EXPLORE

EXPLORE DETECTIONS

🔍
2,129 detections found

Cisco Configuration Archive Logging Analysis

This analytic provides comprehensive monitoring of configuration changes on Cisco devices by analyzing archive logs. Configuration archive logging captures all changes made to a device's configuration, providing a detailed audit trail that can be used to identify suspicious or malicious activities. This detection is particularly valuable for identifying patterns of malicious configuration changes that might indicate an attacker's presence, such as the creation of backdoor accounts, SNMP community string modifications, and TFTP server configurations for data exfiltration. By analyzing these logs, security teams can gain a holistic view of configuration changes across sessions and users, helping to detect sophisticated attack campaigns like those conducted by threat actors such as Static Tundra.

Splunk

Cisco Duo Admin Login Unusual Browser

The following analytic identifies instances where a Duo admin logs in using a browser other than Chrome, which is considered unusual based on typical access patterns. Please adjust as needed to your environment. The detection leverages Duo activity logs ingested via the Cisco Security Cloud App and filters for admin login actions where the browser is not Chrome. By renaming and aggregating relevant fields such as user, browser, IP address, and location, the analytic highlights potentially suspicious access attempts that deviate from the norm. This behavior is significant for a SOC because the use of an unexpected browser may indicate credential compromise, session hijacking, or the use of unauthorized devices by attackers attempting to evade detection. Detecting such anomalies enables early investigation and response, helping to prevent privilege escalation, policy manipulation, or further compromise of sensitive administrative accounts. The impact of this attack could include unauthorized changes to security policies, user access, or the disabling of critical security controls, posing a substantial risk to the organizations security posture.

Splunk

Cisco Duo Admin Login Unusual Country

The following analytic detects instances where a Duo admin login originates from a country outside of the United States, which may indicate suspicious or unauthorized access attempts. Please adjust as needed to your environment. It works by analyzing Duo activity logs for admin login actions and filtering out events where the access device's country is not within the expected region. By correlating user, device, browser, and location details, the analytic highlights anomalies in geographic login patterns. This behavior is critical for a SOC to identify because admin accounts have elevated privileges, and access from unusual countries can be a strong indicator of credential compromise, account takeover, or targeted attacks. Early detection of such activity enables rapid investigation and response, reducing the risk of unauthorized changes, data breaches, or further lateral movement within the environment. The impact of this attack can be severe, potentially allowing attackers to bypass security controls, alter configurations, or exfiltrate sensitive information.

Splunk

Cisco Duo Admin Login Unusual Os

The following analytic identifies Duo admin login attempts from operating systems that are unusual for your environment, excluding commonly used OS such as Mac OS X. Please adjust to your environment. It works by analyzing Duo activity logs for admin login actions and filtering out logins from expected operating systems. The analytic then aggregates events by browser, version, source IP, location, and OS details to highlight anomalies. Detecting admin logins from unexpected operating systems is critical for a SOC, as it may indicate credential compromise, unauthorized access, or attacker activity using unfamiliar devices. Such behavior can precede privilege escalation, policy changes, or other malicious actions within the Duo environment. Early detection enables rapid investigation and response, reducing the risk of account takeover and minimizing potential damage to organizational security controls.

Splunk

Cisco Duo Bulk Policy Deletion

The following analytic detects instances where a Duo administrator performs a bulk deletion of more than three policies in a single action. It identifies this behavior by searching Duo activity logs for the policy_bulk_delete action, extracting the names of deleted policies, and counting them. If the count exceeds three, the event is flagged. This behavior is significant for a Security Operations Center (SOC) because mass deletion of security policies can indicate malicious activity, such as an attacker or rogue administrator attempting to weaken or disable security controls, potentially paving the way for further compromise. Detecting and investigating such actions promptly is critical, as the impact of this attack could include reduced security posture, increased risk of unauthorized access, and potential data breaches. Monitoring for bulk policy deletions helps ensure that any suspicious or unauthorized changes to security configurations are quickly identified and addressed to protect organizational assets and maintain compliance.

Splunk

Cisco Duo Bypass Code Generation

The following analytic detects when a Duo user generates a bypass code, which allows them to circumvent multi-factor authentication (2FA) protections. It works by monitoring Duo activity logs for the 'bypass_create' action, renaming the affected object as the user, and aggregating events to identify instances where a bypass code is issued. This behavior is significant for a Security Operations Center (SOC) because generating a bypass code can enable attackers, malicious insiders, or unauthorized administrators to gain access to sensitive systems without the required second authentication factor. Such activity may indicate account compromise, privilege abuse, or attempts to weaken security controls. Early detection of bypass code generation is critical, as it allows the SOC to investigate and respond before an attacker can exploit the reduced authentication requirements, helping to prevent unauthorized access, data breaches, or further lateral movement within the environment. Monitoring for this action helps maintain strong authentication standards and reduces the risk of credential-based attacks.

Splunk

Cisco Duo Policy Allow Devices Without Screen Lock

The following analytic detects when a Duo policy is created or updated to allow devices without a screen lock requirement. It identifies this behavior by searching Duo administrator activity logs for policy creation or update events where the 'require_lock' setting is set to false. This action may indicate a weakening of device security controls, potentially exposing the organization to unauthorized access if devices are lost or stolen. For a Security Operations Center (SOC), identifying such policy changes is critical, as attackers or malicious insiders may attempt to lower authentication standards to facilitate unauthorized access. The impact of this attack could include increased risk of credential compromise, data breaches, or lateral movement within the environment due to reduced device security requirements.

Splunk

Cisco Duo Policy Allow Network Bypass 2FA

The following analytic detects when a Duo policy is created or updated to allow network-based bypass of two-factor authentication (2FA). It identifies this behavior by searching Duo administrator logs for policy creation or update actions where the networks_allow field is present, indicating that specific networks have been permitted to bypass 2FA requirements. This is achieved by parsing the event description and filtering for relevant policy changes, then aggregating the results by user and administrator details. Detecting this behavior is critical for a Security Operations Center (SOC) because allowing network-based 2FA bypass can significantly weaken authentication controls, potentially enabling unauthorized access if a trusted network is compromised or misconfigured. Attackers or malicious insiders may exploit this policy change to circumvent 2FA protections, increasing the risk of account takeover and lateral movement within the environment. Prompt detection enables SOC analysts to investigate and respond to potentially risky policy modifications before they can be leveraged for malicious purposes.

Splunk

Cisco Duo Policy Allow Old Flash

The following analytic identifies instances where a Duo administrator creates or updates a policy to allow the use of outdated Flash components, specifically by detecting policy changes with the flash_remediation=no remediation attribute. It leverages Duo activity logs ingested via the Cisco Security Cloud App, searching for policy_update or policy_create actions and parsing the policy description for indicators of weakened security controls. This behavior is significant for a SOC because permitting old Flash increases the attack surface, as Flash is widely known for its security vulnerabilities and is no longer supported. Attackers may exploit such policy changes to bypass security controls, introduce malware, or escalate privileges within the environment. Detecting and responding to these policy modifications helps prevent potential exploitation, reduces organizational risk, and ensures adherence to security best practices. Immediate investigation is recommended to determine if the change was authorized or indicative of malicious activity.

Splunk

Cisco Duo Policy Allow Old Java

The following analytic detects when a Duo policy is created or updated to allow the use of outdated Java versions, which can introduce significant security risks. It works by searching Duo administrator activity logs for policy creation or update actions where the policy explicitly sets 'java_remediation' to 'no remediation', indicating that no restrictions are enforced against old Java. The analytic aggregates relevant details such as the user, admin email, and action context for further investigation. Identifying this behavior is critical for a Security Operations Center (SOC) because allowing outdated Java can expose an organization to known vulnerabilities, malware, and exploitation techniques. Attackers or malicious insiders may attempt to weaken security controls by modifying policies to permit insecure software, increasing the risk of compromise. Prompt detection enables SOC analysts to respond quickly, revert risky changes, and mitigate potential threats before they are exploited.

Splunk

Cisco Duo Policy Allow Tampered Devices

The following analytic detects when a Duo policy is created or updated to allow tampered or rooted devices, such as jailbroken smartphones, to access protected resources. It identifies this behavior by searching Duo administrator activity logs for policy changes where the allow_rooted_devices setting is enabled. This is accomplished by filtering for policy creation or update actions and parsing the policy description for the relevant configuration. Allowing tampered devices poses a significant security risk, as these devices may bypass built-in security controls, run unauthorized software, or be more susceptible to compromise. For a Security Operations Center (SOC), identifying such policy changes is critical because it may indicate either a misconfiguration or a malicious attempt to weaken authentication requirements, potentially enabling attackers to access sensitive systems with compromised devices. The impact of this attack can include unauthorized access, data breaches, and lateral movement within the environment, making prompt detection and response essential to maintaining organizational security.

Splunk

Cisco Duo Policy Bypass 2FA

The following analytic detects instances where a Duo policy is created or updated to allow access without two-factor authentication (2FA). It identifies this behavior by searching Duo administrator activity logs for policy changes that set the authentication status to "Allow access without 2FA." By monitoring for these specific actions, the analytic highlights potential attempts to weaken authentication controls, which could be indicative of malicious activity or insider threats. This behavior is critical for a SOC to identify, as bypassing 2FA significantly reduces the security posture of an organization, making it easier for attackers to gain unauthorized access to sensitive systems and data. Detecting and responding to such policy changes promptly helps prevent potential account compromise and mitigates the risk of broader security breaches.

Splunk

Cisco Duo Policy Deny Access

The following analytic identifies instances where a Duo administrator creates or updates a policy to explicitly deny user access within the Duo environment. It detects this behavior by searching Duo administrator activity logs for policy creation or update actions where the authentication status is set to "Deny access." By correlating these events with user and admin details, the analytic highlights potential misuse or malicious changes to access policies. This behavior is critical for a SOC to monitor, as unauthorized or suspicious denial of access policies can indicate insider threats, account compromise, or attempts to disrupt legitimate user access. The impact of such an attack may include denial of service to critical accounts, disruption of business operations, or the masking of further malicious activity by preventing targeted users from accessing resources. Early detection enables rapid investigation and remediation to maintain organizational security and availability.

Splunk

Cisco Duo Policy Skip 2FA for Other Countries

The following analytic detects when a Duo policy is created or updated to allow access without two-factor authentication (2FA) for users in countries other than the default. It identifies this behavior by searching Duo administrator activity logs for policy creation or update actions where the policy description indicates that access is permitted without 2FA for certain user locations. This is achieved by parsing the relevant fields in the logs and filtering for the specific condition of 'Allow access without 2FA.' This behavior is significant for a Security Operations Center (SOC) because bypassing 2FA for any user group or location weakens the organization's security posture and increases the risk of unauthorized access. Attackers or malicious insiders may exploit such policy changes to circumvent strong authentication controls, potentially leading to account compromise, data breaches, or lateral movement within the environment. Early detection of these policy modifications enables the SOC to investigate and respond before attackers can leverage the weakened controls, thereby reducing the risk and impact of a successful attack.

Splunk

Cisco Duo Set User Status to Bypass 2FA

The following analytic detects instances where a Duo user's status is changed to "Bypass" for 2FA, specifically when the previous status was "Active." This behavior is identified by analyzing Duo activity logs for user update actions, extracting the status transitions, and filtering for cases where a user is set to bypass multi-factor authentication. This is a critical event for a Security Operations Center (SOC) to monitor, as bypassing 2FA significantly weakens account security and may indicate malicious insider activity or account compromise. Attackers or unauthorized administrators may exploit this change to disable strong authentication controls, increasing the risk of unauthorized access to sensitive systems and data. Early detection of such changes enables rapid investigation and response, helping to prevent potential breaches and limit the impact of credential-based attacks.

Splunk

Cisco IOS Suspicious Privileged Account Creation

This analytic detects the creation of privileged user accounts on Cisco IOS devices, which could indicate an attacker establishing backdoor access. The detection focuses on identifying when user accounts are created with privilege level 15 (the highest administrative privilege level in Cisco IOS) or when existing accounts have their privileges elevated. This type of activity is particularly concerning when performed by unauthorized users or during unusual hours, as it may represent a key step in establishing persistence following the exploitation of vulnerabilities like CVE-2018-0171 in Cisco Smart Install. Threat actors like Static Tundra have been observed creating privileged accounts as part of their attack chain after gaining initial access to network devices.

Splunk

Cisco IOS XE Guestshell Activation and Destroy

This analytic detects Cisco IOS-XE guestshell enable activity followed by activation and destroy lifecycle logs. The detection focuses on HA_EM command logging for "guestshell enable" and "guestshell destroy", VMAN activation and destroy messages, and IM/IOX guestshell activation logs observed on some IOS-XE images.

Splunk

Cisco IOS XE Implant Access

The following analytic identifies the potential exploitation of the Cisco IOS XE vulnerability, CVE-2023-20198, in the Web User Interface. It monitors POST requests to the "/webui/logoutconfirm.html?logon_hash=*" endpoint using the Web datamodel. This activity can be significant as it indicates potential access request to the implant If confirmed malicious, attackers could maintain privileged access, compromising the device's integrity and security.

Splunk

Cisco IOS XE Log Clearing Sequence With Optional Loopback Removal

This analytic detects Cisco IOS-XE command sequences where show logging, clear logging, and exit occur within a short period. It also detects the pattern where a loopback interface is removed before clearing logs and exiting.

Splunk

Cisco IOS XE Reconnaissance Command Activity

This analytic detects bursts of Cisco IOS or NX-OS discovery commands associated with Salt Typhoon tradecraft. Adversaries who gain initial access to network infrastructure devices typically perform systematic reconnaissance to understand the device configuration, network topology, security policies, connected systems, and potential attack paths. This reconnaissance phase involves executing multiple "show" commands to enumerate device details, running configurations, active connections, routing information, and VPN sessions.

Splunk

Cisco IOS XE Remote Access Probe Burst

This analytic detects bursts of ping, SSH, and Telnet commands issued from Cisco IOS or NX-OS devices. The Salt Typhoon notes describe repeated SSH, Telnet-to-port-22, and ping activity across multiple IP addresses in a short time window.

Splunk

Cisco IOS XE Request Platform Package Describe Shell Pattern

This analytic detects Cisco IOS-XE "request platform software package describe" commands containing suspicious shell-style filename patterns. Indicative of Slat Typhoon tradecraft.

Splunk

Cisco IOS XE Tunnel Interface Configuration

This analytic detects creation of a Cisco IOS-XE tunnel interface with tunnel source, tunnel destination, and an IP address in the 10.10.12.0 network. The Salt Typhoon notes identify this tunnel configuration pattern as suspicious.

Splunk

Cisco IOS XE VTY Access Class Tampering

This analytic detects rapid modification of Cisco IOS-XE VTY access-class settings. The Salt Typhoon notes describe configure HTTP activity followed by line vty changes and removal/re-application of an access-class within 60 seconds.

Splunk
PreviousPage 9 of 89Next