Detection / HNTPublic file

Cisco SD-WAN Manager Post-Exploitation Activity

Hunts Cisco SD-WAN Manager logs for privilege changes, rogue peering, configuration access, and cleanup behavior reported around exploitation of CVE-2026-20245.

Sigma source

Raw YAML
title: Cisco SD-WAN Manager Post-Exploitation Activity
id: 65669fac-243d-449c-89c7-defdb087a8d8
status: experimental
author: FRAME ZERO
date: 2026-07-14
description: Hunts Cisco SD-WAN Manager logs for privilege changes, rogue peering, configuration access, and cleanup behavior reported around exploitation of CVE-2026-20245.
references:
  - https://cloud.google.com/blog/topics/threat-intelligence/zero-day-exploitation-cisco-catalyst-sd-wan-manager/
  - https://www.cisco.com/c/en/us/support/docs/routers/sd-wan/226014-remediate-catalyst-sd-wan-security.html
logsource:
  product: cisco
  service: sd_wan
detection:
  selection_root_account:
    message|contains|all:
      - 'troot'
      - 'root'
  selection_privilege_change:
    message|contains|all:
      - 'su'
      - 'admin'
  selection_default_account_change:
    message|contains|all:
      - 'admin'
      - 'password'
  selection_configuration_access:
    message|contains:
      - 'attached-template'
      - 'running-configuration'
      - 'device configuration'
      - 'controller details'
  selection_rogue_peering:
    message|contains:
      - 'unauthorized peering'
      - 'rogue peering'
      - 'certificate authentication'
  selection_cleanup:
    message|contains:
      - '/etc/passwd'
      - '/etc/shadow'
      - 'tenant-list configuration'
      - 'restore'
  condition: 1 of selection_*
falsepositives:
  - Authorized password changes, privilege checks, configuration exports, certificate operations, or tenant administration
  - Cisco TAC diagnostics and admin-tech collection during an approved investigation
  - Planned rollback or restoration activity recorded during maintenance
level: medium
tags:
  - attack.privilege-escalation
  - attack.t1136.001
  - attack.collection
  - attack.t1552.004
  - attack.defense-evasion
  - attack.t1070
telemetry_assumptions:
  - Authentication, script, rollback, web, API, command-history, peering, and configuration logs are forwarded off-device into a searchable message field.
  - Analysts correlate matches by account, session, device, and change window instead of treating one message as confirmed exploitation.
  - Vendor-native fields should replace the generic message field only after local mapping and validation.
related_publication: cisco-sd-wan-manager-zero-day-root-escalation

Relationships

Related files