Description
Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or legitimate accounts and credentials that can be identified for later use.
Adversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files.(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks) These tools may be used to query specific data from a configuration repository or configure the device to export the configuration for later analysis.
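The two access paths described above (SNMP and Smart Install reaching the device, and the device exporting its configuration) leave distinct network traffic that a defender can alert on. The following is an added detection example, not code from the ATT&CK page; the management subnet, Smart Install director address, device inventory and flow records are all constructed, and the ports (udp/161 SNMP, tcp/4786 Smart Install, udp/69 TFTP) are the standard ones.

```python
# Added example: rule-based triage of flow records for T1602.002 activity.
# All addresses below are constructed for the demonstration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

MGMT_NET = ip_network("10.10.0.0/24")            # assumption: trusted management subnet
SMI_DIRECTOR = ip_address("10.10.0.5")           # assumption: only legitimate Smart Install director
NETWORK_DEVICES = {ip_address("10.20.0.1"),      # constructed inventory of managed devices
                   ip_address("10.20.0.2")}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


def classify(flow: Flow) -> Optional[str]:
    """Return an alert label for a suspicious flow, or None if it looks benign."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    # SNMP (udp/161) to a managed device from outside the management network
    if flow.proto == "udp" and flow.dport == 161 and dst in NETWORK_DEVICES and src not in MGMT_NET:
        return "snmp-from-untrusted-source"
    # Smart Install (tcp/4786) from anything other than the designated director
    if flow.proto == "tcp" and flow.dport == 4786 and dst in NETWORK_DEVICES and src != SMI_DIRECTOR:
        return "smart-install-from-non-director"
    # Device-initiated TFTP (udp/69) to a host outside the management network:
    # the usual sign of a configuration being exported for later collection
    if flow.proto == "udp" and flow.dport == 69 and src in NETWORK_DEVICES and dst not in MGMT_NET:
        return "config-export-to-untrusted-host"
    return None


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'src dst proto dport' record."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (record, label) for every record that raises an alert."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        label = classify(parse_flow(line))
        if label:
            alerts.append((line, label))
    return alerts


# Constructed flow records: three benign, three that should alert.
SAMPLE_FLOWS = [
    "10.10.0.7 10.20.0.1 udp 161",       # SNMP poll from the management subnet
    "198.51.100.23 10.20.0.1 udp 161",   # SNMP from an external address
    "10.10.0.5 10.20.0.2 tcp 4786",      # Smart Install from the director
    "192.0.2.45 10.20.0.2 tcp 4786",     # Smart Install from an unknown host
    "10.20.0.1 10.10.0.9 udp 69",        # config backup to the management TFTP server
    "10.20.0.1 203.0.113.8 udp 69",      # config pushed to an external TFTP server
]

if __name__ == "__main__":
    for record, label in scan(SAMPLE_FLOWS):
        print(f"{label:35s} {record}")
```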
Platforms
Mitigations (6)
| ID | Mitigation | Description |
|---|---|---|
| M1041 | Encrypt Sensitive Information | Configure SNMPv3 to use the highest level of security (authPriv) available.(Citation: US-CERT TA17-156A SNMP Abuse 2017) |
| M1030 | Network Segmentation | Segregate SNMP traffic on a separate management network.(Citation: US-CERT TA17-156A SNMP Abuse 2017) |
| M1031 | Network Intrusion Prevention | Configure intrusion prevention devices to detect SNMP queries and commands from unauthorized sources. Create signatures to detect Smart Install (SMI) usage from sources other than the trusted director.(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018) |
| M1054 | Software Configuration | Allowlist MIB objects and implement SNMP views. Disable Smart Install (SMI) if not used.(Citation: Cisco Securing SNMP)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018) |
| M1037 | Filter Network Traffic | Apply extended ACLs to block unauthorized protocols outside the trusted network.(Citation: US-CERT TA17-156A SNMP Abuse 2017) |
| M1051 | Update Software | Keep system images and software updated and migrate to SNMPv3.(Citation: Cisco Blog Legacy Device Attacks) |
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G1045 | Salt Typhoon | [Salt Typhoon](https://attack.mitre.org/groups/G1045) has attempted to acquire credentials by dumping network device configurations.(Citation: Cisco S... |
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S9010 | GlassWorm | Malware | [GlassWorm](https://attack.mitre.org/software/S9010) has gathered data pertaining to VPN configurations.(Citation: Koi Glassworm New Tricks December 2... |
References
- Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.
- US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
- US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.
Frequently Asked Questions
What is T1602.002 (Network Device Configuration Dump)?
T1602.002 is a MITRE ATT&CK technique named 'Network Device Configuration Dump'. It belongs to the Collection tactic(s). Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of...
How can T1602.002 be detected?
Detection of T1602.002 (Network Device Configuration Dump) typically involves monitoring system logs, network traffic, and endpoint telemetry. For this technique in particular, that means watching for SNMP queries and commands from unauthorized sources, Smart Install (SMI) activity from anything other than the trusted director, and devices exporting their configuration to unexpected hosts. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1602.002?
There are 6 documented mitigations for T1602.002: Encrypt Sensitive Information, Network Segmentation, Network Intrusion Prevention, Software Configuration, Filter Network Traffic, and Update Software.
Which threat groups use T1602.002?
Known threat groups using T1602.002 include: Salt Typhoon.