Cisco IOS XE Implant Access

Name:Cisco IOS XE Implant Access
id:07c36cda-6567-43c3-bc1a-89dff61e2cd9
version:8
date:2026-03-27
author:Michael Haag, Splunk
status:production
type:TTP
Description:The following analytic identifies the potential exploitation of the Cisco IOS XE vulnerability, CVE-2023-20198, in the Web User Interface. It monitors POST requests to the "/webui/logoutconfirm.html?logon_hash=*" endpoint using the Web datamodel. This activity can be significant as it indicates potential access request to the implant If confirmed malicious, attackers could maintain privileged access, compromising the device's integrity and security.
Data_source:

• -Suricata

search:| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime

FROM datamodel=Web WHERE

Web.url="*/webui/logoutconfirm.html?logon_hash=*"
Web.http_method=POST
Web.status=200

BY Web.http_user_agent Web.status Web.http_method
Web.url Web.url_length Web.src Web.dest
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_ios_xe_implant_access_filter`

how_to_implement:This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, Suricata, or Splunk for Palo Alto.
known_false_positives:False positives may be present from vulnerability scanners or legitimate access requests. Apply appropriate filters as needed.
References:
  -https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/
  -https://github.com/vulncheck-oss/cisco-ios-xe-implant-scanner
drilldown_searches:
 name:'View the detection results for - "$dest$"'
 search:'%original_detection_search% | search dest = "$dest$"'
 earliest_offset:'$info_min_time$'
 latest_offset:'$info_max_time$'
 name:'View risk events for the last 7 days for - "$dest$"'
 search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset:'$info_min_time$'
 latest_offset:'$info_max_time$'
tags:
  cve:
    - 'CVE-2023-20198'
  analytic_story:
    - 'Cisco IOS XE Software Web Management User Interface vulnerability'
  asset_type:Network
  atomic_guid:
  mitre_attack_id:
    - 'T1190'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  security_domain:network

tests:
 name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/cisco/iosxe/ciscocve202320198.log
  source: not_applicable
  sourcetype: suricata
manual_test:None