T1602.002

Network Device Configuration Dump

Adversaries may access network configuration files to collect sensitive data about network devices and infrastructure topology. A device's running and startup configurations define how it operates and typically contain static routes and routing-protocol settings, access control lists, VPN pre-shared keys, SNMP community strings, BGP/OSPF authentication keys, and local administrative credentials, some of them stored in clear text or under reversible obfuscation such as Cisco type 7. Adversaries abuse management protocols to read these configurations or to make the device export them to an attacker-controlled server over TFTP, FTP, or SCP: a writable SNMP community string lets a remote host instruct a Cisco IOS device to copy its running configuration to a TFTP server through the CISCO-CONFIG-COPY-MIB, and Cisco's Smart Install (SMI) protocol on TCP/4786 can be used to retrieve or replace a device's configuration with no authentication at all. The Chinese state-sponsored group Salt Typhoon has used this technique to acquire credentials by dumping network device configurations. US-CERT Advisory TA18-106A documents large-scale exploitation of SNMP and SMI to exfiltrate Cisco IOS running configurations from internet-facing routers.
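
What a dumped configuration hands an attacker, and what an incident responder has to rotate afterwards, is easiest to see on an actual file. The following added example (not code from this page, from MITRE, or from any vendor) inventories credential-bearing lines in a constructed Cisco IOS-style configuration and decodes the type 7 strings, which are a fixed-key XOR rather than a hash. The hostname, addresses, community strings, hash placeholder and encoded values are all made up for the example, and the regexes cover only a handful of common statement forms.

```python
import re

# Cisco type 7 "encryption" is a fixed-key XOR; this is the publicly known constant key.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(enc: str) -> str:
    """Reverse a type 7 string: two-digit seed, then one hex byte per plaintext character."""
    seed = int(enc[:2])
    body = bytes.fromhex(enc[2:])
    return "".join(chr(b ^ ord(TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])) for i, b in enumerate(body))


def type7_encode(plain: str, seed: int = 0) -> str:
    """Inverse of type7_decode; used here only to build the constructed sample config."""
    return f"{seed:02d}" + "".join(
        f"{ord(c) ^ ord(TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]):02X}" for i, c in enumerate(plain))


# Constructed sample running-config fragment (hypothetical device, not from any real network).
# The enable secret is a placeholder, not a real MD5 hash.
SAMPLE_CONFIG = f"""\
hostname rtr-edge-01
!
enable secret 5 $1$abcd$placeholderhashvalue0000000
username admin privilege 15 password 7 0822455D0A16
!
snmp-server community public RO
snmp-server community s3cr3tRW RW 10
!
crypto isakmp key vpnsharedkey address 203.0.113.9
!
router bgp 65001
 neighbor 203.0.113.1 password 7 {type7_encode('bgp-pass', 3)}
!
key chain OSPF-KEYS
 key 1
  key-string 7 {type7_encode('ospfkey', 12)}
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
"""

# (kind, regex) applied to each stripped line; first match wins
PATTERNS = [
    ("snmp_community", re.compile(r"^snmp-server community (\S+)(?:\s+(RO|RW))?")),
    ("isakmp_psk", re.compile(r"^crypto isakmp key (\S+) address")),
    ("type7_secret", re.compile(r"\b(?:password|key-string) 7 ([0-9A-Fa-f]+)\b")),
    ("cleartext_secret", re.compile(r"\b(?:password|key-string) 0 (\S+)")),
    ("type5_hash", re.compile(r"^enable secret 5 (\S+)")),
]


def inventory_secrets(config_text: str) -> list:
    """Return every credential-bearing line with its kind, value and (for type 7) the plaintext."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            item = {"line": lineno, "kind": kind, "value": m.group(1), "context": line}
            if kind == "snmp_community":
                # RW strings matter most: SNMP write access is what lets CISCO-CONFIG-COPY-MIB
                # push the running config to an arbitrary TFTP server.
                item["access"] = m.group(2) or "RO"
            if kind == "type7_secret":
                item["plaintext"] = type7_decode(m.group(1))
            findings.append(item)
            break
    return findings


if __name__ == "__main__":
    for f in inventory_secrets(SAMPLE_CONFIG):
        print(f)
```

Run against a real dump, the output is the rotation list for the response: every type 7 value is effectively clear text, an RW community string is a config-copy capability on its own, and the type 5 hash is left for offline cracking estimates rather than decoded.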

Microsoft Sentinel / Defender
```kusto
// Detect network device configuration dump via SNMP, Smart Install (SMI), and TFTP
// PREREQUISITES: Network devices must forward syslog to a Sentinel-connected syslog collector;
// perimeter firewall logs must be ingested via CommonSecurityLog (CEF format)
//
// Branch 1: Cisco/network device syslog indicating config copy, archive, or SMI events.
// "copy ..." commands only reach syslog when command accounting or config logging is enabled
// on the device. SNMP-3-AUTHFAIL is a community-string guessing precursor, not a dump itself,
// so it is carried as its own flag for triage rather than treated as a config copy.
let ConfigDumpSyslog = Syslog
| where TimeGenerated > ago(24h)
| where SyslogMessage has_any (
    "copy running-config", "copy startup-config", "copy nvram:",
    "ARCHIVE-5-CONFIG_LOG_CNFG_CMD", "SYS-5-CONFIG_I", "CONFIG_LOG_CNFG_CMD",
    "Smart Install", "vstack", "SMI_CLIENT", "SMI-5-",
    "tftp://", "ftp://", "scp://",
    "SNMP-3-AUTHFAIL"
  )
| extend ConfigCopyDetected = SyslogMessage has_any ("copy running-config", "copy startup-config", "copy nvram:")
| extend SMIDetected = SyslogMessage has_any ("Smart Install", "vstack", "SMI_CLIENT", "SMI-5-")
| extend RemoteTransferDetected = SyslogMessage has_any ("tftp://", "ftp://", "scp://")
// Same terms as the filter above: has_any matches whole terms, so a truncated prefix is unreliable
| extend ArchiveDetected = SyslogMessage has_any ("ARCHIVE-5-CONFIG_LOG_CNFG_CMD", "CONFIG_LOG_CNFG_CMD", "SYS-5-CONFIG_I")
| extend SNMPAuthFailure = SyslogMessage has "SNMP-3-AUTHFAIL"
| project TimeGenerated, HostName, HostIP, Facility, SeverityLevel, SyslogMessage,
          ConfigCopyDetected, SMIDetected, RemoteTransferDetected, ArchiveDetected, SNMPAuthFailure;
// Branch 2: Smart Install (SMI) connections on TCP/4786. SMI has no authentication, so any
// connection from a host other than the provisioning director is a direct exploitation vector.
let SMIConnections = CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DestinationPort == 4786
| where Protocol in~ ("TCP", "6")   // vendors log the protocol as a name or as the IANA number
| extend ConfigCopyDetected = false, SMIDetected = true, RemoteTransferDetected = false,
         ArchiveDetected = false, SNMPAuthFailure = false
| project TimeGenerated,
          HostName = DeviceName,
          HostIP = DestinationIP,
          Facility = "",        // Syslog.Facility and Syslog.SeverityLevel are strings, so "" keeps the union schema-compatible
          SeverityLevel = "",
          SyslogMessage = strcat("Smart Install TCP/4786 connection: ", SourceIP, " -> ", DestinationIP),
          ConfigCopyDetected, SMIDetected, RemoteTransferDetected, ArchiveDetected, SNMPAuthFailure;
// Branch 3: TFTP transfers involving configuration file keywords (device-initiated config exfil).
// Caveat: only the initial RRQ/WRQ is sent to UDP/69; the data blocks use ephemeral ports on both
// ends, and the filename is visible only if the firewall records the request payload in Message.
let TFTPConfigTransfers = CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DestinationPort == 69 or SourcePort == 69
| where Message has_any ("running-config", "startup-config", "nvram", ".cfg", "config")
| extend ConfigCopyDetected = false, SMIDetected = false, RemoteTransferDetected = true,
         ArchiveDetected = false, SNMPAuthFailure = false
| project TimeGenerated,
          HostName = DeviceName,
          HostIP = DestinationIP,
          Facility = "",
          SeverityLevel = "",
          SyslogMessage = strcat("TFTP config transfer: ", SourceIP, ":", tostring(SourcePort), " -> ", DestinationIP, ":", tostring(DestinationPort), " | ", Message),
          ConfigCopyDetected, SMIDetected, RemoteTransferDetected, ArchiveDetected, SNMPAuthFailure;
union ConfigDumpSyslog, SMIConnections, TFTPConfigTransfers
| sort by TimeGenerated desc
```

Severity: High | Confidence: Medium

Data Sources

  • Network: Network Traffic
  • Network: Network Device Configuration
  • Network Traffic: Network Traffic Flow

Required Tables

  • Syslog
  • CommonSecurityLog

False Positives

  • Legitimate network administrators or NOC staff running scheduled configuration backups via TFTP or SNMP using tools such as RANCID, Oxidized, or SolarWinds Network Configuration Manager — these will trigger config copy syslog events and TFTP transfers from authorized NMS hosts
  • Network management platforms (SolarWinds, PRTG, Cisco Prime Infrastructure, Ansible AWX) performing routine SNMP polls and automated configuration archiving during defined maintenance windows
  • Cisco Smart Install legitimately configured for Zero-Touch Provisioning (ZTP) in branch office or retail deployments where new switches bootstrap from a director — any SMI traffic from the provisioning server to device subnets is expected
  • Security scanners and network auditing tools (Nessus, Qualys, Rapid7 InsightVM) performing scheduled SNMP enumeration as part of vulnerability assessments; they generate SNMP-3-AUTHFAIL events when they probe default community strings or strings that have since been rotated
  • Disaster recovery drills or network operations testing where engineers explicitly copy running configurations to test TFTP servers as part of backup validation procedures
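
To show the three branches of the query above and the allowlist tuning that the false-positive list implies in one runnable piece, here is an added Python example (not the page's own query and not any vendor's tool) that applies the same keyword logic to constructed syslog and CEF lines and marks events whose remote side is an authorized NMS host. The hostnames, addresses, message texts and the CEF vendor/product are assumptions made for the example; the CEF parser ignores escaped pipes and equals signs.

```python
import re
from dataclasses import dataclass

# Keyword sets mirroring the query's five flags (case-insensitive substring match here; KQL has_any is term-based)
CONFIG_COPY = ("copy running-config", "copy startup-config", "copy nvram:")
SMI_TERMS = ("smart install", "vstack", "smi_client", "smi-5-")
REMOTE_XFER = ("tftp://", "ftp://", "scp://")
ARCHIVE = ("archive-5-config_log_cnfg_cmd", "config_log_cnfg_cmd", "sys-5-config_i")
TFTP_FILE_TERMS = ("running-config", "startup-config", "nvram", ".cfg", "config")

# Hypothetical authorized NMS / backup / ZTP director host (the allowlist the false-positive list calls for)
AUTHORIZED_NMS = {"10.0.5.20"}

# Constructed syslog samples (host, host_ip, message); not from any real device
SYSLOG_SAMPLES = [
    ("rtr-edge-01", "10.0.0.1", "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.5.20)"),
    ("rtr-edge-01", "10.0.0.1", "copy running-config tftp://198.51.100.7/rtr-edge-01.cfg"),
    ("sw-core-02", "10.0.0.2", "copy running-config tftp://10.0.5.20/sw-core-02.cfg"),
    ("sw-access-07", "10.0.0.7", "%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 198.51.100.7"),
    ("sw-access-07", "10.0.0.7", "%LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up"),
]
# Constructed CEF firewall samples (fictional vendor/product)
CEF_SAMPLES = [
    "CEF:0|ExampleVendor|NGFW|1.0|100|Allowed connection|3|src=198.51.100.7 spt=51234 dst=10.0.0.7 dpt=4786 proto=TCP",
    "CEF:0|ExampleVendor|NGFW|1.0|100|Allowed connection|3|src=10.0.5.20 spt=40000 dst=10.0.0.9 dpt=4786 proto=TCP",
    "CEF:0|ExampleVendor|NGFW|1.0|101|TFTP write request|3|src=10.0.0.1 spt=60001 dst=198.51.100.7 dpt=69 proto=UDP msg=WRQ rtr-edge-01-running-config",
    "CEF:0|ExampleVendor|NGFW|1.0|100|Allowed connection|3|src=203.0.113.5 spt=443 dst=10.0.0.1 dpt=55000 proto=TCP",
]

@dataclass
class Finding:
    source: str        # "syslog" or "cef"
    host: str
    host_ip: str
    peer_ip: str       # the non-device side of the transfer/connection; "" if unknown
    message: str
    config_copy: bool = False
    smi: bool = False
    remote_transfer: bool = False
    archive: bool = False
    snmp_authfail: bool = False
    authorized_peer: bool = False

def _has_any(msg, needles):
    low = msg.lower()
    return any(n in low for n in needles)

PEER_RE = re.compile(r"(?:(?:tftp|ftp|scp)://|from host )([^/\s]+)")  # transfer target or SNMP requester

def classify_syslog(host, host_ip, msg):
    """Branch 1: flag a syslog line; return None when no keyword matches."""
    f = Finding("syslog", host, host_ip, "", msg,
                config_copy=_has_any(msg, CONFIG_COPY), smi=_has_any(msg, SMI_TERMS),
                remote_transfer=_has_any(msg, REMOTE_XFER), archive=_has_any(msg, ARCHIVE),
                snmp_authfail="snmp-3-authfail" in msg.lower())
    if not any((f.config_copy, f.smi, f.remote_transfer, f.archive, f.snmp_authfail)):
        return None
    m = PEER_RE.search(msg)
    f.peer_ip = m.group(1) if m else ""
    return f

CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_cef(line):
    """Split a CEF line into its seven header fields and an extension dict (no escape handling)."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    return parts[:7], dict(CEF_EXT_RE.findall(parts[7]))

def classify_cef(line):
    """Branches 2 and 3: SMI on TCP/4786, or a TFTP request carrying a config-like filename."""
    hdr, ext = parse_cef(line)
    src, dst = ext.get("src", ""), ext.get("dst", "")
    spt, dpt = int(ext.get("spt", 0)), int(ext.get("dpt", 0))
    proto = ext.get("proto", "").upper()
    device = hdr[2]  # product name stands in for DeviceName in this example
    if dpt == 4786 and proto in ("TCP", "6"):
        return Finding("cef", device, dst, src, f"Smart Install TCP/4786 connection: {src} -> {dst}", smi=True)
    if 69 in (spt, dpt) and _has_any(ext.get("msg", ""), TFTP_FILE_TERMS):
        server, client = (dst, src) if dpt == 69 else (src, dst)  # the port-69 side is the TFTP server
        return Finding("cef", device, client, server,
                       f"TFTP config transfer: {src}:{spt} -> {dst}:{dpt} | {ext.get('msg', '')}",
                       remote_transfer=True)
    return None

def run_detection(syslog_samples, cef_lines, authorized_nms):
    """Union of the three branches; the allowlist is applied as a flag, never as a silent drop."""
    findings = [f for f in (classify_syslog(*s) for s in syslog_samples) if f]
    findings += [f for f in map(classify_cef, cef_lines) if f]
    for f in findings:
        f.authorized_peer = f.peer_ip in authorized_nms
    return findings

if __name__ == "__main__":
    for f in run_detection(SYSLOG_SAMPLES, CEF_SAMPLES, AUTHORIZED_NMS):
        print("ALLOWLISTED" if f.authorized_peer else "REVIEW", f.source, f.host, f.peer_ip or "-", f.message)
```

Events involving the allowlisted host still surface, only marked ALLOWLISTED, because an attacker who compromises the backup or provisioning server inherits its allowlisting; suppress them outright only once that host's own integrity is monitored. The SYS-5-CONFIG_I line lands in REVIEW with no peer at all, which is the noisiest case in practice and the one to correlate with change tickets rather than drop.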
