Cisco Smart Install Oversized Packet Detection
This analytic detects oversized Cisco Smart Install (SMI) protocol messages by inspecting traffic to TCP port 4786 within the Network_Traffic data model. Abnormally large SMI payloads have been associated with exploitation and protocol abuse (e.g., CVE-2018-0171; activity reported by the "Static Tundra" threat actor). Monitoring message sizes over time can help identify possible attempts at remote code execution, denial of service, or reconnaissance against Cisco devices exposing Smart Install.
Detection Query
| tstats `security_content_summariesonly`
avg(All_Traffic.packets) as avg_packets,
max(All_Traffic.bytes) as max_bytes
from datamodel=Network_Traffic
where All_Traffic.dest_port=4786 AND All_Traffic.transport=tcp
by All_Traffic.src_ip, All_Traffic.dest_ip, _time span=1h
| `drop_dm_object_name("All_Traffic")`
| where max_bytes > 500
| eval severity=case(max_bytes>1400, "critical", max_bytes>1000, "high", 1=1, "medium")
| `cisco_smart_install_oversized_packet_detection_filter`
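As an added example that is not part of the ESCU detection or of Splunk's own code, the following Python reproduces the analytic's logic (the dest_port=4786/tcp filter, hourly buckets per src_ip and dest_ip, the max_bytes > 500 floor and the severity tiers) over constructed Network_Traffic-style records, so the thresholds can be checked offline before tuning them for a given environment. Field names follow the CIM Network_Traffic model; the sample events and addresses are constructed.

```python
from collections import defaultdict

# Constructed sample records shaped like CIM Network_Traffic fields
# (epoch _time, src_ip, dest_ip, dest_port, transport, packets, bytes).
# T0 falls on an hour boundary so the span=1h bucketing is easy to follow.
T0 = 1709280000
SAMPLE_EVENTS = [
    # small SMI exchanges inside one hour: max bytes 420, never flagged
    {"_time": T0 + 120, "src_ip": "10.1.1.5", "dest_ip": "10.2.2.1", "dest_port": 4786, "transport": "tcp", "packets": 3, "bytes": 180},
    {"_time": T0 + 900, "src_ip": "10.1.1.5", "dest_ip": "10.2.2.1", "dest_port": 4786, "transport": "tcp", "packets": 5, "bytes": 420},
    # oversized session in hour 1 (critical), another in hour 2 (high)
    {"_time": T0 + 300, "src_ip": "203.0.113.7", "dest_ip": "10.2.2.1", "dest_port": 4786, "transport": "tcp", "packets": 12, "bytes": 1520},
    {"_time": T0 + 3700, "src_ip": "203.0.113.7", "dest_ip": "10.2.2.1", "dest_port": 4786, "transport": "tcp", "packets": 6, "bytes": 1100},
    # just over the 500-byte floor (medium)
    {"_time": T0 + 60, "src_ip": "198.51.100.9", "dest_ip": "10.2.2.2", "dest_port": 4786, "transport": "tcp", "packets": 4, "bytes": 760},
    # excluded by the where clause: wrong port, then wrong transport
    {"_time": T0 + 90, "src_ip": "198.51.100.9", "dest_ip": "10.2.2.2", "dest_port": 22, "transport": "tcp", "packets": 40, "bytes": 9000},
    {"_time": T0 + 400, "src_ip": "203.0.113.7", "dest_ip": "10.2.2.1", "dest_port": 4786, "transport": "udp", "packets": 2, "bytes": 2000},
]

def severity(max_bytes):
    """Mirrors: eval severity=case(max_bytes>1400,"critical", max_bytes>1000,"high", 1=1,"medium")."""
    if max_bytes > 1400:
        return "critical"
    if max_bytes > 1000:
        return "high"
    return "medium"

def detect(events, min_bytes=500, span=3600):
    """Mirrors the tstats: filter dest_port=4786 AND transport=tcp, then avg(packets)
    and max(bytes) by src_ip, dest_ip, _time span=1h, then `where max_bytes > 500`."""
    groups = defaultdict(lambda: {"packets": [], "max_bytes": 0})
    for e in events:
        if e["dest_port"] != 4786 or e["transport"] != "tcp":
            continue
        bucket = e["_time"] - e["_time"] % span        # _time span=1h
        g = groups[(e["src_ip"], e["dest_ip"], bucket)]
        g["packets"].append(e["packets"])
        g["max_bytes"] = max(g["max_bytes"], e["bytes"])
    results = []
    for (src, dst, bucket), g in sorted(groups.items()):
        if g["max_bytes"] > min_bytes:                  # | where max_bytes > 500
            results.append({"src_ip": src, "dest_ip": dst, "_time": bucket,
                            "avg_packets": sum(g["packets"]) / len(g["packets"]),
                            "max_bytes": g["max_bytes"],
                            "severity": severity(g["max_bytes"])})
    return results
```

Raising `min_bytes` after baselining legitimate image/config transfers is the same tuning step the how_to_implement notes describe for the SPL's `where max_bytes > 500`.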
Author
Bhavin Patel, Michael Haag, Splunk
Created
2026-03-10
Data Sources
Splunk Stream TCP
Tags
Cisco Smart Install Remote Code Execution CVE-2018-0171
Raw Content
name: Cisco Smart Install Oversized Packet Detection
id: 3b8d2b4f-4e1e-4a9e-9b43-8a7a3a9c7e21
version: 3
date: '2026-03-10'
author: Bhavin Patel, Michael Haag, Splunk
status: production
type: TTP
description: |
  This analytic detects oversized Cisco Smart Install (SMI) protocol messages by inspecting traffic to TCP port 4786
  within the Network_Traffic data model. Abnormally large SMI payloads have been associated with exploitation and
  protocol abuse (e.g., CVE-2018-0171; activity reported by the "Static Tundra" threat actor). Monitoring message
  sizes over time can help identify possible attempts at remote code execution, denial of service, or reconnaissance
  against Cisco devices exposing Smart Install.
data_source:
- Splunk Stream TCP
search: |
  | tstats `security_content_summariesonly`
    avg(All_Traffic.packets) as avg_packets,
    max(All_Traffic.bytes) as max_bytes
    from datamodel=Network_Traffic
    where All_Traffic.dest_port=4786 AND All_Traffic.transport=tcp
    by All_Traffic.src_ip, All_Traffic.dest_ip, _time span=1h
  | `drop_dm_object_name("All_Traffic")`
  | where max_bytes > 500
  | eval severity=case(max_bytes>1400, "critical", max_bytes>1000, "high", 1=1, "medium")
  | `cisco_smart_install_oversized_packet_detection_filter`
how_to_implement: |
  To implement this search, ingest network traffic into the Network_Traffic data model (e.g., via Splunk Stream with
  sourcetype "stream:tcp"). The search analyzes TCP traffic to destination port 4786 (Cisco Smart Install) over hourly
  buckets, flags sessions with unusually large maximum bytes, and assigns a basic severity based on size thresholds.
  You may tune thresholds or restrict to perimeter-facing traffic. Consider blocking or disabling Smart Install where
  not required.
known_false_positives: |
  Legitimate Smart Install operations (e.g., image/config transfers) can produce larger payloads. Baseline typical sizes
  for your environment and allowlist known management stations when appropriate.
references:
- https://blog.talosintelligence.com/static-tundra/
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2
drilldown_searches:
- name: View the detection results for - "$dest_ip$"
  search: '%original_detection_search% | search dest_ip = "$dest_ip$"'
  earliest_offset: $info_min_time$
  latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest_ip$"
  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
  earliest_offset: $info_min_time$
  latest_offset: $info_max_time$
rba:
  message: Buffer overflow attempt detected in Cisco Smart Install message to $dest_ip$ from $src_ip$
  risk_objects:
  - field: dest_ip
    type: system
    score: 50
  threat_objects:
  - field: src_ip
    type: ip_address
tags:
  analytic_story:
  - Cisco Smart Install Remote Code Execution CVE-2018-0171
  asset_type: Network
  mitre_attack_id:
  - T1190
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  security_domain: network
  cve:
  - CVE-2018-0171
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/cisco/cisco_smart_install/stream_tcp.log
    sourcetype: stream:tcp
    source: stream:tcp