T1602.001 Sumo Logic CSE · Sumo

Detect SNMP (MIB Dump) in Sumo Logic CSE

Adversaries may target the Management Information Base (MIB) to collect and mine valuable information from networks managed via Simple Network Management Protocol (SNMP). The MIB stores configuration variables accessible via object identifiers (OIDs), including system descriptions, hardware inventories, running configurations, routing tables, ARP caches, and interface details. Adversaries exploit SNMPv1/v2c's weak community-string authentication—using default strings such as 'public' and 'private'—to conduct bulk MIB walks against routers, switches, firewalls, and other managed devices, building detailed network maps that facilitate subsequent targeted exploitation. This technique was prominently documented in US-CERT alert TA18-106A describing APT actors targeting legacy Cisco infrastructure via SNMP to extract device configurations and network topology prior to destructive operations.

MITRE ATT&CK

Tactic: Collection
Technique: T1602 Data from Configuration Repository
Sub-technique: T1602.001 SNMP (MIB Dump)
Canonical reference: https://attack.mitre.org/techniques/T1602/001/

Sumo Detection Query

Sumo Logic CSE (Sumo)

```sql
_sourceCategory=network/snmp OR _sourceCategory=endpoint/process
| json auto
| where dest_port = 161 or process_name in ("snmpwalk", "snmpbulkwalk", "braa", "onesixtyone")
| if(matches(process_name, "*braa*") or matches(process_name, "*onesixtyone*"), "High",
     if(matches(process_name, "*snmpwalk*") or matches(process_name, "*snmpbulkwalk*"), "Medium", "Low")) as RiskLevel
| count by src_ip, dest_ip, process_name, RiskLevel
| sort by _count desc
```

Severity: high. Confidence: medium.

Sumo Logic query for T1602.001 detection using source category filters and aggregation. Three-path detection for SNMP MIB enumeration targeting network infrastructure: (1) DeviceProcessEve

Data Sources

  • Network Traffic
  • Endpoint Process Events

Required Tables

  • network/snmp
  • endpoint/process

False Positives & Tuning

  • Legitimate network management platforms (SolarWinds Orion, PRTG, Nagios, Zabbix, LibreNMS) polling network devices via SNMP on UDP/161 for availability and performance monitoring — these generate high-volume, regular-interval SNMP traffic from known management server IPs
  • Network engineers manually running snmpwalk or snmpget to troubleshoot device configurations, verify SNMP community string setup, or validate OID responses during maintenance windows
  • Automated asset discovery tools (Nmap with snmp-info scripts, OpenNMS, Netdisco) performing scheduled network inventory scans that enumerate SNMP-capable devices
  • Authorized security assessments and vulnerability scans using SNMP enumeration modules (Metasploit auxiliary/scanner/snmp/snmp_enum, Nessus SNMP scanner, Qualys) during penetration testing engagements
  • IT operations runbooks where admins use snmpbulkwalk to baseline device configurations before and after maintenance changes
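The query above and the first tuning bullet, re-implemented in Python as an added example (not Sumo Logic's code and not part of this page's detection package) so the RiskLevel logic and an NMS source-IP allowlist can be exercised offline. The JSON event records and the 10.0.5.10 poller address are constructed for the example.

```python
import fnmatch
import json
from collections import Counter

SNMP_PORT = 161
# process_name values the query's where-clause matches by exact name
NAMED_TOOLS = ("snmpwalk", "snmpbulkwalk", "braa", "onesixtyone")
# glob patterns used by the query's matches() calls in the RiskLevel if/else chain
HIGH_PATTERNS = ("*braa*", "*onesixtyone*")
MEDIUM_PATTERNS = ("*snmpwalk*", "*snmpbulkwalk*")

# Tuning: constructed allowlist of sanctioned NMS pollers (hypothetical address).
KNOWN_NMS = frozenset({"10.0.5.10"})

# Constructed sample records, one JSON object per line as `json auto` would see them.
SAMPLE_EVENTS = (
    # regular polling from the hypothetical NMS: network telemetry only, no process field
    ['{"src_ip": "10.0.5.10", "dest_ip": "10.0.0.1", "dest_port": 161}'] * 4
    # community-string scanner run from a workstation
    + ['{"src_ip": "10.1.2.3", "dest_ip": "10.0.0.1", "dest_port": 161, "process_name": "onesixtyone"}'] * 3
    + ['{"src_ip": "10.1.2.3", "dest_ip": "10.0.0.1", "dest_port": 161, "process_name": "snmpwalk"}'] * 2
    # a script speaking SNMP without a net-snmp binary: caught by the port, rated Low
    + ['{"src_ip": "10.1.2.3", "dest_ip": "10.0.0.1", "dest_port": 161, "process_name": "python3"}']
    # unrelated traffic that the where-clause drops
    + ['{"src_ip": "10.1.2.9", "dest_ip": "10.0.0.2", "dest_port": 22, "process_name": "ssh"}']
)


def risk_level(process_name):
    """The nested if(matches(...)) expression that assigns RiskLevel."""
    name = process_name or ""
    if any(fnmatch.fnmatchcase(name, p) for p in HIGH_PATTERNS):
        return "High"
    if any(fnmatch.fnmatchcase(name, p) for p in MEDIUM_PATTERNS):
        return "Medium"
    return "Low"


def matches_filter(event):
    """where dest_port = 161 or process_name in (...)"""
    return event.get("dest_port") == SNMP_PORT or event.get("process_name") in NAMED_TOOLS


def aggregate(events, allowlist=frozenset()):
    """count by src_ip, dest_ip, process_name, RiskLevel | sort by _count desc,
    with an optional source-IP allowlist applied before counting (the tuning step)."""
    counts = Counter()
    for raw in events:
        ev = json.loads(raw) if isinstance(raw, str) else raw
        if not matches_filter(ev) or ev.get("src_ip") in allowlist:
            continue
        key = (ev.get("src_ip"), ev.get("dest_ip"), ev.get("process_name"),
               risk_level(ev.get("process_name")))
        counts[key] += 1
    # count descending; str(key) breaks ties deterministically
    return sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0])))


if __name__ == "__main__":
    print("untuned:")
    for key, n in aggregate(SAMPLE_EVENTS):
        print(f"  {n:3d}  {key}")
    print("with NMS allowlist:")
    for key, n in aggregate(SAMPLE_EVENTS, KNOWN_NMS):
        print(f"  {n:3d}  {key}")
```

Untuned, the top row is the NMS poller (four Low-rated network events with no process name), which is exactly the high-volume, regular-interval noise the first bullet describes; with the allowlist applied, the onesixtyone run surfaces at the top as High.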

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: MIB-II Walk Using snmpwalk with Default Community String

    Expected signal: Linux: /proc/[pid]/cmdline contains 'snmpwalk' with '-c public' and the target IP — visible in auditd execve events if auditd is configured, or in bash history at ~/.bash_history. Network device syslog will NOT log a successful community string match but WILL log if the string is wrong. Outbound UDP/161 packets visible in network capture or NetFlow records. Process execution visible in Sysmon Event ID 1 if run from a Windows host via WSL.

  2. Test 2: Cisco Running Configuration Retrieval via SNMP

    Expected signal: Process execution of snmpwalk with OID .1.3.6.1.4.1.9.2.1 visible in bash history and process monitoring. File creation of /tmp/cisco_mib_output.txt with MIB content. Cisco device syslog: no authentication log on success with correct community string, but 'SNMP-3-AUTHFAIL' if community string is wrong. Network NetFlow shows UDP/161 with large response payload (multi-KB) indicating successful data return.

  3. Test 3: Python pysnmp Automated MIB Enumeration Script

    Expected signal: Process creation for python3 with -c flag containing 'pysnmp', 'CommunityData', and 'public' — visible in Sysmon Event ID 1 CommandLine. Network connection on UDP/161 to TARGET_IP. No standard SNMP binary is invoked so binary-name-based detections miss this; detection relies on CommandLine content inspection or network traffic analysis.

  4. Test 4: SNMP Community String Brute Force with onesixtyone

    Expected signal: onesixtyone process creation with -c flag and target IP visible in Sysmon/auditd. File creation of /tmp/snmp_communities.txt containing community string wordlist. Network device generates '%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from <source_ip>' for each failed community string attempt. Multiple rapid UDP/161 packets to the device visible in network capture.

  5. Test 5: SNMP ARP and Routing Table Extraction

    Expected signal: Three sequential snmpwalk processes with distinct OID arguments visible in process creation logs. Process command lines contain '.1.3.6.1.2.1.3.1' (atTable), '.1.3.6.1.2.1.4.24.4' (ipCidrRouteTable), and '.1.3.6.1.2.1.2.2' (ifTable). Three bursts of UDP/161 traffic to TARGET_IP visible in network telemetry. Response traffic (device -> attacker) will contain IP addresses, MAC addresses, and network prefixes.
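All five expected signals hinge on command-line content: the '-c public' community string, the OID arguments, a community wordlist passed to onesixtyone, and a pysnmp one-liner that no binary-name rule catches. As an added example (written for this page, not part of its detection package or Sumo Logic's code), here is a command-line inspector that maps the OIDs listed in the tests above to the MIB tables they expose, flags default community strings, and correlates several command lines from one host into the set of tables walked. The sample command lines and the 10.0.0.1 target are constructed; the mib-2 root OID (.1.3.6.1.2.1) is standard and is added here for Test 1.

```python
import os
import re
import shlex

# OID prefixes named in the expected signals above (plus the standard mib-2 root,
# listed last so the more specific prefixes win) and the tables they expose.
OID_TABLES = {
    ".1.3.6.1.2.1.3.1": "atTable (ARP cache)",
    ".1.3.6.1.2.1.4.24.4": "ipCidrRouteTable (routing table)",
    ".1.3.6.1.2.1.2.2": "ifTable (interfaces)",
    ".1.3.6.1.4.1.9.2.1": "Cisco enterprise MIB (running configuration)",
    ".1.3.6.1.2.1": "MIB-II (mib-2) subtree",
}
DEFAULT_COMMUNITIES = {"public", "private"}
NET_SNMP_TOOLS = {"snmpwalk", "snmpbulkwalk", "snmpget"}
SCANNER_TOOLS = {"onesixtyone", "braa"}
# dotted OIDs under iso.org.dod (1.3.6); anchoring on that prefix keeps IPv4 addresses out
OID_RE = re.compile(r"(?<![\w.])\.?1\.3\.6(?:\.\d+)+")
COMMUNITY_DATA_RE = re.compile(r"CommunityData\(\s*['\"]([^'\"]*)['\"]")

# Constructed command lines mirroring the five tests (hypothetical target 10.0.0.1).
SAMPLE_CMDLINES = [
    "/usr/bin/snmpwalk -v 2c -c public 10.0.0.1 .1.3.6.1.2.1",        # Test 1
    "snmpwalk -v 2c -c public 10.0.0.1 .1.3.6.1.4.1.9.2.1",            # Test 2
    "python3 -c \"from pysnmp.hlapi import *; CommunityData('public')\"",  # Test 3
    "onesixtyone -c /tmp/snmp_communities.txt 10.0.0.1",               # Test 4
    "snmpwalk -v 2c -c public 10.0.0.1 .1.3.6.1.2.1.3.1",              # Test 5 (a)
    "snmpwalk -v 2c -c public 10.0.0.1 .1.3.6.1.2.1.4.24.4",           # Test 5 (b)
    "snmpwalk -v 2c -c public 10.0.0.1 .1.3.6.1.2.1.2.2",              # Test 5 (c)
    "ssh admin@10.0.0.1",                                              # benign control
]


def _option_value(tokens, flag):
    """Return the token following `flag`, or None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == flag:
            return tokens[i + 1]
    return None


def _table_for(oid):
    for prefix, name in OID_TABLES.items():
        if oid == prefix or oid.startswith(prefix + "."):
            return name
    return None


def inspect_cmdline(cmdline):
    """Classify one process command line (auditd execve / Sysmon EID 1 CommandLine)."""
    tokens = shlex.split(cmdline)
    binary = os.path.basename(tokens[0]) if tokens else ""
    findings = []
    community = None

    if binary in NET_SNMP_TOOLS:
        findings.append(f"net-snmp tool {binary}")
        community = _option_value(tokens, "-c")
    elif binary in SCANNER_TOOLS:
        findings.append(f"community-string scanner {binary}")
        wordlist = _option_value(tokens, "-c")  # onesixtyone: -c <file> is a wordlist
        if wordlist:
            findings.append(f"community wordlist {wordlist}")
    elif binary.startswith("python") and "pysnmp" in cmdline:
        findings.append("inline pysnmp script (no SNMP binary name to match)")
        m = COMMUNITY_DATA_RE.search(cmdline)
        community = m.group(1) if m else None

    if community is not None and community.lower() in DEFAULT_COMMUNITIES:
        findings.append(f"default community string '{community}'")

    oids = []
    for m in OID_RE.finditer(cmdline):
        oid = m.group(0) if m.group(0).startswith(".") else "." + m.group(0)
        table = _table_for(oid)
        oids.append((oid, table))
        if table:
            findings.append(f"walks {table}")

    return {"binary": binary, "community": community, "oids": oids,
            "findings": findings, "flag": bool(findings)}


def tables_walked(cmdlines):
    """Correlate several command lines from one host into the set of MIB tables touched."""
    seen = set()
    for cmd in cmdlines:
        for _, table in inspect_cmdline(cmd)["oids"]:
            if table:
                seen.add(table)
    return seen


if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        r = inspect_cmdline(cmd)
        print(("ALERT " if r["flag"] else "ok    ") + cmd, r["findings"])
    print("Test 5 correlation:", tables_walked(SAMPLE_CMDLINES[4:7]))
```

Seeing atTable, ipCidrRouteTable and ifTable walked from one host inside a short window is the Test 5 pattern; a single mib-2 walk with a default community string from a workstation that is not a known NMS is the Test 1 pattern.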
