Quick and dirty RouterOS forensics
Author
Hilton D
Date Published

Here are some commands you can use to conduct a basic forensic examination of a RouterOS device or VM. Note that this is not a full-fledged forensic acquisition — this is just a quick single-pass look for when you don’t have time to pull the data off the flash chips.
Check for suspicious logins (should cover webfig and ssh methods)
/log/print where topics~"system"
Review recent config change history
/system/history/print detail
/system/history is a very powerful audit feature, especially if you are conducting incident response on an engagement that doesn’t have centralised logs (aka most sites). This is because it includes the detail of the change, the actor and a timestamp, for example:

Flags: U - undoable, R - redoable, F - floating-undo
 U redo=/ip firewall filter set *12 comment="allow letsencrypt challenges"
   undo=/ip firewall filter set *12 action=accept chain=input comment=\
   "allow web" dst-port=80 protocol=tcp
   action="filter rule changed" by="admin" policy=write time=aug/14/2023 17:25:20

 U redo=/ip firewall filter set *E log=yes log-prefix=admin-vpn
   undo=/ip firewall filter set *E action=accept chain=input comment=\
   "Allow SSTP" dst-port=4433 protocol=tcp
   action="filter rule changed" by="admin" policy=write time=aug/14/2023 17:24:59

 U redo=/ip firewall filter set *14 log=yes log-prefix=admin-web
   undo=/ip firewall filter set *14 action=accept chain=input comment="allow\
   remote webadmin" dst-port=443 protocol=tcp \
   src-address-list=ssh-allow
   action="filter rule changed" by="admin" policy=write time=aug/14/2023 17:24:30
To go one step further, you could fetch the /system/history output with Ansible and store it in a centralised logging or audit system.
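As an added example (not code from the original post), here is a small Python parser for the /system/history/print detail output shown above, which turns each entry into a structured record with the actor and a real timestamp so it can be shipped to a central audit system or triaged offline. The sample text is constructed from the output above, and the function names are my own.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample modelled on the /system/history/print detail output above;
# wrapped lines end with a backslash, as the RouterOS terminal prints them.
SAMPLE = """Flags: U - undoable, R - redoable, F - floating-undo
 U redo=/ip firewall filter set *12 comment="allow letsencrypt challenges"
   undo=/ip firewall filter set *12 action=accept chain=input comment=\\
   "allow web" dst-port=80 protocol=tcp
   action="filter rule changed" by="admin" policy=write time=aug/14/2023 17:25:20

 U redo=/ip firewall filter set *E log=yes log-prefix=admin-vpn
   undo=/ip firewall filter set *E action=accept chain=input comment=\\
   "Allow SSTP" dst-port=4433 protocol=tcp
   action="filter rule changed" by="admin" policy=write time=aug/14/2023 17:24:59
"""

@dataclass
class HistoryEntry:
    flags: str    # U/R/F flag letters printed before redo=
    redo: str     # the command as applied
    undo: str     # the command that restores the previous state
    action: str
    by: str       # account that made the change
    policy: str
    time: datetime

# One entry is three lines once continuations are joined: redo, undo, summary.
ENTRY_RE = re.compile(
    r"^\s*(?P<flags>[URF ]*?)\s*redo=(?P<redo>.*)\n"
    r"\s*undo=(?P<undo>.*)\n"
    r'\s*action="(?P<action>[^"]*)" by="(?P<by>[^"]*)" '
    r"policy=(?P<policy>\S+) time=(?P<time>.*)$",
    re.MULTILINE,
)

def parse_history(text: str) -> list[HistoryEntry]:
    """Parse /system/history/print detail output into structured entries."""
    # Join terminal line continuations (backslash, newline, indentation).
    unwrapped = re.sub(r"\\\n\s*", "", text)
    entries = []
    for m in ENTRY_RE.finditer(unwrapped):
        entries.append(HistoryEntry(
            flags=m["flags"].strip(), redo=m["redo"].strip(), undo=m["undo"].strip(),
            action=m["action"], by=m["by"], policy=m["policy"],
            time=datetime.strptime(m["time"].strip(), "%b/%d/%Y %H:%M:%S"),
        ))
    return entries

def unexpected_actors(entries: list[HistoryEntry], expected: set[str]) -> list[HistoryEntry]:
    """Changes made by an account outside the expected set: the first triage question."""
    return [e for e in entries if e.by not in expected]
```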