Cisco Denial of Service
Detects a system being shut down or put into a different boot mode
Sigma rule
title: Cisco Denial of Service
id: d94a35f0-7a29-45f6-90a0-80df6159967c
status: test
description: Detect a system being shutdown or put into different boot mode
author: Austin Clark
date: 2019-08-15
modified: 2023-01-04
tags:
    - attack.impact
    - attack.t1495
    - attack.t1529
    - attack.t1565.001
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'shutdown'
        - 'config-register 0x2100'
        - 'config-register 0x2142'
    condition: keywords
fields:
    - CmdSet
falsepositives:
    - Legitimate administrators may run these commands, though rarely.
level: medium
Related rules
- Azure DNS Zone Modified or Deleted
- Azure Device or Configuration Modified or Deleted
- Commands to Clear or Remove the Syslog - Builtin
- History File Deletion
- Potential Suspicious Change To Sensitive/Critical Files