MITRE ATT&CK Technique
Description
Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP). The MIB is a configuration repository that stores variable information accessible via SNMP in the form of object identifiers (OID). Each OID identifies a variable that can be read or set and permits active management tasks, such as configuration changes, through remote modification of these variables. SNMP can give administrators great insight in their systems, such as, system information, description of hardware, physical location, and software packages(Citation: SANS Information Security Reading Room Securing SNMP Securing SNMP). The MIB may also contain device operational information, including running configuration, routing table, and interface details. Adversaries may use SNMP queries to collect MIB content directly from SNMP-managed devices in order to collect network information that allows the adversary to build network maps and facilitate future targeted exploitation.(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-10-19T23:51:05.953Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may target the Management Information Base (MIB) '
'to collect and/or mine valuable information in a network '
'managed using Simple Network Management Protocol (SNMP).\n'
'\n'
'The MIB is a configuration repository that stores variable '
'information accessible via SNMP in the form of object '
'identifiers (OID). Each OID identifies a variable that can be '
'read or set and permits active management tasks, such as '
'configuration changes, through remote modification of these '
'variables. SNMP can give administrators great insight in '
'their systems, such as, system information, description of '
'hardware, physical location, and software packages(Citation: '
'SANS Information Security Reading Room Securing SNMP Securing '
'SNMP). The MIB may also contain device operational '
'information, including running configuration, routing table, '
'and interface details.\n'
'\n'
'Adversaries may use SNMP queries to collect MIB content '
'directly from SNMP-managed devices in order to collect '
'network information that allows the adversary to build '
'network maps and facilitate future targeted '
'exploitation.(Citation: US-CERT-TA18-106A)(Citation: Cisco '
'Blog Legacy Device Attacks) ',
'external_references': [{'external_id': 'T1602.001',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1602/001'},
{'description': 'Michael Stump. (2003). Information '
'Security Reading Room Securing SNMP: '
'A Look atNet-SNMP (SNMPv3). '
'Retrieved October 19, 2020.',
'source_name': 'SANS Information Security Reading '
'Room Securing SNMP Securing SNMP',
'url': 'https://www.sans.org/reading-room/whitepapers/networkdevs/securing-snmp-net-snmp-snmpv3-1051'},
{'description': 'US-CERT. (2018, April 20). Alert '
'(TA18-106A) Russian State-Sponsored '
'Cyber Actors Targeting Network '
'Infrastructure Devices. Retrieved '
'October 19, 2020.',
'source_name': 'US-CERT-TA18-106A',
'url': 'https://www.us-cert.gov/ncas/alerts/TA18-106A'},
{'description': 'Omar Santos. (2020, October 19). '
'Attackers Continue to Target Legacy '
'Devices. Retrieved October 20, 2020.',
'source_name': 'Cisco Blog Legacy Device Attacks',
'url': 'https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954'},
{'description': 'Cisco. (2008, June 10). Identifying '
'and Mitigating Exploitation of the '
'SNMP Version 3 Authentication '
'Vulnerabilities. Retrieved October '
'19, 2020.',
'source_name': 'Cisco Advisory SNMP v3 '
'Authentication Vulnerabilities',
'url': 'https://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20080610-SNMPv3'}],
'id': 'attack-pattern--ee7ff928-801c-4f34-8a99-3df965e581a5',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'collection'}],
'modified': '2025-10-24T17:49:34.969Z',
'name': 'SNMP (MIB Dump)',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Network Devices'],
'x_mitre_version': '1.1'}