Skip to content

DET0233 Detection Strategy for Network Device Configuration Dump via Config Repositories

Item Value
ID DET0233
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1602.002 (Network Device Configuration Dump)

Analytics

Network Devices

AN0647

Defenders may observe adversary attempts to collect or export full device configurations by detecting unusual SNMP queries, Smart Install (SMI) activity, or CLI/API commands that request running or startup configuration dumps. Correlated behaviors include high-volume read requests for sensitive OIDs, repeated use of ‘show running-config’ or equivalent commands from untrusted IPs, or unexpected TFTP/SCP/FTP transfers containing configuration files. These behaviors often appear in sequence: anomalous authentication or privilege escalation, followed by bulk configuration retrieval and outbound transfer.

Log Sources
Data Component Name Channel
User Account Authentication (DC0002) networkdevice:syslog Failed and successful logins to network devices outside approved admin IP ranges
Command Execution (DC0064) networkdevice:cli Execution of commands like ‘show running-config’, ‘copy running-config’, or ‘export config’
Network Traffic Content (DC0085) NSM:Flow Outbound SCP, TFTP, or FTP sessions carrying configuration file content
Network Connection Creation (DC0082) snmp:access GETBULK/GETNEXT requests for OIDs associated with configuration parameters
Mutable Elements
Field Description
AuthorizedAdminIPs Known trusted IP addresses permitted to execute configuration dump commands.
NormalConfigExportRate Baseline frequency of legitimate configuration exports; anomalies above threshold may indicate malicious activity.
AllowedTransferProtocols Expected transfer methods (e.g., SCP vs. TFTP). Unexpected use of weak protocols may indicate exfiltration.
TimeWindow Normal maintenance windows for authorized configuration exports; activity outside these windows may be suspicious.