Cisco IOS XE WebUI Login From IOSd Local Port
- source: splunk
- techniques:
Description
This analytic detects Cisco IOS-XE WebUI authentication failure and success logs that include local port 21111. This is a strong indicator of WebUI exploitation because normal users should not authenticate through the underlying IOS-XE Linux shell path.
Detection logic
`cisco_ios`
facility="SEC_LOGIN"
mnemonic IN ("QUIET_MODE_ON", "LOGIN_SUCCESS", "LOGIN_FAILED")
message_text="*[localport: 21111]*"
| rex field=_raw "\[user:\s*(?<user>[^\]]+)\]"
| rex field=_raw "\[Source:\s*(?<src_ip>[^\]]+)\]"
| rex field=_raw "\[localport:\s*(?<local_port>[^\]]+)\]"
| rex field=_raw "\[Reason:\s*(?<reason>[^\]]+)\]"
| rex field=_raw "\[ACL:\s*(?<acl>[^\]]+)\]"
| eval dest=coalesce(host, dvc, dest, "unknown")
| stats count min(_time) as firstTime
max(_time) as lastTime
values(local_port) as local_port
values(acl) as acl
by dest user src_ip reason
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_ios_xe_webui_login_from_iosd_local_port_filter`
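The same field extraction, port filter and grouping, run offline over a few constructed SEC_LOGIN syslog lines so the logic can be checked without a Splunk instance. This is an added example, not part of the Splunk rule; the hostnames, users and addresses are made up.

```python
import re
from collections import defaultdict

# Constructed IOS-XE syslog samples (hostnames, users and addresses are made up):
# one normal SSH login, two logins via local port 21111, one unrelated message.
SAMPLE_LOGS = [
    ("rtr-edge-1", "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] "
                   "[Source: 10.1.1.25] [localport: 22] at 09:01:12 UTC Mon Oct 16 2023"),
    ("rtr-edge-1", "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.9] "
                   "[localport: 21111] [Reason: Login Authentication Failed] at 09:02:30 UTC Mon Oct 16 2023"),
    ("rtr-edge-1", "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: webadmin] "
                   "[Source: 203.0.113.9] [localport: 21111] at 09:02:45 UTC Mon Oct 16 2023"),
    ("rtr-edge-2", "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.25)"),
]

MNEMONICS = {"QUIET_MODE_ON", "LOGIN_SUCCESS", "LOGIN_FAILED"}
HEADER_RE = re.compile(r"%(?P<facility>[A-Z_]+)-\d-(?P<mnemonic>[A-Z_]+):")
# The same bracketed fields the search pulls out with rex.
FIELD_RE = {
    "user": re.compile(r"\[user:\s*([^\]]+)\]"),
    "src_ip": re.compile(r"\[Source:\s*([^\]]+)\]"),
    "local_port": re.compile(r"\[localport:\s*([^\]]+)\]"),
    "reason": re.compile(r"\[Reason:\s*([^\]]+)\]"),
    "acl": re.compile(r"\[ACL:\s*([^\]]+)\]"),
}

def parse_event(raw):
    """Extract fields from a SEC_LOGIN event with a watched mnemonic; None otherwise."""
    m = HEADER_RE.search(raw)
    if not m or m["facility"] != "SEC_LOGIN" or m["mnemonic"] not in MNEMONICS:
        return None
    fields = {"mnemonic": m["mnemonic"]}
    for name, rx in FIELD_RE.items():
        fields[name] = hit.group(1) if (hit := rx.search(raw)) else None
    return fields

def detect(events):
    """Keep port-21111 logins and aggregate like the search's stats ... by clause."""
    groups = defaultdict(lambda: {"count": 0, "local_port": set(), "acl": set()})
    for host, raw in events:
        ev = parse_event(raw)
        if ev is None or ev["local_port"] != "21111":
            continue
        # host or "unknown" mirrors eval dest=coalesce(host, dvc, dest, "unknown")
        g = groups[(host or "unknown", ev["user"], ev["src_ip"], ev["reason"])]
        g["count"] += 1
        g["local_port"].add(ev["local_port"])
        if ev["acl"]:
            g["acl"].add(ev["acl"])
    return dict(groups)
```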