Splunk

Cisco IOS XE Request Platform Package Describe Shell Pattern

Last updated 2 days ago on 2026-07-17

About

This analytic detects Cisco IOS-XE "request platform software package describe" commands containing suspicious shell-style filename patterns. Indicative of Slat Typhoon tradecraft.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a(external, opens in a new tab or window)https://blog.talosintelligence.com/salt-typhoon-analysis/(external, opens in a new tab or window)
False Positives
No false positives have been identified at this time.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`cisco_ios` facility IN ("AAA", "HA_EM") mnemonic IN ("AAA_ACCOUNTING_MESSAGE", "LOG") message_text="*request platform software package describe*" message_text IN ("*--filename=/(bash)n*", "*--filename=$(bash)n*") | eval dest=coalesce(host, dvc, dest, "unknown") | stats count min(_time) as firstTime max(_time) as lastTime values(message_text) as message by dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_ios_xe_request_platform_package_describe_shell_pattern_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).