Cisco Crypto Commands
Show when private keys are being exported from the device, or when new certificates are installed
Sigma rule
title: Cisco Crypto Commands
id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d
status: test
description: Show when private keys are being exported from the device, or when new certificates are installed
references:
    - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-a1-cr-book_chapter_0111.html
author: Austin Clark
date: 2019/08/12
modified: 2023/01/04
tags:
    - attack.credential_access
    - attack.defense_evasion
    - attack.t1553.004
    - attack.t1552.004
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'crypto pki export'
        - 'crypto pki import'
        - 'crypto pki trustpoint'
    condition: keywords
falsepositives:
    - Not commonly run by administrators. Also whitelist your known good certificates
level: high
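The following is an added example, not part of the Sigma rule or the Sigma project, showing how the rule's keyword condition behaves when applied to command-accounting log lines and how the falsepositives note about known good certificates can be honoured. The log lines, the trustpoint names and the allowlist are constructed; the message shape follows IOS config-logger syslog output, which is an assumption about how the cisco/aaa logsource is collected.

```python
import re
from dataclasses import dataclass

# Keywords copied from the Sigma rule above. Sigma "keywords" are a
# case-insensitive substring test against the whole log message.
KEYWORDS = ("crypto pki export", "crypto pki import", "crypto pki trustpoint")

# Hypothetical allowlist for the rule's "whitelist your known good certificates" note.
KNOWN_GOOD_TRUSTPOINTS = {"TP-self-signed-1234567890"}

# Extracts user and command from an IOS config-logger message; syslog header ignored.
_CMD_RE = re.compile(r"User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")
# Constructed sample lines in the shape of IOS config-logger syslog output.
SAMPLE_LOG = [
    "Aug 12 10:01:02 rtr1 1234: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface GigabitEthernet0/1",
    "Aug 12 10:02:15 rtr1 1235: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:crypto pki trustpoint TP-self-signed-1234567890",
    "Aug 12 10:03:40 rtr1 1236: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup  logged command:crypto pki export ROUTER-VPN pem terminal",
    "Aug 12 10:04:02 rtr1 1237: %PARSER-5-CFGLOG_LOGGEDCMD: User:ops  logged command:Crypto PKI import NEW-CA pem terminal",
]

@dataclass
class Hit:
    user: str
    command: str
    keyword: str

def match_keyword(message):
    # First rule keyword present in the message, or None (rule condition: keywords).
    lower = message.lower()
    return next((kw for kw in KEYWORDS if kw in lower), None)

def trustpoint_name(command):
    # Trustpoint label that follows crypto pki export/import/trustpoint.
    m = re.search(r"crypto pki (?:export|import|trustpoint)\s+(\S+)", command, re.I)
    return m.group(1) if m else None

def scan(lines):
    hits = []
    for line in lines:
        kw = match_keyword(line)
        if kw is None:
            continue
        m = _CMD_RE.search(line)
        user = m.group("user") if m else "?"
        cmd = m.group("cmd").strip() if m else line.strip()
        # Exports and imports are always reported; re-entering config for a known
        # trustpoint is the benign case the rule's falsepositives note covers.
        if kw == "crypto pki trustpoint" and trustpoint_name(cmd) in KNOWN_GOOD_TRUSTPOINTS:
            continue
        hits.append(Hit(user, cmd, kw))
    return hits
```

Running `scan(SAMPLE_LOG)` reports the export by svc-backup and the import by ops, while the already-known trustpoint re-entry is suppressed; the mixed-case import line still matches because Sigma keyword matching is case-insensitive.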