Data from Configuration Repository
This detection identifies adversaries targeting network device configuration repositories to collect sensitive system administration data. Attackers exploit SNMP (Simple Network Management Protocol) community strings to perform MIB (Management Information Base) dumps, use TFTP/SCP/FTP to retrieve running or startup configurations from routers, switches, and firewalls, or abuse network management platforms (NMS) such as SolarWinds, PRTG, or Cisco DNA Center. Detection focuses on anomalous SNMP bulk-walk queries originating from non-management hosts, unexpected TFTP transfers from network infrastructure devices, unusual authentication events against network management systems, and high-volume SNMP OID enumeration patterns indicative of automated reconnaissance tools.
What is T1602 Data from Configuration Repository?
Data from Configuration Repository (T1602) maps to the Collection tactic — the adversary is trying to gather data of interest to their goal in MITRE ATT&CK.
This page provides production-ready detection logic for Data from Configuration Repository, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1602 Data from Configuration Repository
- Canonical reference
- https://attack.mitre.org/techniques/T1602/
let management_subnets = dynamic(["10.10.10.0/24", "192.168.1.0/24"]);
let snmp_ports = dynamic([161, 162]);
let config_transfer_ports = dynamic([69, 22, 21]);
let lookback = 1h;
// Detect SNMP traffic from non-management hosts
let snmp_anomalies = DeviceNetworkEvents
| where TimeGenerated >= ago(lookback)
| where RemotePort in (snmp_ports) or LocalPort in (snmp_ports)
| where Protocol == "Udp"
| extend IsManagementHost = ipv4_is_in_range(LocalIP, "10.10.10.0/24") or ipv4_is_in_range(LocalIP, "192.168.1.0/24")
| where IsManagementHost == false
| extend AlertType = "SNMP_From_Non_Management_Host"
| project TimeGenerated, DeviceName, LocalIP, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, AlertType;
// Detect TFTP transfers (network device config pulls)
let tftp_transfers = DeviceNetworkEvents
| where TimeGenerated >= ago(lookback)
| where RemotePort == 69 or LocalPort == 69
| extend AlertType = "TFTP_Config_Transfer"
| project TimeGenerated, DeviceName, LocalIP, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, AlertType;
// Detect SNMP-related process execution (snmpwalk, snmpget, snmpbulkwalk)
let snmp_tools = DeviceProcessEvents
| where TimeGenerated >= ago(lookback)
| where ProcessCommandLine has_any ("snmpwalk", "snmpbulkwalk", "snmpget", "snmpset", "snmptable", "onesixtyone", "braa", "-v2c", "community")
| extend AlertType = "SNMP_Enumeration_Tool"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AlertType;
// Detect access to network management system files
let nms_access = DeviceFileEvents
| where TimeGenerated >= ago(lookback)
| where FolderPath has_any ("SolarWinds", "PRTG", "ManageEngine", "CiscoWorks", "tftproot", "tftp", "cisco")
or FileName has_any (".cfg", "-confg", "-running", "-startup", ".conf") and FolderPath has_any ("backup", "config", "tftp", "network")
| extend AlertType = "NMS_Config_File_Access"
| project TimeGenerated, DeviceName, AccountName, FolderPath, FileName, ActionType, AlertType;
union snmp_anomalies, tftp_transfers, snmp_tools, nms_access
| summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
Devices = make_set(DeviceName), AlertTypes = make_set(AlertType)
by bin(TimeGenerated, 15m), RemoteIP = coalesce(RemoteIP, "")
| where Count >= 1
| extend RiskScore = case(
AlertTypes has "SNMP_Enumeration_Tool" and AlertTypes has "TFTP_Config_Transfer", 90,
AlertTypes has "SNMP_Enumeration_Tool", 75,
AlertTypes has "TFTP_Config_Transfer", 70,
AlertTypes has "SNMP_From_Non_Management_Host", 60,
AlertTypes has "NMS_Config_File_Access", 55,
40)
| where RiskScore >= 55
| project FirstSeen, LastSeen, RemoteIP, Count, AlertTypes, Devices, RiskScore
| sort by RiskScore descDetects SNMP enumeration tools (snmpwalk, snmpbulkwalk, braa, onesixtyone), SNMP traffic originating from non-management hosts, TFTP-based configuration file transfers, and access to network management system configuration files. Correlates multiple signals with a risk score to surface high-confidence alerts while reducing noise from legitimate NMS polling.
Data Sources
Required Tables
False Positives
- Legitimate network management systems (SolarWinds, PRTG, Nagios, Zabbix) performing scheduled SNMP polling of network infrastructure
- IT operations teams running snmpwalk/snmpget during troubleshooting or capacity planning activities
- Authorized TFTP-based network device backup jobs executed by configuration management tools like Oxidized, RANCID, or BackupNinja
- Network monitoring agents and vulnerability scanners (Nessus, Qualys) querying SNMP-enabled devices during credentialed scans
Sigma rule & cross-platform mapping
The detection logic for Data from Configuration Repository (T1602) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
category: process_creation
product: windowsBrowse the community-maintained Sigma rules for this technique:
Platform-specific guides for T1602
References (7)
- https://attack.mitre.org/techniques/T1602/
- https://attack.mitre.org/techniques/T1602/001/
- https://attack.mitre.org/techniques/T1602/002/
- https://us-cert.cisa.gov/ncas/alerts/TA18-106A
- https://us-cert.cisa.gov/ncas/alerts/TA17-156A
- https://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/command/reference/ffun_r/frf003.html
- https://www.rfc-editor.org/rfc/rfc3411
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1SNMP MIB Bulk Walk Using snmpwalk
Expected signal: Linux process exec events showing snmpwalk/snmptable with -v2c flag and community string argument. DeviceProcessEvents (if MDE Linux agent deployed) or auditd exec logs. Network flow telemetry showing UDP/161 traffic to target IP.
- Test 2Network Device Configuration Dump via TFTP
Expected signal: DeviceNetworkEvents showing UDP/69 connection. DeviceProcessEvents showing tftp.exe execution with remote host IP argument. Windows Security Event 5156 (Windows Filtering Platform permitted connection) for TFTP traffic. TFTP server access logs showing GET request for config file.
- Test 3SNMP Community String Brute Force with onesixtyone
Expected signal: High-volume UDP/161 packets from single source IP visible in NetFlow/IPFIX or network TAP data. Network device syslog SNMP-3-AUTHFAIL entries for failed community strings. DeviceNetworkEvents if source host has MDE agent showing rapid UDP connections to port 161 across multiple destinations.
Unlock Pro Content
Get the full detection package for T1602 including response playbook, investigation guide, and atomic red team tests.