Cisco Discovery
Find information about network devices that is not stored in config files
Sigma rule (View on GitHub)
1title: Cisco Discovery
2id: 9705a6a1-6db6-4a16-a987-15b7151e299b
3status: test
4description: Find information about network devices that is not stored in config files
5references:
6 - https://www.cisco.com/c/en/us/td/docs/server_nw_virtual/2-5_release/command_reference/show.html
7author: Austin Clark
8date: 2019-08-12
9modified: 2023-01-04
10tags:
11 - attack.discovery
12 - attack.t1083
13 - attack.t1201
14 - attack.t1057
15 - attack.t1018
16 - attack.t1082
17 - attack.t1016
18 - attack.t1049
19 - attack.t1033
20 - attack.t1124
21logsource:
22 product: cisco
23 service: aaa
24detection:
25 keywords:
26 - 'dir'
27 - 'show arp'
28 - 'show cdp'
29 - 'show clock'
30 - 'show ip interface'
31 - 'show ip route'
32 - 'show ip sockets'
33 - 'show processes'
34 - 'show ssh'
35 - 'show users'
36 - 'show version'
37 condition: keywords
38falsepositives:
39 - Commonly used by administrators for troubleshooting
40level: low
References
Related rules
- HackTool - SharpView Execution
- Nltest.EXE Execution
- Active Directory Computers Enumeration With Get-AdComputer
- Bitbucket User Details Export Attempt Detected
- Capabilities Discovery - Linux