Cisco IOS XE Implant Access

name: Cisco IOS XE Implant Access
id: 07c36cda-6567-43c3-bc1a-89dff61e2cd9
version: 8
date: '2026-03-27'
author: Michael Haag, Splunk
status: production
type: TTP
data_source:
    - Suricata
description: |-
    The following analytic identifies the potential exploitation of the Cisco IOS XE vulnerability, CVE-2023-20198, in the Web User Interface.
    It monitors POST requests to the "/webui/logoutconfirm.html?logon_hash=*" endpoint using the Web datamodel.
    This activity can be significant as it indicates potential access request to the implant
    If confirmed malicious, attackers could maintain privileged access, compromising the device's integrity and security.
search: |-
    | tstats `security_content_summariesonly`
      count min(_time) as firstTime
            max(_time) as lastTime

    FROM datamodel=Web WHERE

    Web.url="*/webui/logoutconfirm.html?logon_hash=*"
    Web.http_method=POST
    Web.status=200

    BY Web.http_user_agent Web.status Web.http_method
       Web.url Web.url_length Web.src Web.dest
    | `drop_dm_object_name("Web")`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `cisco_ios_xe_implant_access_filter`
how_to_implement: |-
    This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, Suricata, or Splunk for Palo Alto.
known_false_positives: |-
    False positives may be present from vulnerability scanners or legitimate access requests. Apply appropriate filters as needed.
references:
    - https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/
    - https://github.com/vulncheck-oss/cisco-ios-xe-implant-scanner
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: Possible exploitation of CVE-2023-20198 against $dest$ via $url$ by $src$.
    risk_objects:
        - field: dest
          type: system
          score: 50
    threat_objects:
        - field: src
          type: ip_address
tags:
    cve:
        - CVE-2023-20198
    analytic_story:
        - Cisco IOS XE Software Web Management User Interface vulnerability
    asset_type: Network
    atomic_guid: []
    mitre_attack_id:
        - T1190
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: network
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/cisco/iosxe/ciscocve202320198.log
          source: not_applicable
          sourcetype: suricata