Splunk

Cisco IOS XE Reconnaissance Command Activity

Last updated 2 days ago on 2026-07-17

About

This analytic detects bursts of Cisco IOS or NX-OS discovery commands associated with Salt Typhoon tradecraft. Adversaries who gain initial access to network infrastructure devices typically perform systematic reconnaissance to understand the device configuration, network topology, security policies, connected systems, and potential attack paths. This reconnaissance phase involves executing multiple "show" commands to enumerate device details, running configurations, active connections, routing information, and VPN sessions.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a(external, opens in a new tab or window)https://blog.talosintelligence.com/salt-typhoon-analysis/(external, opens in a new tab or window)
False Positives
Network audits and troubleshooting can produce similar command bursts. Tune the command list, threshold, and approved administrators for the environment.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`cisco_ios` facility IN ("AAA", "HA_EM") mnemonic IN ("AAA_ACCOUNTING_MESSAGE", "LOG") message_text IN ( "*show running-config*", "*show tacacs*", "*show cdp neighbors*", "*show file systems*", "*dir bootflash:*", "*show clock*", "*show platform software status control-processor brief*", "*terminal length 0*", "*terminal width 0*" ) | rex field=message_text "^\w+:(?<aaa_src>[^:@]+)(?:@[^:]*)?:(?<aaa_user>[^:]*):(?<aaa_command>.*?)(?:\s+\((?<aaa_result>SUCCESS|FAILURE)\))?$" | rex field=message_text "^(?:[^:]+:\s+)?(?:catchall:\s+)?(?<eem_command>.+?)\s*$" | eval command=lower(trim(coalesce(aaa_command, eem_command, ""))) | eval command_type=case( like(command, "show running-config%"), "show_conf", like(command, "show tacacs%"), "show_tacacs", like(command, "show cdp neighbors detail%"), "show_cdp", like(command, "show cdp neighbors%"), "show_cdp", like(command, "show file systems%"), "show_file", like(command, "dir bootflash:%"), "dir_bootflash", like(command, "show clock%"), "show_clock", like(command, "show platform software status control-processor brief%"), "show_platform", like(command, "terminal length 0%"), "terminal", like(command, "terminal width 0%"), "terminal", true(), null()) | where isnotnull(command_type) | eval user=coalesce(aaa_user, user, "unknown") | eval src_ip=coalesce(aaa_src, src_ip, "unknown") | eval dest=coalesce(host, dvc, dest, "unknown") | bin _time span=5m | stats count min(_time) as firstTime max(_time) as lastTime dc(command_type) as unique_recon_commands values(command_type) as command_types values(command) as commands by _time dest user src_ip | where unique_recon_commands >= 4 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_ios_xe_reconnaissance_command_activity_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).