splunk_escu | Correlation

Cisco Privileged Account Creation with Suspicious SSH Activity

This analytic detects a correlation between privileged account creation on Cisco IOS devices and subsequent inbound SSH connections to non-standard ports or to sshd_operns, by correlating risk events. This correlation identifies when both "Cisco IOS Suspicious Privileged Account Creation" and SSH-related Snort detections ("SSH Connection to sshd_operns" or "SSH Connection to Non-Standard Port") fire for the same network device. This behavior is highly indicative of persistence establishment following initial compromise.

MITRE ATT&CK

lateral-movement

Detection Query

| tstats `security_content_summariesonly`
  min(_time) as firstTime
  max(_time) as lastTime

  sum(All_Risk.calculated_risk_score) as risk_score
  count(All_Risk.calculated_risk_score) as risk_event_count

  values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id
  dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count

  values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id
  dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count

  values(All_Risk.tag) as tag
  values(source) as source
  dc(source) as source_count

  values(contributing_events_search)

  values(All_Risk.threat_object)

  from datamodel=Risk.All_Risk where

  source IN (
    "*Cisco IOS Suspicious Privileged Account Creation*",
    "*Cisco Secure Firewall - SSH Connection to sshd_operns*",
    "*Cisco Secure Firewall - SSH Connection to Non-Standard Port*"
  )
  by All_Risk.normalized_risk_object
| `drop_dm_object_name(All_Risk)`
| eval has_account_creation=if(
                                match(source, "Cisco IOS Suspicious Privileged Account Creation"),
                                1, 0
                              )
| eval has_ssh_detection=if(
                              match(source, "SSH Connection to sshd_operns")
                              OR
                              match(source, "SSH Connection to Non-Standard Port"),
                              1, 0
                            )
| where has_account_creation=1
        AND
        has_ssh_detection=1
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_privileged_account_creation_with_suspicious_ssh_activity_filter`
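The correlation logic of the search above, re-implemented offline as an added example (this is not Splunk's code and the risk events are constructed): it groups risk events by normalized_risk_object inside the search window, computes the same aggregates as the tstats clause, then applies the two flag evals and the where clause so that a device alerts only when the account-creation detection and at least one SSH detection both fired.

```python
from dataclasses import dataclass

# Constructed stand-in for a row of the Risk.All_Risk data model (not Splunk's code).
@dataclass
class RiskEvent:
    time: int                    # _time, epoch seconds
    source: str                  # detection that produced the risk event
    normalized_risk_object: str  # network device the risk is attributed to
    calculated_risk_score: int

# The three detections the 'source IN (...)' clause matches (wildcards -> substring).
ACCOUNT_CREATION = "Cisco IOS Suspicious Privileged Account Creation"
SSH_SOURCES = ("SSH Connection to sshd_operns", "SSH Connection to Non-Standard Port")

def correlate(events: list[RiskEvent], earliest: int, latest: int) -> list[dict]:
    """Aggregate per risk object in the window, keep objects with BOTH signal types."""
    groups: dict[str, list[RiskEvent]] = {}
    for ev in events:
        in_scope = ACCOUNT_CREATION in ev.source or any(s in ev.source for s in SSH_SOURCES)
        if earliest <= ev.time <= latest and in_scope:
            groups.setdefault(ev.normalized_risk_object, []).append(ev)
    results = []
    for obj, evs in groups.items():
        sources = sorted({e.source for e in evs})           # values(source)
        has_account_creation = any(ACCOUNT_CREATION in s for s in sources)
        has_ssh_detection = any(p in s for s in sources for p in SSH_SOURCES)
        if not (has_account_creation and has_ssh_detection):
            continue                                        # the '| where' clause
        results.append({
            "normalized_risk_object": obj,
            "firstTime": min(e.time for e in evs),
            "lastTime": max(e.time for e in evs),
            "risk_score": sum(e.calculated_risk_score for e in evs),
            "risk_event_count": len(evs),
            "source_count": len(sources),                   # dc(source)
        })
    return results

# Constructed sample: 10.0.0.1 has both signals inside the 24h window; 10.0.0.2 has only
# account creation; 10.0.0.3 has both, but its SSH event lands about 25h later.
T0 = 1_700_000_000
SAMPLE = [
    RiskEvent(T0 + 60,    "Cisco IOS Suspicious Privileged Account Creation", "10.0.0.1", 60),
    RiskEvent(T0 + 3600,  "Cisco Secure Firewall - SSH Connection to Non-Standard Port", "10.0.0.1", 40),
    RiskEvent(T0 + 7200,  "Cisco Secure Firewall - SSH Connection to sshd_operns", "10.0.0.1", 40),
    RiskEvent(T0 + 120,   "Cisco IOS Suspicious Privileged Account Creation", "10.0.0.2", 60),
    RiskEvent(T0 + 300,   "Cisco IOS Suspicious Privileged Account Creation", "10.0.0.3", 60),
    RiskEvent(T0 + 90000, "Cisco Secure Firewall - SSH Connection to sshd_operns", "10.0.0.3", 40),
]
```

Running `correlate(SAMPLE, T0, T0 + 86400)` returns only 10.0.0.1; widening the window past 25 hours also brings in 10.0.0.3, which shows why the scheduled search's time range is part of the detection logic.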

Author

Nasreddine Bencherchali, Splunk

Created

2026-02-25

Tags

Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon
Raw Content
name: Cisco Privileged Account Creation with Suspicious SSH Activity
id: 7f8e2b4c-9a3d-4e1f-8c5b-6d7e8f9a0b1c
version: 3
date: '2026-02-25'
author: Nasreddine Bencherchali, Splunk
status: production
type: Correlation
description: |
    This analytic detects a correlation between privileged account creation on Cisco IOS devices and subsequent inbound SSH connections to non-standard ports or to sshd_operns, by correlating risk events.
    This correlation identifies when both "Cisco IOS Suspicious Privileged Account Creation" and SSH-related Snort detections ("SSH Connection to sshd_operns" or "SSH Connection to Non-Standard Port") fire for the same network device.
    This behavior is highly indicative of persistence establishment following initial compromise.
data_source: []
search: |
    | tstats `security_content_summariesonly`
      min(_time) as firstTime
      max(_time) as lastTime

      sum(All_Risk.calculated_risk_score) as risk_score
      count(All_Risk.calculated_risk_score) as risk_event_count

      values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id
      dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count

      values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id
      dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count

      values(All_Risk.tag) as tag
      values(source) as source
      dc(source) as source_count

      values(contributing_events_search)

      values(All_Risk.threat_object)

      from datamodel=Risk.All_Risk where

      source IN (
        "*Cisco IOS Suspicious Privileged Account Creation*",
        "*Cisco Secure Firewall - SSH Connection to sshd_operns*",
        "*Cisco Secure Firewall - SSH Connection to Non-Standard Port*"
      )
      by All_Risk.normalized_risk_object
    | `drop_dm_object_name(All_Risk)`
    | eval has_account_creation=if(
                                    match(source, "Cisco IOS Suspicious Privileged Account Creation"),
                                    1, 0
                                  )
    | eval has_ssh_detection=if(
                                  match(source, "SSH Connection to sshd_operns")
                                  OR
                                  match(source, "SSH Connection to Non-Standard Port"),
                                  1, 0
                                )
    | where has_account_creation=1
            AND
            has_ssh_detection=1
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `cisco_privileged_account_creation_with_suspicious_ssh_activity_filter`
how_to_implement: |
    This correlation search requires that the following detections are enabled and generating risk events - "Cisco IOS Suspicious Privileged Account Creation", "Cisco Secure Firewall - SSH Connection to sshd_operns", and "Cisco Secure Firewall - SSH Connection to Non-Standard Port". These detections must be configured to generate risk on the same entity field (the network device IP). The search correlates risk events within a 24-hour time window. Ensure that both Cisco IOS logs (sourcetype "cisco:ios") and Cisco Secure Firewall Threat Defense Intrusion Event logs are being ingested and that the underlying detections are properly configured.
known_false_positives: |
    No false positives have been identified yet.
references:
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a
drilldown_searches:
    - name: View the detection results for - "$normalized_risk_object$"
      search: '%original_detection_search% | search  normalized_risk_object = "$normalized_risk_object$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$normalized_risk_object$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$normalized_risk_object$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
tags:
    analytic_story:
        - Cisco Secure Firewall Threat Defense Analytics
        - Salt Typhoon
    asset_type: Network
    mitre_attack_id:
        - T1021.004
        - T1136
        - T1078
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: network
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/emerging_threats/SaltTyphoon/salttyphoon_correlation.log
          source: not_applicable
          sourcetype: stash