T1602.002 Splunk · SPL

Detect Network Device Configuration Dump in Splunk

Adversaries may access network configuration files to collect sensitive data about network devices and infrastructure topology. Configuration files contain parameters defining device operation, including routing tables, access control lists, VPN pre-shared keys, SNMP community strings, BGP/OSPF authentication keys, and administrative credentials. Adversaries leverage management protocols such as SNMP (Simple Network Management Protocol) and Cisco's unauthenticated Smart Install (SMI) protocol to access or trigger export of these configurations to attacker-controlled servers via TFTP, FTP, or SCP. The Chinese state-sponsored group Salt Typhoon has actively used this technique to acquire credentials by dumping network device configurations. US-CERT Advisory TA18-106A specifically documents large-scale exploitation of SNMP and SMI to exfiltrate Cisco IOS running configurations from internet-facing routers.

MITRE ATT&CK

Tactic: Collection
Technique: T1602 Data from Configuration Repository
Sub-technique: T1602.002 Network Device Configuration Dump
Canonical reference: https://attack.mitre.org/techniques/T1602/002/

SPL Detection Query

Splunk (SPL)

```spl
(index=network OR index=syslog OR index=main)
(
  sourcetype="cisco:ios"
  OR sourcetype="cisco:ios:syslog"
  OR sourcetype="cisco:asa"
  OR sourcetype="cisco:nexus"
  OR sourcetype="juniper"
  OR sourcetype="juniper:junos:syslog"
  OR sourcetype="fortigate_event"
  OR sourcetype=syslog
)
(
  "copy running-config" OR "copy startup-config" OR "copy nvram:"
  OR "ARCHIVE-5-CONFIG" OR "SYS-5-CONFIG_I" OR "CONFIG_LOG_CNFG_CMD"
  OR "Smart Install" OR "SMI_CLIENT" OR "vstack"
  OR "tftp://" OR "ftp://" OR "scp://"
  OR "SNMP-3-AUTHFAIL"
)
| eval ConfigCopy=if(match(_raw, "copy (running|startup)-config|copy nvram:"), 1, 0)
| eval SMIActivity=if(match(_raw, "Smart Install|SMI_CLIENT|SMI-5|vstack"), 1, 0)
| eval RemoteTransfer=if(match(_raw, "tftp://|ftp://|scp://"), 1, 0)
| eval ArchiveOperation=if(match(_raw, "ARCHIVE-5-CONFIG|CONFIG_LOG_CNFG_CMD|SYS-5-CONFIG_I"), 1, 0)
| eval SNMPAuthFail=if(match(_raw, "SNMP-3-AUTHFAIL"), 1, 0)
| eval SuspicionScore=ConfigCopy + SMIActivity + RemoteTransfer + ArchiveOperation + SNMPAuthFail
| where SuspicionScore > 0
| table _time, host, src_ip, dest_ip, sourcetype, ConfigCopy, SMIActivity, RemoteTransfer, ArchiveOperation, SNMPAuthFail, SuspicionScore, _raw
| sort -SuspicionScore, -_time
```

Severity: high · Confidence: medium

Detects network device configuration dump activity using Cisco IOS, Juniper JunOS, and generic syslog sourcetypes. Evaluates five behavioral indicators: (1) config copy commands targeting running-config/startup-config, (2) Smart Install client activity, (3) remote file transfer protocols (tftp/ftp/scp) indicating config exfiltration, (4) IOS archive and config logging events (SYS-5-CONFIG_I, ARCHIVE-5-CONFIG_LOG_CNFG_CMD), and (5) SNMP authentication failures indicating community string brute forcing as a precursor. Assigns a cumulative suspicion score for analyst prioritization. A score of 2+ from a single event indicates high-confidence malicious activity (e.g., SMI + remote transfer, or config copy + TFTP destination). Requires network devices to forward syslog to Splunk.
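As an added example (not part of this page's rule content), the Python below reimplements the five indicator tests and the cumulative score of the SPL query over a handful of constructed Cisco IOS syslog lines, so the flags and the resulting ranking can be checked offline before the rule is deployed. The host names, user names and IP addresses in the sample lines are made up; the regular expressions are copied from the query's match() clauses.

```python
import re
from dataclasses import dataclass

# Indicator regexes mirror the eval/match() clauses of the SPL query above.
INDICATORS = {
    "ConfigCopy": re.compile(r"copy (running|startup)-config|copy nvram:"),
    "SMIActivity": re.compile(r"Smart Install|SMI_CLIENT|SMI-5|vstack"),
    "RemoteTransfer": re.compile(r"tftp://|ftp://|scp://"),
    "ArchiveOperation": re.compile(r"ARCHIVE-5-CONFIG|CONFIG_LOG_CNFG_CMD|SYS-5-CONFIG_I"),
    "SNMPAuthFail": re.compile(r"SNMP-3-AUTHFAIL"),
}


@dataclass
class ScoredEvent:
    raw: str
    flags: dict
    score: int


def score_event(raw: str) -> ScoredEvent:
    """Apply every indicator to the raw line, as the SPL evals do, and sum the hits."""
    flags = {name: int(bool(rx.search(raw))) for name, rx in INDICATORS.items()}
    return ScoredEvent(raw=raw, flags=flags, score=sum(flags.values()))


def triage(lines, min_score=1):
    """Keep events with score >= min_score, highest score first (| where ... | sort -SuspicionScore)."""
    hits = [e for e in (score_event(line) for line in lines) if e.score >= min_score]
    hits.sort(key=lambda e: e.score, reverse=True)  # stable sort keeps input order within a score
    return hits


# Constructed sample syslog lines (not real captures); devices, users and IPs are made up.
SAMPLE_EVENTS = [
    # config copy to a TFTP URL: ConfigCopy + RemoteTransfer -> score 2
    "Mar  3 02:14:07 edge-rtr-01 901: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup logged command:"
    "copy running-config tftp://192.168.100.10/stolen-config.cfg",
    # config-mode entry: ArchiveOperation -> score 1
    "Mar  3 02:14:09 edge-rtr-01 902: %SYS-5-CONFIG_I: Configured from console by svc_backup on vty0 (10.20.30.40)",
    # bad community string: SNMPAuthFail -> score 1
    "Mar  3 02:15:31 edge-rtr-01 903: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.20.30.40",
    # an admin disabling Smart Install still trips SMIActivity -> score 1 (tuning candidate)
    "Mar  3 02:16:02 dist-sw-07 117: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops logged command:no vstack",
    # unrelated interface event -> score 0, dropped by triage()
    "Mar  3 02:17:45 edge-rtr-01 904: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up",
]

if __name__ == "__main__":
    for event in triage(SAMPLE_EVENTS):
        on = [name for name, hit in event.flags.items() if hit]
        print(f"score={event.score} {'+'.join(on):<30} {event.raw[:80]}")
```

Running the block ranks the copy-to-TFTP line first with a score of 2, exactly the "config copy + TFTP destination" combination the description calls high confidence, while the `no vstack` line shows why a lone SMIActivity hit deserves a look at the logged command before it is escalated.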

Data Sources

  • Network: Network Traffic
  • Network: Network Device Configuration
  • Syslog: Cisco IOS
  • Syslog: Juniper JunOS

Required Sourcetypes

  • cisco:ios
  • cisco:ios:syslog
  • syslog

False Positives & Tuning

  • Legitimate network administrators or NOC staff running scheduled configuration backups via TFTP or SNMP using tools such as RANCID, Oxidized, or SolarWinds Network Configuration Manager — these will trigger config copy syslog events and TFTP transfers from authorized NMS hosts
  • Network management platforms (SolarWinds, PRTG, Cisco Prime Infrastructure, Ansible AWX) performing routine SNMP polls and automated configuration archiving during defined maintenance windows
  • Cisco Smart Install legitimately configured for Zero-Touch Provisioning (ZTP) in branch office or retail deployments where new switches bootstrap from a director — any SMI traffic from the provisioning server to device subnets is expected
  • Security scanners and network auditing tools (Nessus, Qualys, Rapid7 InsightVM) performing scheduled SNMP enumeration as part of vulnerability assessments, generating SNMP-3-AUTHFAIL events if community strings have been rotated
  • Disaster recovery drills or network operations testing where engineers explicitly copy running configurations to test TFTP servers as part of backup validation procedures

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: SNMP Enumeration of Network Device Configuration OIDs

    Expected signal: Network device syslog: %SNMP-3-AUTHFAIL events for each failed community string attempt, logged to the syslog collector. NetFlow records: UDP/161 SNMP request/response flows from the testing host to the device. If the Splunk Stream SNMP decoder is deployed, pdu_type=getNextRequest and getBulkRequest events from the source IP are visible. If the 'private' community string is not configured, the third command generates an additional AUTHFAIL.

  2. Test 2: Cisco Config Copy via SNMP SET (CISCO-CONFIG-COPY-MIB)

    Expected signal: Cisco IOS syslog: %SYS-5-CONFIG_I or %ARCHIVE-5-CONFIG_LOG_CNFG_CMD events logged with the TFTP server IP. The TFTP transfer from 192.168.1.1 (the device) to 192.168.100.10 (test TFTP server) appears in NetFlow; note that the transfer is device-initiated. The running configuration file (stolen-config.cfg) appears on the TFTP server containing plaintext or type-7 encoded passwords, SNMP community strings, routing keys, and the full topology.

  3. Test 3: Cisco Smart Install (SMI) Port Discovery and Exploitation Check

    Expected signal: Firewall logs (CommonSecurityLog): multiple TCP SYN packets from the scanning host to destination port 4786 across the /24 subnet, visible as high-volume short-lived connections. The network device may log SMI connection attempts in IOS syslog if SMI is enabled and the connection reaches the device. The Nmap version probe for TCP/4786 may trigger network IDS signatures.

  4. Test 4: SNMP Community String Brute Force with onesixtyone

    Expected signal: Cisco IOS syslog: multiple %SNMP-3-AUTHFAIL messages from the scanning host IP, one per failed community string attempt, up to 11 events for the wordlist above. These appear in the Syslog table in Sentinel and under the cisco:ios sourcetype in Splunk. NetFlow: rapid UDP/161 request-response pairs from scanner to device. SNMP trap receiver: authentication failure traps (snmpTrapEnterprise OID .1.3.6.1.6.3.18.1.4.0) sent to configured trap destinations identifying the scanner's IP.
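The SPL rule scores every %SNMP-3-AUTHFAIL event as 1, so the burst produced by Test 4 and a single mistyped community string from an NMS host look identical per event. As an added example, not from this page or from Atomic Red Team, the Python below parses the source host out of constructed AUTHFAIL lines and keeps a per-device, per-source sliding window, reporting only sources that reach a threshold inside the window. The message text follows the standard IOS format 'Authentication failure for SNMP req from host <ip>'; the lines are assumed to arrive in chronological order, and the 60-second window and threshold of 5 are assumed starting values to tune against the scanners and NMS hosts listed under False Positives.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Standard IOS syslog prefix followed by the AUTHFAIL message text.
AUTHFAIL_RX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<device>\S+) .*?"
    r"%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host (?P<src>\S+)"
)


def parse_authfail(line):
    """Return (timestamp, device, source_ip) for an AUTHFAIL line, or None for anything else."""
    m = AUTHFAIL_RX.search(line)
    if not m:
        return None
    # IOS timestamps carry no year; strptime defaults to 1900, which is fine for deltas.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["device"], m["src"]


def authfail_bursts(lines, window_seconds=60, threshold=5):
    """Sliding-window count of AUTHFAIL per (device, source); alert once per pair on reaching threshold."""
    windows = defaultdict(deque)
    alerts = {}
    for line in lines:
        parsed = parse_authfail(line)
        if parsed is None:
            continue
        ts, device, src = parsed
        q = windows[(device, src)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold and (device, src) not in alerts:
            alerts[(device, src)] = {"first_seen": q[0], "alert_at": ts, "count_at_alert": len(q)}
    return alerts


# Constructed sample lines (not real captures); device name and IPs are made up.
# 10.9.9.9 fails twice, ten minutes apart (a scanner with a rotated string);
# 10.20.30.40 fails six times in ten seconds (a wordlist run).
SAMPLE_LINES = [
    "Mar  3 02:10:00 edge-rtr-01 890: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.9.9.9",
    "Mar  3 02:15:31 edge-rtr-01 903: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.20.30.40",
    "Mar  3 02:15:33 edge-rtr-01 904: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.20.30.40",
    "Mar  3 02:15:35 edge-rtr-01 905: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.20.30.40",
    "Mar  3 02:15:37 edge-rtr-01 906: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.20.30.40",
    "Mar  3 02:15:39 edge-rtr-01 907: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.20.30.40",
    "Mar  3 02:15:41 edge-rtr-01 908: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.20.30.40",
    "Mar  3 02:17:45 edge-rtr-01 909: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up",
    "Mar  3 02:20:00 edge-rtr-01 910: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.9.9.9",
]

if __name__ == "__main__":
    for (device, src), info in authfail_bursts(SAMPLE_LINES).items():
        print(f"{device}: {info['count_at_alert']} AUTHFAIL from {src} within "
              f"{(info['alert_at'] - info['first_seen']).seconds}s, first at {info['first_seen']:%H:%M:%S}")
```

Only 10.20.30.40 is reported, on its fifth failure eight seconds after the first; the two failures from 10.9.9.9 never share a window. The same grouping is what a Splunk `bin _time span=1m | stats count by host, src` over SNMPAuthFail=1 events would give, and the threshold is the knob to raise for hosts that appear on the scanner allowlist.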
