T1556.004 IBM QRadar · QRadar

Detect Network Device Authentication in IBM QRadar

Adversaries may patch network device operating systems to add a hardcoded backdoor password, bypassing normal authentication for local accounts on routers, switches, and VPN appliances. SYNful Knock implanted a backdoor password in Cisco IOS router images, checking whether login credentials matched the backdoor password before passing them to normal authentication. SLOWPULSE modified Pulse Secure LDAP and 2FA authentication to accept a designated attacker-supplied password. Detection relies on integrity checks of device images and configurations and on unusual authentication behaviour.

MITRE ATT&CK

Tactic
Credential Access Defense Evasion Persistence
Technique
T1556 Modify Authentication Process
Sub-technique
T1556.004 Network Device Authentication
Canonical reference
https://attack.mitre.org/techniques/T1556/004/

QRadar Detection Query

IBM QRadar (QRadar), AQL:
SELECT
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip AS src_ip,
  username,
  COUNT(*) AS total_events,
  SUM(CASE WHEN LOWER(payload) LIKE '%authentication succeeded%'
               OR LOWER(payload) LIKE '%login successful%'
               OR LOWER(payload) LIKE '%accepted password%'
               OR LOWER(payload) LIKE '%authenticated%' THEN 1 ELSE 0 END) AS successes,
  SUM(CASE WHEN LOWER(payload) LIKE '%authentication failed%'
               OR LOWER(payload) LIKE '%incorrect password%'
               OR LOWER(payload) LIKE '%bad password%'
               OR LOWER(payload) LIKE '%login failed%'
               OR LOWER(payload) LIKE '%access denied%' THEN 1 ELSE 0 END) AS failures,
  DATEFORMAT(TRUNCATE(starttime, 'hour'), 'yyyy-MM-dd HH:mm') AS hour_bucket
FROM events
WHERE LOGSOURCETYPEID IN (
  SELECT id FROM logsourcetypes
  WHERE name IN ('Cisco IOS', 'Cisco ASA', 'Juniper JunOS', 'Palo Alto PA Series', 'Palo Alto Firewall')
)
AND (
  LOWER(payload) LIKE '%authentication%'
  OR LOWER(payload) LIKE '%login%'
  OR LOWER(payload) LIKE '%password%'
)
GROUP BY
  logsourceid,
  sourceip,
  username,
  TRUNCATE(starttime, 'hour')
HAVING
  SUM(CASE WHEN LOWER(payload) LIKE '%authentication failed%'
               OR LOWER(payload) LIKE '%incorrect password%'
               OR LOWER(payload) LIKE '%bad password%'
               OR LOWER(payload) LIKE '%login failed%'
               OR LOWER(payload) LIKE '%access denied%' THEN 1 ELSE 0 END) > 5
  OR (
    SUM(CASE WHEN LOWER(payload) LIKE '%authentication succeeded%'
                 OR LOWER(payload) LIKE '%login successful%'
                 OR LOWER(payload) LIKE '%accepted password%'
                 OR LOWER(payload) LIKE '%authenticated%' THEN 1 ELSE 0 END) > 5
    AND SUM(CASE WHEN LOWER(payload) LIKE '%authentication failed%'
                     OR LOWER(payload) LIKE '%incorrect password%'
                     OR LOWER(payload) LIKE '%bad password%'
                     OR LOWER(payload) LIKE '%login failed%'
                     OR LOWER(payload) LIKE '%access denied%' THEN 1 ELSE 0 END) = 0
  )
ORDER BY failures DESC
LAST 24 HOURS
Severity: high. Confidence: medium.

This AQL query joins against the logsourcetypes table to scope results to known network infrastructure log sources (Cisco IOS/ASA, Juniper JunOS, Palo Alto), classifies each event's raw payload as a success or failure by phrase matching, aggregates the outcomes into hourly buckets per log source, source IP and username, and surfaces combinations that show either high failure volume (more than 5 failures per hour, indicative of brute force or credential testing) or a clean-success anomaly (more than 5 successes with zero failures, consistent with a hardcoded backdoor credential that always authenticates).
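The same heuristic as a stand-alone reference implementation, added here as an example rather than code from the page or from IBM: it applies the query's phrase lists, hourly buckets and HAVING thresholds to constructed syslog-style payloads, and shows how an allowlist for AAA proxies and NMS pollers (from the tuning notes) suppresses the clean-success branch. Device names, IPs, usernames and payload wording are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SUCCESS = ("authentication succeeded", "login successful", "accepted password", "authenticated")  # LIKE patterns from the AQL
FAILURE = ("authentication failed", "incorrect password", "bad password", "login failed", "access denied")
FAIL_THRESHOLD, CLEAN_THRESHOLD = 5, 5  # HAVING failures > 5; HAVING successes > 5 AND failures = 0

def classify(payload):
    """'failure', 'success' or None. Failure phrases are tested first so a line like
    'login failed ... not authenticated' is not also counted as a success (the AQL sums both)."""
    p = payload.lower()
    if any(s in p for s in FAILURE):
        return "failure"
    return "success" if any(s in p for s in SUCCESS) else None

def detect(events, aaa_allowlist=frozenset()):
    """events: (starttime datetime, log_source, sourceip, username, payload) tuples. Buckets per
    (log source, src_ip, user, hour) like the GROUP BY; allowlisted IPs skip only the clean-success branch."""
    buckets = defaultdict(lambda: [0, 0])  # key -> [successes, failures]
    for ts, src, ip, user, payload in events:
        kind = classify(payload)
        if kind is not None:
            key = (src, ip, user, ts.strftime("%Y-%m-%d %H:00"))  # same shape as hour_bucket
            buckets[key][0 if kind == "success" else 1] += 1
    hits = []
    for (src, ip, user, hour), (ok, bad) in buckets.items():
        reason = None
        if bad > FAIL_THRESHOLD:
            reason = "failure_volume"   # brute force / credential testing
        elif ok > CLEAN_THRESHOLD and bad == 0 and ip not in aaa_allowlist:
            reason = "clean_success"    # never-failing logins: backdoor-credential shape
        if reason:
            hits.append({"log_source": src, "src_ip": ip, "username": user, "hour_bucket": hour,
                         "successes": ok, "failures": bad, "reason": reason})
    return sorted(hits, key=lambda h: h["failures"], reverse=True)  # ORDER BY failures DESC

def sample_events():
    """Constructed syslog-style payloads; not captured from real devices."""
    t0 = datetime(2024, 5, 1, 14, 0)
    ev = [(t0 + timedelta(minutes=i), "core-rtr-01", "10.0.0.5", "testuser",
           "Authentication failed for user testuser from 10.0.0.5") for i in range(7)]
    ev += [(t0 + timedelta(minutes=5 * i), "edge-asa-02", "10.0.0.9", "admin",
            "Login successful for user admin from 10.0.0.9") for i in range(6)]
    ev += [(t0 + timedelta(minutes=3 * i), "dist-sw-03", "10.0.0.20", "netmon",
            "user netmon authenticated from 10.0.0.20") for i in range(8)]  # NMS credential checks
    ev += [(t0, "core-rtr-01", "10.0.0.7", "ops", "Accepted password for ops from 10.0.0.7"),
           (t0 + timedelta(minutes=1), "core-rtr-01", "10.0.0.7", "ops", "Incorrect password for ops")]
    return ev

NMS_ALLOWLIST = frozenset({"10.0.0.20"})  # constructed tuning entry for the poller above
```

Running `detect(sample_events(), NMS_ALLOWLIST)` returns the router under credential testing and the ASA with six clean successes, while the allowlisted poller and the mixed-outcome ops account are not reported.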

Data Sources

  • QRadar Log Source: Cisco IOS
  • QRadar Log Source: Cisco ASA
  • QRadar Log Source: Juniper JunOS
  • QRadar Log Source: Palo Alto PA Series Firewall
  • QRadar Log Source: Generic Syslog with network device hostnames

Required Tables

  • events
  • logsourcetypes

False Positives & Tuning

  • TACACS+ or RADIUS proxy servers aggregating authentication on behalf of multiple users appear as a single high-volume sourceip with mixed success/failure ratios; if the proxy's IP is logged as the source rather than the client workstation, legitimate enterprise AAA traffic may trigger the failure threshold.
  • Network management platforms (Cisco DNA Center, SolarWinds NPM, HP IMC) performing scheduled credential verification or device onboarding generate consistent success-heavy authentication bursts that match the clean-success heuristic.
  • QRadar's LOGSOURCETYPEID lookup depends on accurate log source classification during initial configuration; improperly typed sources (e.g., a firewall classified as generic syslog) will be excluded from this query, creating coverage gaps rather than false positives, while miscategorised non-network devices may be included.
  • The query matches on phrases rather than vendor event IDs, so confirm each log source's actual success and failure wording against the LIKE patterns; a success phrase that never matches yields zero successes and silently disables the clean-success branch for that device type.

Testing Methodology

Validate this detection against 3 Atomic Red Team tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Verify Cisco IOS Image Hash (Integrity Check)

    Expected signal: SSH authentication event in network device syslog. Network device syslog entry for privileged exec command execution. If syslog forwarding is configured, Splunk/Sentinel will capture the authentication and command events.

  2. Test 2: Simulate Failed Network Device Authentication (Syslog Testing)

    Expected signal: Network device syslog entries: 'Authentication failed for user testuser from <IP>'. If forwarded to SIEM: Splunk index=network_syslog with authentication failure events. Five events in rapid succession should trigger the failure rate detection.

  3. Test 3: Check Network Device Syslog Collection

    Expected signal: Test syslog message appearing in SIEM with source IP of the test host. The message mimics a Cisco IOS login success event and should match the network device authentication detection patterns.
