Analytic Stories
WhisperGate
sAMAccountName Spoofing and Domain Controller Impersonation
Gomir
Snake Malware
F5 BIG-IP Vulnerability CVE-2022-1388
Snake Keylogger
GCP Cross Account Activity
Cleo File Transfer Software
XMRig
Rhysida Ransomware
Citrix Netscaler ADC CVE-2023-3519
XorDDos
Deobfuscate-Decode Files or Information
DHS Report TA18-074A
Qakbot
Dev Sec Ops
BlackMatter Ransomware
Quasar RAT
Brute Ratel C4
IIS Components
Citrix ShareFile RCE CVE-2023-24489
ShrinkLocker
Backdoor Pingpong
RedLine Stealer
Chaos Ransomware
Handala Wiper
Trickbot
Web Fraud Detection
Compromised User Account
Apache Tomcat Session Deserialization Attacks
Office 365 Detections
Windows BootKits
IcedID
Windows Attack Surface Reduction
Suspicious MSHTA Activity
Suspicious Cloud User Activities
JBoss Vulnerability
SysAid On-Prem Software CVE-2023-47246 Vulnerability
Windows RDP Artifacts and Defense Evasion
Swift Slicer
PaperCut MF NG Vulnerability
CISA AA23-347A
ESXi Post Compromise
Reverse Network Proxy
Trusted Developer Utilities Proxy Execution
Fortinet FortiNAC CVE-2022-39952
Ivanti Virtual Traffic Manager CVE-2024-7593
Windows Audit Policy Tampering
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190
Suspicious Windows Registry Activities
Suspicious Emails
Netsh Abuse
Remcos
Forest Blizzard
Malicious PowerShell
Suspicious Regsvcs Regasm Activity
Apache Struts Vulnerability
Suspicious AWS EC2 Activities
AWS User Monitoring
Suspicious AWS Traffic
Host Redirection
AWS Network ACL Activity
Suspicious AWS Login Activities
AWS Security Hub Alerts
AWS Cross Account Activity
Windows File Extension and Association Abuse
Windows Persistence Techniques
AWS Suspicious Provisioning Activities
Windows DNS SIGRed CVE-2020-1350
Phemedrone Stealer
Active Directory Kerberos Attacks
Active Directory Lateral Movement
Lateral Movement
Cloud Cryptomining
Suspicious DNS Traffic
JetBrains TeamCity Vulnerabilities
Active Directory Password Spraying
Termite Ransomware
Scattered Spider
Juniper JunOS Remote Code Execution
Cisco Smart Install Remote Code Execution CVE-2018-0171
ProxyShell
Azure Active Directory Account Takeover
ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day
AWS Identity and Access Management Account Takeover
Caddy Wiper
Nexus APT Threat Activity
Cactus Ransomware
OpenSSL CVE-2022-3602
Disk Wiper
Interlock Ransomware
Microsoft MSHTML Remote Code Execution CVE-2021-40444
Data Destruction
BlackSuit Ransomware
Suspicious GCP Storage Activities
Ivanti EPM Vulnerabilities
AWS Defense Evasion
ProxyNotShell
SQL Injection
DarkSide Ransomware
Ryuk Ransomware
Confluence Data Center and Confluence Server Vulnerabilities
Suspicious Cloud Provisioning Activities
Sandworm Tools
CVE-2022-40684 Fortinet Appliance Auth bypass
MSIX Package Abuse
Windows Defense Evasion Tactics
Spearphishing Attachments
AcidPour
Clop Ransomware
Winter Vivern
Detect Zerologon Attack
Zscaler Browser Proxy Threats
WS FTP Server Critical Vulnerabilities
Earth Estries
Suspicious Cloud Authentication Activities
DarkCrystal RAT
Windows Privilege Escalation
Windows Error Reporting Service Elevation of Privilege Vulnerability
Suspicious AWS S3 Activities
Data Exfiltration
PXA Stealer
LockBit Ransomware
Lumma Stealer
Prohibited Traffic Allowed or Protocol Mismatch
Spectre And Meltdown Vulnerabilities
Windows Service Abuse
VanHelsing Ransomware
Living Off The Land
Crypto Stealer
Seashell Blizzard
Unusual AWS EC2 Modifications
NOBELIUM Group
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
Local Privilege Escalation With KrbRelayUp
F5 TMUI RCE CVE-2020-5902
Kubernetes Security
Jenkins Server Vulnerabilities
Windows Registry Abuse
Flax Typhoon
Windows AppLocker
Okta MFA Exhaustion
Cyclops Blink
APT29 Diplomatic Deceptions with WINELOADER
Derusbi
Office 365 Account Takeover
Salt Typhoon
Ivanti EPMM Remote Unauthenticated Access
JetBrains TeamCity Unauthenticated RCE
Subvert Trust Controls SIP and Trust Provider Hijacking
Industroyer2
Suspicious Rundll32 Activity
Suspicious Cloud Instance Activities
DNS Hijacking
Dynamic DNS
Baron Samedit CVE-2021-3156
Revil Ransomware
Remote Employment Fraud
Use of Cleartext Protocols
Okta Account Takeover
Graceful Wipe Out Attack
Active Directory Discovery
Credential Dumping
GCP Account Takeover
Monitor for Unauthorized Software
Kubernetes Sensitive Role Activity
Prestige Ransomware
BishopFox Sliver Adversary Emulation Framework
Defense Evasion or Unauthorized Access Via SDDL Tampering
AWS S3 Bucket Security Monitoring
Warzone RAT
Collection and Staging
BlackLotus Campaign
Storm-2460 CLFS Zero Day Exploitation
Atlassian Confluence Server and Data Center CVE-2022-26134
Router and Infrastructure Security
Data Protection
Asset Tracking
Brand Monitoring
Earth Alux
CrushFTP Vulnerabilities
Command And Control
Signed Binary Proxy Execution InstallUtil
Scheduled Tasks
WinDealer RAT
Text4Shell CVE-2022-42889
Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357
Compromised Windows Host
PetitPotam NTLM Relay on Active Directory Certificate Services
Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns
VMware Aria Operations vRealize CVE-2023-20887
Windows Post-Exploitation
SnappyBee
Common Phishing Frameworks
GitHub Malicious Activity
Medusa Rootkit
WinRAR Spoofing Attack CVE-2023-38831
AgentTesla
Suspicious Okta Activity
Monitor for Updates
Suspicious Compiled HTML Activity
PlugX
DarkGate Malware
SAP NetWeaver Exploitation
DNS Amplification Attacks
Microsoft SharePoint Vulnerabilities
Gozi Malware
Amadey
Kubernetes Scanning Activity
Container Implantation Monitoring and Investigation
Suspicious Zoom Child Processes
XWorm
Monitor Backup Solution
China-Nexus Threat Activity
Network Discovery
AMOS Stealer
BlackByte Ransomware
Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966
CVE-2023-21716 Word RTF Heap Corruption
Interlock Rat
MoonPeak
Ingress Tool Transfer
Cisco Secure Firewall Threat Defense Analytics
Log4Shell CVE-2021-44228
CVE-2023-23397 Outlook Elevation of Privilege
MOVEit Transfer Authentication Bypass
Cisco IOS XE Software Web Management User Interface vulnerability
Black Basta Ransomware
Fake CAPTCHA Campaigns
Windows Log Manipulation
Information Sabotage
Hermetic Wiper
Suspicious Regsvr32 Activity
Windows Certificate Services
Linux Privilege Escalation
WordPress Vulnerabilities
Hidden Cobra Malware
Emotet Malware DHS Report TA18-201A
Orangeworm Attack Group
Critical Alerts
CISA AA22-264A
Cobalt Strike
ColdRoot MacOS RAT
Trusted Developer Utilities Proxy Execution MSBuild
Windows System Binary Proxy Execution MSIExec
HAFNIUM Group
MetaSploit
Security Solution Tampering
CISA AA22-320A
Meduza Stealer
SamSam Ransomware
3CX Supply Chain Attack
Insider Threat
AcidRain
NailaoLocker Ransomware
Kubernetes Sensitive Object Access Activity
Suspicious WMI Use
Silver Sparrow
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
Cloud Federated Credential Abuse
AWS IAM Privilege Escalation
AWS Cryptomining
Cisco Network Visibility Module Analytics
Ransomware
Windows Drivers
Office 365 Persistence Mechanisms
Linux Post-Exploitation
Meterpreter
VMware Server Side Injection and Privilege Escalation
AsyncRAT
Compromised Linux Host
Outlook RCE CVE-2024-21378
Office 365 Collection Techniques
Ivanti Sentry Authentication Bypass CVE-2023-38035
CISA AA22-277A
BITS Jobs
Azure Active Directory Persistence
Spring4Shell CVE-2022-22965
CVE-2023-36884 Office and Windows HTML RCE Vulnerability
SystemBC
FIN7
SQL Server Abuse
CISA AA22-257A
Linux Rootkit
Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360
PHP-CGI RCE Attack on Japanese Organizations
AwfulShred
Ivanti Connect Secure VPN Vulnerabilities
Remote Monitoring and Management Software
Linux Living Off The Land
Linux Persistence Techniques
F5 Authentication Bypass with TMUI
Domain Trust Discovery
MOVEit Transfer Critical Vulnerability
ValleyRAT
CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server
Braodo Stealer
Azure Active Directory Privilege Escalation
Malicious Inno Setup Loader
Azorult
Masquerading - Rename System Utilities
CISA AA24-241A
Cisco Duo Suspicious Activity
Water Gamayun
Suspicious Command-Line Executions
Unusual Processes
Ransomware Cloud
Double Zero Destructor
Sneaky Active Directory Persistence Tricks
NjRAT
Volt Typhoon
Windows Discovery Techniques
Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777
Active Directory Privilege Escalation
ConnectWise ScreenConnect Vulnerabilities
Disabling Security Tools
PrintNightmare CVE-2021-34527
AWS Bedrock Security
Medusa Ransomware

Analytic Stories

WhisperGate

sAMAccountName Spoofing and Domain Controller Impersonation

Gomir

Snake Malware

F5 BIG-IP Vulnerability CVE-2022-1388

Snake Keylogger

GCP Cross Account Activity

Cleo File Transfer Software

XMRig

Rhysida Ransomware

Citrix Netscaler ADC CVE-2023-3519

XorDDos

Deobfuscate-Decode Files or Information

DHS Report TA18-074A

Qakbot

Dev Sec Ops

BlackMatter Ransomware

Quasar RAT

Brute Ratel C4

IIS Components

Citrix ShareFile RCE CVE-2023-24489

ShrinkLocker

Backdoor Pingpong

RedLine Stealer

Chaos Ransomware

Handala Wiper

Trickbot

Web Fraud Detection

Compromised User Account

Apache Tomcat Session Deserialization Attacks

Office 365 Detections

Windows BootKits

IcedID

Windows Attack Surface Reduction

Suspicious MSHTA Activity

Suspicious Cloud User Activities

JBoss Vulnerability

SysAid On-Prem Software CVE-2023-47246 Vulnerability

Windows RDP Artifacts and Defense Evasion

Swift Slicer

PaperCut MF NG Vulnerability

CISA AA23-347A

ESXi Post Compromise

Reverse Network Proxy

Trusted Developer Utilities Proxy Execution

Fortinet FortiNAC CVE-2022-39952

Ivanti Virtual Traffic Manager CVE-2024-7593

Windows Audit Policy Tampering

Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190

Suspicious Windows Registry Activities

Suspicious Emails

Netsh Abuse

Remcos

Forest Blizzard

Malicious PowerShell

Suspicious Regsvcs Regasm Activity

Apache Struts Vulnerability

Suspicious AWS EC2 Activities

AWS User Monitoring

Suspicious AWS Traffic

Host Redirection

AWS Network ACL Activity

Suspicious AWS Login Activities

AWS Security Hub Alerts

AWS Cross Account Activity

Windows File Extension and Association Abuse

Windows Persistence Techniques

AWS Suspicious Provisioning Activities

Windows DNS SIGRed CVE-2020-1350

Phemedrone Stealer

Active Directory Kerberos Attacks

Active Directory Lateral Movement

Lateral Movement

Cloud Cryptomining

Suspicious DNS Traffic

JetBrains TeamCity Vulnerabilities

Active Directory Password Spraying

Termite Ransomware

Scattered Spider

Juniper JunOS Remote Code Execution

Cisco Smart Install Remote Code Execution CVE-2018-0171

ProxyShell

Azure Active Directory Account Takeover

ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day

AWS Identity and Access Management Account Takeover

Caddy Wiper

Nexus APT Threat Activity

Cactus Ransomware

OpenSSL CVE-2022-3602

Disk Wiper

Interlock Ransomware

Microsoft MSHTML Remote Code Execution CVE-2021-40444

Data Destruction

BlackSuit Ransomware

Suspicious GCP Storage Activities

Ivanti EPM Vulnerabilities

AWS Defense Evasion

ProxyNotShell

SQL Injection

DarkSide Ransomware

Ryuk Ransomware

Confluence Data Center and Confluence Server Vulnerabilities

Suspicious Cloud Provisioning Activities

Sandworm Tools

CVE-2022-40684 Fortinet Appliance Auth bypass

MSIX Package Abuse

Windows Defense Evasion Tactics

Spearphishing Attachments

AcidPour

Clop Ransomware

Winter Vivern

Detect Zerologon Attack

Zscaler Browser Proxy Threats

WS FTP Server Critical Vulnerabilities

Earth Estries

Suspicious Cloud Authentication Activities

DarkCrystal RAT

Windows Privilege Escalation

Windows Error Reporting Service Elevation of Privilege Vulnerability

Suspicious AWS S3 Activities

Data Exfiltration

PXA Stealer

LockBit Ransomware

Lumma Stealer

Prohibited Traffic Allowed or Protocol Mismatch

Spectre And Meltdown Vulnerabilities

Windows Service Abuse

VanHelsing Ransomware

Living Off The Land

Crypto Stealer

Seashell Blizzard

Unusual AWS EC2 Modifications

NOBELIUM Group

Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring

Local Privilege Escalation With KrbRelayUp

F5 TMUI RCE CVE-2020-5902

Kubernetes Security

Jenkins Server Vulnerabilities

Windows Registry Abuse

Flax Typhoon

Windows AppLocker

Okta MFA Exhaustion

Cyclops Blink

APT29 Diplomatic Deceptions with WINELOADER

Derusbi

Office 365 Account Takeover

Salt Typhoon

Ivanti EPMM Remote Unauthenticated Access

JetBrains TeamCity Unauthenticated RCE

Subvert Trust Controls SIP and Trust Provider Hijacking

Industroyer2

Suspicious Rundll32 Activity

Suspicious Cloud Instance Activities

DNS Hijacking

Dynamic DNS

Baron Samedit CVE-2021-3156

Revil Ransomware

Remote Employment Fraud

Use of Cleartext Protocols

Okta Account Takeover

Graceful Wipe Out Attack

Active Directory Discovery

Credential Dumping

GCP Account Takeover

Monitor for Unauthorized Software

Kubernetes Sensitive Role Activity

Prestige Ransomware

BishopFox Sliver Adversary Emulation Framework

Defense Evasion or Unauthorized Access Via SDDL Tampering

AWS S3 Bucket Security Monitoring

Warzone RAT

Collection and Staging

BlackLotus Campaign

Storm-2460 CLFS Zero Day Exploitation

Atlassian Confluence Server and Data Center CVE-2022-26134

Router and Infrastructure Security

Data Protection

Asset Tracking

Brand Monitoring

Earth Alux

CrushFTP Vulnerabilities

Command And Control

Signed Binary Proxy Execution InstallUtil

Scheduled Tasks

WinDealer RAT

Text4Shell CVE-2022-42889

Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357

Compromised Windows Host

PetitPotam NTLM Relay on Active Directory Certificate Services

Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns

VMware Aria Operations vRealize CVE-2023-20887

Windows Post-Exploitation

SnappyBee

Common Phishing Frameworks

GitHub Malicious Activity

Medusa Rootkit

WinRAR Spoofing Attack CVE-2023-38831

AgentTesla

Suspicious Okta Activity

Monitor for Updates

Suspicious Compiled HTML Activity

PlugX

DarkGate Malware

SAP NetWeaver Exploitation

DNS Amplification Attacks

Microsoft SharePoint Vulnerabilities

Gozi Malware

Amadey

Kubernetes Scanning Activity

Container Implantation Monitoring and Investigation

Suspicious Zoom Child Processes

XWorm

Monitor Backup Solution

China-Nexus Threat Activity

Network Discovery

AMOS Stealer

BlackByte Ransomware

Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966

CVE-2023-21716 Word RTF Heap Corruption

Interlock Rat

MoonPeak

Ingress Tool Transfer

Cisco Secure Firewall Threat Defense Analytics

Log4Shell CVE-2021-44228

CVE-2023-23397 Outlook Elevation of Privilege

MOVEit Transfer Authentication Bypass

Cisco IOS XE Software Web Management User Interface vulnerability

Black Basta Ransomware

Fake CAPTCHA Campaigns

Windows Log Manipulation

Information Sabotage

Hermetic Wiper

Suspicious Regsvr32 Activity

Windows Certificate Services

Linux Privilege Escalation

WordPress Vulnerabilities

Hidden Cobra Malware

Emotet Malware DHS Report TA18-201A

Orangeworm Attack Group

Critical Alerts

CISA AA22-264A

Cobalt Strike

ColdRoot MacOS RAT

Trusted Developer Utilities Proxy Execution MSBuild

Windows System Binary Proxy Execution MSIExec

HAFNIUM Group

MetaSploit

Security Solution Tampering

CISA AA22-320A

Meduza Stealer

SamSam Ransomware

3CX Supply Chain Attack

Insider Threat

AcidRain

NailaoLocker Ransomware

Kubernetes Sensitive Object Access Activity

Suspicious WMI Use

Silver Sparrow

VMware ESXi AD Integration Authentication Bypass CVE-2024-37085

Cloud Federated Credential Abuse

AWS IAM Privilege Escalation

AWS Cryptomining

Cisco Network Visibility Module Analytics

Ransomware

Windows Drivers

Office 365 Persistence Mechanisms

Linux Post-Exploitation

Meterpreter

VMware Server Side Injection and Privilege Escalation

AsyncRAT

Compromised Linux Host

Outlook RCE CVE-2024-21378

Office 365 Collection Techniques

Ivanti Sentry Authentication Bypass CVE-2023-38035

CISA AA22-277A

BITS Jobs

Azure Active Directory Persistence

Spring4Shell CVE-2022-22965

CVE-2023-36884 Office and Windows HTML RCE Vulnerability

SystemBC

FIN7

SQL Server Abuse

CISA AA22-257A

Linux Rootkit

Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360

PHP-CGI RCE Attack on Japanese Organizations

AwfulShred

Ivanti Connect Secure VPN Vulnerabilities

Remote Monitoring and Management Software

Linux Living Off The Land

Linux Persistence Techniques

F5 Authentication Bypass with TMUI

Domain Trust Discovery

MOVEit Transfer Critical Vulnerability

ValleyRAT

CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server

Braodo Stealer

Azure Active Directory Privilege Escalation

Malicious Inno Setup Loader

Azorult

Masquerading - Rename System Utilities

CISA AA24-241A

Cisco Duo Suspicious Activity

Water Gamayun

Suspicious Command-Line Executions

Unusual Processes

Ransomware Cloud

Double Zero Destructor

Sneaky Active Directory Persistence Tricks

NjRAT

Volt Typhoon

Windows Discovery Techniques

Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777

Active Directory Privilege Escalation

ConnectWise ScreenConnect Vulnerabilities

Disabling Security Tools

PrintNightmare CVE-2021-34527

AWS Bedrock Security

Medusa Ransomware

Cisco Smart Install Remote Code Execution CVE-2018-0171

Cisco TFTP Server Configuration for Data Exfiltration :
network Network 2025-08-21 version:1
This analytic detects the configuration of TFTP services on Cisco IOS devices that could be used to exfiltrate sensitive configuration files. Threat actors like Static Tundra have been observed configuring TFTP servers to make device configuration files accessible for exfiltration after gaining initial access. The detection specifically looks for commands that expose critical configuration files such as startup-config, running-config, and other sensitive system information through TFTP. This activity is particularly concerning as it may represent an attempt to steal credentials, network topology information, and other sensitive data stored in device configurations.

Cisco Smart Install Oversized Packet Detection :
network Network 2025-08-21 version:1
This analytic detects oversized Cisco Smart Install (SMI) protocol messages by inspecting traffic to TCP port 4786 within the Network_Traffic data model. Abnormally large SMI payloads have been associated with exploitation and protocol abuse (e.g., CVE-2018-0171; activity reported by the "Static Tundra" threat actor). Monitoring message sizes over time can help identify possible attempts at remote code execution, denial of service, or reconnaissance against Cisco devices exposing Smart Install.

Cisco Network Interface Modifications :
network Network 2025-08-21 version:1
This analytic detects the creation or modification of network interfaces on Cisco devices, which could indicate an attacker establishing persistence or preparing for lateral movement. After gaining initial access to network devices, threat actors like Static Tundra often create new interfaces (particularly loopback interfaces) to establish covert communication channels or maintain persistence. This detection specifically looks for the configuration of new interfaces, interface state changes, and the assignment of IP addresses to interfaces. These activities are particularly concerning when they involve unusual interface names or descriptions containing suspicious terms.

Cisco IOS Suspicious Privileged Account Creation :
network Network 2025-08-21 version:1
This analytic detects the creation of privileged user accounts on Cisco IOS devices, which could indicate an attacker establishing backdoor access. The detection focuses on identifying when user accounts are created with privilege level 15 (the highest administrative privilege level in Cisco IOS) or when existing accounts have their privileges elevated. This type of activity is particularly concerning when performed by unauthorized users or during unusual hours, as it may represent a key step in establishing persistence following the exploitation of vulnerabilities like CVE-2018-0171 in Cisco Smart Install. Threat actors like Static Tundra have been observed creating privileged accounts as part of their attack chain after gaining initial access to network devices.

Cisco Secure Firewall - Static Tundra Smart Install Abuse :
network Network 2025-08-21 version:1
This analytic detects activity associated with "Static Tundra" threat actor abuse of the Cisco Smart Install (SMI) protocol using Cisco Secure Firewall Intrusion Events. It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify occurrences of Smart Install exploitation and protocol abuse, including denial-of-service and buffer overflow attempts. The detection triggers when multiple Cisco Smart Install-related Snort signatures are observed in a short period from the same source, which is indicative of active exploitation or reconnaissance against Cisco devices that expose SMI.

Cisco SNMP Community String Configuration Changes :
network Network 2025-08-21 version:1
This analytic detects changes to SNMP community strings on Cisco devices, which could indicate an attacker establishing persistence or attempting to extract credentials. After gaining initial access to network devices, threat actors like Static Tundra often modify SNMP configurations to enable unauthorized monitoring and data collection. This detection specifically looks for the configuration of SNMP community strings with read-write (rw) or read-only (ro) permissions, as well as the configuration of SNMP hosts that may be used to exfiltrate data. These activities are particularly concerning as they may represent attempts to establish persistent access or extract sensitive information from compromised devices.

Cisco Smart Install Port Discovery and Status :
network Network 2025-08-21 version:1
This analytic detects network traffic to TCP port 4786, which is used by the Cisco Smart Install protocol. Smart Install is a plug-and-play configuration and image-management feature that helps customers to deploy Cisco switches. This protocol has been exploited via CVE-2018-0171, a vulnerability that allows unauthenticated remote attackers to execute arbitrary code or cause denial of service conditions. Recently, Cisco Talos reported that a Russian state-sponsored threat actor called "Static Tundra" has been actively exploiting this vulnerability to compromise unpatched and end-of-life network devices. Monitoring for traffic to this port can help identify potential exploitation attempts or unauthorized Smart Install activity.

Cisco Configuration Archive Logging Analysis :
network Network 2025-08-21 version:1
This analytic provides comprehensive monitoring of configuration changes on Cisco devices by analyzing archive logs. Configuration archive logging captures all changes made to a device's configuration, providing a detailed audit trail that can be used to identify suspicious or malicious activities. This detection is particularly valuable for identifying patterns of malicious configuration changes that might indicate an attacker's presence, such as the creation of backdoor accounts, SNMP community string modifications, and TFTP server configurations for data exfiltration. By analyzing these logs, security teams can gain a holistic view of configuration changes across sessions and users, helping to detect sophisticated attack campaigns like those conducted by threat actors such as Static Tundra.