
Cisco TFTP Server Configuration for Data Exfiltration

Splunk Security Content

Summary
This analytic detects the configuration of Trivial File Transfer Protocol (TFTP) services on Cisco IOS devices, a setup that threat actors can leverage to exfiltrate sensitive configuration files. Specifically, the detection focuses on identifying TFTP-server configuration commands that expose critical files such as 'startup-config' and 'running-config' to anyone who can reach the device once unauthorized access has been obtained. Threat actor groups such as Static Tundra have been known to use TFTP to obtain device configurations, which can include network topologies and credentials. By monitoring for these specific TFTP commands, this rule aims to surface potentially malicious configuration changes on Cisco devices and help prevent the unauthorized disclosure of sensitive information.
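The following is an added example of the detection logic described above, written here for illustration; it is not the Splunk Security Content search itself. It runs over a handful of constructed Cisco IOS configuration-change log lines (modelled on the %PARSER-5-CFGLOG_LOGGEDCMD message that IOS emits when config logging is enabled; the hostnames, usernames and timestamps are made up) and flags any 'tftp-server' command, rating those that expose 'startup-config' or 'running-config' as high severity. The field names and the severity scheme are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (not real device output), modelled on the
# %PARSER-5-CFGLOG_LOGGEDCMD message produced when IOS config logging is on.
SAMPLE_LOGS = [
    "<189>Aug 21 10:15:02 edge-rtr-01 1234: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface GigabitEthernet0/1",
    "<189>Aug 21 10:15:40 edge-rtr-01 1235: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:tftp-server nvram:startup-config",
    "<189>Aug 21 10:15:41 edge-rtr-01 1236: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:tftp-server system:running-config",
    "<189>Aug 21 10:16:05 core-sw-02 8812: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:tftp-server flash:c2960-image.bin",
    "<189>Aug 21 10:17:00 core-sw-02 8813: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:no tftp-server flash:c2960-image.bin",
]

# Parses the syslog prefix, the originating host, the user and the logged command.
LINE_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) \d+: "
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+) +logged command:(?P<cmd>.*)$"
)

# Files whose exposure over TFTP leaks the entire device configuration,
# including topology details and any credentials stored in it.
SENSITIVE_FILES = ("startup-config", "running-config")


@dataclass
class Finding:
    host: str
    user: str
    command: str
    severity: str  # "high" for config files, "medium" for any other tftp-server entry


def parse_line(line):
    """Return the parsed fields of a config-change log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify_command(cmd):
    """Return a severity for a configuration command, or None if it is not a tftp-server entry.

    A leading 'no' removes an exposure rather than creating one, so it is not flagged.
    """
    tokens = cmd.strip().split()
    if len(tokens) < 2 or tokens[0] != "tftp-server":
        return None
    target = tokens[1].lower()
    if any(target.endswith(name) for name in SENSITIVE_FILES):
        return "high"
    return "medium"


def detect(lines):
    """Run the detection over an iterable of log lines and return the findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        severity = classify_command(rec["cmd"])
        if severity:
            findings.append(Finding(rec["host"], rec["user"], rec["cmd"].strip(), severity))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"[{f.severity:6}] {f.host} user={f.user}: {f.command}")
```

In a production pipeline the same classification would be applied to the command field already extracted by the log source; the point of keeping the 'no tftp-server' case separate is that a rule matching on the bare string 'tftp-server' would otherwise fire on the remediation as well as the exposure.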
Categories
  • Network
Data Sources
  • Pod
ATT&CK Techniques
  • T1567
  • T1005
  • T1190
Created: 2025-08-21