T1602.002SubTechniquecollectionagent-callable

T1602.002Network Device Configuration Dump

Sub-technique of T1602

Platforms: Network

ATT&CK version: 14.1

What it is

Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use. Adversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files.(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks) These tools may be used to query specific data from a configuration repository or configure the device to export the configuration for later analysis.

ATT&CK tactics· 1

Collection

References

  1. https://attack.mitre.org/techniques/T1602/002
  2. https://us-cert.cisa.gov/ncas/alerts/TA18-106A
  3. https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
  4. https://www.us-cert.gov/ncas/alerts/TA18-086A
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.