Cisco Disabling Logging
Turn off logging locally or remotely
Sigma rule

```yaml
title: Cisco Disabling Logging
id: 9e8f6035-88bf-4a63-96b6-b17c0508257e
status: test
description: Turn off logging locally or remote
references:
    - https://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a2.pdf
author: Austin Clark
date: 2019/08/11
modified: 2023/01/04
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'no logging'
        - 'no aaa new-model'
    condition: keywords
fields:
    - src
    - CmdSet
    - User
    - Privilege_Level
    - Remote_Address
falsepositives:
    - Unknown
level: high
```
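To see what the rule's `keywords` condition flags, the following added example (not code from the Sigma project or the rule's author) applies the two keywords as case-insensitive substring matches, which is how Sigma treats keyword lists by default, to a handful of constructed events. The field names come from the rule's `fields` list; the event values and the function names are assumptions made for illustration.

```python
# Added example: evaluate the rule's keyword detection over constructed events.
KEYWORDS = ["no logging", "no aaa new-model"]  # from the rule's detection section
FIELDS = ["src", "CmdSet", "User", "Privilege_Level", "Remote_Address"]  # rule's fields


def make_event(cmd, user="netops", src="rtr-edge-01"):
    """Build a constructed event; every value here is invented sample data."""
    return {"src": src, "CmdSet": cmd, "User": user,
            "Privilege_Level": "15", "Remote_Address": "192.0.2.10"}


# Constructed sample events (documentation-range addresses, made-up host/user).
SAMPLE_EVENTS = [
    make_event("configure terminal"),
    make_event("no logging host 198.51.100.5"),   # remote syslog target removed
    make_event("NO AAA NEW-MODEL"),               # upper case: still matches
    make_event("logging host 198.51.100.5"),      # enabling logging: no match
    make_event("no logging console"),             # any 'no logging ...' variant matches
]


def matched_keywords(event):
    """Return the rule keywords contained in any single field value.

    Each value is checked on its own so a keyword cannot match across
    the boundary between two adjacent fields.
    """
    values = [str(v).lower() for v in event.values()]
    return [k for k in KEYWORDS if any(k in v for v in values)]


def evaluate(events):
    """Return one alert per matching event, limited to the rule's fields."""
    alerts = []
    for event in events:
        hits = matched_keywords(event)
        if hits:
            alert = {f: event.get(f) for f in FIELDS}
            alert["matched"] = hits
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert["User"], alert["src"], alert["CmdSet"], alert["matched"])
```

Because the match is a plain substring test, every `no logging ...` subcommand raises the same high-severity alert, so the `CmdSet` and `User` fields are what an analyst uses to tell a routine change from tampering.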
Related rules
- AWS Config Disabling Channel/Recorder
- NetNTLM Downgrade Attack - Registry
- Hypervisor Enforced Code Integrity Disabled
- Powershell Defender Disable Scan Feature
- Tamper Windows Defender - PSClassic