Detection rules › Splunk
Cisco IOS XE Implant Access
The following analytic identifies the potential exploitation of the Cisco IOS XE vulnerability, CVE-2023-20198, in the Web User Interface. It monitors POST requests to the "/webui/logoutconfirm.html?logon_hash=*" endpoint using the Web datamodel. This activity can be significant as it indicates potential access request to the implant If confirmed malicious, attackers could maintain privileged access, compromising the device's integrity and security.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1190 Exploit Public-Facing Application |
Rule body splunk
name: Cisco IOS XE Implant Access
id: 07c36cda-6567-43c3-bc1a-89dff61e2cd9
version: 10
creation_date: '2023-10-17'
modification_date: '2026-05-13'
author: Michael Haag, Splunk
status: production
type: TTP
description: |-
The following analytic identifies the potential exploitation of the Cisco IOS XE vulnerability, CVE-2023-20198, in the Web User Interface.
It monitors POST requests to the "/webui/logoutconfirm.html?logon_hash=*" endpoint using the Web datamodel.
This activity can be significant as it indicates potential access request to the implant
If confirmed malicious, attackers could maintain privileged access, compromising the device's integrity and security.
data_source:
- Suricata
search: |-
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
FROM datamodel=Web WHERE
Web.url="*/webui/logoutconfirm.html?logon_hash=*"
Web.http_method=POST
Web.status=200
BY Web.http_user_agent Web.status Web.http_method
Web.url Web.url_length Web.src Web.dest
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_ios_xe_implant_access_filter`
how_to_implement: |-
This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, Suricata, or Splunk for Palo Alto.
known_false_positives: |-
False positives may be present from vulnerability scanners or legitimate access requests. Apply appropriate filters as needed.
references:
- https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/
- https://github.com/vulncheck-oss/cisco-ios-xe-implant-scanner
drilldown_searches:
- name: View the detection results for - "$dest$"
search: '%original_detection_search% | search dest = "$dest$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
finding:
title: Possible exploitation of CVE-2023-20198 against $dest$ via $url$ by $src$.
entity:
field: dest
type: system
score: 50
threat_objects:
- field: src
type: ip_address
analytic_story:
- Cisco IOS XE Software Web Management User Interface vulnerability
asset_type: Network
cve:
- CVE-2023-20198
mitre_attack_id:
- T1190
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: web
security_domain: network
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/cisco/iosxe/ciscocve202320198.log
source: not_applicable
sourcetype: suricata
test_type: unit
Stages and Predicates
Stage 1: tstats
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
FROM datamodel=Web WHERE
Web.url="*/webui/logoutconfirm.html?logon_hash=*"
Web.http_method=POST
Web.status=200
BY Web.http_user_agent Web.status Web.http_method
Web.url Web.url_length Web.src Web.dest
Stage 2: search
| `drop_dm_object_name("Web")`
Stage 3: search
| `security_content_ctime(firstTime)`
Stage 4: search
| `security_content_ctime(lastTime)`
Stage 5: search
| `cisco_ios_xe_implant_access_filter`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Web.http_method | eq |
|
Web.status | eq |
|
Web.url | eq |
|