Cisco Modify Configuration
Modifications to a config that will serve an adversary's impacts or persistence
Sigma rule
title: Cisco Modify Configuration
id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b
status: test
description: Modifications to a config that will serve an adversary's impacts or persistence
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
  - attack.persistence
  - attack.impact
  - attack.t1490
  - attack.t1505
  - attack.t1565.002
  - attack.t1053
logsource:
  product: cisco
  service: aaa
detection:
  keywords:
    - 'ip http server'
    - 'ip https server'
    - 'kron policy-list'
    - 'kron occurrence'
    - 'policy-list'
    - 'access-list'
    - 'ip access-group'
    - 'archive maximum'
  condition: keywords
fields:
  - CmdSet
falsepositives:
  - Legitimate administrators may run these commands
level: medium
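The rule's keyword list applied to a few constructed Cisco AAA command-accounting lines, as an added example (not code from the Sigma project or the rule's author). Sigma keyword lists match case-insensitively anywhere in the raw message; the record layout, the cmd=...<cr> parsing and the CmdSet extraction below are assumptions, not verbatim Cisco output.

```python
"""Apply the Cisco Modify Configuration rule's keyword detection to sample
AAA command-accounting records and report which commands fire."""
import re
from typing import List, Optional, Tuple

# Keyword list copied from the rule's detection block (order kept as written).
KEYWORDS = [
    'ip http server', 'ip https server', 'kron policy-list', 'kron occurrence',
    'policy-list', 'access-list', 'ip access-group', 'archive maximum',
]

# Constructed sample records (assumed layout, loosely modelled on TACACS+
# shell accounting; not real device output).
SAMPLE_LOG = """\
2019-08-12T10:14:02 rtr1 tacacs-acct user=admin priv-lvl=15 service=shell cmd=show running-config <cr>
2019-08-12T10:14:09 rtr1 tacacs-acct user=admin priv-lvl=15 service=shell cmd=configure terminal <cr>
2019-08-12T10:14:15 rtr1 tacacs-acct user=admin priv-lvl=15 service=shell cmd=ip http server <cr>
2019-08-12T10:14:31 rtr1 tacacs-acct user=admin priv-lvl=15 service=shell cmd=kron policy-list NIGHTLY <cr>
2019-08-12T10:14:40 rtr1 tacacs-acct user=admin priv-lvl=15 service=shell cmd=IP ACCESS-GROUP 101 in <cr>
2019-08-12T10:15:02 rtr1 tacacs-acct user=ops priv-lvl=1 service=shell cmd=show ip interface brief <cr>
"""


def matches_keyword(line: str) -> Optional[str]:
    """Return the first rule keyword found in the line, or None.
    Sigma 'keywords' are case-insensitive substring matches over the whole
    message, so 'IP ACCESS-GROUP 101 in' still fires on 'ip access-group'."""
    lowered = line.lower()
    for kw in KEYWORDS:
        if kw in lowered:
            return kw
    return None


def extract_cmdset(line: str) -> str:
    """Pull the executed command out of a record (the rule's 'CmdSet' field);
    assumes the 'cmd=... <cr>' layout of the constructed sample above."""
    m = re.search(r'cmd=(.*?)\s*<cr>', line)
    return m.group(1) if m else ''


def run_rule(log: str) -> List[Tuple[str, str]]:
    """Evaluate every record; return (command, matched keyword) per hit."""
    hits = []
    for line in log.splitlines():
        kw = matches_keyword(line)
        if kw:
            hits.append((extract_cmdset(line), kw))
    return hits


if __name__ == '__main__':
    for cmd, kw in run_rule(SAMPLE_LOG):
        print(f'ALERT keyword={kw!r} CmdSet={cmd!r}')
```

Only three of the six records fire; the two `show` commands and `configure terminal` are ignored, which matches the rule's intent of flagging specific persistence- and impact-relevant configuration changes rather than all privileged activity.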
Related rules
- All Backups Deleted Via Wbadmin.EXE
- Backup Files Deleted
- Boot Configuration Tampering Via Bcdedit.EXE
- Copy From VolumeShadowCopy Via Cmd.EXE
- Defrag Deactivation - Security