Defenders may observe adversary attempts to collect or export full device configurations by detecting unusual SNMP queries, Smart Install (SMI) activity, or CLI/API commands that request running or startup configuration dumps. Correlated behaviors include high-volume read requests for sensitive OIDs, repeated use of 'show running-config' or equivalent commands from untrusted IPs, or unexpected TFTP/SCP/FTP transfers containing configuration files. These behaviors often appear in sequence: anomalous authentication or privilege escalation, followed by bulk configuration retrieval and outbound transfer.

| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | networkdevice:syslog | Failed and successful logins to network devices outside approved admin IP ranges |
| Command Execution (DC0064) | networkdevice:cli | Execution of commands like 'show running-config', 'copy running-config', or 'export config' |
| Network Traffic Content (DC0085) | NSM:Flow | Outbound SCP, TFTP, or FTP sessions carrying configuration file content |
| Network Connection Creation (DC0082) | snmp:access | GETBULK/GETNEXT requests for OIDs associated with configuration parameters |

| Field | Description |
|---|---|
| AuthorizedAdminIPs | Known trusted IP addresses permitted to execute configuration dump commands. |
| NormalConfigExportRate | Baseline frequency of legitimate configuration exports; anomalies above threshold may indicate malicious activity. |
| AllowedTransferProtocols | Expected transfer methods (e.g., SCP vs. TFTP). Unexpected use of weak protocols may indicate exfiltration. |
| TimeWindow | Normal maintenance windows for authorized configuration exports; activity outside these windows may be suspicious. |
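As an added example (not part of this page or of ATT&CK's own content), the Python below scores constructed network-device log lines against the four mutable elements in the table above and flags the authentication, then dump, then outbound transfer chain described at the top of the page. The log line format, the finding names, the sample IPs and the thresholds are all assumptions made for this example.

```python
from datetime import datetime, time, timedelta

# Mutable elements from the table above; the values here are constructed for this example.
AUTHORIZED_ADMIN_IPS = {"10.0.0.5"}
NORMAL_CONFIG_EXPORT_RATE = 2             # dump commands per (source, device) before alerting
ALLOWED_TRANSFER_PROTOCOLS = {"scp"}
TIME_WINDOW = (time(1, 0), time(3, 0))    # approved maintenance window, 01:00-03:00
SEQUENCE_MAX_GAP = timedelta(minutes=30)  # auth -> dump -> transfer must fit within this span
DUMP_COMMANDS = ("show running-config", "copy running-config", "export config")

def analyze(lines: list[str]) -> list[tuple[str, str]]:
    """Return (src_ip, finding) pairs for constructed log lines of the form
    '<ISO timestamp> <device> <src_ip> <kind> <detail>', kind = auth | cmd | transfer | snmp."""
    findings, counts, stage = [], {}, {}   # stage[src_ip] = (last chain step reached, timestamp)
    for line in sorted(lines):             # ISO timestamps sort chronologically
        ts_text, device, src_ip, kind, detail = line.split(" ", 4)
        ts = datetime.fromisoformat(ts_text)
        def hit(name): findings.append((src_ip, name))
        untrusted = src_ip not in AUTHORIZED_ADMIN_IPS
        prev = stage.get(src_ip)
        recent = prev is not None and ts - prev[1] <= SEQUENCE_MAX_GAP
        if kind == "auth" and untrusted:
            hit("login_from_untrusted_ip")
            stage[src_ip] = ("auth", ts)
        elif kind == "cmd" and detail.lower().startswith(DUMP_COMMANDS):
            counts[(src_ip, device)] = counts.get((src_ip, device), 0) + 1
            if untrusted: hit("config_dump_from_untrusted_ip")
            if counts[(src_ip, device)] > NORMAL_CONFIG_EXPORT_RATE: hit("config_export_rate_exceeded")
            if not TIME_WINDOW[0] <= ts.time() <= TIME_WINDOW[1]: hit("config_dump_outside_maintenance_window")
            if recent and prev[0] == "auth":
                stage[src_ip] = ("dump", ts)
        elif kind == "transfer":
            proto = detail.split(" ", 1)[0].lower()
            if proto not in ALLOWED_TRANSFER_PROTOCOLS: hit(f"config_transfer_over_{proto}")
            if recent and prev[0] == "dump":
                hit("auth_dump_transfer_sequence")   # full auth -> dump -> transfer chain from one source
                del stage[src_ip]
        elif kind == "snmp" and untrusted and detail.upper().startswith(("GETBULK", "GETNEXT")):
            hit("snmp_bulk_walk_from_untrusted_ip")
    return findings

# Constructed sample: an untrusted host runs the full chain over TFTP in the afternoon, while a
# trusted admin exports over SCP inside the maintenance window and should produce no findings.
SAMPLE_LOGS = [
    "2024-05-01T14:02:00 rtr1 192.0.2.77 auth login_success user=admin",
    "2024-05-01T14:03:10 rtr1 192.0.2.77 cmd show running-config",
    "2024-05-01T14:04:00 rtr1 192.0.2.77 transfer tftp running-config.txt",
    "2024-05-01T02:11:00 rtr1 10.0.0.5 cmd copy running-config scp:",
    "2024-05-01T02:12:00 rtr1 10.0.0.5 transfer scp running-config.txt",
]
```

Running `analyze(SAMPLE_LOGS)` yields findings only for 192.0.2.77, ending with the chained-sequence finding; the trusted in-window SCP export is silent.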