCP ports to maintain encrypted remote access to compromised network infrastructure. This detection leverages Snort signature 65369 to identify SSH protocol traffic on unusual ports, which may indicate persistence mechanisms or backdoor access established by threat actors.
Detection logic
`cisco_secure_firewall`
EventType=IntrusionEvent
signature_id=65369
| fillnull
| stats dc(signature_id) as unique_signature_count
values(signature_id) as signature_id
values(signature) as signature
values(class_desc) as class_desc
values(MitreAttackGroups) as MitreAttackGroups
values(InlineResult) as InlineResult
values(InlineResultReason) as InlineResultReason
values(src) as src
values(dest_port) as dest_port
values(rule) as rule
values(transport) as transport
values(app) as app
min(_time) as firstTime
max(_time) as lastTime
by dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___ssh_connection_to_non_standard_port_filter`
Cisco Privileged Account Creation with Suspicious SSH Activity
- source: splunk
- techniques:
- T1021.004
- T1136
- T1078
Description
This analytic correlates risk events to detect privileged account creation on Cisco IOS devices accompanied by inbound SSH connections to non-standard ports or to sshd_operns. It identifies when both “Cisco IOS Suspicious Privileged Account Creation” and at least one of the SSH-related Snort detections (“SSH Connection to sshd_operns” or “SSH Connection to Non-Standard Port”) fire for the same network device (the same normalized risk object). This behavior is highly indicative of persistence establishment following initial compromise. Note that the search requires only that both kinds of risk event exist within the search window; it does not check that the SSH activity occurred after the account creation, so review firstTime and lastTime on the contributing events when triaging.
Detection logic
| tstats `security_content_summariesonly`
min(_time) as firstTime
max(_time) as lastTime
sum(All_Risk.calculated_risk_score) as risk_score
count(All_Risk.calculated_risk_score) as risk_event_count
values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id
dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count
values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id
dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count
values(All_Risk.tag) as tag
values(source) as source
dc(source) as source_count
values(contributing_events_search)
values(All_Risk.threat_object)
from datamodel=Risk.All_Risk where
source IN (
"*Cisco IOS Suspicious Privileged Account Creation*",
"*Cisco Secure Firewall - SSH Connection to sshd_operns*",
"*Cisco Secure Firewall - SSH Connection to Non-Standard Port*"
)
by All_Risk.normalized_risk_object
| `drop_dm_object_name(All_Risk)`
| eval has_account_creation=if(
match(source, "Cisco IOS Suspicious Privileged Account Creation"),
1, 0
)
| eval has_ssh_detection=if(
match(source, "SSH Connection to sshd_operns")
OR
match(source, "SSH Connection to Non-Standard Port"),
1, 0
)
| where has_account_creation=1
AND
has_ssh_detection=1
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_privileged_account_creation_with_suspicious_ssh_activity_filter`
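Both correlation searches on this page (this one and the HTTP command execution variant above) reduce to the same operation: select Risk.All_Risk rows whose source matches a wildcard pattern, fold them per normalized_risk_object, then require that both halves of the pair fired. The Python below is an added example, not Splunk's or ESCU's code, that models that logic over a constructed list of risk events; the "ESCU - ... - Rule" source names, scores and timestamps are assumptions. It also shows why the HTTP variant can get away with dc(source) >= 2 while the SSH variant needs the explicit has_account_creation / has_ssh_detection flags.

```python
"""Stand-alone model of the two Risk-datamodel correlation searches on this
page. Added example, not Splunk's code. Input is a constructed list of risk
events shaped like Risk.All_Risk rows; the upstream detections that would
normally write these rows are assumed to have already fired."""
from fnmatch import fnmatch

ACCOUNT_CREATION = "Cisco IOS Suspicious Privileged Account Creation"
HTTP_EXEC = "Cisco Secure Firewall - Privileged Command Execution via HTTP"
SSH_OPERNS = "Cisco Secure Firewall - SSH Connection to sshd_operns"
SSH_NONSTD = "Cisco Secure Firewall - SSH Connection to Non-Standard Port"

# Constructed risk events (not real Splunk output; the "ESCU - ... - Rule"
# naming is an assumption). rtr-edge-01 has account creation followed by SSH
# and HTTP detections; rtr-core-02 has two account-creation events only.
RISK_EVENTS = [
    {"_time": 1700000000, "normalized_risk_object": "rtr-edge-01",
     "source": f"ESCU - {ACCOUNT_CREATION} - Rule", "calculated_risk_score": 40,
     "mitre_technique_id": ["T1136"]},
    {"_time": 1700000300, "normalized_risk_object": "rtr-edge-01",
     "source": f"ESCU - {SSH_NONSTD} - Rule", "calculated_risk_score": 25,
     "mitre_technique_id": ["T1021.004"]},
    {"_time": 1700000600, "normalized_risk_object": "rtr-edge-01",
     "source": f"ESCU - {HTTP_EXEC} - Rule", "calculated_risk_score": 50,
     "mitre_technique_id": ["T1059", "T1505.003"]},
    {"_time": 1700001000, "normalized_risk_object": "rtr-core-02",
     "source": f"ESCU - {ACCOUNT_CREATION} - Rule", "calculated_risk_score": 40,
     "mitre_technique_id": ["T1136"]},
    {"_time": 1700001200, "normalized_risk_object": "rtr-core-02",
     "source": f"ESCU - {ACCOUNT_CREATION} - Rule", "calculated_risk_score": 40,
     "mitre_technique_id": ["T1136"]},
]


def aggregate_by_risk_object(events, source_patterns):
    """Model of `tstats ... from datamodel=Risk.All_Risk where source IN (...)
    by All_Risk.normalized_risk_object`. Patterns use SPL-style * wildcards."""
    rows = {}
    for ev in events:
        if not any(fnmatch(ev["source"], p) for p in source_patterns):
            continue
        row = rows.setdefault(ev["normalized_risk_object"], {
            "firstTime": ev["_time"], "lastTime": ev["_time"], "risk_score": 0,
            "risk_event_count": 0, "source": set(), "mitre_technique_id": set()})
        row["firstTime"] = min(row["firstTime"], ev["_time"])   # min(_time)
        row["lastTime"] = max(row["lastTime"], ev["_time"])     # max(_time)
        row["risk_score"] += ev["calculated_risk_score"]        # sum(...)
        row["risk_event_count"] += 1                            # count(...)
        row["source"].add(ev["source"])                         # values(source)
        row["mitre_technique_id"].update(ev["mitre_technique_id"])
    for row in rows.values():
        row["source_count"] = len(row["source"])                # dc(source)
        row["mitre_technique_id_count"] = len(row["mitre_technique_id"])
    return rows


def privileged_account_with_http_exec(events):
    """First correlation: only two sources are selected, so dc(source) >= 2
    can only be satisfied when both detections fired for the object. Two
    account-creation events from the same source give source_count = 1."""
    rows = aggregate_by_risk_object(events, [f"*{ACCOUNT_CREATION}*", f"*{HTTP_EXEC}*"])
    return {obj: r for obj, r in rows.items() if r["source_count"] >= 2}


def privileged_account_with_ssh(events):
    """Second correlation: three sources are selected, so dc(source) >= 2 would
    also match two SSH detections with no account creation. The search therefore
    flags each side explicitly, mirroring the eval/match pair in the SPL."""
    rows = aggregate_by_risk_object(
        events, [f"*{ACCOUNT_CREATION}*", f"*{SSH_OPERNS}*", f"*{SSH_NONSTD}*"])
    out = {}
    for obj, r in rows.items():
        has_account_creation = any(ACCOUNT_CREATION in s for s in r["source"])
        has_ssh_detection = any("SSH Connection to sshd_operns" in s
                                or "SSH Connection to Non-Standard Port" in s
                                for s in r["source"])
        if has_account_creation and has_ssh_detection:
            out[obj] = r
    return out


if __name__ == "__main__":
    for name, fn in [("HTTP command execution", privileged_account_with_http_exec),
                     ("suspicious SSH activity", privileged_account_with_ssh)]:
        for obj, r in fn(RISK_EVENTS).items():
            print(f"{name}: {obj} risk_score={r['risk_score']} "
                  f"sources={sorted(r['source'])} "
                  f"techniques={sorted(r['mitre_technique_id'])}")
```

Run as-is, only rtr-edge-01 fires for either rule. rtr-core-02 is the instructive negative: it has two risk events, but both come from the same source, so dc(source) stays at 1 and neither rule matches; a plain count(...) threshold would have flagged it.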
Cisco Secure Firewall - Privileged Command Execution via HTTP
- source: splunk
- techniques:
- T1059
- T1505.003
Description
This analytic detects HTTP requests to privileged execution paths on Cisco routers, specifically targeting the /level/15/exec/-/* endpoint using Cisco Secure Firewall Intrusion Events.
This detection leverages Snort signature 65370 to identify requests to these sensitive endpoints, which when combined with other indicators may signal active exploitation or post-compromise activity.
Detection logic
`cisco_secure_firewall`
EventType=IntrusionEvent
signature_id=65370
| fillnull
| stats dc(signature_id) as unique_signature_count
values(signature_id) as signature_id
values(signature) as signature
values(class_desc) as class_desc
values(MitreAttackGroups) as MitreAttackGroups
values(InlineResult) as InlineResult
values(InlineResultReason) as InlineResultReason
values(src) as src
values(dest_port) as dest_port
values(rule) as rule
values(transport) as transport
values(app) as app
min(_time) as firstTime
max(_time) as lastTime
by dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___privileged_command_execution_via_http_filter`
Cisco Secure Firewall - SSH Connection to sshd_operns
- source: splunk
- techniques:
- T1021.004
Description
This analytic detects inbound SSH connections to the sshd_operns service on network devices using Cisco Secure Firewall Intrusion Events. APT actors have been observed enabling sshd_operns and opening it on non-standard ports to maintain encrypted remote access to compromised network infrastructure. This detection leverages Snort signature 65368 to identify connections to this service, which when combined with other indicators may signal persistent access mechanisms established by threat actors.
Detection logic
`cisco_secure_firewall`
EventType=IntrusionEvent
signature_id=65368
| fillnull
| stats dc(signature_id) as unique_signature_count
values(signature_id) as signature_id
values(signature) as signature
values(class_desc) as class_desc
values(MitreAttackGroups) as MitreAttackGroups
values(InlineResult) as InlineResult
values(InlineResultReason) as InlineResultReason
values(src) as src
values(dest_port) as dest_port
values(rule) as rule
values(transport) as transport
values(app) as app
min(_time) as firstTime
max(_time) as lastTime
by dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___ssh_connection_to_sshd_operns_filter`
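The three single-signature detections on this page (65368 here, 65369 and 65370 above) share one shape: restrict `cisco_secure_firewall` intrusion events to one signature_id, fillnull, then stats by dest. The Python below is an added example, not Splunk's or Cisco's code, that runs that logic over constructed intrusion events whose field names follow the SPL; the signature text, addresses and ports are placeholders, and Cisco Secure Firewall field extraction is assumed to have already produced those fields.

```python
"""Stand-alone model of the per-signature Snort detections on this page
(65368, 65369, 65370). Added example; not Splunk's or Cisco's code."""
from collections import defaultdict

FILLNULL_VALUE = "0"  # `fillnull` with no argument replaces missing fields with 0
VALUE_FIELDS = ["signature_id", "signature", "class_desc", "MitreAttackGroups",
                "InlineResult", "InlineResultReason", "src", "dest_port",
                "rule", "transport", "app"]

# Constructed intrusion events (not real Cisco Secure Firewall output). Field
# names follow the SPL above; signature strings are placeholders. Some fields
# are deliberately missing so the fillnull step has something to do.
EVENTS = [
    {"_time": 1700000001, "EventType": "IntrusionEvent", "signature_id": "65369",
     "signature": "SSH on non-standard port (constructed)", "src": "203.0.113.5",
     "dest": "10.10.1.1", "dest_port": "2222", "transport": "tcp", "app": "SSH",
     "InlineResult": "Would have dropped", "InlineResultReason": "Passive mode"},
    {"_time": 1700000002, "EventType": "IntrusionEvent", "signature_id": "65369",
     "signature": "SSH on non-standard port (constructed)", "src": "198.51.100.7",
     "dest": "10.10.1.1", "dest_port": "31337", "transport": "tcp", "app": "SSH",
     "InlineResult": "Would have dropped", "InlineResultReason": "Passive mode"},
    {"_time": 1700000003, "EventType": "IntrusionEvent", "signature_id": "65368",
     "signature": "SSH to sshd_operns (constructed)", "src": "203.0.113.5",
     "dest": "10.10.1.1", "dest_port": "2222", "transport": "tcp", "app": "SSH"},
    {"_time": 1700000004, "EventType": "IntrusionEvent", "signature_id": "65370",
     "signature": "HTTP /level/15/exec/ request (constructed)", "src": "203.0.113.5",
     "dest": "10.10.1.2", "dest_port": "80", "transport": "tcp", "app": "HTTP",
     "InlineResult": "Dropped", "InlineResultReason": "Inline mode"},
    # Constructed noise: an unrelated signature, and a non-intrusion event
    # that carries a matching signature_id, to exercise the EventType filter.
    {"_time": 1700000005, "EventType": "IntrusionEvent", "signature_id": "1000001",
     "signature": "unrelated (constructed)", "src": "192.0.2.9", "dest": "10.10.1.2",
     "dest_port": "22", "transport": "tcp", "app": "SSH"},
    {"_time": 1700000006, "EventType": "ConnectionEvent", "signature_id": "65369",
     "src": "192.0.2.9", "dest": "10.10.1.3", "dest_port": "2222", "transport": "tcp"},
]


def detect_signature(events, signature_id):
    """Model of `cisco_secure_firewall` EventType=IntrusionEvent signature_id=N
    | fillnull | stats ... by dest. Returns {dest: aggregated row}."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("EventType") != "IntrusionEvent":
            continue
        if str(ev.get("signature_id")) != str(signature_id):
            continue
        # fillnull: every referenced field that is absent becomes "0"
        filled = {f: str(ev.get(f, FILLNULL_VALUE)) for f in VALUE_FIELDS}
        filled["_time"] = ev["_time"]
        groups[ev["dest"]].append(filled)

    rows = {}
    for dest, evs in groups.items():
        row = {"dest": dest,
               "unique_signature_count": len({e["signature_id"] for e in evs}),
               "firstTime": min(e["_time"] for e in evs),
               "lastTime": max(e["_time"] for e in evs)}
        for f in VALUE_FIELDS:
            row[f] = sorted({e[f] for e in evs})  # values(): distinct, sorted
        rows[dest] = row
    return rows


def run_all(events):
    """The three signature detections on this page, keyed by rule name."""
    return {
        "SSH Connection to sshd_operns": detect_signature(events, 65368),
        "SSH Connection to Non-Standard Port": detect_signature(events, 65369),
        "Privileged Command Execution via HTTP": detect_signature(events, 65370),
    }


if __name__ == "__main__":
    for name, hits in run_all(EVENTS).items():
        for dest, row in hits.items():
            print(f"{name}: dest={dest} src={row['src']} dest_port={row['dest_port']} "
                  f"InlineResult={row['InlineResult']} "
                  f"first={row['firstTime']} last={row['lastTime']}")
```

Two things the SPL does quietly are visible here: values() collapses every source address and port seen against a device into one row per dest, so a single alert can summarise several operator hosts, and fillnull turns fields the event never carried (MitreAttackGroups, or InlineResult on a passive sensor) into the literal "0", which is worth remembering before filtering on those fields downstream.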