Cisco Local Accounts
Find local accounts being created or modified as well as remote authentication configurations
Sigma rule
title: Cisco Local Accounts
id: 6d844f0f-1c18-41af-8f19-33e7654edfc3
status: test
description: Find local accounts being created or modified as well as remote authentication configurations
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1136.001
    - attack.t1098
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'username'
        - 'aaa'
    condition: keywords
fields:
    - CmdSet
falsepositives:
    - When remote authentication is in place, this should not change often
level: high
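
How the rule's two keywords evaluate against events, as an added example that is not part of the Sigma rule or the Sigma project: it approximates Sigma keyword matching (case-insensitive substring, any keyword) over constructed key=value events, first against the whole event and then against the CmdSet field only. The event layout, the sample lines and the function names are assumptions.

```python
import re

# Keywords copied from the rule's detection.keywords (a list, so they are ORed).
KEYWORDS = ("username", "aaa")

# Constructed sample events, not real logs; the key=value layout is an assumption.
SAMPLE_EVENTS = [
    'user=netops CmdSet="username backup privilege 15 secret <redacted>"',
    'user=netops CmdSet="aaa authentication login default local"',
    'user=monitor CmdSet="show aaa servers"',
    'user=monitor CmdSet="interface GigabitEthernet0/1"',
    'user=aaa-svc CmdSet="show version"',
]

def parse_event(line):
    """Split a constructed key=value line into a dict, keeping quoted values whole."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {key: value.strip('"') for key, value in pairs}

def matched_keywords(text):
    """Return the rule keywords found in text, ignoring case."""
    lowered = text.lower()
    return [kw for kw in KEYWORDS if kw in lowered]

def evaluate(events, field=None):
    """Return (CmdSet, keywords hit) per matching event.

    field=None searches the whole event, which is how a keyword-only
    detection is applied; field="CmdSet" restricts the search to the
    command text listed under the rule's `fields`.
    """
    alerts = []
    for line in events:
        event = parse_event(line)
        target = line if field is None else event.get(field, "")
        hits = matched_keywords(target)
        if hits:
            alerts.append((event.get("CmdSet", ""), hits))
    return alerts

if __name__ == "__main__":
    for label, field in (("whole event", None), ("CmdSet only", "CmdSet")):
        print(label)
        for cmd, hits in evaluate(SAMPLE_EVENTS, field):
            print(f"  {hits} -> {cmd}")
```

On these constructed events the whole-event search also fires on a read-only `show aaa servers` and on an account name that contains `aaa`, which is the kind of noise to expect when tuning the rule for a given log format.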
Related rules
- Privileged User Has Been Created
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain
- A Security-Enabled Global Group Was Deleted