Cisco Crypto Commands

Show when private keys are being exported from the device, or when new certificates are installed

Sigma rule

title: Cisco Crypto Commands
id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d
status: test
description: Show when private keys are being exported from the device, or when new certificates are installed
references:
    - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-a1-cr-book_chapter_0111.html
author: Austin Clark
date: 2019/08/12
modified: 2023/01/04
tags:
    - attack.credential_access
    - attack.defense_evasion
    - attack.t1553.004
    - attack.t1552.004
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'crypto pki export'
        - 'crypto pki import'
        - 'crypto pki trustpoint'
    condition: keywords
falsepositives:
    - Not commonly run by administrators. Also whitelist your known good certificates
level: high
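
The following is an added example, not part of the Sigma rule or the Sigma project's code: it applies the rule's three keywords as case-insensitive substring matches to command-accounting lines and implements the allowlisting suggested under falsepositives. The log line layout, the `KNOWN_TRUSTPOINTS` allowlist, the trustpoint names and the choice to always alert on exports are assumptions made for illustration.

```python
import re

# Keywords copied from the rule's detection section.
KEYWORDS = ("crypto pki export", "crypto pki import", "crypto pki trustpoint")

# Hypothetical allowlist of trustpoint names known to be legitimate.
KNOWN_TRUSTPOINTS = {"CORP-ROOT-CA"}

# Keyword as a substring, plus the next token (the trustpoint name) if present.
_PATTERN = re.compile(
    "(?P<kw>" + "|".join(re.escape(k) for k in KEYWORDS) + r")(?:\s+(?P<name>\S+))?",
    re.IGNORECASE,
)

# Constructed sample lines in a simplified accounting layout (not real device output).
SAMPLE_LOGS = [
    "2023-01-04T10:02:11Z rtr1 user=admin cmd=crypto pki trustpoint CORP-ROOT-CA <cr>",
    "2023-01-04T10:05:40Z rtr1 user=admin cmd=crypto pki import LAB-CA certificate <cr>",
    "2023-01-04T10:07:02Z rtr1 user=jdoe cmd=crypto pki export CORP-ROOT-CA pem terminal 3des ***** <cr>",
    # The substring match also fires on this read-only show command.
    "2023-01-04T10:09:15Z rtr1 user=jdoe cmd=show crypto pki trustpoints <cr>",
    "2023-01-04T10:10:00Z rtr1 user=jdoe cmd=show ip interface brief <cr>",
]


def triage(line):
    """Return None if the rule does not match, else a dict describing the hit."""
    m = _PATTERN.search(line)
    if m is None:
        return None
    keyword = m.group("kw").lower()
    name = m.group("name")
    # Assumption: key export is never suppressed, even for a known trustpoint.
    is_export = keyword.endswith("export")
    allowlisted = (not is_export) and name in KNOWN_TRUSTPOINTS
    return {"keyword": keyword, "trustpoint": name, "alert": not allowlisted}


def run(lines):
    """Triage every line and keep only those the rule matched."""
    return [hit for hit in map(triage, lines) if hit is not None]


if __name__ == "__main__":
    for hit in run(SAMPLE_LOGS):
        print(hit)
```

Because Sigma keywords match as substrings, `show crypto pki trustpoints` is reported as a hit with no trustpoint name; a deployment may want to filter such read-only commands in the backend query.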
