Cisco Show Commands Input
See what commands are being input into the device by other people; full credentials can be in the history.
Sigma rule
title: Cisco Show Commands Input
id: b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b
status: test
description: See what commands are being input into the device by other people, full credentials can be in the history
author: Austin Clark
date: 2019-08-11
modified: 2023-01-04
tags:
    - attack.credential-access
    - attack.t1552.003
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'show history'
        - 'show history all'
        - 'show logging'
    condition: keywords
fields:
    - CmdSet
falsepositives:
    - Not commonly run by administrators, especially if remote logging is configured
level: medium
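
How the rule's `keywords` condition evaluates against AAA accounting records, as an added example that is not part of the rule or the Sigma project: each keyword is a case-insensitive substring test over the whole event, and any one match fires the rule. The log lines are constructed, and their layout (`User-Name=`, `CmdSet=[ CmdAV=... <cr> ]`) and the helper names are assumptions made for illustration.

```python
import re

# Keywords copied from the rule's detection section.
KEYWORDS = ["show history", "show history all", "show logging"]

# Assumed field layout of an AAA accounting record (not defined by the rule).
CMDSET_RE = re.compile(r"CmdSet=\[\s*CmdAV=(?P<cmd>.*?)\s*(?:<cr>)?\s*\]")
USER_RE = re.compile(r"User-Name=(?P<user>[^,\s]+)")

# Constructed sample records, for illustration only.
SAMPLE_LOG = [
    "Aug 11 10:02:11 aaa01 TACACS_Accounting: User-Name=jdoe, "
    "NAS-IP-Address=192.0.2.10, CmdSet=[ CmdAV=show running-config <cr> ]",
    "Aug 11 10:03:40 aaa01 TACACS_Accounting: User-Name=svc_backup, "
    "NAS-IP-Address=192.0.2.10, CmdSet=[ CmdAV=show history all <cr> ]",
    "Aug 11 10:05:02 aaa01 TACACS_Accounting: User-Name=jdoe, "
    "NAS-IP-Address=192.0.2.11, CmdSet=[ CmdAV=Show Logging <cr> ]",
    "Aug 11 10:06:17 aaa01 TACACS_Accounting: User-Name=netops, "
    "NAS-IP-Address=192.0.2.11, CmdSet=[ CmdAV=show ip interface brief <cr> ]",
]


def matched_keywords(line):
    """Return every rule keyword found in the event (case-insensitive substring)."""
    lowered = line.lower()
    return [k for k in KEYWORDS if k in lowered]


def evaluate(lines):
    """Apply `condition: keywords` and return (user, CmdSet, keywords) per hit."""
    hits = []
    for line in lines:
        found = matched_keywords(line)
        if not found:
            continue  # no keyword present, rule does not fire
        user = USER_RE.search(line)
        cmd = CMDSET_RE.search(line)
        hits.append((
            user.group("user") if user else None,
            cmd.group("cmd") if cmd else None,  # the field listed under `fields`
            found,
        ))
    return hits


if __name__ == "__main__":
    for user, cmdset, found in evaluate(SAMPLE_LOG):
        print(f"ALERT user={user} CmdSet={cmdset!r} matched={found}")
```

The second record matches both `show history` and `show history all`, which shows that the longer keyword never changes the outcome: any event containing it already contains the shorter one.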
Related rules
- Suspicious History File Operations
- Suspicious History File Operations - Linux
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- ADCS Certificate Template Configuration Vulnerability