Cisco Modify Configuration

Configuration modifications that serve an adversary's impact or persistence goals

Sigma rule

title: Cisco Modify Configuration
id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b
status: test
description: Modifications to a config that will serve an adversary's impacts or persistence
author: Austin Clark
date: 2019-08-12
modified: 2025-04-28
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.impact
    - attack.t1490
    - attack.t1505
    - attack.t1565.002
    - attack.t1053
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'ip http server'
        - 'ip https server'
        - 'kron policy-list'
        - 'kron occurrence'
        - 'policy-list'
        - 'access-list'
        - 'ip access-group'
        - 'archive maximum'
        - 'ntp server'
    condition: keywords
fields:
    - CmdSet
falsepositives:
    - Legitimate administrators may run these commands
level: medium
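The following is an added example, not part of the Sigma rule or the Sigma project: a small evaluator that applies the rule's keyword list with Sigma's case-insensitive substring semantics to constructed Cisco AAA command-accounting lines. The CmdSet field name comes from the rule; the log line layout, usernames and timestamps are assumptions made up for illustration.

```python
"""Evaluate the 'keywords' detection of the Cisco Modify Configuration rule
over constructed AAA command-accounting lines (added example, not Sigma code)."""
import re
from dataclasses import dataclass, field

# Keyword list copied verbatim from the rule's detection section.
KEYWORDS = [
    "ip http server", "ip https server", "kron policy-list", "kron occurrence",
    "policy-list", "access-list", "ip access-group", "archive maximum", "ntp server",
]

# Constructed sample log in the general style of IOS TACACS+ command accounting.
# The exact message format on a real device differs; this is an assumption.
SAMPLE_LOG = """\
Aug 12 2019 10:01:03: %AAA-6-ACCT: user=netops cmd=show running-config
Aug 12 2019 10:02:17: %AAA-6-ACCT: user=netops cmd=kron policy-list EXFIL
Aug 12 2019 10:02:40: %AAA-6-ACCT: user=netops cmd=kron occurrence NIGHTLY at 2:00 recurring
Aug 12 2019 10:03:05: %AAA-6-ACCT: user=intern cmd=ip http server
Aug 12 2019 10:04:11: %AAA-6-ACCT: user=netops cmd=interface GigabitEthernet0/1
Aug 12 2019 10:05:22: %AAA-6-ACCT: user=admin cmd=archive maximum 1
"""


@dataclass
class Alert:
    line_no: int
    user: str
    cmdset: str                      # the command the rule's 'fields' asks to surface
    matched: list = field(default_factory=list)  # which keywords fired


def parse_line(line):
    """Pull user and CmdSet out of one constructed accounting line; None if absent."""
    m = re.search(r"user=(\S+) cmd=(.*)$", line)
    return (m.group(1), m.group(2)) if m else None


def evaluate(log_text):
    """Sigma 'keywords' condition: any keyword found, case-insensitively, anywhere
    in the event raises an alert. Overlapping keywords (e.g. 'kron policy-list' and
    'policy-list') both fire on the same event, which is expected behaviour."""
    alerts = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        hits = [k for k in KEYWORDS if k in line.lower()]
        if hits:
            alerts.append(Alert(n, parsed[0], parsed[1], hits))
    return alerts
```

Triaging the `user` value against the change-management record is the practical way to handle the rule's stated false positive (legitimate administrators running these commands).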
