T1602 Data from Configuration Repository Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let management_subnets = dynamic(["10.10.10.0/24", "192.168.1.0/24"]);
let snmp_ports = dynamic([161, 162]);
let config_transfer_ports = dynamic([69, 22, 21]);
let lookback = 1h;
// Detect SNMP traffic from non-management hosts
let snmp_anomalies = DeviceNetworkEvents
| where TimeGenerated >= ago(lookback)
| where RemotePort in (snmp_ports) or LocalPort in (snmp_ports)
| where Protocol == "Udp"
| extend IsManagementHost = ipv4_is_in_range(LocalIP, "10.10.10.0/24") or ipv4_is_in_range(LocalIP, "192.168.1.0/24")
| where IsManagementHost == false
| extend AlertType = "SNMP_From_Non_Management_Host"
| project TimeGenerated, DeviceName, LocalIP, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, AlertType;
// Detect TFTP transfers (network device config pulls)
let tftp_transfers = DeviceNetworkEvents
| where TimeGenerated >= ago(lookback)
| where RemotePort == 69 or LocalPort == 69
| extend AlertType = "TFTP_Config_Transfer"
| project TimeGenerated, DeviceName, LocalIP, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, AlertType;
// Detect SNMP-related process execution (snmpwalk, snmpget, snmpbulkwalk)
let snmp_tools = DeviceProcessEvents
| where TimeGenerated >= ago(lookback)
| where ProcessCommandLine has_any ("snmpwalk", "snmpbulkwalk", "snmpget", "snmpset", "snmptable", "onesixtyone", "braa", "-v2c", "community")
| extend AlertType = "SNMP_Enumeration_Tool"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AlertType;
// Detect access to network management system files
let nms_access = DeviceFileEvents
| where TimeGenerated >= ago(lookback)
| where FolderPath has_any ("SolarWinds", "PRTG", "ManageEngine", "CiscoWorks", "tftproot", "tftp", "cisco")
    or FileName has_any (".cfg", "-confg", "-running", "-startup", ".conf") and FolderPath has_any ("backup", "config", "tftp", "network")
| extend AlertType = "NMS_Config_File_Access"
| project TimeGenerated, DeviceName, AccountName, FolderPath, FileName, ActionType, AlertType;
union snmp_anomalies, tftp_transfers, snmp_tools, nms_access
| summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
    Devices = make_set(DeviceName), AlertTypes = make_set(AlertType)
    by bin(TimeGenerated, 15m), RemoteIP = coalesce(RemoteIP, "")
| where Count >= 1
| extend RiskScore = case(
    AlertTypes has "SNMP_Enumeration_Tool" and AlertTypes has "TFTP_Config_Transfer", 90,
    AlertTypes has "SNMP_Enumeration_Tool", 75,
    AlertTypes has "TFTP_Config_Transfer", 70,
    AlertTypes has "SNMP_From_Non_Management_Host", 60,
    AlertTypes has "NMS_Config_File_Access", 55,
    40)
| where RiskScore >= 55
| project FirstSeen, LastSeen, RemoteIP, Count, AlertTypes, Devices, RiskScore
| sort by RiskScore desc

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint Microsoft Sentinel

Required Tables

DeviceNetworkEvents DeviceProcessEvents DeviceFileEvents

False Positives

Legitimate network management systems (SolarWinds, PRTG, Nagios, Zabbix) performing scheduled SNMP polling of network infrastructure
IT operations teams running snmpwalk/snmpget during troubleshooting or capacity planning activities
Authorized TFTP-based network device backup jobs executed by configuration management tools like Oxidized, RANCID, or BackupNinja
Network monitoring agents and vulnerability scanners (Nessus, Qualys) querying SNMP-enabled devices during credentialed scans

Splunk

spl

index=* (sourcetype=syslog OR sourcetype="cisco:ios" OR sourcetype="cisco:asa" OR sourcetype="juniper:junos" OR sourcetype=netscreen)
| eval hour=strftime(_time, "%H"), day_of_week=strftime(_time, "%w")
| rex field=_raw "(?i)(snmp|community|tftp|config|MIB|OID|bulk|walk)"
(* Detect SNMP community string usage from unexpected hosts *)
| eval is_snmp_event=if(match(_raw, "(?i)SNMP.*community|community.*string.*accepted|SNMP.*authentication.*failure"), 1, 0)
(* Detect TFTP config transfers *)
| eval is_tftp_event=if(match(_raw, "(?i)tftp.*sent|tftp.*received|config.*transfer|TFTP.*\.(cfg|conf|confg)"), 1, 0)
(* Detect config archive access *)
| eval is_config_access=if(match(_raw, "(?i)archive.*config|show.*running|copy.*running|startup.*config.*tftp"), 1, 0)
| eval snmp_community=if(match(_raw, "(?i)community[\s=:]+([\w!@#$%^&*]+)"), 1, 0)
| eval score=0
| eval score=score + if(is_snmp_event=1, 30, 0)
| eval score=score + if(is_tftp_event=1, 40, 0)
| eval score=score + if(is_config_access=1, 35, 0)
| eval score=score + if(hour < 6 OR hour > 22, 20, 0)
| eval score=score + if(day_of_week=0 OR day_of_week=6, 15, 0)
| where score >= 30
| eval risk_level=case(score >= 70, "CRITICAL", score >= 50, "HIGH", score >= 30, "MEDIUM", true(), "LOW")
| rex field=_raw "(?i)(?:from|src[\s=]+|source[\s=]+)(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| stats count as event_count, max(score) as max_score, max(risk_level) as risk_level,
    values(sourcetype) as sourcetypes, values(host) as affected_devices,
    values(src_ip) as source_ips,
    sum(is_snmp_event) as snmp_events,
    sum(is_tftp_event) as tftp_events,
    sum(is_config_access) as config_access_events
    by bin(_time, 15m)
| where max_score >= 30
| sort - max_score
| table _time, affected_devices, source_ips, event_count, max_score, risk_level, snmp_events, tftp_events, config_access_events, sourcetypes

high severity medium confidence

Data Sources

Network Device Syslog Cisco IOS/ASA Logs Juniper JunOS Logs

Required Sourcetypes

syslog cisco:ios cisco:asa juniper:junos

False Positives

Authorized NMS polling (SolarWinds, PRTG, LibreNMS) generating continuous SNMP community string authentication events on a regular schedule
Scheduled backup jobs using TFTP or SCP to archive device configurations nightly — these will score high on TFTP + config_access combined
NOC/helpdesk staff running 'show running-config' commands during troubleshooting activities logged by device AAA/TACACS
Vendor maintenance windows where upstream equipment receives configuration pushes and generates TFTP traffic

Elastic Security (EQL)

eql

any where process.name : ("snmpwalk", "snmpbulkwalk", "braa", "onesixtyone", "snmpenum", "snmpcheck") or (network.transport : "udp" and destination.port == 161 and network.bytes > 5000)

high severity medium confidence

Data Sources

Elastic Endpoint Security Network Traffic

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-*

False Positives

Legitimate network management systems (SolarWinds, PRTG, Nagios, Zabbix) performing scheduled SNMP polling of network infrastructure
IT operations teams running snmpwalk/snmpget during troubleshooting or capacity planning activities
Authorized TFTP-based network device backup jobs executed by configuration management tools like Oxidized, RANCID, or BackupNinja
Network monitoring agents and vulnerability scanners (Nessus, Qualys) querying SNMP-enabled devices during credentialed scans

IBM QRadar (AQL)

sql

SELECT sourceip as "SourceIP", destinationip as "DestinationIP", destinationport as "DestPort", UTF8(payload) as "Payload", devicetime as "EventTime", CASE WHEN "DestPort" = 161 AND eventcount > 50 THEN 80 WHEN UTF8(payload) ILIKE '%community%' AND UTF8(payload) ILIKE '%OID%' THEN 70 ELSE 50 END as "RiskScore" FROM events WHERE destinationport = 161 AND LOGSOURCETYPENAME(devicetype) IN ('Cisco IOS', 'Cisco IOS XE', 'Linux OS', 'Juniper Networks Junos') ORDER BY eventcount DESC LAST 24 HOURS

high severity medium confidence

Data Sources

Network Traffic Linux OS Windows OS

Required Tables

events

False Positives

Legitimate network management systems (SolarWinds, PRTG, Nagios, Zabbix) performing scheduled SNMP polling of network infrastructure
IT operations teams running snmpwalk/snmpget during troubleshooting or capacity planning activities
Authorized TFTP-based network device backup jobs executed by configuration management tools like Oxidized, RANCID, or BackupNinja
Network monitoring agents and vulnerability scanners (Nessus, Qualys) querying SNMP-enabled devices during credentialed scans

Sumo Logic CSE

sql

_sourceCategory=network/snmp OR _sourceCategory=endpoint/process | json auto | where dest_port = 161 or process_name in ("snmpwalk", "snmpbulkwalk", "braa", "onesixtyone") | if(matches(process_name, "*braa*") or matches(process_name, "*onesixtyone*"), "High", if(matches(process_name, "*snmpwalk*") or matches(process_name, "*snmpbulkwalk*"), "Medium", "Low")) as RiskLevel | stats count by src_ip, dest_ip, process_name, RiskLevel | sort by count desc

high severity medium confidence

Data Sources

Network Traffic Endpoint Process Events

Required Tables

network/snmp endpoint/process

False Positives

Legitimate network management systems (SolarWinds, PRTG, Nagios, Zabbix) performing scheduled SNMP polling of network infrastructure
IT operations teams running snmpwalk/snmpget during troubleshooting or capacity planning activities
Authorized TFTP-based network device backup jobs executed by configuration management tools like Oxidized, RANCID, or BackupNinja
Network monitoring agents and vulnerability scanners (Nessus, Qualys) querying SNMP-enabled devices during credentialed scans

Google Chronicle / SecOps

yaral

rule detect_snmp_enumeration {
  meta:
    author = "Argus"
    description = "Detects SNMP-based network device enumeration"
    severity = "HIGH"
    technique = "T1602"
  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.target.port = 161
    $e.network.ip_protocol = "UDP"
    $e.network.sent_bytes > 1000
  condition:
    $e
}

high severity medium confidence

Data Sources

Endpoint Telemetry Network Traffic

Required Tables

NETWORK_CONNECTION PROCESS_LAUNCH

False Positives

Legitimate network management systems (SolarWinds, PRTG, Nagios, Zabbix) performing scheduled SNMP polling of network infrastructure
IT operations teams running snmpwalk/snmpget during troubleshooting or capacity planning activities
Authorized TFTP-based network device backup jobs executed by configuration management tools like Oxidized, RANCID, or BackupNinja
Network monitoring agents and vulnerability scanners (Nessus, Qualys) querying SNMP-enabled devices during credentialed scans

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /snmpwalk|snmpbulkwalk|braa|onesixtyone|snmpenum|snmpcheck/i
| case {
    ImageFileName = /braa|onesixtyone/i | ToolType := "Mass SNMP Scanner";
    ImageFileName = /snmpwalk|snmpbulkwalk/i | ToolType := "SNMP Walker";
    * | ToolType := "SNMP Tool"
  }
| table([@timestamp, UserName, ComputerName, ImageFileName, CommandHistory, ToolType])

high severity medium confidence

Data Sources

ProcessRollup2 (Falcon sensor) NetworkConnectIP4

Required Tables

ProcessRollup2 NetworkConnectIP4

False Positives

Legitimate network management systems (SolarWinds, PRTG, Nagios, Zabbix) performing scheduled SNMP polling of network infrastructure
IT operations teams running snmpwalk/snmpget during troubleshooting or capacity planning activities
Authorized TFTP-based network device backup jobs executed by configuration management tools like Oxidized, RANCID, or BackupNinja
Network monitoring agents and vulnerability scanners (Nessus, Qualys) querying SNMP-enabled devices during credentialed scans

Data from Configuration Repository

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (2)

Same Tactic: Collection

Popular Detections