Cisco Show Commands Input

Detects commands that show what other people have entered on the device. Full credentials can appear in the command history.

Sigma rule

title: Cisco Show Commands Input
id: b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b
status: test
description: See what commands are being input into the device by other people, full credentials can be in the history
author: Austin Clark
date: 2019/08/11
modified: 2023/01/04
tags:
    - attack.credential_access
    - attack.t1552.003
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'show history'
        - 'show history all'
        - 'show logging'
    condition: keywords
fields:
    - CmdSet
falsepositives:
    - Not commonly run by administrators, especially if remote logging is configured
level: medium
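How the rule's keyword list evaluates against AAA command-accounting events, as an added example that is not part of the Sigma project or of the original page. The log line layout, the `CmdSet=[ ... ]` regular expression and the sample lines are constructed assumptions; only the three keywords come from the rule.

```python
import re

# Keywords copied from the rule's detection section.
KEYWORDS = ["show history", "show history all", "show logging"]

# Assumed layout of the CmdSet field; adjust to what your AAA server emits.
CMDSET_RE = re.compile(r"CmdSet=\[\s*(.*?)\s*\]")

# Constructed sample events (not real device output).
SAMPLE_LINES = [
    "2019-08-11T10:02:11Z rtr1 user=jdoe CmdSet=[ CmdAV=show version <cr> ]",
    "2019-08-11T10:03:40Z rtr1 user=jdoe CmdSet=[ CmdAV=Show History All <cr> ]",
    "2019-08-11T10:04:02Z rtr1 user=jdoe CmdSet=[ CmdAV=show logging <cr> ]",
    "2019-08-11T10:05:15Z rtr1 user=ops cmd=show history <cr>",
]


def matched_keywords(line):
    """Sigma keyword semantics: case-insensitive substring match anywhere in the event."""
    lowered = line.lower()
    return [kw for kw in KEYWORDS if kw in lowered]


def scan(lines):
    """Return one record per event that satisfies 'condition: keywords'."""
    hits = []
    for number, line in enumerate(lines, 1):
        keywords = matched_keywords(line)
        if not keywords:  # the list is OR-ed: any single keyword is enough
            continue
        field = CMDSET_RE.search(line)
        hits.append({
            "line": number,
            "keywords": keywords,
            # The rule lists CmdSet under 'fields'; None when the event lacks it.
            "CmdSet": field.group(1) if field else None,
        })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(hit)
```

Every event that matches 'show history all' also matches 'show history', so the second keyword never changes the outcome. Because keywords search the whole event, the fourth line matches even though it has no CmdSet field to display.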
