1. Home
  2. Techniques
  3. Enterprise
  4. Data from Configuration Repository
  5. Network Device Configuration Dump

Data from Configuration Repository: Network Device Configuration Dump

ID Name
T1602.001 SNMP (MIB Dump)
T1602.002 Network Device Configuration Dump

Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use.

Adversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files.[1][2] These tools may be used to query specific data from a configuration repository or configure the device to export the configuration for later analysis.

ID: T1602.002
Sub-technique of:  T1602
Tactic: Collection
Platforms: Network
Permissions Required: Administrator
Version: 1.0
Created: 20 October 2020
Last Modified: 17 February 2022
Version Permalink

Mitigations

ID Mitigation Description
M1041 Encrypt Sensitive Information

Configure SNMPv3 to use the highest level of security (authPriv) available.[3]

M1037 Filter Network Traffic

Apply extended ACLs to block unauthorized protocols outside the trusted network.[3]
M1031 Network Intrusion Prevention

Configure intrusion prevention devices to detect SNMP queries and commands from unauthorized sources. Create signatures to detect Smart Install (SMI) usage from sources other than trusted director.[1]
M1030 Network Segmentation

Segregate SNMP traffic on a separate management network.[3]

M1054 Software Configuration

Allowlist MIB objects and implement SNMP views. Disable Smart Install (SMI) if not used.[4][1]

M1051 Update Software

Keep system images and software updated and migrate to SNMPv3.[2]

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts or uncommon data flows. Consider analyzing packet contents to detect application layer protocols, leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g. unauthorized, gratuitous, or anomalous traffic patterns attempting to access network configuration content)
Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. unauthorized, gratuitous, or anomalous traffic patterns attempting to access network configuration content)

References

  1. US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
  2. Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.
  1. US-CERT. (2017, June 5). Reducing the Risk of SNMP Abuse. Retrieved October 19, 2020.
  2. Cisco. (2006, May 10). Securing Simple Network Management Protocol. Retrieved October 19, 2020.