Cisco Local Accounts
Find local accounts being created or modified as well as remote authentication configurations
Sigma rule
title: Cisco Local Accounts
id: 6d844f0f-1c18-41af-8f19-33e7654edfc3
status: test
description: Find local accounts being created or modified as well as remote authentication configurations
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
    - attack.persistence
    - attack.t1136.001
    - attack.t1098
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'username'
        - 'aaa'
    condition: keywords
fields:
    - CmdSet
falsepositives:
    - When remote authentication is in place, this should not change often
level: high
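How the rule's keyword list behaves on accounting data, as an added example that is not part of the Sigma project or this page: an unfielded Sigma keyword list is matched as case-insensitive substrings anywhere in the log message, with the list items OR-ed. The log layout (`User=`, `CmdSet=[ CmdAV=... ]`), the sample lines and the function names are constructed assumptions.

```python
import re

# Keyword list copied from the rule's `detection.keywords` section.
KEYWORDS = ["username", "aaa"]

# Constructed, simplified accounting lines (assumed layout, not real device output).
SAMPLE_LOGS = [
    "rtr1 User=jdoe CmdSet=[ CmdAV=username CmdAV=backup CmdAV=privilege CmdAV=15 ]",
    "rtr1 User=jdoe CmdSet=[ CmdAV=aaa CmdAV=new-model ]",
    "rtr1 User=jdoe CmdSet=[ CmdAV=no CmdAV=Username CmdAV=olduser ]",
    "rtr1 User=jdoe CmdSet=[ CmdAV=show CmdAV=ip CmdAV=route ]",
    "rtr1 User=jdoe CmdSet=[ CmdAV=show CmdAV=aaa CmdAV=servers ]",
    "rtr1 User=aaaron CmdSet=[ CmdAV=show CmdAV=clock ]",
]


def matched_keywords(message):
    """Sigma keyword search: case-insensitive substring match anywhere in the message."""
    lowered = message.lower()
    return [kw for kw in KEYWORDS if kw in lowered]


def cmdset(message):
    """Rebuild the typed command from the CmdSet field listed under `fields`."""
    block = re.search(r"CmdSet=\[(.*?)\]", message)
    if not block:
        return ""
    return " ".join(re.findall(r"CmdAV=(\S+)", block.group(1)))


def evaluate(lines):
    """Return (command, matched keywords) for each line where `condition: keywords` holds."""
    hits = []
    for line in lines:
        found = matched_keywords(line)
        if found:  # list items are OR-ed: one keyword is enough
            hits.append((cmdset(line), found))
    return hits


if __name__ == "__main__":
    for command, found in evaluate(SAMPLE_LOGS):
        print(f"ALERT keywords={found} CmdSet={command!r}")
```

The last two hits come from a read-only `show aaa servers` command and from the substring `aaa` inside the operator name `aaaron`, not from an account or AAA change. Reviewing the `CmdSet` field on each alert separates those from real configuration changes.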
Related rules
- Privileged User Has Been Created
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain
- A Security-Enabled Global Group Was Deleted