title: SNMP (MIB Dump) (T1602.001)
id: df00tech-t1602-001
status: experimental
description: "Adversaries may target the Management Information Base (MIB) to collect and mine valuable information from networks managed via Simple Network Management Protocol (SNMP). The MIB stores configuration variables accessible via object identifiers (OIDs), including system descriptions, hardware inventories, running configurations, routing tables, ARP caches, and interface details. Adversaries exploit SNMPv1/v2c's weak community-string authentication—using default strings such as 'public' and 'private'—to conduct bulk MIB walks against routers, switches, firewalls, and other managed devices, building detailed network maps that facilitate subsequent targeted exploitation. This technique was prominently documented in US-CERT alert TA18-106A describing APT actors targeting legacy Cisco infrastructure via SNMP to extract device configurations and network topology prior to destructive operations."
references:
  - https://attack.mitre.org/techniques/T1602/001/
  - https://df00tech.com/detections/T1602.001
author: df00tech
date: 2026/03/13
tags:
  - attack.t1602.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate network management platforms (SolarWinds Orion, PRTG, Nagios, Zabbix, LibreNMS) polling network devices via SNMP on UDP/161 for availability and performance monitoring — these generate high-volume, regular-interval SNMP traffic from known management server IPs"
  - "Network engineers manually running snmpwalk or snmpget to troubleshoot device configurations, verify SNMP community string setup, or validate OID responses during maintenance windows"
  - "Automated asset discovery tools (Nmap with snmp-info scripts, OpenNMS, Netdisco) performing scheduled network inventory scans that enumerate SNMP-capable devices"
  - "Authorized security assessments and vulnerability scans using SNMP enumeration modules (Metasploit auxiliary/scanner/snmp/snmp_enum, Nessus SNMP scanner, Qualys) during penetration testing engagements"
  - "IT operations runbooks where admins use snmpbulkwalk to baseline device configurations before and after maintenance changes"
level: high
