Cisco Crypto Commands
Show when private keys are being exported from the device, or when new certificates are installed
Sigma rule
title: Cisco Crypto Commands
id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d
status: test
description: Show when private keys are being exported from the device, or when new certificates are installed
references:
    - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-a1-cr-book_chapter_0111.html
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
    - attack.credential-access
    - attack.defense-evasion
    - attack.t1553.004
    - attack.t1552.004
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'crypto pki export'
        - 'crypto pki import'
        - 'crypto pki trustpoint'
    condition: keywords
falsepositives:
    - Not commonly run by administrators. Also whitelist your known good certificates
level: high
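The following is an added example, not part of the rule or the Sigma project: it applies the rule's keyword condition to AAA command-accounting lines and implements the false-positive note as a trustpoint allowlist. The log line format, the trustpoint names, the allowlist contents and the choice to never suppress exports are assumptions made for illustration.

```python
import re

# The rule's three keywords. Sigma ORs a keyword list and matches each entry
# as a case-insensitive substring of the full log message.
KEYWORDS = ("crypto pki export", "crypto pki import", "crypto pki trustpoint")

# Assumption: trustpoint names your own change process is known to install.
KNOWN_GOOD_TRUSTPOINTS = {"corp-ca-2023"}

# Captures the sub-command and the name that follows it.
_CMD = re.compile(r"crypto pki (export|import|trustpoint)\s+(\S+)", re.IGNORECASE)


def evaluate(line, allowlist=KNOWN_GOOD_TRUSTPOINTS):
    """Return None if the rule does not fire or is allowlisted, else a finding dict."""
    lowered = line.lower()
    hit = next((k for k in KEYWORDS if k in lowered), None)
    if hit is None:
        return None
    m = _CMD.search(line)
    action, name = (m.group(1).lower(), m.group(2)) if m else (hit.split()[-1], None)
    # Exports of key material are never suppressed (assumption); only
    # import/trustpoint changes for an allowlisted name count as known good.
    if action != "export" and name is not None and name.lower() in allowlist:
        return None
    return {"keyword": hit, "action": action, "trustpoint": name}


# Constructed sample lines (format is illustrative, not captured from a device).
SAMPLE_LOG = [
    "2023-01-04T09:12:01Z rtr1 aaa: user=netops cmd=show ip interface brief <cr>",
    "2023-01-04T09:13:44Z rtr1 aaa: user=netops cmd=crypto pki trustpoint corp-ca-2023 <cr>",
    "2023-01-04T09:15:02Z rtr1 aaa: user=jdoe cmd=crypto pki export corp-ca-2023 pem terminal 3des <cr>",
    "2023-01-04T09:16:30Z rtr1 aaa: user=jdoe cmd=Crypto PKI import lab-tp certificate <cr>",
]


def scan(lines):
    """Evaluate every line and keep only the findings."""
    return [f for f in map(evaluate, lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```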
Related rules
- Active Directory Certificate Services Denied Certificate Enrollment Request
- Audit CVE Event
- Bitbucket User Login Failure
- Certificate Exported Via PowerShell
- Certificate Exported Via PowerShell - ScriptBlock