title: Data from Configuration Repository (T1602)
id: df00tech-t1602
status: experimental
description: "This detection identifies adversaries targeting network device configuration repositories to collect sensitive system administration data. Attackers exploit SNMP (Simple Network Management Protocol) community strings to perform MIB (Management Information Base) dumps, use TFTP/SCP/FTP to retrieve running or startup configurations from routers, switches, and firewalls, or abuse network management platforms (NMS) such as SolarWinds, PRTG, or Cisco DNA Center. Detection focuses on anomalous SNMP bulk-walk queries originating from non-management hosts, unexpected TFTP transfers from network infrastructure devices, unusual authentication events against network management systems, and high-volume SNMP OID enumeration patterns indicative of automated reconnaissance tools."
references:
  - https://attack.mitre.org/techniques/T1602/
  - https://df00tech.com/detections/T1602
author: df00tech
date: 2026/03/20
tags:
  - attack.t1602
# NOTE: logsource was auto-derived and does not match the telemetry the description relies on (SNMP/TFTP network traffic, NMS authentication logs); adjust it for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder: the detection logic could not be auto-translated, and the selection below matches every event; see the KQL/SPL query on df00tech (https://df00tech.com/detections/T1602) before deploying.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate network management systems (SolarWinds, PRTG, Nagios, Zabbix) performing scheduled SNMP polling of network infrastructure"
  - "IT operations teams running snmpwalk/snmpget during troubleshooting or capacity planning activities"
  - "Authorized TFTP-based network device backup jobs executed by configuration management tools like Oxidized, RANCID, or BackupNinja"
  - "Network monitoring agents and vulnerability scanners (Nessus, Qualys) querying SNMP-enabled devices during credentialed scans"
level: high

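The rule above ships with a placeholder selection, so the detection ideas in its description (bulk SNMP walks from non-management hosts, high-volume OID enumeration, configuration transfers leaving network devices for unexpected destinations) are shown here as a small Python detector run over constructed log records. This is an added example, not df00tech's own logic or query; the host allowlists, the record format, the OID threshold and the window length are all assumptions, and the sample lines are constructed to resemble flow or packet metadata a network sensor might emit.

```python
"""Added example (not df00tech's code): apply the T1602 detection ideas from the
rule description to constructed SNMP/TFTP log records."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed allowlist of authorised NMS / backup collectors (placeholder addresses).
MANAGEMENT_HOSTS = {"10.0.0.10", "10.0.0.11"}
# Assumed set of network infrastructure devices (placeholder addresses).
NETWORK_DEVICES = {"10.1.1.1", "10.1.1.2"}
# Assumed tuning values: OIDs requested by one source within one window.
OID_THRESHOLD = 200
WINDOW_SECONDS = 60


@dataclass
class Event:
    ts: int           # epoch seconds
    src: str          # requesting / sending host
    dst: str          # responding / receiving host
    proto: str        # "snmp" or "tftp"
    op: str           # snmp: get / getnext / getbulk; tftp: rrq / wrq
    oids: int = 0     # number of OIDs requested (snmp only)
    filename: str = ""  # transferred file name (tftp only)


# Constructed sample records: "<ts> <src> <dst> <proto> <op> <oids> <filename|->"
SAMPLE_LOG = [
    "1710000000 10.0.0.10 10.1.1.1 snmp getbulk 50 -",        # scheduled NMS poll
    "1710000001 10.0.0.10 10.1.1.2 snmp getbulk 50 -",        # scheduled NMS poll
    "1710000005 10.2.5.7 10.1.1.1 snmp getbulk 120 -",        # non-management host
    "1710000006 10.2.5.7 10.1.1.1 snmp getbulk 120 -",        # same host, same minute
    "1710000010 10.2.5.7 10.1.1.1 snmp getnext 1 -",
    "1710000020 10.1.1.2 10.2.5.7 tftp wrq 0 running-config",  # device writes config out
    "1710000021 10.1.1.2 10.0.0.11 tftp wrq 0 startup-config", # authorised backup job
    "1710000030 10.3.3.3 10.1.1.2 snmp get 1 -",              # single get: not alerted
]


def parse_line(line: str) -> Event:
    """Parse one constructed record into an Event."""
    ts, src, dst, proto, op, oids, fname = line.split()
    return Event(int(ts), src, dst, proto, op, int(oids), "" if fname == "-" else fname)


def detect(events):
    """Return (rule, src, dst) alerts; each pairing is reported at most once."""
    alerts, seen = [], set()
    oid_counts = defaultdict(int)  # (src, window index) -> OIDs requested so far

    def alert(rule, e):
        key = (rule, e.src, e.dst)
        if key not in seen:
            seen.add(key)
            alerts.append(key)

    for e in events:
        if e.proto == "snmp":
            # Bulk walks are expected only from the management allowlist.
            if e.op == "getbulk" and e.src not in MANAGEMENT_HOSTS:
                alert("snmp_bulkwalk_nonmgmt", e)
            # Count OIDs per source per window; alert once when the threshold is crossed.
            window = (e.src, e.ts // WINDOW_SECONDS)
            before = oid_counts[window]
            oid_counts[window] = before + e.oids
            if before < OID_THRESHOLD <= oid_counts[window]:
                alert("snmp_oid_enumeration", e)
        elif e.proto == "tftp":
            # A device pushing a file to a host outside the allowlist is the
            # "unexpected TFTP transfer from network infrastructure" case.
            if e.src in NETWORK_DEVICES and e.dst not in MANAGEMENT_HOSTS:
                alert("tftp_config_exfil", e)
    return alerts


def run_detection(lines=SAMPLE_LOG):
    """Parse the records and run the detector over them."""
    return detect(parse_line(ln) for ln in lines)


if __name__ == "__main__":
    for rule, src, dst in run_detection():
        print(f"{rule}: {src} -> {dst}")
```

Two design points carry over to a real deployment of this rule: a single `get` from an unlisted host is deliberately not alerted, which keeps the snmpget troubleshooting case from the `falsepositives` list quiet, and the OID counter fires once per window rather than on every packet, so the automated-enumeration case produces one alert instead of a flood.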