this search will also report any legitimate attempts of software downloads to network devices as well as outbound ssh sessions from network devices.

Techniques

Sample rules

Detect Software Download To Network Device

source: splunk
technicques:
- T1542.005
- T1542

Description

Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.transport=udp AND All_Traffic.dest_port=69) OR (All_Traffic.transport=tcp AND All_Traffic.dest_port=21) OR (All_Traffic.transport=tcp AND All_Traffic.dest_port=22) AND All_Traffic.dest_category!=common_software_repo_destination AND All_Traffic.src_category=network OR All_Traffic.src_category=router OR All_Traffic.src_category=switch by All_Traffic.src All_Traffic.dest All_Traffic.dest_port 
| `drop_dm_object_name("All_Traffic")` 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `detect_software_download_to_network_device_filter`