Cisco Local Accounts

Jan 4, 2023 · attack.persistence attack.t1136.001 attack.t1098 ·

Find local accounts being created or modified as well as remote authentication configurations

Sigma rule (View on GitHub)

 1title: Cisco Local Accounts
 2id: 6d844f0f-1c18-41af-8f19-33e7654edfc3
 3status: test
 4description: Find local accounts being created or modified as well as remote authentication configurations
 5author: Austin Clark
 6date: 2019/08/12
 7modified: 2023/01/04
 8tags:
 9    - attack.persistence
10    - attack.t1136.001
11    - attack.t1098
12logsource:
13    product: cisco
14    service: aaa
15detection:
16    keywords:
17        - 'username'
18        - 'aaa'
19    condition: keywords
20fields:
21    - CmdSet
22falsepositives:
23    - When remote authentication is in place, this should not change often
24level: high

Related rules

PowerShell Create Local User
Creation Of An User Account
Password Change on Directory Service Restore Mode (DSRM) Account
Suspicious Windows ANONYMOUS LOGON Local Account Created
Cisco Modify Configuration