Technique on mitre.org

T1602.002: Network Device Configuration Dump

Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use.

Adversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files. These tools may be used to query specific data from a configuration repository or configure the device to export the configuration for later analysis.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

network_devices_abnormal_activity: PT-CR-475: Smart_Install_Usage: Possible vulnerability exploitation in Cisco Smart Install network_devices_compromise: PT-CR-575: Smart_Install_Exploitation_Tool_Usage: Use of Smart Install Exploitation Tool is detected

Detection

ID	DS0029	Data source and component	Network Traffic: Network Connection Creation	Description	Monitor for newly constructed network connections that are sent or received by untrusted hosts or uncommon data flows. Consider analyzing packet contents to detect application layer protocols, leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g. unauthorized, gratuitous, or anomalous traffic patterns attempting to access network configuration content)

ID	DS0029	Data source and component	Network Traffic: Network Traffic Content	Description	Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. unauthorized, gratuitous, or anomalous traffic patterns attempting to access network configuration content)

ID	Data source and component	Description
DS0029	Network Traffic: Network Connection Creation	Monitor for newly constructed network connections that are sent or received by untrusted hosts or uncommon data flows. Consider analyzing packet contents to detect application layer protocols, leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g. unauthorized, gratuitous, or anomalous traffic patterns attempting to access network configuration content)
DS0029	Network Traffic: Network Traffic Content	Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. unauthorized, gratuitous, or anomalous traffic patterns attempting to access network configuration content)

Mitigation

ID	M1030	Name	Network Segmentation	Description	Segregate SNMP traffic on a separate management network.

ID	M1031	Name	Network Intrusion Prevention	Description	Configure intrusion prevention devices to detect SNMP queries and commands from unauthorized sources. Create signatures to detect Smart Install (SMI) usage from sources other than trusted director.

ID	M1037	Name	Filter Network Traffic	Description	Apply extended ACLs to block unauthorized protocols outside the trusted network.

ID	M1041	Name	Encrypt Sensitive Information	Description	Configure SNMPv3 to use the highest level of security (authPriv) available.

ID	M1051	Name	Update Software	Description	Keep system images and software updated and migrate to SNMPv3.

ID	M1054	Name	Software Configuration	Description	Allowlist MIB objects and implement SNMP views. Disable Smart Install (SMI) if not used.

ID	Name	Description
M1030	Network Segmentation	Segregate SNMP traffic on a separate management network.
M1031	Network Intrusion Prevention	Configure intrusion prevention devices to detect SNMP queries and commands from unauthorized sources. Create signatures to detect Smart Install (SMI) usage from sources other than trusted director.
M1037	Filter Network Traffic	Apply extended ACLs to block unauthorized protocols outside the trusted network.
M1041	Encrypt Sensitive Information	Configure SNMPv3 to use the highest level of security (authPriv) available.
M1051	Update Software	Keep system images and software updated and migrate to SNMPv3.
M1054	Software Configuration	Allowlist MIB objects and implement SNMP views. Disable Smart Install (SMI) if not used.