T1602.001 SNMP (MIB Dump) Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let TimeWindow = 24h;
let SNMPTools = dynamic(["snmpwalk.exe", "snmpget.exe", "snmpbulkwalk.exe", "snmptable.exe", "snmpset.exe", "snmpgetnext.exe", "snmpdf.exe", "snmpnetstat.exe"]);
let WeakCommunities = dynamic(["-c public", "-c private", "-c cisco", "-c monitor", "-c manager", "-c secret", "-c admin", "community public", "community private"]);
// Detection Path 1: SNMP enumeration tools executed on Windows/Linux endpoints
let EndpointSNMPTools = DeviceProcessEvents
| where Timestamp > ago(TimeWindow)
| where FileName in~ (SNMPTools)
    or (ProcessCommandLine has "snmp"
        and (ProcessCommandLine has ".1.3.6"
             or ProcessCommandLine has_any (WeakCommunities)
             or ProcessCommandLine has "-v1"
             or ProcessCommandLine has "-v2c"
             or ProcessCommandLine has "-OXsq"))
| extend AlertType = "SNMP_Tool_Execution"
| extend UsingDefaultCommunity = ProcessCommandLine has_any (WeakCommunities)
| extend MIBWalkDetected = ProcessCommandLine has ".1.3.6"
| extend BulkWalk = FileName has_any ("snmpbulk", "snmpwalk")
| extend RiskScore = case(
    UsingDefaultCommunity and MIBWalkDetected, 95,
    UsingDefaultCommunity, 85,
    MIBWalkDetected, 75,
    70)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          AlertType, UsingDefaultCommunity, MIBWalkDetected, BulkWalk, RiskScore;
// Detection Path 2: High-volume outbound SNMP UDP/161 traffic indicating automated MIB walk
let SNMPTrafficBurst = DeviceNetworkEvents
| where Timestamp > ago(TimeWindow)
| where RemotePort == 161
| summarize
    SNMPRequests = count(),
    UniqueTargets = dcount(RemoteIP),
    TargetIPs = make_set(RemoteIP, 25),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
  by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
     AccountName = InitiatingProcessAccountName,
     bin(Timestamp, 10m)
| where SNMPRequests > 20 or UniqueTargets > 3
| extend AlertType = "High_Volume_SNMP_Scan"
| extend RiskScore = case(
    UniqueTargets > 20, 95,
    UniqueTargets > 10, 85,
    SNMPRequests > 100, 80,
    65)
| project Timestamp, DeviceName, AccountName,
          FileName = InitiatingProcessFileName,
          ProcessCommandLine = InitiatingProcessCommandLine,
          AlertType, SNMPRequests, UniqueTargets, TargetIPs, RiskScore;
// Detection Path 3: SNMP authentication failures on network devices (Syslog)
let SNMPAuthFailures = Syslog
| where TimeGenerated > ago(TimeWindow)
| where SyslogMessage has_any ("SNMP", "snmp")
| where SyslogMessage has_any (
    "Authentication failure", "authentication failure", "authenticationFailure",
    "Unknown community", "wrong community", "No Such Name",
    "invalid community", "Community name mismatch", "community string")
| summarize
    FailureCount = count(),
    SampleMessages = make_set(SyslogMessage, 3),
    UniqueSourceIPs = dcount(extract(@"from\s+(\d+\.\d+\.\d+\.\d+)", 1, SyslogMessage))
  by HostName, bin(TimeGenerated, 1h)
| where FailureCount >= 5
| extend AlertType = "SNMP_Auth_Failures_Network_Device"
| extend RiskScore = case(FailureCount > 50, 92, FailureCount > 20, 78, 62)
| project Timestamp = TimeGenerated, DeviceName = HostName,
          AccountName = "NetworkDevice",
          FileName = "snmpd",
          ProcessCommandLine = strcat("Failures: ", tostring(FailureCount), " UniqueSourceIPs: ", tostring(UniqueSourceIPs), " Sample: ", tostring(SampleMessages)),
          AlertType, FailureCount, UniqueSourceIPs, RiskScore;
// Combined output across all detection paths
EndpointSNMPTools
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, AlertType, RiskScore
| union (SNMPTrafficBurst
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, AlertType, RiskScore)
| union (SNMPAuthFailures
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, AlertType, RiskScore)
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Application Log: Application Log Content Microsoft Defender for Endpoint Azure Monitor Syslog

Required Tables

DeviceProcessEvents DeviceNetworkEvents Syslog

False Positives

Legitimate network management platforms (SolarWinds Orion, PRTG, Nagios, Zabbix, LibreNMS) polling network devices via SNMP on UDP/161 for availability and performance monitoring — these generate high-volume, regular-interval SNMP traffic from known management server IPs
Network engineers manually running snmpwalk or snmpget to troubleshoot device configurations, verify SNMP community string setup, or validate OID responses during maintenance windows
Automated asset discovery tools (Nmap with snmp-info scripts, OpenNMS, Netdisco) performing scheduled network inventory scans that enumerate SNMP-capable devices
Authorized security assessments and vulnerability scans using SNMP enumeration modules (Metasploit auxiliary/scanner/snmp/snmp_enum, Nessus SNMP scanner, Qualys) during penetration testing engagements
IT operations runbooks where admins use snmpbulkwalk to baseline device configurations before and after maintenance changes

Splunk

spl

| multisearch
    [
    search index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
      (Image="*\\snmpwalk.exe" OR Image="*\\snmpget.exe" OR Image="*\\snmpbulkwalk.exe"
       OR Image="*\\snmptable.exe" OR Image="*\\snmpset.exe" OR Image="*\\snmpgetnext.exe"
       OR (CommandLine="*snmp*" AND (CommandLine="*.1.3.6*" OR CommandLine="*-c public*"
           OR CommandLine="*-c private*" OR CommandLine="*-c cisco*" OR CommandLine="*-v2c*")))
    | eval detection_type="snmp_tool_execution_windows"
    | eval using_default_community=if(match(lower(CommandLine), "-c public|-c private|-c cisco|-c monitor"), 1, 0)
    | eval mib_walk=if(match(CommandLine, "\\.1\\.3\\.6"), 1, 0)
    | eval risk_score=case(using_default_community=1 AND mib_walk=1, 95, using_default_community=1, 85, mib_walk=1, 75, 1=1, 70)
    | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, detection_type, using_default_community, mib_walk, risk_score
    ]
    [
    search index=linux (sourcetype="linux_secure" OR sourcetype="syslog")
      (process="snmpwalk" OR process="snmpget" OR process="snmpbulkwalk"
       OR process="snmpbulkget" OR process="snmptable" OR process="snmpset"
       OR message="*snmpwalk*" OR message="*snmpget*" OR message="*snmpbulk*")
    | eval detection_type="snmp_tool_execution_linux"
    | eval using_default_community=if(match(lower(coalesce(message, "")), "-c public|-c private|-c cisco"), 1, 0)
    | eval mib_walk=if(match(coalesce(message, ""), "\\.1\\.3\\.6"), 1, 0)
    | eval risk_score=if(using_default_community=1, 85, 70)
    | table _time, host, user, process, message, detection_type, using_default_community, mib_walk, risk_score
    ]
    [
    search index=network (sourcetype="syslog" OR sourcetype="cisco:ios" OR sourcetype="cisco:asa"
      OR sourcetype="juniper:junos" OR sourcetype="paloalto:firewall")
      ("SNMP" OR "snmp")
      ("Authentication failure" OR "authenticationFailure" OR "Unknown community"
       OR "wrong community" OR "No Such Name" OR "invalid community" OR "community string")
    | stats count as failure_count, values(_raw) as sample_events by host, span(_time, 1h)
    | where failure_count >= 5
    | eval detection_type="snmp_auth_failures"
    | eval risk_score=case(failure_count > 50, 92, failure_count > 20, 78, 1=1, 62)
    | table _time, host, failure_count, sample_events, detection_type, risk_score
    ]
    [
    search index=network sourcetype="stream:udp" dest_port=161
    | stats count as snmp_requests, dc(dest_ip) as unique_targets, values(dest_ip) as target_ips
        by src_ip, src_host, span(_time, 10m)
    | where snmp_requests > 20 OR unique_targets > 3
    | eval detection_type="high_volume_snmp_scan"
    | eval risk_score=case(unique_targets > 20, 95, unique_targets > 10, 85, snmp_requests > 100, 80, 1=1, 65)
    | table _time, src_host, src_ip, snmp_requests, unique_targets, target_ips, detection_type, risk_score
    ]
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Traffic Flow Application Log: Application Log Content Sysmon Event ID 1 Network Device Syslog

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational linux_secure syslog cisco:ios stream:udp

False Positives

Network monitoring platforms (SolarWinds, PRTG, Nagios, Zabbix) polling devices via SNMP for availability monitoring — generate persistent high-volume UDP/161 traffic from known NMS servers at regular intervals
Network engineers using snmpwalk/snmpget for manual diagnostics and troubleshooting during maintenance windows, especially in operations teams without strict change management
Authorized penetration tests using SNMP enumeration tools where the testing team's source IP may not be in allowlists at detection time
Vendor remote support sessions where networking vendors poll devices using SNMP to collect diagnostic information
CI/CD pipelines for network automation that validate device configurations via SNMP queries after deployment changes

Elastic Security (EQL)

eql

any where process.name : ("snmpwalk", "snmpbulkwalk", "braa", "onesixtyone", "snmpenum", "snmpcheck") or (network.transport : "udp" and destination.port == 161 and network.bytes > 5000)

high severity medium confidence

Data Sources

Elastic Endpoint Security Network Traffic

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-*

False Positives

Legitimate network management platforms (SolarWinds Orion, PRTG, Nagios, Zabbix, LibreNMS) polling network devices via SNMP on UDP/161 for availability and performance monitoring — these generate high-volume, regular-interval SNMP traffic from known management server IPs
Network engineers manually running snmpwalk or snmpget to troubleshoot device configurations, verify SNMP community string setup, or validate OID responses during maintenance windows
Automated asset discovery tools (Nmap with snmp-info scripts, OpenNMS, Netdisco) performing scheduled network inventory scans that enumerate SNMP-capable devices
Authorized security assessments and vulnerability scans using SNMP enumeration modules (Metasploit auxiliary/scanner/snmp/snmp_enum, Nessus SNMP scanner, Qualys) during penetration testing engagements
IT operations runbooks where admins use snmpbulkwalk to baseline device configurations before and after maintenance changes

IBM QRadar (AQL)

sql

SELECT sourceip as "SourceIP", destinationip as "DestinationIP", destinationport as "DestPort", UTF8(payload) as "Payload", devicetime as "EventTime", CASE WHEN "DestPort" = 161 AND eventcount > 50 THEN 80 WHEN UTF8(payload) ILIKE '%community%' AND UTF8(payload) ILIKE '%OID%' THEN 70 ELSE 50 END as "RiskScore" FROM events WHERE destinationport = 161 AND LOGSOURCETYPENAME(devicetype) IN ('Cisco IOS', 'Cisco IOS XE', 'Linux OS', 'Juniper Networks Junos') ORDER BY eventcount DESC LAST 24 HOURS

high severity medium confidence

Data Sources

Network Traffic Linux OS Windows OS

Required Tables

events

False Positives

Legitimate network management platforms (SolarWinds Orion, PRTG, Nagios, Zabbix, LibreNMS) polling network devices via SNMP on UDP/161 for availability and performance monitoring — these generate high-volume, regular-interval SNMP traffic from known management server IPs
Network engineers manually running snmpwalk or snmpget to troubleshoot device configurations, verify SNMP community string setup, or validate OID responses during maintenance windows
Automated asset discovery tools (Nmap with snmp-info scripts, OpenNMS, Netdisco) performing scheduled network inventory scans that enumerate SNMP-capable devices
Authorized security assessments and vulnerability scans using SNMP enumeration modules (Metasploit auxiliary/scanner/snmp/snmp_enum, Nessus SNMP scanner, Qualys) during penetration testing engagements
IT operations runbooks where admins use snmpbulkwalk to baseline device configurations before and after maintenance changes

Sumo Logic CSE

sql

_sourceCategory=network/snmp OR _sourceCategory=endpoint/process | json auto | where dest_port = 161 or process_name in ("snmpwalk", "snmpbulkwalk", "braa", "onesixtyone") | if(matches(process_name, "*braa*") or matches(process_name, "*onesixtyone*"), "High", if(matches(process_name, "*snmpwalk*") or matches(process_name, "*snmpbulkwalk*"), "Medium", "Low")) as RiskLevel | stats count by src_ip, dest_ip, process_name, RiskLevel | sort by count desc

high severity medium confidence

Data Sources

Network Traffic Endpoint Process Events

Required Tables

network/snmp endpoint/process

False Positives

Legitimate network management platforms (SolarWinds Orion, PRTG, Nagios, Zabbix, LibreNMS) polling network devices via SNMP on UDP/161 for availability and performance monitoring — these generate high-volume, regular-interval SNMP traffic from known management server IPs
Network engineers manually running snmpwalk or snmpget to troubleshoot device configurations, verify SNMP community string setup, or validate OID responses during maintenance windows
Automated asset discovery tools (Nmap with snmp-info scripts, OpenNMS, Netdisco) performing scheduled network inventory scans that enumerate SNMP-capable devices
Authorized security assessments and vulnerability scans using SNMP enumeration modules (Metasploit auxiliary/scanner/snmp/snmp_enum, Nessus SNMP scanner, Qualys) during penetration testing engagements
IT operations runbooks where admins use snmpbulkwalk to baseline device configurations before and after maintenance changes

Google Chronicle / SecOps

yaral

rule detect_snmp_enumeration {
  meta:
    author = "Argus"
    description = "Detects SNMP-based network device enumeration"
    severity = "HIGH"
    technique = "T1602"
  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.target.port = 161
    $e.network.ip_protocol = "UDP"
    $e.network.sent_bytes > 1000
  condition:
    $e
}

high severity medium confidence

Data Sources

Endpoint Telemetry Network Traffic

Required Tables

NETWORK_CONNECTION PROCESS_LAUNCH

False Positives

Legitimate network management platforms (SolarWinds Orion, PRTG, Nagios, Zabbix, LibreNMS) polling network devices via SNMP on UDP/161 for availability and performance monitoring — these generate high-volume, regular-interval SNMP traffic from known management server IPs
Network engineers manually running snmpwalk or snmpget to troubleshoot device configurations, verify SNMP community string setup, or validate OID responses during maintenance windows
Automated asset discovery tools (Nmap with snmp-info scripts, OpenNMS, Netdisco) performing scheduled network inventory scans that enumerate SNMP-capable devices
Authorized security assessments and vulnerability scans using SNMP enumeration modules (Metasploit auxiliary/scanner/snmp/snmp_enum, Nessus SNMP scanner, Qualys) during penetration testing engagements
IT operations runbooks where admins use snmpbulkwalk to baseline device configurations before and after maintenance changes

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /snmpwalk|snmpbulkwalk|braa|onesixtyone|snmpenum|snmpcheck/i
| case {
    ImageFileName = /braa|onesixtyone/i | ToolType := "Mass SNMP Scanner";
    ImageFileName = /snmpwalk|snmpbulkwalk/i | ToolType := "SNMP Walker";
    * | ToolType := "SNMP Tool"
  }
| table([@timestamp, UserName, ComputerName, ImageFileName, CommandHistory, ToolType])

high severity medium confidence

Data Sources

ProcessRollup2 (Falcon sensor) NetworkConnectIP4

Required Tables

ProcessRollup2 NetworkConnectIP4

False Positives

Legitimate network management platforms (SolarWinds Orion, PRTG, Nagios, Zabbix, LibreNMS) polling network devices via SNMP on UDP/161 for availability and performance monitoring — these generate high-volume, regular-interval SNMP traffic from known management server IPs
Network engineers manually running snmpwalk or snmpget to troubleshoot device configurations, verify SNMP community string setup, or validate OID responses during maintenance windows
Automated asset discovery tools (Nmap with snmp-info scripts, OpenNMS, Netdisco) performing scheduled network inventory scans that enumerate SNMP-capable devices
Authorized security assessments and vulnerability scans using SNMP enumeration modules (Metasploit auxiliary/scanner/snmp/snmp_enum, Nessus SNMP scanner, Qualys) during penetration testing engagements
IT operations runbooks where admins use snmpbulkwalk to baseline device configurations before and after maintenance changes

SNMP (MIB Dump)

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Collection

Popular Detections