
DET0592 Detection Strategy for Data from Configuration Repository on Network Devices

ID: DET0592
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1602 (Data from Configuration Repository)

Analytics

Network Devices

AN1630

Defenders may observe adversary attempts to extract configuration data from management repositories by monitoring for anomalous SNMP queries, API calls, or protocol requests (e.g., NETCONF, RESTCONF) that enumerate system configuration. Suspicious sequences include repeated queries from untrusted IPs, abnormal query types requesting sensitive configuration data, or repository access occurring outside of normal administrative maintenance windows. Abnormal authentication attempts, sudden enumeration of device inventory, or bulk data transfer of configuration files may also be observed.

Log Sources

Data Component | Name | Channel
Network Connection Creation (DC0082) | NSM:Flow | Unexpected or unauthorized inbound connections to SNMP, NETCONF, or RESTCONF services
Network Traffic Content (DC0085) | networkdevice:syslog | Authentication failures or unusual community string usage in SNMP queries
Mutable Elements

Field | Description
AuthorizedAdminIPs | Expected IP ranges or hosts permitted to query configuration repositories; deviations may indicate compromise.
NormalAccessTimeWindow | Time periods when configuration queries normally occur; anomalies outside these windows may be suspicious.
QueryVolumeThreshold | Number of queries allowed within a given period before an anomaly is triggered.
ProtocolUsageBaseline | Expected usage of SNMP, NETCONF, or RESTCONF; deviations from baseline patterns may indicate misuse.
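As an added example (not part of the ATT&CK page or its analytic), the following Python sketch applies the mutable elements above to constructed NSM:Flow-style records, flagging untrusted sources, queries outside the maintenance window, off-baseline protocol/port use and per-source query volume over the threshold. It assumes a (timestamp, source IP, destination port, protocol) tuple per record and constructed values for AuthorizedAdminIPs, NormalAccessTimeWindow, QueryVolumeThreshold and ProtocolUsageBaseline.

```python
"""Illustrative analytic for AN1630: flag configuration-repository access that
deviates from tunable baselines. Constructed data; field layout is an assumption."""
from collections import Counter
from datetime import datetime, time

# Mutable elements from the detection strategy, set to constructed values.
AUTHORIZED_ADMIN_IPS = {"10.0.50.10", "10.0.50.11"}
NORMAL_ACCESS_WINDOW = (time(8, 0), time(18, 0))  # local maintenance hours
QUERY_VOLUME_THRESHOLD = 3  # configuration queries per source before alerting
PROTOCOL_BASELINE = {"snmp": 161, "netconf": 830, "restconf": 443}

# Constructed NSM:Flow-style records: (timestamp, src_ip, dst_port, protocol)
SAMPLE_FLOWS = [
    ("2025-10-21T09:15:00", "10.0.50.10", 161, "snmp"),
    ("2025-10-21T09:16:00", "10.0.50.10", 830, "netconf"),
    ("2025-10-21T02:40:00", "192.168.77.5", 161, "snmp"),
    ("2025-10-21T02:40:05", "192.168.77.5", 161, "snmp"),
    ("2025-10-21T02:40:10", "192.168.77.5", 161, "snmp"),
    ("2025-10-21T02:40:15", "192.168.77.5", 830, "netconf"),
    ("2025-10-21T14:00:00", "10.0.50.11", 8443, "restconf"),  # off-baseline port
]


def flow_anomalies(flow):
    """Return the reasons one record deviates from the configured baselines."""
    ts, src, port, proto = flow
    reasons = []
    if src not in AUTHORIZED_ADMIN_IPS:
        reasons.append("untrusted_source")
    t = datetime.fromisoformat(ts).time()
    if not NORMAL_ACCESS_WINDOW[0] <= t <= NORMAL_ACCESS_WINDOW[1]:
        reasons.append("outside_maintenance_window")
    if PROTOCOL_BASELINE.get(proto) != port:
        reasons.append("protocol_port_mismatch")
    return reasons


def detect(flows):
    """Group findings by source IP and add a volume reason when one source
    issues more configuration-protocol queries than the threshold allows."""
    findings = {}
    for flow in flows:
        for reason in flow_anomalies(flow):
            findings.setdefault(flow[1], set()).add(reason)
    volume = Counter(f[1] for f in flows if f[3] in PROTOCOL_BASELINE)
    for src, count in volume.items():
        if count > QUERY_VOLUME_THRESHOLD:
            findings.setdefault(src, set()).add("query_volume_exceeded")
    return {src: sorted(r) for src, r in findings.items()}
```

Sources with no deviation (here 10.0.50.10) produce no entry, so the output is directly the alert list.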