title: Network Device Configuration Dump (T1602.002)
id: df00tech-t1602-002
status: experimental
description: "Adversaries may access network configuration files to collect sensitive data about network devices and infrastructure topology. Configuration files contain parameters defining device operation, including routing tables, access control lists, VPN pre-shared keys, SNMP community strings, BGP/OSPF authentication keys, and administrative credentials. Adversaries leverage management protocols such as SNMP (Simple Network Management Protocol) and Cisco's unauthenticated Smart Install (SMI) protocol to access or trigger export of these configurations to attacker-controlled servers via TFTP, FTP, or SCP. The Chinese state-sponsored group Salt Typhoon has actively used this technique to acquire credentials by dumping network device configurations. US-CERT Advisory TA18-106A specifically documents large-scale exploitation of SNMP and SMI to exfiltrate Cisco IOS running configurations from internet-facing routers."
references:
  - https://attack.mitre.org/techniques/T1602/002/
  - https://df00tech.com/detections/T1602.002
author: df00tech
date: 2026/03/13
tags:
  - attack.t1602.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate network administrators or NOC staff running scheduled configuration backups via TFTP or SNMP using tools such as RANCID, Oxidized, or SolarWinds Network Configuration Manager — these will trigger config copy syslog events and TFTP transfers from authorized NMS hosts"
  - "Network management platforms (SolarWinds, PRTG, Cisco Prime Infrastructure, Ansible AWX) performing routine SNMP polls and automated configuration archiving during defined maintenance windows"
  - "Cisco Smart Install legitimately configured for Zero-Touch Provisioning (ZTP) in branch office or retail deployments where new switches bootstrap from a director — any SMI traffic from the provisioning server to device subnets is expected"
  - "Security scanners and network auditing tools (Nessus, Qualys, Rapid7 InsightVM) performing scheduled SNMP enumeration as part of vulnerability assessments, generating SNMP-3-AUTHFAIL events if community strings have been rotated"
  - "Disaster recovery drills or network operations testing where engineers explicitly copy running configurations to test TFTP servers as part of backup validation procedures"
level: high
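
The description names the three paths a configuration export takes (SNMP or Smart Install toward the device, TFTP out of it) and the false-positive list names the hosts that are allowed to use them. As an added illustration that is not part of the df00tech rule, the Python below applies that allowlist logic to constructed flow records; the NMS, director and subnet addresses are hypothetical, while UDP/161 (SNMP), UDP/69 (TFTP) and TCP/4786 (Smart Install) are the protocols' standard ports.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed (hypothetical) inventory; replace with your own CMDB/NMS data.
AUTHORIZED_NMS = {"10.10.0.5", "10.10.0.6"}   # RANCID/Oxidized/NCM backup hosts
SMI_DIRECTORS = {"10.10.0.7"}                 # Smart Install (ZTP) director
DEVICE_NETS = [ip_network("10.20.0.0/24")]    # router/switch management subnet
# Standard ports of the management protocols the description names.
SERVICES = {(69, "udp"): "TFTP", (161, "udp"): "SNMP", (4786, "tcp"): "Smart Install"}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str

def is_device(ip: str) -> bool:
    return any(ip_address(ip) in net for net in DEVICE_NETS)

def classify(flow: Flow):
    """Alert on TFTP from a device to a non-NMS host, or on SNMP / Smart Install
    reaching a device from anything but the authorized NMS / ZTP director."""
    svc = SERVICES.get((flow.dport, flow.proto))
    if svc == "TFTP" and is_device(flow.src) and flow.dst not in AUTHORIZED_NMS:
        return f"config export: {flow.src} -> unauthorized TFTP server {flow.dst}"
    if svc == "SNMP" and is_device(flow.dst) and flow.src not in AUTHORIZED_NMS:
        return f"SNMP from non-NMS host {flow.src} -> device {flow.dst}"
    if svc == "Smart Install" and is_device(flow.dst) and flow.src not in SMI_DIRECTORS:
        return f"Smart Install from non-director host {flow.src} -> device {flow.dst}"
    return None

def scan(flows):
    return [a for a in map(classify, flows) if a]

# Constructed sample flows: three benign (matching the false-positive list), three suspicious.
SAMPLE_FLOWS = [
    Flow("10.10.0.5", "10.20.0.1", 161, "udp"),    # scheduled SNMP poll from the NMS
    Flow("10.20.0.1", "10.10.0.5", 69, "udp"),     # backup copy to the RANCID host
    Flow("10.10.0.7", "10.20.0.2", 4786, "tcp"),   # ZTP director bootstrapping a switch
    Flow("203.0.113.9", "10.20.0.1", 161, "udp"),  # SNMP from an unknown external host
    Flow("10.20.0.1", "203.0.113.9", 69, "udp"),   # config pushed to an unknown TFTP server
    Flow("10.20.0.3", "10.20.0.2", 4786, "tcp"),   # SMI from a peer on the device subnet
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)
```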
