Detect Weaken Encryption in Elastic Security
This detection identifies adversary attempts to weaken or disable encryption on network devices, enabling interception or manipulation of otherwise protected traffic. The detection monitors syslog telemetry from network infrastructure (routers, switches, firewalls, VPN concentrators) for configuration changes affecting cryptographic settings, cipher suite downgrade events, IPsec/SSL policy modifications, and use of management protocols (SSH, NETCONF, SNMP write) to alter crypto configurations. It also tracks endpoint-side indicators such as suspicious use of network device management tools and connections from unexpected hosts to device management interfaces.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1600 Weaken Encryption
- Canonical reference: https://attack.mitre.org/techniques/T1600/
Elastic Detection Query
any where event.dataset in ("system.syslog", "cisco.ios") and message : ("no crypto*", "encryption des*", "modulus 512*", "group 1*", "esp-des*", "ssl encryption rc4*", "null-encryption*")
Elastic EQL translation of the T1600 detection logic. Detects encryption weakening on network devices by correlating three signals: (1) syslog messages from Cisco/generic network devices containing crypto
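The following is an added example, not part of the original detection package: it replays the query's `message :` wildcard list over a handful of constructed syslog events the way EQL evaluates it (case-insensitive, matched against the whole field), which also surfaces two tuning points: a `%SYS-5-CONFIG_I` line does not hit because the patterns are anchored, and `group 1*` also matches the strong 2048-bit `group 14`. Event dicts, messages and the 192.0.2.x address are constructed for the example.

```python
import fnmatch

# Wildcard patterns copied from the page's EQL query. In EQL, `field : "x*"`
# is a case-insensitive match against the WHOLE field value, with * and ?
# as wildcards, so these patterns are implicitly anchored at both ends.
WEAK_CRYPTO_PATTERNS = (
    "no crypto*", "encryption des*", "modulus 512*", "group 1*",
    "esp-des*", "ssl encryption rc4*", "null-encryption*",
)
DATASETS = ("system.syslog", "cisco.ios")


def matching_pattern(message, patterns=WEAK_CRYPTO_PATTERNS):
    """Return the first pattern that matches `message` the way EQL `:` would,
    or None. fnmatchcase is anchored and supports * and ?, so lower-casing
    both sides reproduces EQL's case-insensitive `:` semantics."""
    value = message.lower()
    for pattern in patterns:
        if fnmatch.fnmatchcase(value, pattern.lower()):
            return pattern
    return None


def run_detection(events):
    """Apply the page's query to flat event dicts; return (message, pattern)
    pairs for the hits, in input order."""
    hits = []
    for event in events:
        if event.get("event.dataset") not in DATASETS:
            continue  # the query's event.dataset filter
        pattern = matching_pattern(event.get("message", ""))
        if pattern is not None:
            hits.append((event["message"], pattern))
    return hits


# Constructed sample events (not real device logs); the address is from the
# 192.0.2.0/24 documentation range.
SAMPLE_EVENTS = [
    {"event.dataset": "cisco.ios", "message": "no crypto isakmp enable"},
    {"event.dataset": "cisco.ios", "message": "Encryption DES"},
    {"event.dataset": "system.syslog", "message": "esp-des esp-md5-hmac"},
    # Tuning caveat: "group 1*" also matches the 2048-bit DH group 14.
    {"event.dataset": "cisco.ios", "message": "group 14"},
    # Anchored match: a CONFIG_I notice never starts with a pattern, so no hit.
    {"event.dataset": "cisco.ios",
     "message": "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.50)"},
    # Wrong dataset: identical text from an endpoint source is filtered out.
    {"event.dataset": "windows.sysmon", "message": "no crypto isakmp enable"},
]

if __name__ == "__main__":
    for message, pattern in run_detection(SAMPLE_EVENTS):
        print(f"HIT {pattern!r:22} <- {message}")
```

Running it prints four hits; the `group 14` hit is the one a tuner would want to exclude, for example by tightening the pattern to the exact weak group values.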
False Positives & Tuning
- Legitimate network engineers performing scheduled cipher hardening or deprecating legacy ciphers during maintenance windows
- Automated network configuration management tools (Ansible, Cisco NSO, SolarWinds NCM) performing compliance-driven crypto policy updates
- Security assessments or penetration testing engagements that test downgrade attacks against network devices
- Vendor-driven firmware upgrades that temporarily modify crypto settings before applying a stronger default configuration
Testing Methodology
Validate this detection against three adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Cisco IOS Weak Cipher Configuration via SSH
Expected signal: Syslog from device: '%SYS-5-CONFIG_I: Configured from console by admin on vty0 (src_ip)' and '%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON' — plus a new syslog entry showing des/md5/group1 policy creation. The SSH session will appear in TACACS+/RADIUS accounting.
- Test 2: SNMP Write Operation to Modify Network Device Crypto Settings
Expected signal: Network device syslog: SNMP SET operation logged with source IP and community string. If an SNMP trap is configured: trap sent to the NMS showing the sysLocation OID modification. TACACS+ accounting may log the change if device AAA is configured for SNMP. Network flow logs will show UDP/161 traffic from the test host.
- Test 3: Python Netmiko Script Deploying Null Encryption Configuration
Expected signal: Windows: Sysmon EventCode=1 showing python.exe spawning with CommandLine containing 'netmiko' and '192.168.100.1'. Sysmon EventCode=3 showing outbound TCP/22 from python.exe to the device IP. Network device syslog: '%SYS-5-CONFIG_I: Configured from console by admin on vty0' and '%CRYPTO-6-ISAKMP: New transform: esp-null/esp-md5-hmac'. TACACS+ accounting entry for the configuration session.
References
- https://attack.mitre.org/techniques/T1600/
- https://attack.mitre.org/techniques/T1600/001/
- https://attack.mitre.org/techniques/T1600/002/
- https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
- https://community.cisco.com/t5/security-blogs/synful-knock-a-cisco-router-implant/ba-p/3815823
- https://www.mandiant.com/resources/synful-knock-detecting-cisco-router-implants
- https://www.cisa.gov/sites/default/files/publications/Cisco_Router_Implant_AA20-296A.pdf