← Back to Explore
splunk_escuAnomaly
Cisco SNMP Community String Configuration Changes
This analytic detects changes to SNMP community strings on Cisco devices, which could indicate an attacker establishing persistence or attempting to extract credentials. After gaining initial access to network devices, threat actors like Static Tundra often modify SNMP configurations to enable unauthorized monitoring and data collection. This detection specifically looks for the configuration of SNMP community strings with read-write (rw) or read-only (ro) permissions, as well as the configuration of SNMP hosts that may be used to exfiltrate data. These activities are particularly concerning as they may represent attempts to establish persistent access or extract sensitive information from compromised devices.
Detection Query
| tstats `security_content_summariesonly` count values(All_Changes.command) as command min(_time) as firstTime max(_time) as lastTime FROM datamodel=Change.All_Changes
WHERE (
(All_Changes.command="*snmp-server community*rw*")
OR
(All_Changes.command="*snmp-server community*ro*")
OR
(All_Changes.command="*snmp-server host*")
)
BY All_Changes.dvc All_Changes.user
| `drop_dm_object_name("All_Changes")`
| rename dvc as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_snmp_community_string_configuration_changes_filter`Author
Bhavin Patel, Michael Haag, Splunk
Created
2026-03-10
Data Sources
Cisco IOS Logs
References
Tags
Cisco Smart Install Remote Code Execution CVE-2018-0171
Raw Content
name: Cisco SNMP Community String Configuration Changes
id: b0ce5521-2533-4f24-b8d5-c2ff977aae08
version: 3
date: '2026-03-10'
author: Bhavin Patel, Michael Haag, Splunk
status: production
type: Anomaly
description: This analytic detects changes to SNMP community strings on Cisco devices, which could indicate an attacker establishing persistence or attempting to extract credentials. After gaining initial access to network devices, threat actors like Static Tundra often modify SNMP configurations to enable unauthorized monitoring and data collection. This detection specifically looks for the configuration of SNMP community strings with read-write (rw) or read-only (ro) permissions, as well as the configuration of SNMP hosts that may be used to exfiltrate data. These activities are particularly concerning as they may represent attempts to establish persistent access or extract sensitive information from compromised devices.
data_source:
- Cisco IOS Logs
search: |-
| tstats `security_content_summariesonly` count values(All_Changes.command) as command min(_time) as firstTime max(_time) as lastTime FROM datamodel=Change.All_Changes
WHERE (
(All_Changes.command="*snmp-server community*rw*")
OR
(All_Changes.command="*snmp-server community*ro*")
OR
(All_Changes.command="*snmp-server host*")
)
BY All_Changes.dvc All_Changes.user
| `drop_dm_object_name("All_Changes")`
| rename dvc as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_snmp_community_string_configuration_changes_filter`
how_to_implement: To implement this search, you need to be ingesting Cisco IOS logs with the sourcetype "cisco:ios" and have these logs mapped to the Change datamodel. Ensure that your Cisco IOS devices are configured to send logs to your Splunk environment, with appropriate logging levels enabled to capture configuration commands. Configure command logging on Cisco IOS devices using the "archive log config logging enable" command to ensure that SNMP configuration changes are properly logged.
known_false_positives: Legitimate SNMP configuration changes may trigger this detection during routine network maintenance or initial device setup. Network administrators often need to configure SNMP for monitoring and management purposes. To reduce false positives, consider implementing a baseline of expected administrative activities, including approved administrative usernames, typical times for SNMP configuration changes, and scheduled maintenance windows. You may also want to create a lookup table of approved SNMP hosts and filter out alerts for these destinations.
references:
- https://blog.talosintelligence.com/static-tundra/
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/snmp/command/snmp-cr-book/snmp-s1.html#wp1307296356
drilldown_searches:
- name: View the detection results for - "$dest$"
search: '%original_detection_search% | search dest = "$dest$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: Suspicious SNMP community string configuration changes detected on Cisco device $dest$ by user $user$, which may indicate persistence establishment
risk_objects:
- field: dest
type: system
score: 20
- field: user
type: user
score: 20
threat_objects:
- field: command
type: command
tags:
analytic_story:
- Cisco Smart Install Remote Code Execution CVE-2018-0171
asset_type: Network
mitre_attack_id:
- T1562.001
- T1040
- T1552
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: network
cve:
- CVE-2018-0171
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/cisco/cisco_smart_install/cisco_ios.log
sourcetype: cisco:ios
source: cisco:ios