T1556.004 CrowdStrike LogScale · LogScale

Detect Network Device Authentication in CrowdStrike LogScale

Adversaries may patch network device operating systems to add a hardcoded backdoor password, bypassing normal authentication for local accounts on routers, switches, and VPN appliances. SYNful Knock implanted a backdoor password in Cisco IOS router images, checking if login credentials match the backdoor password before passing them to normal authentication. SLOWPULSE modified Pulse Secure LDAP and 2FA authentication to accept a designated attacker-supplied password. Detection relies on network configuration integrity checks and unusual authentication behavior.

MITRE ATT&CK

  • Tactic: Credential Access, Defense Evasion, Persistence
  • Technique: T1556 Modify Authentication Process
  • Sub-technique: T1556.004 Network Device Authentication
  • Canonical reference: https://attack.mitre.org/techniques/T1556/004/

LogScale Detection Query

CrowdStrike LogScale (LogScale), CQL:

// T1556.004 - Network Device Authentication Backdoor Detection
// Requires syslog ingestion from network devices into the LogScale repository
#repo=main #kind=syslog
| sourcetype = /(?i)(cisco[._:]ios|cisco[._:]asa|juniper[._:]junos|paloalto[._:]firewall|fortinet[._:]fortigate)/
  OR ComputerName = /(?i)(router|switch|fw|vpn|asa|junos|nexus|palo|fortigate)/
// Classify the raw payload; the 0/1 indicators are summed later because count() has no filter parameter
| case {
    message = /(?i)(authentication succeeded|login successful|accepted password|authenticated|login accepted)/
      | auth_result := "SUCCESS" | is_success := 1 | is_failure := 0;
    message = /(?i)(authentication failed|incorrect password|bad password|login failed|access denied|auth failure)/
      | auth_result := "FAILURE" | is_success := 0 | is_failure := 1;
    * | auth_result := "OTHER";
  }
| auth_result != "OTHER"
// strict=false keeps events with no match so default() can fill the field; named groups use (?<name>...)
| regex(field=message, regex="(?:from|src_?ip|source)[\\s:=]+(?<src_ip>\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})", flags="i", strict=false)
| default(field=src_ip, value="unknown")
// "for user" is listed before "for" so a message like "failed for user X" captures X, not the word "user"
| regex(field=message, regex="(?:username|for user|user|for)[\\s:=]+(?<username>[\\w@.\\-]+)", flags="i", strict=false)
| default(field=username, value="unknown")
// 1-hour time buckets per device hostname and source IP
| bucket(span=1h, field=[ComputerName, src_ip], function=[
    count(as=total_events),
    sum(is_success, as=successes),
    sum(is_failure, as=failures),
    count(field=username, distinct=true, as=unique_users)
  ])
| failures > 5
  OR (successes > 5 AND failures = 0)
  OR (unique_users > 3 AND successes > 0 AND failures = 0)
| sort(failures, order=desc)

Severity: high. Confidence: medium.

This CrowdStrike LogScale (Falcon LogScale) query targets syslog ingested from network infrastructure devices. It classifies each authentication outcome inline with a case block over the raw message payload, extracts the source IP and username with regex (non-matching events are kept and given an "unknown" default), buckets events into 1-hour windows per device hostname and source IP with the native bucket() function, and counts successes, failures and distinct usernames in each bucket. It fires on three patterns that match T1556.004 indicators: a high failure volume (brute force or credential enumeration), a clean-success anomaly (a credential that never fails, the hallmark of a hardcoded backdoor), and multiple distinct authenticated users from one source with zero failures (a backdoor credential shared or reused across accounts).
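To check the detection logic offline before relying on the LogScale query, here is an added example (not code from the page or from CrowdStrike) that re-implements the same classification, extraction, 1-hour bucketing and three alert conditions in Python over constructed syslog lines, including the failure burst that the Testing Methodology below describes; hostnames, IPs and usernames in the sample are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Patterns mirror the LogScale query: outcome classification, then IP/user extraction.
SUCCESS_RE = re.compile(r"authentication succeeded|login successful|accepted password|authenticated|login accepted", re.I)
FAILURE_RE = re.compile(r"authentication failed|incorrect password|bad password|login failed|access denied|auth failure", re.I)
SRC_IP_RE = re.compile(r"(?:from|src_?ip|source)[\s:=]+(\d{1,3}(?:\.\d{1,3}){3})", re.I)
USER_RE = re.compile(r"(?:username|for user|user|for)[\s:=]+([\w@.\-]+)", re.I)

def classify(message):
    """Same three-way outcome as the case {} block in the query."""
    if SUCCESS_RE.search(message):
        return "SUCCESS"
    return "FAILURE" if FAILURE_RE.search(message) else "OTHER"

def aggregate(events):
    """events: (iso_timestamp, hostname, message) tuples -> {(host, src_ip, hour): stats},
    the equivalent of bucket(span=1h, field=[ComputerName, src_ip])."""
    stats = defaultdict(lambda: {"successes": 0, "failures": 0, "users": set()})
    for ts, host, msg in events:
        outcome = classify(msg)
        if outcome == "OTHER":          # same as the auth_result != "OTHER" filter
            continue
        ip, user = SRC_IP_RE.search(msg), USER_RE.search(msg)
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        b = stats[(host, ip.group(1) if ip else "unknown", hour.isoformat())]
        b["successes" if outcome == "SUCCESS" else "failures"] += 1
        b["users"].add(user.group(1) if user else "unknown")
    return stats

def alerts(stats):
    """Apply the three T1556.004 conditions; rows are (key, successes, failures, unique_users)."""
    hits = [(k, b["successes"], b["failures"], len(b["users"])) for k, b in stats.items()
            if b["failures"] > 5 or (b["successes"] > 5 and b["failures"] == 0)
            or (len(b["users"]) > 3 and b["successes"] > 0 and b["failures"] == 0)]
    return sorted(hits, key=lambda row: row[2], reverse=True)

# Constructed sample syslog events (not real telemetry): a six-event failure burst,
# four distinct users succeeding with no failures, and a benign mixed-outcome host.
SAMPLE_EVENTS = (
    [(f"2024-05-01T10:{m:02d}:00", "router-edge-1",
      "Authentication failed for user testuser from 203.0.113.7") for m in range(6)]
    + [(f"2024-05-01T11:{i:02d}:00", "vpn-gw-2", f"Login successful for user {u} from 198.51.100.9")
       for i, u in enumerate(["ops", "netadm", "svc-nms", "ckim"])]
    + [("2024-05-01T12:00:00", "sw-core-1", "Accepted password for admin from 10.0.0.5"),
       ("2024-05-01T12:05:00", "sw-core-1", "Login failed for admin from 10.0.0.5")]
)
```

Running `alerts(aggregate(SAMPLE_EVENTS))` returns the router-edge-1 failure burst first and the vpn-gw-2 multi-user clean-success bucket second; sw-core-1 is not reported.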

Data Sources

  • LogScale Collector or syslog forwarder ingesting Cisco IOS/ASA syslog (sourcetype=cisco.ios or cisco.asa)
  • LogScale Collector for Juniper JunOS syslog (sourcetype=juniper.junos)
  • LogScale Collector for Palo Alto Firewall syslog (sourcetype=paloalto.firewall)
  • LogScale Collector for Fortinet FortiGate syslog (sourcetype=fortinet.fortigate)
  • Syslog data must be in #repo=main with the #kind=syslog tag applied at ingestion time

Required Tables

  • LogScale repository: #repo=main #kind=syslog
  • message field (raw syslog payload)
  • ComputerName field (source device hostname assigned at ingestion)
  • sourcetype field (log source classification tag)
  • @timestamp field (event timestamp used by bucket())

False Positives & Tuning

  • LogScale sourcetype classification depends on correct tagging at ingestion; devices not matching the sourcetype regex but with ambiguous ComputerName values may be excluded (coverage gap) or incorrectly included if a non-network host has a hostname containing 'fw' or 'vpn' as a substring.
  • Network management systems or observability platforms (Grafana, Prometheus exporters, SolarWinds) that use HTTP basic auth or device API polling will generate frequent success-only authentication bursts matching the successes > 5 AND failures = 0 condition if their polling credentials are logged as authentication events.
  • TACACS+ or RADIUS servers forwarding consolidated authentication logs to LogScale may appear as a single ComputerName with a high unique_users count and zero failures, precisely matching the multi-user clean-success threshold when in fact all authentications are legitimate enterprise logins routed through a central AAA service.

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Verify Cisco IOS Image Hash (Integrity Check)

    Expected signal: SSH authentication event in network device syslog. Network device syslog entry for privileged exec command execution. If syslog forwarding is configured, Splunk/Sentinel will capture the authentication and command events.

  2. Test 2: Simulate Failed Network Device Authentication (Syslog Testing)

    Expected signal: Network device syslog entries: 'Authentication failed for user testuser from <IP>'. If forwarded to SIEM: Splunk index=network_syslog with authentication failure events. Five events in rapid succession should trigger the failure rate detection.

  3. Test 3: Check Network Device Syslog Collection

    Expected signal: Test syslog message appearing in SIEM with source IP of the test host. The message mimics a Cisco IOS login success event and should match the network device authentication detection patterns.
