Techniques
Sample rules
Cisco IOS XE VTY Access Class Tampering
- source: splunk
- techniques:
Description
This analytic detects rapid modification of Cisco IOS-XE VTY access-class settings. The Salt Typhoon reporting describes `configure http` activity followed by `line vty` changes and the removal and re-application of an access-class, all within 60 seconds.
Detection logic
`cisco_ios`
    facility IN ("HA_EM", "PARSER")
    mnemonic IN ("LOG", "CFGLOG_LOGGEDCMD")
    message_text IN ("*access-class*", "*configure http*", "*line vty*")
| rex field=message_text "^(?:[^:]+:\s+)?(?:catchall:\s+)?(?<eem_command>.+?)\s*$"
| rex field=message_text "<enteredCommand><cli>(?<parser_command>.*?)</cli>"
| rex field=message_text "<user>(?<parser_user>[^<]+)</user>"
| rex field=message_text "<srcIP>(?<parser_src_ip>[^<]+)</srcIP>"
| eval command=lower(trim(coalesce(parser_command, eem_command, "")))
| eval event_type=case(
      like(command, "configure http%") OR like(command, "ip http secure-server%"), "http_config",
      like(command, "line vty%"), "line_vty",
      like(command, "no access-class%"), "remove_access_class",
      like(command, "access-class%"), "add_access_class",
      true(), null())
| where isnotnull(event_type)
| eval user=coalesce(parser_user, user, "unknown")
| eval src_ip=coalesce(parser_src_ip, src_ip, "unknown")
| eval dest=coalesce(host, dvc, dest, "unknown")
| bin _time span=1m
| stats count min(_time) as firstTime max(_time) as lastTime
        values(event_type) as event_types values(user) as user
        values(src_ip) as src_ip values(command) as commands
        by _time dest
| where mvfind(event_types, "line_vty") >= 0
      AND mvfind(event_types, "remove_access_class") >= 0
      AND mvfind(event_types, "add_access_class") >= 0
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_ios_xe_vty_access_class_tampering_filter`
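The same correlation logic, re-implemented in Python as an added example so it can be run against sample log lines without Splunk. This is not Splunk's code and not part of the rule above; the syslog line layout (ISO timestamp, hostname, `%FACILITY-SEV-MNEMONIC:` header) and the sample events are constructed for illustration, while the field regexes and the event-type ordering mirror the SPL. The benign `router2` lines are there to show what is dropped and what is not correlated.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (not real device output). One EEM "catchall"
# line and several PARSER CFGLOG_LOGGEDCMD lines carrying the <user>, <srcIP>
# and <enteredCommand><cli> elements the SPL extracts.
SAMPLE_LINES = [
    "2024-03-10T12:00:01Z router1 %HA_EM-6-LOG: catchall: configure http",
    "2024-03-10T12:00:20Z router1 %PARSER-5-CFGLOG_LOGGEDCMD: <user>admin</user><srcIP>198.51.100.7</srcIP><enteredCommand><cli>line vty 0 4</cli></enteredCommand>",
    "2024-03-10T12:00:25Z router1 %PARSER-5-CFGLOG_LOGGEDCMD: <user>admin</user><srcIP>198.51.100.7</srcIP><enteredCommand><cli>no access-class 10 in</cli></enteredCommand>",
    "2024-03-10T12:00:40Z router1 %PARSER-5-CFGLOG_LOGGEDCMD: <user>admin</user><srcIP>198.51.100.7</srcIP><enteredCommand><cli>access-class 10 in</cli></enteredCommand>",
    # Benign: a lone access-class change with no line vty / removal in the same minute
    "2024-03-10T12:03:00Z router2 %PARSER-5-CFGLOG_LOGGEDCMD: <user>netops</user><srcIP>10.0.0.5</srcIP><enteredCommand><cli>access-class 20 in</cli></enteredCommand>",
    # Benign: unrelated command, removed by the message_text keyword filter
    "2024-03-10T12:03:10Z router2 %PARSER-5-CFGLOG_LOGGEDCMD: <user>netops</user><srcIP>10.0.0.5</srcIP><enteredCommand><cli>interface GigabitEthernet1</cli></enteredCommand>",
]

# Assumed header layout for the constructed lines; a real cisco_ios sourcetype
# would already expose facility / mnemonic / message_text as fields.
HEADER_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+%(?P<facility>[A-Z_]+)-\d-(?P<mnemonic>[A-Z_]+):\s*(?P<msg>.*)$"
)
# These four mirror the rex expressions in the SPL.
EEM_RE = re.compile(r"^(?:[^:]+:\s+)?(?:catchall:\s+)?(?P<eem_command>.+?)\s*$")
CLI_RE = re.compile(r"<enteredCommand><cli>(?P<cmd>.*?)</cli>")
USER_RE = re.compile(r"<user>(?P<user>[^<]+)</user>")
SRC_RE = re.compile(r"<srcIP>(?P<ip>[^<]+)</srcIP>")

KEYWORDS = ("access-class", "configure http", "line vty")
REQUIRED_TYPES = {"line_vty", "remove_access_class", "add_access_class"}


def classify(command):
    """Map a lowercased CLI command to an event_type; order matches the SPL case()."""
    if command.startswith("configure http") or command.startswith("ip http secure-server"):
        return "http_config"
    if command.startswith("line vty"):
        return "line_vty"
    if command.startswith("no access-class"):  # must be tested before the bare prefix
        return "remove_access_class"
    if command.startswith("access-class"):
        return "add_access_class"
    return None


def parse_event(line):
    """Return a normalised event dict, or None if the line is filtered out."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    if m["facility"] not in ("HA_EM", "PARSER") or m["mnemonic"] not in ("LOG", "CFGLOG_LOGGEDCMD"):
        return None
    msg = m["msg"]
    if not any(k in msg.lower() for k in KEYWORDS):  # message_text wildcard filter
        return None
    cli = CLI_RE.search(msg)
    eem = EEM_RE.match(msg)
    # coalesce(parser_command, eem_command, "") then lower(trim(...))
    command = (cli["cmd"] if cli else eem["eem_command"] if eem else "").strip().lower()
    event_type = classify(command)
    if event_type is None:
        return None
    user = USER_RE.search(msg)
    src = SRC_RE.search(msg)
    return {
        "time": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "dest": m["host"],
        "command": command,
        "event_type": event_type,
        "user": user["user"] if user else "unknown",
        "src_ip": src["ip"] if src else "unknown",
    }


def detect(lines):
    """Bin events per (minute, dest) like `bin _time span=1m | stats ... by _time dest`
    and report buckets that contain line_vty, remove_access_class and add_access_class."""
    buckets = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev:
            minute = ev["time"].replace(second=0, microsecond=0)
            buckets[(minute, ev["dest"])].append(ev)
    findings = []
    for (minute, dest), evs in sorted(buckets.items()):
        types = {e["event_type"] for e in evs}
        if REQUIRED_TYPES <= types:
            findings.append({
                "dest": dest,
                "firstTime": min(e["time"] for e in evs),
                "lastTime": max(e["time"] for e in evs),
                "event_types": sorted(types),
                "user": sorted({e["user"] for e in evs}),
                "src_ip": sorted({e["src_ip"] for e in evs}),
                "commands": [e["command"] for e in evs],
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LINES):
        print(f)
```

Two points worth noticing when tuning this rule: the EEM line carries no `<user>` or `<srcIP>`, so the aggregated `user` and `src_ip` values include `unknown` alongside the real operator, exactly as the SPL's `coalesce(..., "unknown")` produces; and `bin _time span=1m` uses fixed wall-clock minutes, so a sequence that straddles a minute boundary (for example `line vty` at :59 and the access-class re-application at :01) lands in two buckets and is not reported, even though it happened "within 60 seconds".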