T1556.004 Sumo Logic CSE · Sumo

Detect Network Device Authentication in Sumo Logic CSE

Adversaries may patch network device operating systems to add a hardcoded backdoor password, bypassing normal authentication for local accounts on routers, switches, and VPN appliances. SYNful Knock implanted a backdoor password in Cisco IOS router images, checking if login credentials match the backdoor password before passing them to normal authentication. SLOWPULSE modified Pulse Secure LDAP and 2FA authentication to accept a designated attacker-supplied password. Detection relies on network configuration integrity checks and unusual authentication behavior.

MITRE ATT&CK

Tactic: Credential Access, Defense Evasion, Persistence
Technique: T1556 Modify Authentication Process
Sub-technique: T1556.004 Network Device Authentication
Canonical reference: https://attack.mitre.org/techniques/T1556/004/

Sumo Detection Query

Sumo Logic CSE (Sumo)
(_sourceCategory=network/syslog OR _sourceCategory=cisco* OR _sourceCategory=juniper* OR _sourceCategory=paloalto* OR _sourceCategory=fortinet*)
| where _sourceHost matches "*router*"
  OR _sourceHost matches "*switch*"
  OR _sourceHost matches "*fw*"
  OR _sourceHost matches "*vpn*"
  OR _sourceHost matches "*asa*"
  OR _sourceHost matches "*ios*"
  OR _sourceHost matches "*junos*"
  OR _sourceHost matches "*nexus*"
  OR _sourceHost matches "*palo*"
  OR _sourceCategory matches "*cisco*"
  OR _sourceCategory matches "*juniper*"
  OR _sourceCategory matches "*paloalto*"
// Named groups use Java syntax (?<name>...); "source" and ":" also cover Cisco IOS "[Source: x.x.x.x]" and "[user: name]"
| parse regex "(?i)(?:from|src(?:ip)?|source)[\s=:]+(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop
// Require "=" or ":" after user/username (or "for [user] name") so "AAA user authentication ..." does not capture "authentication"
| parse regex "(?i)(?:user(?:name)?\s*[=:]\s*|for\s+(?:user(?:name)?\s+)?)(?<username>[\w@.\-]+)" nodrop
| if (_raw matches /(?i)(authentication succe(?:eded|ssful)|login success|accepted password|authenticated|login accepted)/, "SUCCESS",
    if (_raw matches /(?i)(authentication failed|incorrect password|bad password|failed password|login failed|access denied|auth failure)/, "FAILURE", "OTHER")) as auth_result
| where auth_result in ("SUCCESS", "FAILURE")
// Indicator columns: Sumo has no countif(); sum over 1/0 flags instead. dcount() is Splunk, count_distinct() is the Sumo equivalent.
| if (auth_result = "SUCCESS", 1, 0) as is_success
| if (auth_result = "FAILURE", 1, 0) as is_failure
| timeslice 1h
| count as events, sum(is_success) as successes, sum(is_failure) as failures, count_distinct(username) as unique_users by _timeslice, _sourceHost, src_ip
| where failures > 5 or (successes > 5 and failures = 0) or (unique_users > 3 and successes > 0 and failures = 0)
| sort by failures desc
Severity: high. Confidence: medium.

Sumo Logic query scoped to network device syslog via _sourceCategory routing. It extracts the source IP and username from the raw syslog payload with nodrop regex parses (events missing either field are kept rather than dropped), classifies each event as SUCCESS or FAILURE with nested if/matches expressions, and aggregates into 1-hour timeslices per device and source IP. It flags device/source-IP pairs with more than 5 failures per hour (brute force or credential stuffing), clean-success patterns (more than 5 successes and zero failures, the signature of a backdoor credential that never misses), and more than 3 distinct authenticated users from a single source with no failures (credential harvesting, or a backdoor password shared across sessions).
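The query's extraction, classification and thresholding re-implemented over constructed syslog lines, so the logic can be exercised offline before it is deployed. This is an added example, not the page's query or Sumo Logic code; the Cisco IOS/ASA message shapes and the backup-tool allowlist (the tuning suggested under False Positives) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Patterns mirror the detection query, in Python re syntax (assumed vendor formats, not product parsers).
SRC_RE = re.compile(r"(?i)(?:from|src(?:ip)?|source)[\s=:]+(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})")
USER_RE = re.compile(r"(?i)(?:user(?:name)?\s*[=:]\s*|for\s+(?:user(?:name)?\s+)?)(?P<username>[\w@.\-]+)")
SUCCESS_RE = re.compile(r"(?i)authentication succe|login success|accepted password|authenticated|login accepted")
FAILURE_RE = re.compile(r"(?i)authentication failed|incorrect password|bad password|failed password|login failed|access denied|auth failure")

def classify(raw):
    # Success is tested first, matching the order of the query's nested if().
    if SUCCESS_RE.search(raw):
        return "SUCCESS"
    return "FAILURE" if FAILURE_RE.search(raw) else "OTHER"

def detect(events, backup_tool_ips=frozenset()):
    """events: (timestamp, _sourceHost, _raw) tuples. Buckets per 1h slice, host and src_ip, applies the
    query's three thresholds, and suppresses clean-success hits from allowlisted config-backup collectors."""
    buckets = defaultdict(lambda: {"successes": 0, "failures": 0, "users": set()})
    for ts, host, raw in events:
        result = classify(raw)
        if result == "OTHER":
            continue
        src, user = SRC_RE.search(raw), USER_RE.search(raw)
        b = buckets[(ts.replace(minute=0, second=0, microsecond=0), host, src and src.group("src_ip"))]
        b["successes" if result == "SUCCESS" else "failures"] += 1
        if user:
            b["users"].add(user.group("username"))
    hits = []
    for (slice_, host, src_ip), b in buckets.items():
        s, f, u = b["successes"], b["failures"], len(b["users"])
        clean = f == 0 and (s > 5 or (u > 3 and s > 0))  # never-failing credential patterns
        if f > 5 or (clean and src_ip not in backup_tool_ips):
            hits.append({"timeslice": slice_, "host": host, "src_ip": src_ip,
                         "successes": s, "failures": f, "unique_users": u})
    return sorted(hits, key=lambda h: h["failures"], reverse=True)

# Constructed Cisco IOS / ASA style sample lines (not real telemetry); all fall in the 09:00 slice.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = (
    [(T0 + timedelta(minutes=i), "core-router-1",
      "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9]") for i in range(6)]
    + [(T0 + timedelta(minutes=10 * i), "edge-fw-2",
        "%ASA-6-113012: AAA user authentication Successful : local database : user = svc_backup from 10.0.0.5")
       for i in range(6)]
    + [(T0, "core-router-1", "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: alice] [Source: 10.0.0.7]")]
)
```

Running `detect(SAMPLE)` flags the brute-force source and the never-failing service account; passing `backup_tool_ips={"10.0.0.5"}` keeps only the brute-force hit.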

Data Sources

  • Sumo Logic Installed Collector with Syslog source (UDP/TCP 514) receiving from Cisco IOS/ASA devices
  • Sumo Logic Installed Collector for Juniper JunOS syslog
  • Sumo Logic HTTP Source or syslog relay for Palo Alto Firewall logs
  • Sumo Logic Installed Collector for Fortinet FortiGate syslog
  • Source categories must be configured to match the _sourceCategory patterns used in the query

Required Tables

  • _sourceCategory=network/syslog
  • _sourceCategory=cisco*
  • _sourceCategory=juniper*
  • _sourceCategory=paloalto*
  • _sourceCategory=fortinet*

False Positives & Tuning

  • Syslog relay or aggregation servers appearing as a single _sourceHost may conflate authentication events from many physical devices, causing the unique_users and successes thresholds to fire against the relay host IP rather than a compromised network appliance.
  • Automated network configuration backup tools (RANCID, Oxidized, Cisco DNA Center) authenticating on a fixed schedule to pull running configs generate consistent clean-success authentication streams (many successes, zero failures) that precisely match the backdoor heuristic.
  • VPN concentrators and remote-access appliances serving high concurrent user volumes during peak hours generate legitimate bursts of authentication failures from users mistyping credentials, followed by success on retry, readily exceeding the failures > 5 per timeslice threshold.

Testing Methodology

Validate this detection with the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Verify Cisco IOS Image Hash (Integrity Check)

    Expected signal: SSH authentication event in network device syslog. Network device syslog entry for privileged exec command execution. If syslog forwarding is configured, Splunk/Sentinel will capture the authentication and command events.

  2. Test 2: Simulate Failed Network Device Authentication (Syslog Testing)

    Expected signal: Network device syslog entries: 'Authentication failed for user testuser from <IP>'. If forwarded to SIEM: Splunk index=network_syslog with authentication failure events. Five events in rapid succession should trigger the failure rate detection.

  3. Test 3: Check Network Device Syslog Collection

    Expected signal: Test syslog message appearing in SIEM with source IP of the test host. The message mimics a Cisco IOS login success event and should match the network device authentication detection patterns.
