diff --git a/detections/network/cisco_ios_xe_guestshell_activation_and_destroy.yml b/detections/network/cisco_ios_xe_guestshell_activation_and_destroy.yml
new file mode 100644
index 0000000000..627d70a8c7
--- /dev/null
+++ b/detections/network/cisco_ios_xe_guestshell_activation_and_destroy.yml
@@ -0,0 +1,102 @@
+name: Cisco IOS XE Guestshell Activation and Destroy
+id: ff82a536-8fde-4963-a801-815826fcdf75
+version: 1
+creation_date: '2026-05-19'
+modification_date: '2026-05-20'
+author: Nasreddine Bencherchali
+status: production
+type: Anomaly
+description: |
+ This analytic detects Cisco IOS-XE guestshell enable activity followed by activation and destroy lifecycle logs.
+ The detection focuses on HA_EM command logging for "guestshell enable" and "guestshell destroy", VMAN activation and destroy messages, and IM/IOX guestshell activation logs observed on some IOS-XE images.
+data_source:
+ - Cisco IOS Logs
+search: |-
+ `cisco_ios`
+ facility IN ("HA_EM", "VMAN", "IM", "AAA")
+ mnemonic IN ("LOG", "ACTIVATION_STATE", "IOX_INST_INFO", "INSTALL_STATE", "AAA_ACCOUNTING_MESSAGE")
+ message_text IN (
+ "*guestshell enable*",
+ "*guestshell destroy*",
+ "*Successfully activated virtual service 'guestshell*",
+ "*IOX SERVICE guestshell*",
+ "*Destroying virtual service 'guestshell*",
+ "*Successfully destroyed virtual service 'guestshell*"
+ )
+ | eval dest=coalesce(host, dvc, dest, "unknown")
+ | eval event_type=case(
+ like(message_text, "%guestshell enable%"), "guestshell_enable_command",
+ like(message_text, "%guestshell destroy%"), "guestshell_destroy_command",
+ like(message_text, "%Successfully activated virtual service 'guestshell%"), "vman_guestshell_activated",
+ like(message_text, "%IOX SERVICE guestshell%"), "im_iox_guestshell_activated",
+ like(message_text, "%Destroying virtual service 'guestshell%"), "vman_guestshell_destroying",
+ like(message_text, "%Successfully destroyed virtual service 'guestshell%"), "vman_guestshell_destroyed",
+ true(), "other"
+ )
+ | bin _time span=30m
+ | stats count min(_time) as firstTime
+ max(_time) as lastTime
+ values(event_type) as event_types
+ values(message_text) as message
+ by _time dest
+ | where
+ (
+ mvfind(event_types, "vman_guestshell_activated") >= 0
+ OR
+ mvfind(event_types, "im_iox_guestshell_activated") >= 0
+ OR
+ mvfind(event_types, "guestshell_enable_command") >= 0
+ )
+ AND
+ (
+ mvfind(event_types, "vman_guestshell_destroying") >= 0
+ OR
+ mvfind(event_types, "vman_guestshell_destroyed") >= 0
+ OR
+ mvfind(event_types, "guestshell_destroy_command") >= 0
+ )
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `cisco_ios_xe_guestshell_activation_and_destroy_filter`
+how_to_implement: |
+ Use the Cisco Catalyst Add-on for Splunk (https://splunkbase.splunk.com/app/7538) to ingest Cisco IOS-XE syslog with sourcetype "cisco:ios".
+ Enable EEM catchall command logging to capture the "guestshell enable" and "guestshell destroy" commands as HA_EM/LOG events.
+known_false_positives: |
+ No false positives have been identified at this time.
+references:
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a
+ - https://blog.talosintelligence.com/salt-typhoon-analysis/
+drilldown_searches:
+ - name: View the detection results for - "$risk_object$"
+ search: '%original_detection_search% | search risk_object = "$risk_object$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for - "$risk_object$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: "0"
+intermediate_findings:
+ entities:
+ - field: dest
+ type: system
+ score: 35
+ message: Cisco IOS-XE device $dest$ had guestshell enabled and destroyed within a short period.
+analytic_story:
+ - Salt Typhoon
+asset_type: Network
+mitre_attack_id:
+ - T1059
+ - T1611
+product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+category: network
+security_domain: network
+tests:
+ - name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/emerging_threats/SaltTyphoon/salttyphoon_cisco.log
+ source: ctb:catalyst:syslog
+ sourcetype: cisco:ios
+ test_type: unit
diff --git a/detections/network/cisco_ios_xe_log_clearing_sequence_with_optional_loopback_removal.yml b/detections/network/cisco_ios_xe_log_clearing_sequence_with_optional_loopback_removal.yml
new file mode 100644
index 0000000000..6a7b02d3fe
--- /dev/null
+++ b/detections/network/cisco_ios_xe_log_clearing_sequence_with_optional_loopback_removal.yml
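Review bot: The `| bin _time span=30m` followed by `stats ... by _time dest` only correlates an activation and a destroy that land in the same fixed 30-minute bucket, so an enable at the end of one bucket and a destroy at the start of the next never pair up, even though they are seconds apart. A sliding window per device, for example `streamstats` over `dest` with `time_window=30m` or `transaction dest maxspan=30m`, would match the "followed by" wording in the description. The same fixed-bucket weakness applies to the 2m bin in cisco_ios_xe_log_clearing_sequence_with_optional_loopback_removal.yml, the 15m bin in cisco_ios_xe_tunnel_interface_configuration.yml and the 1m bin in cisco_ios_xe_vty_access_class_tampering.yml. Separately, the search admits `"AAA"`/`"AAA_ACCOUNTING_MESSAGE"` events while `how_to_implement` only mentions EEM catchall logging; a sentence noting that AAA command accounting is an alternative source would keep the two in step.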
@@ -0,0 +1,90 @@
+name: Cisco IOS XE Log Clearing Sequence With Optional Loopback Removal
+id: e20a6709-5f2c-4508-83fb-b3af6f705717
+version: 1
+creation_date: '2026-05-19'
+modification_date: '2026-05-20'
+author: Nasreddine Bencherchali
+status: production
+type: Anomaly
+description: |
+ This analytic detects Cisco IOS-XE command sequences where show logging, clear logging, and exit occur within a short period.
+ It also detects the pattern where a loopback interface is removed before clearing logs and exiting.
+data_source:
+ - Cisco IOS Logs
+search: |-
+ `cisco_ios`
+ facility IN ("AAA", "HA_EM", "PARSER")
+ mnemonic IN ("AAA_ACCOUNTING_MESSAGE", "LOG", "CFGLOG_LOGGEDCMD")
+ message_text IN ("*show logging*", "*clear logging*", "*exit*", "*no interface Loopback*")
+
+ | eval cmd=lower(coalesce(command, message_text))
+ | eval event_type=case(
+ like(cmd, "%show logging%"), "show_logging",
+ like(cmd, "%clear logging%"), "clear_logging",
+ like(cmd, "%exit%"), "exit",
+ like(cmd, "%no interface loopback%"), "remove_loopback"
+ )
+ | where isnotnull(event_type)
+ | eval dest=coalesce(host, dvc, dest, "unknown")
+ | bin _time span=2m
+ | stats count min(_time) as firstTime
+ max(_time) as lastTime
+ values(event_type) as event_types
+ values(message_text) as message_text
+ values(cmd) as cmd
+ by _time dest
+ | where mvfind(event_types, "clear_logging") >= 0
+ AND
+ mvfind(event_types, "exit") >= 0
+ AND
+ (
+ mvfind(event_types, "show_logging") >= 0
+ OR
+ mvfind(event_types, "remove_loopback") >= 0
+ )
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `cisco_ios_xe_log_clearing_sequence_with_optional_loopback_removal_filter`
+how_to_implement: |
+ Use the Cisco Catalyst Add-on for Splunk (https://splunkbase.splunk.com/app/7538) to Ingest Cisco IOS-XE syslog with sourcetype "cisco:ios".
+ Command visibility requires AAA command accounting, archive/config logging for configuration commands, or EEM catchall logging.
+known_false_positives: |
+ No false positives have been identified at this time.
+references:
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a
+ - https://blog.talosintelligence.com/salt-typhoon-analysis/
+drilldown_searches:
+ - name: View the detection results for - "$risk_object$"
+ search: '%original_detection_search% | search risk_object = "$risk_object$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for - "$risk_object$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: "0"
+intermediate_findings:
+ entities:
+ - field: dest
+ type: system
+ score: 35
+ message: Cisco IOS-XE log clearing sequence was observed on $dest$.
+threat_objects: []
+analytic_story:
+ - Salt Typhoon
+asset_type: Network
+mitre_attack_id:
+ - T1070.001
+ - T1562
+product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+category: network
+security_domain: network
+tests:
+ - name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/emerging_threats/SaltTyphoon/salttyphoon_cisco.log
+ source: ctb:catalyst:syslog
+ sourcetype: cisco:ios
+ test_type: unit
diff --git a/detections/network/cisco_ios_xe_reconnaissance_command_activity.yml b/detections/network/cisco_ios_xe_reconnaissance_command_activity.yml
new file mode 100644
index 0000000000..f158830928
--- /dev/null
+++ b/detections/network/cisco_ios_xe_reconnaissance_command_activity.yml
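Review bot: The seed filter `"*exit*"` and the classifier `like(cmd, "%exit%")` match that substring anywhere in the text, so configuration lines such as `exit-address-family` and any accounting message whose user, source or command text merely contains "exit" are counted as the exit step of the sequence. Because `cmd` falls back to the whole `message_text` (user, source and command in one string), the branch cannot simply be anchored with `^exit$` as written. The reconnaissance and probe-burst detections in this same commit first extract the command with a `rex` pair and then classify the extracted `command`; doing the same here and using `match(command, "^exit$")` would make the exit step precise and keep the three searches consistent. The `known_false_positives` entry should at least mention this substring behaviour until the classifier is tightened.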
@@ -0,0 +1,110 @@
+name: Cisco IOS XE Reconnaissance Command Activity
+id: 71ac5328-2364-40cf-8381-92b8dc531399
+version: 1
+creation_date: '2026-05-19'
+modification_date: '2026-05-20'
+author: Nasreddine Bencherchali
+status: production
+type: Anomaly
+description: |
+ This analytic detects bursts of Cisco IOS or NX-OS discovery commands associated with Salt Typhoon tradecraft.
+data_source:
+ - Cisco IOS Logs
+search: |-
+ `cisco_ios`
+ facility IN ("AAA", "HA_EM")
+ mnemonic IN ("AAA_ACCOUNTING_MESSAGE", "LOG")
+ message_text IN (
+ "*show running-config*",
+ "*show tacacs*",
+ "*show cdp neighbors*",
+ "*show file systems*",
+ "*dir bootflash:*",
+ "*show clock*",
+ "*show platform software status control-processor brief*",
+ "*terminal length 0*",
+ "*terminal width 0*"
+ )
+
+ | rex field=message_text "^\w+:(?[^:@]+)(?:@[^:]*)?:(?[^:]*):(?.*?)(?:\s+\((?SUCCESS|FAILURE)\))?$"
+ | rex field=message_text "^(?:[^:]+:\s+)?(?:catchall:\s+)?(?.+?)\s*$"
+ | eval command=lower(trim(coalesce(aaa_command, eem_command, "")))
+
+ | eval command_type=case(
+ like(command, "show running-config%"), "show_conf",
+ like(command, "show tacacs%"), "show_tacacs",
+ like(command, "show cdp neighbors detail%"), "show_cdp",
+ like(command, "show cdp neighbors%"), "show_cdp",
+ like(command, "show file systems%"), "show_file",
+ like(command, "dir bootflash:%"), "dir_bootflash",
+ like(command, "show clock%"), "show_clock",
+ like(command, "show platform software status control-processor brief%"), "show_platform",
+ like(command, "terminal length 0%"), "terminal",
+ like(command, "terminal width 0%"), "terminal",
+ true(), null())
+ | where isnotnull(command_type)
+ | eval user=coalesce(aaa_user, user, "unknown")
+ | eval src_ip=coalesce(aaa_src, src_ip, "unknown")
+ | eval dest=coalesce(host, dvc, dest, "unknown")
+ | bin _time span=5m
+ | stats count min(_time) as firstTime
+ max(_time) as lastTime
+ dc(command_type) as unique_recon_commands
+ values(command_type) as command_types
+ values(command) as commands
+ by _time dest user src_ip
+ | where unique_recon_commands >= 4
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `cisco_ios_xe_reconnaissance_command_activity_filter`
+how_to_implement: |
+ Use the Cisco Catalyst Add-on for Splunk (https://splunkbase.splunk.com/app/7538) to Ingest Cisco IOS-XE syslog with sourcetype "cisco:ios".
+ On Nexus, local accounting can emit "%AAA-6-AAA_ACCOUNTING_MESSAGE".
+ On Catalyst, use TACACS+ command accounting or EEM catchall syslog for exec command visibility.
+known_false_positives: |
+ Network audits and troubleshooting can produce similar command bursts. Tune the command list, threshold, and approved administrators for the environment.
+references:
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a
+ - https://blog.talosintelligence.com/salt-typhoon-analysis/
+drilldown_searches:
+ - name: View the detection results for - "$risk_object$"
+ search: '%original_detection_search% | search risk_object = "$risk_object$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for - "$risk_object$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: "0"
+intermediate_findings:
+ entities:
+ - field: dest
+ type: system
+ score: 25
+ message: User $user$ executed $unique_recon_commands$ Cisco reconnaissance command categories on $dest$.
+ - field: user
+ type: user
+ score: 25
+ message: User $user$ executed Cisco reconnaissance commands on $dest$ from $src_ip$.
+threat_objects:
+ - field: commands
+ type: command
+analytic_story:
+ - Salt Typhoon
+asset_type: Network
+mitre_attack_id:
+ - T1082
+ - T1016
+ - T1590
+product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+category: network
+security_domain: network
+tests:
+ - name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/emerging_threats/SaltTyphoon/salttyphoon_cisco.log
+ source: ctb:nexus:syslog
+ sourcetype: cisco:ios
+ test_type: unit
diff --git a/detections/network/cisco_ios_xe_remote_access_probe_burst.yml b/detections/network/cisco_ios_xe_remote_access_probe_burst.yml
new file mode 100644
index 0000000000..eeb6b82435
--- /dev/null
+++ b/detections/network/cisco_ios_xe_remote_access_probe_burst.yml
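Review bot: As rendered, every `rex` capture group is unnamed — `(?[^:@]+)`, `(?.+?)` — yet the following evals read `aaa_user`, `aaa_src`, `aaa_command` and `eem_command`; this looks like `<name>` markup lost in rendering, but if the committed file really reads this way the regexes do not compile, `command` is always empty and the detection never fires, so please confirm the named groups survive in the YAML. The same applies to the `rex` lines in cisco_ios_xe_remote_access_probe_burst.yml, cisco_ios_xe_tunnel_interface_configuration.yml, cisco_ios_xe_vty_access_class_tampering.yml and cisco_ios_xe_webui_login_from_iosd_local_port.yml. In the `case()` the `show cdp neighbors detail%` branch is redundant because the following `show cdp neighbors%` branch yields the same `show_cdp` value. The test uses `source: ctb:nexus:syslog` and the description covers NX-OS while the name and `how_to_implement` say IOS-XE; a short sentence in the description stating which platforms the test data exercises would avoid that confusion.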
@@ -0,0 +1,91 @@
+name: Cisco IOS XE Remote Access Probe Burst
+id: efb20922-17bc-4fb0-880c-be50cfc100dd
+version: 1
+creation_date: '2026-05-19'
+modification_date: '2026-05-20'
+author: Nasreddine Bencherchali
+status: production
+type: Anomaly
+description: |
+ This analytic detects bursts of ping, SSH, and Telnet commands issued from Cisco IOS or NX-OS devices. The Salt Typhoon notes describe repeated SSH, Telnet-to-port-22, and ping activity across multiple IP addresses in a short time window.
+data_source:
+ - Cisco IOS Logs
+search: |-
+ `cisco_ios`
+ facility IN ("AAA", "HA_EM")
+ mnemonic IN ("AAA_ACCOUNTING_MESSAGE", "LOG")
+ message_text IN ("*ssh *", "*telnet *", "*ping *")
+ | rex field=message_text "^\w+:(?[^:@]+)(?:@[^:]*)?:(?[^:]*):(?.*?)(?:\s+\((?SUCCESS|FAILURE)\))?$"
+ | rex field=message_text "^(?:[^:]+:\s+)?(?:catchall:\s+)?(?.+?)\s*$"
+ | eval command=lower(trim(coalesce(aaa_command, eem_command, "")))
+ | where match(command, "^(ssh|telnet|ping)\s+")
+ | rex field=command "(?i)^(?:ssh(?:\s+-l\s+\S+)?|telnet|ping)\s+(?\d{1,3}(?:\.\d{1,3}){3})"
+ | eval command_type=case(match(command, "^ssh\s+"), "ssh", match(command, "^telnet\s+"), "telnet", match(command, "^ping\s+"), "ping")
+ | eval user=coalesce(aaa_user, user, "unknown")
+ | eval src_ip=coalesce(aaa_src, src_ip, "unknown")
+ | eval dest=coalesce(host, dvc, dest, "unknown")
+ | bin _time span=10m
+ | stats count as command_count
+ min(_time) as firstTime
+ max(_time) as lastTime
+ dc(target_ip) as distinct_targets
+ values(target_ip) as target_ips
+ values(command_type) as command_types
+ values(command) as commands
+ by _time dest user src_ip
+ | where command_count >= 8 OR distinct_targets >= 5
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `cisco_ios_xe_remote_access_probe_burst_filter`
+how_to_implement: |
+ Use the Cisco Catalyst Add-on for Splunk (https://splunkbase.splunk.com/app/7538) to Ingest Cisco IOS-XE syslog with sourcetype "cisco:ios".
+ Command visibility requires AAA command accounting, archive/config logging for configuration commands, or EEM catchall logging.
+known_false_positives: |
+ Network reachability testing, migration validation, and troubleshooting can generate repeated ping, SSH, or Telnet commands.
+references:
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a
+ - https://blog.talosintelligence.com/salt-typhoon-analysis/
+drilldown_searches:
+ - name: View the detection results for - "$risk_object$"
+ search: '%original_detection_search% | search risk_object = "$risk_object$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for - "$risk_object$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: "0"
+intermediate_findings:
+ entities:
+ - field: dest
+ type: system
+ score: 25
+ message: User $user$ issued $command_count$ ping, SSH, or Telnet commands from Cisco device $dest$ across $distinct_targets$ targets.
+ - field: user
+ type: user
+ score: 25
+ message: User $user$ issued a Cisco remote access probe burst from $dest$.
+threat_objects:
+ - field: target_ips
+ type: ip_address
+ - field: commands
+ type: command
+analytic_story:
+ - Salt Typhoon
+asset_type: Network
+mitre_attack_id:
+ - T1018
+ - T1021.004
+ - T1046
+product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+category: network
+security_domain: network
+tests:
+ - name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/emerging_threats/SaltTyphoon/salttyphoon_cisco.log
+ source: ctb:nexus:syslog
+ sourcetype: cisco:ios
+ test_type: unit
diff --git a/detections/network/cisco_ios_xe_request_platform_package_describe_shell_pattern.yml b/detections/network/cisco_ios_xe_request_platform_package_describe_shell_pattern.yml
new file mode 100644
index 0000000000..f70f7e3ed1
--- /dev/null
+++ b/detections/network/cisco_ios_xe_request_platform_package_describe_shell_pattern.yml
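Review bot: `target_ip` is only populated when a dotted IPv4 literal immediately follows `ssh`, `ssh -l <user>`, `telnet` or `ping`, so commands with other option forms, a VRF keyword, a hostname or an IPv6 address yield no target; `dc(target_ip)` then undercounts and the `distinct_targets >= 5` arm silently degrades to the `command_count >= 8` arm alone. Either widen the `rex` to accept an optional keyword/option run before the address, or document the limitation in `how_to_implement` with a sentence such as "distinct_targets only counts IPv4 literals that directly follow the command; other target forms contribute to command_count only". The `(?i)` flag on that `rex` is redundant because `command` has already been lower-cased on the `eval command=` line.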
@@ -0,0 +1,70 @@
+name: Cisco IOS XE Request Platform Package Describe Shell Pattern
+id: a113a8be-7386-46e0-a079-d9fd46f9631f
+version: 1
+creation_date: '2026-05-19'
+modification_date: '2026-05-20'
+author: Nasreddine Bencherchali
+status: production
+type: TTP
+description: |
+ This analytic detects Cisco IOS-XE "request platform software package describe" commands containing suspicious shell-style filename patterns. Indicative of Slat Typhoon tradecraft.
+data_source:
+ - Cisco IOS Logs
+search: |-
+ `cisco_ios`
+ facility IN ("AAA", "HA_EM")
+ mnemonic IN ("AAA_ACCOUNTING_MESSAGE", "LOG")
+ message_text="*request platform software package describe*"
+ message_text IN ("*--filename=/(bash)n*", "*--filename=$(bash)n*")
+
+ | eval dest=coalesce(host, dvc, dest, "unknown")
+ | stats count min(_time) as firstTime
+ max(_time) as lastTime
+ values(message_text) as message
+ by dest
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `cisco_ios_xe_request_platform_package_describe_shell_pattern_filter`
+how_to_implement: |
+ Use the Cisco Catalyst Add-on for Splunk (https://splunkbase.splunk.com/app/7538) to Ingest Cisco IOS-XE syslog with sourcetype "cisco:ios".
+ Command visibility requires AAA command accounting or EEM catchall command logging.
+known_false_positives: |
+ No false positives have been identified at this time.
+references:
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a
+ - https://blog.talosintelligence.com/salt-typhoon-analysis/
+drilldown_searches:
+ - name: View the detection results for - "$risk_object$"
+ search: '%original_detection_search% | search risk_object = "$risk_object$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for - "$risk_object$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: "0"
+finding:
+ title: Suspicious request platform package describe command was issued on $dest$.
+ entity:
+ field: dest
+ type: system
+ score: 50
+threat_objects: []
+analytic_story:
+ - Salt Typhoon
+asset_type: Network
+mitre_attack_id:
+ - T1059
+ - T1190
+product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+category: network
+security_domain: network
+tests:
+ - name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/emerging_threats/SaltTyphoon/salttyphoon_cisco.log
+ source: ctb:catalyst:syslog
+ sourcetype: cisco:ios
+ test_type: unit
diff --git a/detections/network/cisco_ios_xe_tunnel_interface_configuration.yml b/detections/network/cisco_ios_xe_tunnel_interface_configuration.yml
new file mode 100644
index 0000000000..904196285e
--- /dev/null
+++ b/detections/network/cisco_ios_xe_tunnel_interface_configuration.yml
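Review bot: The finding carries no user or source attribution: unlike the reconnaissance and probe-burst detections in this commit, the search never parses the AAA/EEM message, so `stats ... by dest` leaves the analyst without the account that issued the command even though the same `rex` pair would extract it from these very `AAA_ACCOUNTING_MESSAGE`/`LOG` events. Reusing that pair, grouping `by dest user src_ip` and adding `$user$` to the finding title would make the TTP finding actionable. The description's "shell-style filename patterns" is broader than what the search matches, which is the two literal `--filename=` strings on the `message_text IN` line; stating that explicitly in the description or `known_false_positives` sets the right expectation. "Slat Typhoon" in the description should read "Salt Typhoon".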
@@ -0,0 +1,98 @@
+name: Cisco IOS XE Tunnel Interface Configuration
+id: 8654314d-8e4d-4971-9f35-b9d477bf668e
+version: 1
+creation_date: '2026-05-19'
+modification_date: '2026-05-20'
+author: Nasreddine Bencherchali
+status: production
+type: Anomaly
+description: |
+ This analytic detects creation of a Cisco IOS-XE tunnel interface with tunnel source, tunnel destination, and an IP address in the 10.10.12.0 network. The Salt Typhoon notes identify this tunnel configuration pattern as suspicious.
+data_source:
+ - Cisco IOS Logs
+search: |-
+ `cisco_ios`
+ facility IN ("HA_EM", "PARSER")
+ mnemonic IN ("LOG", "CFGLOG_LOGGEDCMD")
+ message_text IN ("*interface Tunnel*", "*tunnel source*", "*tunnel destination*", "*ip address 10.10.12.*")
+ | rex field=message_text "^(?:[^:]+:\s+)?(?:catchall:\s+)?(?.+?)\s*$"
+ | rex field=message_text "(?.*?)"
+ | rex field=message_text "(?[^<]+)"
+ | rex field=message_text "(?[^<]+)"
+ | eval command=lower(trim(coalesce(parser_command, eem_command, "")))
+ | eval event_type=case(
+ match(command, "^interface\s+tunnel"), "interface_tunnel",
+ match(command, "^tunnel\s+source"), "tunnel_source",
+ match(command, "^tunnel\s+destination"), "tunnel_destination",
+ match(command, "^ip\s+address\s+10\.10\.12\."), "tunnel_ip_address",
+ true(), null())
+ | where isnotnull(event_type)
+ | eval user=coalesce(parser_user, user, "unknown")
+ | eval src_ip=coalesce(parser_src_ip, src_ip, "unknown")
+ | eval dest=coalesce(host, dvc, dest, "unknown")
+ | bin _time span=15m
+ | stats count min(_time) as firstTime
+ max(_time) as lastTime
+ values(event_type) as event_types
+ values(user) as user
+ values(src_ip) as src_ip
+ values(command) as commands
+ by _time dest
+ | where mvfind(event_types, "interface_tunnel") >= 0
+ AND
+ mvfind(event_types, "tunnel_source") >= 0
+ AND
+ mvfind(event_types, "tunnel_destination") >= 0
+ AND
+ mvfind(event_types, "tunnel_ip_address") >= 0
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `cisco_ios_xe_tunnel_interface_configuration_filter`
+how_to_implement: |
+ Use the Cisco Catalyst Add-on for Splunk (https://splunkbase.splunk.com/app/7538) to Ingest Cisco IOS-XE syslog with sourcetype "cisco:ios" and enable archive/config command logging.
+known_false_positives: |
+ No false positives have been identified at this time.
+references:
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a
+ - https://blog.talosintelligence.com/salt-typhoon-analysis/
+drilldown_searches:
+ - name: View the detection results for - "$risk_object$"
+ search: '%original_detection_search% | search risk_object = "$risk_object$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for - "$risk_object$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: "0"
+intermediate_findings:
+ entities:
+ - field: dest
+ type: system
+ score: 30
+ message: Cisco IOS-XE tunnel interface configuration matching Salt Typhoon notes was observed on $dest$ by $user$.
+ - field: user
+ type: user
+ score: 30
+ message: User $user$ configured a suspicious Cisco IOS-XE tunnel interface on $dest$.
+threat_objects:
+ - field: commands
+ type: command
+analytic_story:
+ - Salt Typhoon
+asset_type: Network
+mitre_attack_id:
+ - T1572
+ - T1090
+product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+category: network
+security_domain: network
+tests:
+ - name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/emerging_threats/SaltTyphoon/salttyphoon_cisco.log
+ source: ctb:catalyst:syslog
+ sourcetype: cisco:ios
+ test_type: unit
diff --git a/detections/network/cisco_ios_xe_vty_access_class_tampering.yml b/detections/network/cisco_ios_xe_vty_access_class_tampering.yml
new file mode 100644
index 0000000000..9c432b2af4
--- /dev/null
+++ b/detections/network/cisco_ios_xe_vty_access_class_tampering.yml
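Review bot: The hard-coded `10.10.12.` address prefix is a required condition: it is baked into the seed filter (`"*ip address 10.10.12.*"`), the `tunnel_ip_address` branch and the final `AND mvfind(event_types, "tunnel_ip_address") >= 0`, so a tunnel built with the same interface/source/destination sequence but any other address never fires. That makes the rule an indicator match rather than the behavioural "tunnel interface configuration" its name and `known_false_positives` ("No false positives have been identified") suggest. Either drop the last `AND` clause and keep `tunnel_ip_address` as a score-raising signal surfaced through `event_types`, or state in the description that the analytic is deliberately pinned to the reported network. `values(user) as user` can also yield a multivalue `user` when several accounts touch the device in the same bucket, which the `user` entity should be prepared for.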
@@ -0,0 +1,100 @@
+name: Cisco IOS XE VTY Access Class Tampering
+id: a01ca274-16cb-476d-a814-d2ffe29d8905
+version: 1
+creation_date: '2026-05-19'
+modification_date: '2026-05-20'
+author: Nasreddine Bencherchali
+status: production
+type: Anomaly
+description: |
+ This analytic detects rapid modification of Cisco IOS-XE VTY access-class settings. The Salt Typhoon notes describe configure HTTP activity followed by line vty changes and removal/re-application of an access-class within 60 seconds.
+data_source:
+ - Cisco IOS Logs
+search: |-
+ `cisco_ios`
+ facility IN ("HA_EM", "PARSER")
+ mnemonic IN ("LOG", "CFGLOG_LOGGEDCMD")
+ message_text IN (
+ "*access-class*",
+ "*configure http*",
+ "*line vty*"
+ )
+ | rex field=message_text "^(?:[^:]+:\s+)?(?:catchall:\s+)?(?.+?)\s*$"
+ | rex field=message_text "(?.*?)"
+ | rex field=message_text "(?[^<]+)"
+ | rex field=message_text "(?[^<]+)"
+ | eval command=lower(trim(coalesce(parser_command, eem_command, "")))
+ | eval event_type=case(
+ like(command, "configure http%") OR like(command, "ip http secure-server%"), "http_config",
+ like(command, "line vty%"), "line_vty",
+ like(command, "no access-class%"), "remove_access_class",
+ like(command, "access-class%"), "add_access_class",
+ true(), null())
+ | where isnotnull(event_type)
+ | eval user=coalesce(parser_user, user, "unknown")
+ | eval src_ip=coalesce(parser_src_ip, src_ip, "unknown")
+ | eval dest=coalesce(host, dvc, dest, "unknown")
+ | bin _time span=1m
+ | stats count min(_time) as firstTime
+ max(_time) as lastTime
+ values(event_type) as event_types
+ values(user) as user
+ values(src_ip) as src_ip
+ values(command) as commands
+ by _time dest
+ | where mvfind(event_types, "line_vty") >= 0
+ AND
+ mvfind(event_types, "remove_access_class") >= 0
+ AND
+ mvfind(event_types, "add_access_class") >= 0
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `cisco_ios_xe_vty_access_class_tampering_filter`
+how_to_implement: |
+ Use the Cisco Catalyst Add-on for Splunk (https://splunkbase.splunk.com/app/7538) to Ingest Cisco IOS-XE syslog with sourcetype "cisco:ios" and enable archive/config command logging.
+known_false_positives: |
+ VTY ACL changes occur during legitimate management access updates. Filter approved maintenance windows and known administrators.
+references:
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a
+ - https://blog.talosintelligence.com/salt-typhoon-analysis/
+drilldown_searches:
+ - name: View the detection results for - "$risk_object$"
+ search: '%original_detection_search% | search risk_object = "$risk_object$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for - "$risk_object$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: "0"
+intermediate_findings:
+ entities:
+ - field: dest
+ type: system
+ score: 30
+ message: Cisco IOS-XE VTY access-class settings were removed and reapplied on $dest$ by $user$.
+ - field: user
+ type: user
+ score: 30
+ message: User $user$ modified Cisco IOS-XE VTY access-class settings on $dest$.
+threat_objects:
+ - field: commands
+ type: command
+analytic_story:
+ - Salt Typhoon
+asset_type: Network
+mitre_attack_id:
+ - T1562
+ - T1021
+product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+category: network
+security_domain: network
+tests:
+ - name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/emerging_threats/SaltTyphoon/salttyphoon_cisco.log
+ source: ctb:catalyst:syslog
+ sourcetype: cisco:ios
+ test_type: unit
diff --git a/detections/network/cisco_ios_xe_webui_login_from_iosd_local_port.yml b/detections/network/cisco_ios_xe_webui_login_from_iosd_local_port.yml
new file mode 100644
index 0000000000..2141d41d13
--- /dev/null
+++ b/detections/network/cisco_ios_xe_webui_login_from_iosd_local_port.yml
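Review bot: The `like(command, "ip http secure-server%")` branch of `case()` is unreachable: the seed filter `message_text IN ("*access-class*", "*configure http*", "*line vty*")` never lets such a message through, so `http_config` can only come from `configure http` commands. Either add `"*ip http secure-server*"` to the `message_text IN` list or drop the `OR` so the search and the classifier describe the same inputs. Note that `http_config` is not part of the final `where`, so it is informational only; if the description's "configure HTTP activity followed by line vty changes" is meant to be a required step, the `where` needs a fourth `mvfind` clause, otherwise the description should say the HTTP step is optional context. The ordering of `no access-class%` before `access-class%` is correct and worth a one-line comment so a later edit does not swap them.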
@@ -0,0 +1,83 @@
+name: Cisco IOS XE WebUI Login From IOSd Local Port
+id: 77a1751f-552f-456c-b9ae-cdb66eec3e42
+version: 1
+creation_date: '2026-05-19'
+modification_date: '2026-05-19'
+author: Nasreddine Bencherchali
+status: production
+type: TTP
+description: |
+ This analytic detects Cisco IOS-XE WebUI authentication failure and success logs that include local port 21111.
+ This is a strong an indicator of WebUI exploitation because normal users should not authenticate through the underlying IOS-XE Linux shell path.
+data_source:
+ - Cisco IOS Logs
+search: |-
+ `cisco_ios`
+ facility="SEC_LOGIN"
+ mnemonic IN ("QUIET_MODE_ON", "LOGIN_SUCCESS", "LOGIN_FAILED")
+ message_text="*[localport: 21111]*"
+ | rex field=_raw "\[user:\s*(?[^\]]+)\]"
+ | rex field=_raw "\[Source:\s*(?[^\]]+)\]"
+ | rex field=_raw "\[localport:\s*(?[^\]]+)\]"
+ | rex field=_raw "\[Reason:\s*(?[^\]]+)\]"
+ | rex field=_raw "\[ACL:\s*(?[^\]]+)\]"
+ | eval dest=coalesce(host, dvc, dest, "unknown")
+ | stats count min(_time) as firstTime
+ max(_time) as lastTime
+ values(local_port) as local_port
+ values(acl) as acl
+ by dest user src_ip reason
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `cisco_ios_xe_webui_login_from_iosd_local_port_filter`
+how_to_implement: |
+ Use the Cisco Catalyst Add-on for Splunk (https://splunkbase.splunk.com/app/7538) to Ingest Cisco IOS-XE syslog with sourcetype "cisco:ios".
+ Login failure logging must be enabled with "login on-failure log".
+known_false_positives: |
+ This local port value should not appear for normal WebUI logins. So false positives should very minimal.
+references:
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a
+ - https://blog.talosintelligence.com/salt-typhoon-analysis/
+drilldown_searches:
+ - name: View the detection results for - "$risk_object$"
+ search: '%original_detection_search% | search risk_object = "$risk_object$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for - "$risk_object$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: "0"
+finding:
+ title: WebUI authentication failure with local port 21111 from $src_ip$.
+ entity:
+ field: user
+ type: user
+ score: 50
+intermediate_findings:
+ entities:
+ - field: dest
+ type: system
+ score: 40
+ message: WebUI authentication failure with local port 21111 from $src_ip$ on $dest$.
+threat_objects:
+ - field: src_ip
+ type: ip_address
+analytic_story:
+ - Salt Typhoon
+asset_type: Network
+mitre_attack_id:
+ - T1190
+ - T1078
+product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+category: network
+security_domain: network
+tests:
+ - name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/emerging_threats/SaltTyphoon/salttyphoon_cisco.log
+ source: ctb:catalyst:syslog
+ sourcetype: cisco:ios
+ test_type: unit
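Review bot: The `by dest user src_ip reason` clause on the stats silently drops every LOGIN_SUCCESS event, because `reason` is only populated from a `[Reason: ...]` token that, as far as I recall, is present in LOGIN_FAILED messages and absent from LOGIN_SUCCESS, and stats discards events with a null by-field; the description says the search covers both outcomes, and a successful login on local port 21111 is the higher-value signal. Moving reason out of the grouping key fixes it, `values(reason) as reason` in the aggregation with `by dest user src_ip` as the key, or `| fillnull value="unknown" reason` immediately before the stats. The finding title and the intermediate_findings message both say only "authentication failure", so a success would be reported as a failure; `WebUI authentication attempt with local port 21111 from $src_ip$.` covers both cases. The description sentence `This is a strong an indicator` has a stray "an", and `false positives should very minimal` is missing "be".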
diff --git a/detections/network/cisco_ios_xe_webui_programmatic_configuration.yml b/detections/network/cisco_ios_xe_webui_programmatic_configuration.yml
new file mode 100644
index 0000000000..23df2e63bf
--- /dev/null
+++ b/detections/network/cisco_ios_xe_webui_programmatic_configuration.yml
@@ -0,0 +1,69 @@
+name: Cisco IOS XE WebUI Programmatic Configuration
+id: f9686576-a23d-4c4d-bfad-a45499dc448a
+version: 1
+creation_date: '2026-05-19'
+modification_date: '2026-05-19'
+author: Nasreddine Bencherchali
+status: production
+type: Anomaly
+description: |
+ This analytic detects Cisco IOS-XE configuration changes performed by the WebUI WSMA process.
+data_source:
+ - Cisco IOS Logs
+search: |-
+ `cisco_ios`
+ facility="SYS"
+ mnemonic="CONFIG_P"
+ message_text="*Configured programmatically by process SEP_webui_wsma_http*"
+ | rex field=_raw "process\s(?\S+)\sfrom.*as\s(?\S+)\son\s(?\S+)"
+ | eval dest=coalesce(host, dvc, dest, "unknown")
+ | stats count min(_time) as firstTime
+ max(_time) as lastTime
+ values(process) as process
+ values(vty) as vty
+ by dest user
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `cisco_ios_xe_webui_programmatic_configuration_filter`
+how_to_implement: |
+ Use the Cisco Catalyst Add-on for Splunk (https://splunkbase.splunk.com/app/7538) to Ingest Cisco IOS-XE syslog with sourcetype "cisco:ios".
+ Enable WebUI activity logging by IOS-XE.
+known_false_positives: |
+ No false positives have been identified at this time.
+references:
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a
+ - https://blog.talosintelligence.com/salt-typhoon-analysis/
+drilldown_searches:
+ - name: View the detection results for - "$risk_object$"
+ search: '%original_detection_search% | search risk_object = "$risk_object$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for - "$risk_object$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: "0"
+intermediate_findings:
+ entities:
+ - field: user
+ type: user
+ score: 30
+ message: User $user$ performed Cisco IOS-XE WebUI programmatic configuration on $dest$.
+analytic_story:
+ - Salt Typhoon
+asset_type: Network
+mitre_attack_id:
+ - T1190
+ - T1078
+product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+category: network
+security_domain: network
+tests:
+ - name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/emerging_threats/SaltTyphoon/salttyphoon_cisco.log
+ source: ctb:catalyst:syslog
+ sourcetype: cisco:ios
+ test_type: unit
diff --git a/macros/cisco_ios.yml b/macros/cisco_ios.yml
new file mode 100644
index 0000000000..af49e3f648
--- /dev/null
+++ b/macros/cisco_ios.yml
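Review bot: `known_false_positives` says none have been identified, but the SYS CONFIG_P "Configured programmatically by process SEP_webui_wsma_http" message this search keys on is, to my recollection, emitted for every configuration change applied through the legitimate WebUI, and Cisco's own guidance on it is to look for unexpected usernames rather than treat the message itself as malicious, so any administrator using the web interface will raise this Anomaly. The text should say so and point at the `user` field the `rex` extracts, e.g. `Legitimate administrators configuring the device through the WebUI generate the same CONFIG_P message. Filter known administrator accounts and expected vty lines, and investigate unknown or unexpected usernames.` The `how_to_implement` step `Enable WebUI activity logging by IOS-XE.` names no concrete setting; if CONFIG_P is a severity-5 message as I recall, the syslog export level has to include notifications, which is worth stating explicitly. The `rex` also relies on a greedy `from.*as\s` to reach the username, which is fine for the quoted message shape but worth a comment in the description so a future format change is caught.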
@@ -0,0 +1,8 @@
+name: cisco_ios
+id: dee2e4eb-4925-4378-9b8d-4b14fbb40132
+version: 1
+creation_date: '2026-06-02'
+modification_date: '2026-06-02'
+author: Nasreddine Bencherchali, Splunk Threat Research Team
+description: customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.
+definition: sourcetype=cisco:ios