Detect SNMP (MIB Dump) in Splunk
Adversaries may target the Management Information Base (MIB) to collect and mine valuable information from networks managed via Simple Network Management Protocol (SNMP). The MIB stores configuration variables accessible via object identifiers (OIDs), including system descriptions, hardware inventories, running configurations, routing tables, ARP caches, and interface details. Adversaries exploit SNMPv1/v2c's weak community-string authentication—using default strings such as 'public' and 'private'—to conduct bulk MIB walks against routers, switches, firewalls, and other managed devices, building detailed network maps that facilitate subsequent targeted exploitation. This technique was prominently documented in US-CERT alert TA18-106A describing APT actors targeting legacy Cisco infrastructure via SNMP to extract device configurations and network topology prior to destructive operations.
MITRE ATT&CK
- Tactic: Collection
- Technique: T1602 Data from Configuration Repository
- Sub-technique: T1602.001 SNMP (MIB Dump)
- Canonical reference: https://attack.mitre.org/techniques/T1602/001/
SPL Detection Query
index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\snmpwalk.exe" OR Image="*\\snmpget.exe" OR Image="*\\snmpbulkwalk.exe"
OR Image="*\\snmptable.exe" OR Image="*\\snmpset.exe" OR Image="*\\snmpgetnext.exe"
OR (CommandLine="*snmp*" AND (CommandLine="*.1.3.6*" OR CommandLine="*-c public*"
OR CommandLine="*-c private*" OR CommandLine="*-c cisco*" OR CommandLine="*-v2c*")))
| eval detection_type="snmp_tool_execution_windows"
| eval using_default_community=if(match(lower(CommandLine), "-c public|-c private|-c cisco|-c monitor"), 1, 0)
| eval mib_walk=if(match(CommandLine, "\\.1\\.3\\.6"), 1, 0)
| eval risk_score=case(using_default_community=1 AND mib_walk=1, 95, using_default_community=1, 85, mib_walk=1, 75, 1=1, 70)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, detection_type, using_default_community, mib_walk, risk_score
| append
    [ search index=linux (sourcetype="linux_secure" OR sourcetype="syslog")
      (process="snmpwalk" OR process="snmpget" OR process="snmpbulkwalk"
      OR process="snmpbulkget" OR process="snmptable" OR process="snmpset"
      OR message="*snmpwalk*" OR message="*snmpget*" OR message="*snmpbulk*")
    | eval detection_type="snmp_tool_execution_linux"
    | eval using_default_community=if(match(lower(coalesce(message, "")), "-c public|-c private|-c cisco"), 1, 0)
    | eval mib_walk=if(match(coalesce(message, ""), "\\.1\\.3\\.6"), 1, 0)
    | eval risk_score=if(using_default_community=1, 85, 70)
    | table _time, host, user, process, message, detection_type, using_default_community, mib_walk, risk_score ]
| append
    [ search index=network (sourcetype="syslog" OR sourcetype="cisco:ios" OR sourcetype="cisco:asa"
      OR sourcetype="juniper:junos" OR sourcetype="paloalto:firewall")
      SNMP ("Authentication failure" OR "authenticationFailure" OR "Unknown community"
      OR "wrong community" OR "No Such Name" OR "invalid community" OR "community string")
    | bin _time span=1h
    | stats count as failure_count, values(_raw) as sample_events by host, _time
    | where failure_count >= 5
    | eval detection_type="snmp_auth_failures"
    | eval risk_score=case(failure_count > 50, 92, failure_count > 20, 78, 1=1, 62)
    | table _time, host, failure_count, sample_events, detection_type, risk_score ]
| append
    [ search index=network sourcetype="stream:udp" dest_port=161
    | bin _time span=10m
    | stats count as snmp_requests, dc(dest_ip) as unique_targets, values(dest_ip) as target_ips
      by src_ip, src_host, _time
    | where snmp_requests > 20 OR unique_targets > 3
    | eval detection_type="high_volume_snmp_scan"
    | eval risk_score=case(unique_targets > 20, 95, unique_targets > 10, 85, snmp_requests > 100, 80, 1=1, 65)
    | table _time, src_host, src_ip, snmp_requests, unique_targets, target_ips, detection_type, risk_score ]
| sort - _time

Four-path detection that runs the Windows search first and appends three further searches across Linux, network device syslog, and network stream data: (1) Sysmon EventCode=1 on Windows identifies execution of SNMP enumeration binaries and command lines that use default community strings or the .1.3.6 (iso.org.dod.internet) OID prefix under which the MIB-II and enterprise trees sit; (2) linux_secure/syslog identifies SNMP tool processes on Linux hosts; (3) network device syslog (Cisco IOS, Juniper JunOS, Palo Alto) detects SNMP authentication failures indicating community string guessing, triggered at 5 or more failures per host per hour; (4) stream:udp on UDP/161 detects high-volume SNMP scanning, defined as more than 20 requests per 10 minutes or more than 3 unique targets from one source. Risk scores reflect the severity of the indicators, with the highest scores (92-95) for MIB walks using default community strings, large bursts of authentication failures, and scans that touch many targets. The two aggregating branches use bin plus stats inside append subsearches rather than multisearch, because multisearch accepts only streaming commands and rejects stats; append subsearches are subject to Splunk's subsearch result and runtime limits, so schedule the branches as separate saved searches if those limits are reached in a large environment.
False Positives & Tuning
- Network monitoring platforms (SolarWinds, PRTG, Nagios, Zabbix) polling devices via SNMP for availability monitoring — generate persistent high-volume UDP/161 traffic from known NMS servers at regular intervals
- Network engineers using snmpwalk/snmpget for manual diagnostics and troubleshooting during maintenance windows, especially in operations teams without strict change management
- Authorized penetration tests using SNMP enumeration tools where the testing team's source IP may not be in allowlists at detection time
- Vendor remote support sessions where networking vendors poll devices using SNMP to collect diagnostic information
- CI/CD pipelines for network automation that validate device configurations via SNMP queries after deployment changes
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: MIB-II Walk Using snmpwalk with Default Community String
Expected signal: Linux: /proc/[pid]/cmdline contains 'snmpwalk' with '-c public' and the target IP — visible in auditd execve events if auditd is configured, or in bash history at ~/.bash_history. Network device syslog will NOT log a successful community string match but WILL log if the string is wrong. Outbound UDP/161 packets visible in network capture or NetFlow records. Process execution visible in Sysmon Event ID 1 if run from a Windows host via WSL.
- Test 2: Cisco Running Configuration Retrieval via SNMP
Expected signal: Process execution of snmpwalk with OID .1.3.6.1.4.1.9.2.1 visible in bash history and process monitoring. File creation of /tmp/cisco_mib_output.txt with MIB content. Cisco device syslog: no authentication log on success with correct community string, but 'SNMP-3-AUTHFAIL' if community string is wrong. Network NetFlow shows UDP/161 with large response payload (multi-KB) indicating successful data return.
- Test 3: Python pysnmp Automated MIB Enumeration Script
Expected signal: Process creation for python3 with -c flag containing 'pysnmp', 'CommunityData', and 'public' — visible in Sysmon Event ID 1 CommandLine. Network connection on UDP/161 to TARGET_IP. No standard SNMP binary is invoked so binary-name-based detections miss this; detection relies on CommandLine content inspection or network traffic analysis.
- Test 4: SNMP Community String Brute Force with onesixtyone
Expected signal: onesixtyone process creation with -c flag and target IP visible in Sysmon/auditd. File creation of /tmp/snmp_communities.txt containing community string wordlist. Network device generates '%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from <source_ip>' for each failed community string attempt. Multiple rapid UDP/161 packets to the device visible in network capture.
- Test 5: SNMP ARP and Routing Table Extraction
Expected signal: Three sequential snmpwalk processes with distinct OID arguments visible in process creation logs. Process command lines contain '.1.3.6.1.2.1.3.1' (atTable), '.1.3.6.1.2.1.4.24.4' (ipCidrRouteTable), and '.1.3.6.1.2.1.2.2' (ifTable). Three bursts of UDP/161 traffic to TARGET_IP visible in network telemetry. Response traffic (device -> attacker) will contain IP addresses, MAC addresses, and network prefixes.
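The classification the query above applies, and the telemetry shapes the tests above describe, as an added Python example that is not part of this page's detection package: it mirrors the Windows branch's command-line checks and the network-device branch's per-host hourly authentication-failure bucketing over constructed Sysmon and Cisco syslog samples, including the python3 -c pysnmp case from Test 3 that binary-name matching misses. Host names, paths and the source address in the samples are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Indicators mirrored from the SPL: default community strings, .1.3.6 OID prefix, SNMP binaries, command-line hints.
DEFAULT_COMMUNITY = re.compile(r"-c (public|private|cisco|monitor)", re.I)
MIB_OID = re.compile(r"\.1\.3\.6")
SNMP_BINARIES = {"snmpwalk.exe", "snmpget.exe", "snmpbulkwalk.exe",
                 "snmptable.exe", "snmpset.exe", "snmpgetnext.exe"}
CMD_HINTS = (".1.3.6", "-c public", "-c private", "-c cisco", "-v2c")
AUTHFAIL = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) .*SNMP-3-AUTHFAIL")

def classify_process(image, cmdline):
    """Windows branch: None if the Sysmon event would not match, else the flags and risk_score the SPL evals assign."""
    binary_hit = image.rsplit("\\", 1)[-1].lower() in SNMP_BINARIES
    cmd_hit = "snmp" in cmdline.lower() and any(h in cmdline.lower() for h in CMD_HINTS)
    if not (binary_hit or cmd_hit):
        return None
    default_comm = bool(DEFAULT_COMMUNITY.search(cmdline))
    mib_walk = bool(MIB_OID.search(cmdline))
    score = 95 if default_comm and mib_walk else 85 if default_comm else 75 if mib_walk else 70
    return {"using_default_community": default_comm, "mib_walk": mib_walk, "risk_score": score}

def authfail_buckets(lines, threshold=5):
    """Network-device branch: count %SNMP-3-AUTHFAIL per host per hour; score buckets at or above threshold."""
    counts = defaultdict(int)
    for line in lines:
        m = AUTHFAIL.match(line)
        if m:  # the year is irrelevant for hourly bucketing; strptime defaults it to 1900
            hour = datetime.strptime(m.group(1), "%b %d %H:%M:%S").strftime("%b %d %H:00")
            counts[(m.group(2), hour)] += 1
    return {key: {"failure_count": n, "risk_score": 92 if n > 50 else 78 if n > 20 else 62}
            for key, n in counts.items() if n >= threshold}

# Constructed sample telemetry (hostnames, paths and addresses are made up) in the shapes the tests describe.
SYSMON = [
    (r"C:\net-snmp\bin\snmpwalk.exe", "snmpwalk.exe -v2c -c public 10.0.0.1 .1.3.6.1.2.1"),
    (r"C:\Python311\python.exe", "python3 -c \"from pysnmp.hlapi import *; "  # Test 3: no SNMP binary
     "CommunityData('public'); ObjectIdentity('.1.3.6.1.2.1.1')\""),
    (r"C:\Windows\System32\notepad.exe", "notepad.exe C:\\notes.txt"),
]
MSG = "%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from 10.0.0.50"
SYSLOG = [f"Mar  5 {t} {host} {MSG}" for host, t in
          [("rtr1", "10:01:00"), ("rtr1", "10:05:00"), ("rtr1", "10:09:00"), ("rtr1", "10:14:00"),
           ("rtr1", "10:22:00"), ("rtr1", "10:40:00"), ("rtr2", "10:03:00"), ("rtr1", "11:03:00")]]

if __name__ == "__main__":
    print([classify_process(*e) for e in SYSMON])  # 95 for snmpwalk, 75 for the pysnmp case, None for notepad
    print(authfail_buckets(SYSLOG))  # only rtr1's 10:00 bucket (6 failures) is flagged
```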
References
- https://attack.mitre.org/techniques/T1602/001/
- https://www.us-cert.gov/ncas/alerts/TA18-106A
- https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
- https://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20080610-SNMPv3
- https://www.sans.org/reading-room/whitepapers/networkdevs/securing-snmp-net-snmp-snmpv3-1051
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/snmp/configuration/xe-16/snmp-xe-16-book/nm-snmp-cfg-snmp-support.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1602.001/T1602.001.md
- https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml