T1600 Splunk · SPL

Detect Weaken Encryption in Splunk

This detection identifies adversary attempts to weaken or disable encryption on network devices, enabling interception or manipulation of otherwise protected traffic. The detection monitors syslog telemetry from network infrastructure (routers, switches, firewalls, VPN concentrators) for configuration changes affecting cryptographic settings, cipher suite downgrade events, IPsec/SSL policy modifications, and use of management protocols (SSH, NETCONF, SNMP write) to alter crypto configurations. It also tracks endpoint-side indicators such as suspicious use of network device management tools and connections from unexpected hosts to device management interfaces.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1600 Weaken Encryption
Canonical reference
https://attack.mitre.org/techniques/T1600/

SPL Detection Query

index=network_devices OR index=syslog OR index=firewall
(sourcetype="syslog" OR sourcetype="cisco:ios" OR sourcetype="cisco:asa" OR sourcetype="juniper" OR sourcetype="paloalto:firewall" OR sourcetype="fortinet:fortigate:traffic")
| eval message_lower=lower(coalesce(message, _raw))
| search message_lower IN ("*no crypto*", "*disable crypto*", "*encryption des*", "*cipher null*", "*null-encryption*", "*esp-null*", "*key-length 512*", "*key-length 768*", "*weak cipher*", "*rc4*", "*3des*removed*", "*crypto isakmp*", "*no crypto ipsec*", "*ssl cipher*")
| eval change_type=case(
    match(message_lower, "no crypto|disable crypto|no crypto ipsec|no crypto map"), "CryptoDisabled",
    match(message_lower, "encryption des(?!.*3des)|cipher des(?!.*3des)"), "WeakCipherDES",
    match(message_lower, "null.?encryption|cipher null|esp.?null"), "NullEncryptionEnabled",
    match(message_lower, "key.?length (512|768)"), "ReducedKeySpace",
    match(message_lower, "rc4"), "WeakCipherRC4",
    true(), "CryptoModification"
  )
| eval vendor=case(
    sourcetype="cisco:ios" OR sourcetype="cisco:asa" OR match(message_lower, "%crypto|%vpn"), "Cisco",
    sourcetype="juniper", "Juniper",
    sourcetype="paloalto:firewall", "Palo Alto",
    sourcetype="fortinet:fortigate:traffic", "Fortinet",
    true(), "Unknown"
  )
| eval risk_score=case(
    change_type="NullEncryptionEnabled", 100,
    change_type="CryptoDisabled", 90,
    change_type="WeakCipherDES", 70,
    change_type="ReducedKeySpace", 75,
    change_type="WeakCipherRC4", 65,
    true(), 50
  )
| fillnull value="unknown" src_ip
| stats count as event_count, earliest(_time) as first_seen, latest(_time) as last_seen, values(change_type) as change_types, max(risk_score) as max_risk, values(vendor) as vendors by host, src_ip
| eval duration_minutes=round((last_seen-first_seen)/60,1)
| where max_risk >= 50
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort -max_risk
| table host, src_ip, change_types, vendors, event_count, max_risk, duration_minutes, first_seen, last_seen
Severity: High · Confidence: Medium

Queries network device syslog (Cisco IOS, ASA, Juniper, Palo Alto, Fortinet) for messages indicating encryption weakening: 'no crypto' commands, null-encryption configurations, weak cipher (DES, RC4) activation, and reduced key length settings. Scores each device/source combination by risk level with NullEncryptionEnabled and CryptoDisabled carrying the highest scores.
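To check the query's classification and scoring logic before deploying it, the following added Python replica (example code written for this page, not part of the detection package) applies the same pre-filter, the same case() ordering, the same risk scores and the same host/src_ip aggregation to a handful of constructed syslog events. Hostnames, IPs, timestamps and message texts are constructed; the `esp-null` pattern (so that the Test 3 signal "New transform: esp-null/esp-md5-hmac" is classified as NullEncryptionEnabled) and the `cisco:asa` vendor mapping are this example's own choices.

```python
"""Offline check of the T1600 SPL logic: pre-filter, change_type case(), risk score and
per host/src_ip aggregation, applied to constructed syslog events."""
import re
from collections import defaultdict

# Wildcard patterns from the SPL `search message_lower IN (...)` clause as regexes
# (substring matches on the lowercased message).
PREFILTER = [
    r"no crypto", r"disable crypto", r"encryption des", r"cipher null", r"null-encryption",
    r"key-length 512", r"key-length 768", r"weak cipher", r"rc4", r"3des.*removed",
    r"crypto isakmp", r"no crypto ipsec", r"ssl cipher",
    r"esp-null",  # this example's own addition: the IOS 'New transform: esp-null/...' message
]

# Ordered exactly like the SPL case(): the first rule that matches wins.
CHANGE_RULES = [
    (r"no crypto|disable crypto|no crypto ipsec|no crypto map", "CryptoDisabled"),
    (r"encryption des(?!.*3des)|cipher des(?!.*3des)", "WeakCipherDES"),
    (r"null.?encryption|cipher null|esp.?null", "NullEncryptionEnabled"),  # esp.?null added here
    (r"key.?length (512|768)", "ReducedKeySpace"),
    (r"rc4", "WeakCipherRC4"),
]
RISK = {"NullEncryptionEnabled": 100, "CryptoDisabled": 90, "ReducedKeySpace": 75,
        "WeakCipherDES": 70, "WeakCipherRC4": 65, "CryptoModification": 50}
VENDOR_BY_SOURCETYPE = {"cisco:ios": "Cisco", "cisco:asa": "Cisco",  # cisco:asa mapping is an assumption
                        "juniper": "Juniper", "paloalto:firewall": "Palo Alto",
                        "fortinet:fortigate:traffic": "Fortinet"}


def classify(message):
    """Return the change_type label, or None when the message does not pass the pre-filter."""
    m = message.lower()
    if not any(re.search(p, m) for p in PREFILTER):
        return None
    for pattern, label in CHANGE_RULES:
        if re.search(pattern, m):
            return label
    return "CryptoModification"


def vendor_of(sourcetype, message):
    """Mirror the SPL vendor case(): %CRYPTO/%VPN facilities or Cisco sourcetypes count as Cisco."""
    if re.search(r"%crypto|%vpn", message.lower()):
        return "Cisco"
    return VENDOR_BY_SOURCETYPE.get(sourcetype, "Unknown")


def aggregate(events):
    """Equivalent of fillnull + stats ... by host, src_ip + sort -max_risk."""
    groups = defaultdict(lambda: {"event_count": 0, "first_seen": None, "last_seen": None,
                                  "change_types": set(), "max_risk": 0, "vendors": set()})
    for ev in events:
        change_type = classify(ev["message"])
        if change_type is None:
            continue
        # stats would silently drop events with a null src_ip; keep them under "unknown" instead.
        key = (ev["host"], ev.get("src_ip") or "unknown")
        g = groups[key]
        g["event_count"] += 1
        t = ev["_time"]
        g["first_seen"] = t if g["first_seen"] is None else min(g["first_seen"], t)
        g["last_seen"] = t if g["last_seen"] is None else max(g["last_seen"], t)
        g["change_types"].add(change_type)
        g["max_risk"] = max(g["max_risk"], RISK[change_type])
        g["vendors"].add(vendor_of(ev["sourcetype"], ev["message"]))
    rows = [{"host": host, "src_ip": src_ip, **g,
             "duration_minutes": round((g["last_seen"] - g["first_seen"]) / 60, 1)}
            for (host, src_ip), g in groups.items()]
    return sorted(rows, key=lambda r: -r["max_risk"])


# Constructed sample events (not real device output); _time is epoch seconds.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "host": "rtr-edge-01", "src_ip": "10.0.5.23", "sourcetype": "cisco:ios",
     "message": "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.5.23)"},
    {"_time": 1700000120, "host": "rtr-edge-01", "src_ip": "10.0.5.23", "sourcetype": "cisco:ios",
     "message": "%PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:crypto isakmp policy 10 encryption des"},
    {"_time": 1700000180, "host": "rtr-edge-01", "src_ip": "10.0.5.23", "sourcetype": "cisco:ios",
     "message": "%PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:no crypto map VPNMAP"},
    {"_time": 1700000300, "host": "vpn-hub-01", "src_ip": "10.0.5.23", "sourcetype": "cisco:ios",
     "message": "%CRYPTO-6-ISAKMP: New transform: esp-null/esp-md5-hmac"},
    {"_time": 1700000400, "host": "fw-dc-02", "src_ip": None, "sourcetype": "juniper",
     "message": "UI_CFG_AUDIT_SET: User 'ops' set: [security ipsec proposal P1 encryption-algorithm 3des-cbc] removed"},
]

if __name__ == "__main__":
    for row in aggregate(SAMPLE_EVENTS):
        print(row["host"], row["src_ip"], row["max_risk"], sorted(row["change_types"]), row["duration_minutes"])
```

The first sample (a plain CONFIG_I login banner) never reaches the case() because it fails the pre-filter, and the Juniper 3des removal lands in CryptoModification rather than WeakCipherDES because of the negative lookahead; both are worth re-checking whenever the pattern list is tuned.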

Data Sources

  • Cisco IOS Syslog
  • Cisco ASA Syslog
  • Juniper Syslog
  • Palo Alto Firewall Logs
  • Fortinet FortiGate Logs

Required Sourcetypes

  • syslog
  • cisco:ios
  • cisco:asa
  • juniper
  • paloalto:firewall
  • fortinet:fortigate:traffic

False Positives & Tuning

  • Planned network cryptography audits that intentionally test weak cipher configurations in isolated lab environments
  • Network configuration compliance tools applying baseline templates that pass through intermediate weak states
  • Break-fix scenarios where engineers temporarily disable IPsec to restore connectivity before reconfiguring
  • Legacy device interoperability requirements forcing use of older cipher suites when connecting to end-of-life equipment

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Cisco IOS Weak Cipher Configuration via SSH

    Expected signal: Syslog from device: '%SYS-5-CONFIG_I: Configured from console by admin on vty0 (src_ip)' and '%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON' — plus new syslog entry showing des/md5/group1 policy creation. SSH session will appear in TACACS+/RADIUS accounting.

  2. Test 2: SNMP Write Operation to Modify Network Device Crypto Settings

    Expected signal: Network device syslog: SNMP SET operation logged with source IP and community string. If SNMP trap is configured: trap sent to NMS showing sysLocation OID modification. TACACS+ accounting may log if device AAA is configured for SNMP. Network flow logs will show UDP/161 traffic from test host.

  3. Test 3: Python Netmiko Script Deploying Null Encryption Configuration

    Expected signal: Windows: Sysmon EventCode=1 showing python.exe spawning with CommandLine containing 'netmiko' and '192.168.100.1'. Sysmon EventCode=3 showing outbound TCP/22 from python.exe to device IP. Network device syslog: '%SYS-5-CONFIG_I: Configured from console by admin on vty0' and '%CRYPTO-6-ISAKMP: New transform: esp-null/esp-md5-hmac'. TACACS+ accounting entry for configuration session.
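The endpoint half of the Test 3 telemetry (a Sysmon EventCode 1 for a scripted device-management tool, joined to that process's EventCode 3 connection to TCP/22 on a device) is the "connections from unexpected hosts to device management interfaces" indicator named in the overview. The following added Python example (written for this page, not part of the detection package) performs that join over constructed Sysmon records. The management subnet, the approved jump-host set and all hostnames, GUIDs and non-device IPs are assumptions; 192.168.100.1 is the device address the page's Test 3 uses.

```python
"""Correlate Sysmon process-create (EventCode 1) and network-connect (EventCode 3) records for
device-management tooling reaching a network device's management interface. Constructed data only."""
import ipaddress

# Assumptions for this example (not from the page): device management interfaces live in this
# subnet, and only these hosts are expected to run device-management tooling.
MGMT_SUBNET = ipaddress.ip_network("192.168.100.0/24")
APPROVED_MGMT_HOSTS = {"jump-netops-01"}
# The page's Test 3 expects 'netmiko' in the command line; extend this tuple for other tooling.
TOOL_MARKERS = ("netmiko",)


def is_mgmt_tool(ev):
    """EventCode 1 whose CommandLine names a device-management library."""
    return ev["EventCode"] == 1 and any(m in ev.get("CommandLine", "").lower() for m in TOOL_MARKERS)


def is_mgmt_connection(ev):
    """EventCode 3 to TCP/22 inside the management subnet."""
    return (ev["EventCode"] == 3 and ev.get("DestinationPort") == 22
            and ipaddress.ip_address(ev["DestinationIp"]) in MGMT_SUBNET)


def correlate(events):
    """Join process-create and network-connect events on (Computer, ProcessGuid).

    ProcessGuid is the join key rather than ProcessId because PIDs are reused; findings come back
    in the order the network events were seen, with severity driven by the source host."""
    tools = {(ev["Computer"], ev["ProcessGuid"]): ev for ev in events if is_mgmt_tool(ev)}
    findings = []
    for ev in events:
        if not is_mgmt_connection(ev):
            continue
        proc = tools.get((ev["Computer"], ev["ProcessGuid"]))
        if proc is None:
            continue  # an SSH client with no scripted-tool parent is not this test's signal
        severity = "info" if ev["Computer"] in APPROVED_MGMT_HOSTS else "high"
        findings.append({"computer": ev["Computer"], "severity": severity,
                         "device": ev["DestinationIp"], "image": proc["Image"],
                         "command_line": proc["CommandLine"]})
    return findings


# Constructed Sysmon records (not real telemetry); GUIDs are placeholders.
SYSMON_EVENTS = [
    {"EventCode": 1, "Computer": "ws-finance-17", "ProcessGuid": "{constructed-0001}",
     "Image": "C:\\Python311\\python.exe",
     "CommandLine": "python.exe netmiko_push.py --device 192.168.100.1"},
    {"EventCode": 3, "Computer": "ws-finance-17", "ProcessGuid": "{constructed-0001}",
     "Image": "C:\\Python311\\python.exe", "DestinationIp": "192.168.100.1", "DestinationPort": 22},
    {"EventCode": 1, "Computer": "jump-netops-01", "ProcessGuid": "{constructed-0002}",
     "Image": "C:\\Python311\\python.exe",
     "CommandLine": "python.exe netmiko_backup.py --all"},
    {"EventCode": 3, "Computer": "jump-netops-01", "ProcessGuid": "{constructed-0002}",
     "Image": "C:\\Python311\\python.exe", "DestinationIp": "192.168.100.2", "DestinationPort": 22},
    {"EventCode": 3, "Computer": "ws-finance-17", "ProcessGuid": "{constructed-0003}",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for f in correlate(SYSMON_EVENTS):
        print(f["severity"], f["computer"], "->", f["device"], f["command_line"])
```

The workstation finding is the one to act on; the jump host produces the same join but is rated info because it is on the approved list, which is how the "unexpected host" part of the indicator is expressed. Replace the subnet and approved-host placeholders with CMDB or IPAM data before using this in production.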
