Cisco Collect Data

Collect pertinent data from the configuration files

Sigma rule

title: Cisco Collect Data
id: cd072b25-a418-4f98-8ebc-5093fb38fe1a
status: test
description: Collect pertinent data from the configuration files
references:
    - https://blog.router-switch.com/2013/11/show-running-config/
    - https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm
    - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html
author: Austin Clark
date: 2019/08/11
modified: 2023/01/04
tags:
    - attack.discovery
    - attack.credential_access
    - attack.collection
    - attack.t1087.001
    - attack.t1552.001
    - attack.t1005
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'show running-config'
        - 'show startup-config'
        - 'show archive config'
        - 'more'
    condition: keywords
falsepositives:
    - Commonly run by administrators
level: low
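
The rule's keyword logic evaluated over sample log lines, as an added example that is not part of the original rule or the Sigma project's code. It assumes each keyword is matched as a case-insensitive substring of the raw message (backends differ on this); the log layout and the whole-word variant are constructed for illustration and show how broadly the bare 'more' keyword can match.

```python
import re

# Keywords copied from the rule's detection section.
KEYWORDS = [
    "show running-config",
    "show startup-config",
    "show archive config",
    "more",
]

# Constructed sample lines in a simplified key=value layout; real AAA
# accounting records differ by platform and collector.
SAMPLE_LOG = """\
2023-01-04T10:00:01Z rtr1 user=netops cmd=show running-config
2023-01-04T10:00:09Z rtr1 user=netops cmd=SHOW STARTUP-CONFIG
2023-01-04T10:01:30Z rtr1 user=netops cmd=show archive config differences
2023-01-04T10:02:12Z rtr1 user=netops cmd=more nvram:startup-config
2023-01-04T10:03:44Z rtr1 user=netops cmd=show ip route
2023-01-04T10:05:02Z rtr1 user=netops cmd=description uplink to Baltimore core
"""

def match_keywords(line, keywords=KEYWORDS):
    """Return the keywords found in line (assumed: case-insensitive substring)."""
    lowered = line.lower()
    return [k for k in keywords if k in lowered]

def match_keywords_whole_word(line, keywords=KEYWORDS):
    """Stricter variant (not Sigma semantics): keyword must sit on word boundaries."""
    return [k for k in keywords
            if re.search(r"(?<![\w-])" + re.escape(k) + r"(?![\w-])", line, re.I)]

def evaluate(log_text, matcher):
    """Apply 'condition: keywords' (any keyword hits) to every line."""
    hits = []
    for line in log_text.splitlines():
        found = matcher(line)
        if found:
            hits.append((line.split("cmd=", 1)[1], found))
    return hits

if __name__ == "__main__":
    for name, matcher in [("substring", match_keywords), ("whole-word", match_keywords_whole_word)]:
        print(name)
        for cmd, found in evaluate(SAMPLE_LOG, matcher):
            print("  ", cmd, "->", found)
```

Under substring matching the interface description containing "Baltimore" also fires on 'more', which adds to the administrator noise already listed under falsepositives.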
