Detect Data from Configuration Repository in Splunk
This detection identifies adversaries targeting network device configuration repositories to collect sensitive system administration data. Attackers exploit SNMP (Simple Network Management Protocol) community strings to perform MIB (Management Information Base) dumps, use TFTP/SCP/FTP to retrieve running or startup configurations from routers, switches, and firewalls, or abuse network management platforms (NMS) such as SolarWinds, PRTG, or Cisco DNA Center. Detection focuses on anomalous SNMP bulk-walk queries originating from non-management hosts, unexpected TFTP transfers from network infrastructure devices, unusual authentication events against network management systems, and high-volume SNMP OID enumeration patterns indicative of automated reconnaissance tools.
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1602 Data from Configuration Repository
- Canonical reference
- https://attack.mitre.org/techniques/T1602/
SPL Detection Query
index=* (sourcetype=syslog OR sourcetype="cisco:ios" OR sourcetype="cisco:asa" OR sourcetype="juniper:junos" OR sourcetype=netscreen)
| eval hour=strftime(_time, "%H"), day_of_week=strftime(_time, "%w")
| rex field=_raw "(?i)(snmp|community|tftp|config|MIB|OID|bulk|walk)"
(* Detect SNMP community string usage from unexpected hosts *)
| eval is_snmp_event=if(match(_raw, "(?i)SNMP.*community|community.*string.*accepted|SNMP.*authentication.*failure"), 1, 0)
(* Detect TFTP config transfers *)
| eval is_tftp_event=if(match(_raw, "(?i)tftp.*sent|tftp.*received|config.*transfer|TFTP.*\.(cfg|conf|confg)"), 1, 0)
(* Detect config archive access *)
| eval is_config_access=if(match(_raw, "(?i)archive.*config|show.*running|copy.*running|startup.*config.*tftp"), 1, 0)
| eval snmp_community=if(match(_raw, "(?i)community[\s=:]+([\w!@#$%^&*]+)"), 1, 0)
| eval score=0
| eval score=score + if(is_snmp_event=1, 30, 0)
| eval score=score + if(is_tftp_event=1, 40, 0)
| eval score=score + if(is_config_access=1, 35, 0)
| eval score=score + if(hour < 6 OR hour > 22, 20, 0)
| eval score=score + if(day_of_week=0 OR day_of_week=6, 15, 0)
| where score >= 30
| eval risk_level=case(score >= 70, "CRITICAL", score >= 50, "HIGH", score >= 30, "MEDIUM", true(), "LOW")
| rex field=_raw "(?i)(?:from|src[\s=]+|source[\s=]+)(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| stats count as event_count, max(score) as max_score, max(risk_level) as risk_level,
values(sourcetype) as sourcetypes, values(host) as affected_devices,
values(src_ip) as source_ips,
sum(is_snmp_event) as snmp_events,
sum(is_tftp_event) as tftp_events,
sum(is_config_access) as config_access_events
by bin(_time, 15m)
| where max_score >= 30
| sort - max_score
| table _time, affected_devices, source_ips, event_count, max_score, risk_level, snmp_events, tftp_events, config_access_events, sourcetypesDetects configuration repository access patterns in network device syslogs including SNMP community string usage, TFTP configuration file transfers, and unauthorized 'copy running-config' or archive access commands. Applies risk scoring with time-of-day and day-of-week weighting to surface anomalous access patterns from network device logs shipped to Splunk.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Authorized NMS polling (SolarWinds, PRTG, LibreNMS) generating continuous SNMP community string authentication events on a regular schedule
- Scheduled backup jobs using TFTP or SCP to archive device configurations nightly — these will score high on TFTP + config_access combined
- NOC/helpdesk staff running 'show running-config' commands during troubleshooting activities logged by device AAA/TACACS
- Vendor maintenance windows where upstream equipment receives configuration pushes and generates TFTP traffic
Other platforms for T1602
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1SNMP MIB Bulk Walk Using snmpwalk
Expected signal: Linux process exec events showing snmpwalk/snmptable with -v2c flag and community string argument. DeviceProcessEvents (if MDE Linux agent deployed) or auditd exec logs. Network flow telemetry showing UDP/161 traffic to target IP.
- Test 2Network Device Configuration Dump via TFTP
Expected signal: DeviceNetworkEvents showing UDP/69 connection. DeviceProcessEvents showing tftp.exe execution with remote host IP argument. Windows Security Event 5156 (Windows Filtering Platform permitted connection) for TFTP traffic. TFTP server access logs showing GET request for config file.
- Test 3SNMP Community String Brute Force with onesixtyone
Expected signal: High-volume UDP/161 packets from single source IP visible in NetFlow/IPFIX or network TAP data. Network device syslog SNMP-3-AUTHFAIL entries for failed community strings. DeviceNetworkEvents if source host has MDE agent showing rapid UDP connections to port 161 across multiple destinations.
References (8)
- https://attack.mitre.org/techniques/T1602/
- https://attack.mitre.org/techniques/T1602/001/
- https://attack.mitre.org/techniques/T1602/002/
- https://us-cert.cisa.gov/ncas/alerts/TA18-106A
- https://us-cert.cisa.gov/ncas/alerts/TA17-156A
- https://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/command/reference/ffun_r/frf003.html
- https://www.rfc-editor.org/rfc/rfc3411
- https://www.ncsc.gov.uk/guidance/network-device-hardening
Unlock Pro Content
Get the full detection package for T1602 including response playbook, investigation guide, and atomic red team tests.