Cisco Local Accounts
Find local accounts being created or modified as well as remote authentication configurations
Sigma rule (View on GitHub)
title: Cisco Local Accounts
id: 6d844f0f-1c18-41af-8f19-33e7654edfc3
status: test
description: Find local accounts being created or modified as well as remote authentication configurations
author: Austin Clark
date: 2019/08/12
modified: 2023/01/04
tags:
    - attack.persistence
    - attack.t1136.001
    - attack.t1098
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'username'
        - 'aaa'
    condition: keywords
fields:
    - CmdSet
falsepositives:
    - When remote authentication is in place, this should not change often
level: high
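The rule's keyword logic applied to sample events, as an added example that is not part of the original page or the Sigma project. It assumes Sigma's keyword semantics (list values are ORed and matched case-insensitively anywhere in the log message); the event dictionaries, the `user` field and every `CmdSet` value are constructed for illustration.

```python
# Keywords copied from the rule's detection section.
KEYWORDS = ["username", "aaa"]

# Constructed sample events (assumption): not real device logs.
SAMPLE_EVENTS = [
    {"user": "netops1", "CmdSet": "username backup privilege 15 secret <redacted>"},
    {"user": "netops1", "CmdSet": "aaa new-model"},
    {"user": "netops2", "CmdSet": "no AAA authentication login default"},
    {"user": "netops2", "CmdSet": "show aaa servers"},
    {"user": "netops3", "CmdSet": "interface GigabitEthernet0/1"},
    {"user": "netops3", "CmdSet": "show running-config"},
]


def matched_keywords(event):
    """Return the rule keywords found anywhere in the event's values."""
    # Keyword detections are not bound to one field: search the whole message.
    message = " ".join(str(value) for value in event.values()).lower()
    return [keyword for keyword in KEYWORDS if keyword in message]


def evaluate(events):
    """Apply 'condition: keywords' (any keyword hit raises an alert)."""
    alerts = []
    for event in events:
        hits = matched_keywords(event)
        if hits:
            # The rule lists CmdSet under 'fields', so surface it for triage.
            alerts.append({"CmdSet": event.get("CmdSet", ""), "keywords": hits})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Four of the six constructed events alert, including the read-only `show aaa servers`, because the match is a plain substring test with no notion of whether the command changes configuration.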
Related rules
- PowerShell Create Local User
- Creation Of An User Account
- Password Change on Directory Service Restore Mode (DSRM) Account
- Suspicious Windows ANONYMOUS LOGON Local Account Created
- Cisco Modify Configuration