Cisco Modify Configuration
Detects configuration commands on Cisco devices, as recorded by AAA command accounting, that can serve an adversary's persistence or impact goals.
Sigma rule
title: Cisco Modify Configuration
id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b
status: test
description: Detects modifications to a Cisco device configuration that can serve an adversary's persistence or impact goals
author: Austin Clark
date: 2019-08-12
modified: 2025-04-28
tags:
    - attack.persistence
    - attack.impact
    - attack.t1490
    - attack.t1505
    - attack.t1565.002
    - attack.t1053
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'ip http server'
        - 'ip https server'
        - 'kron policy-list'
        - 'kron occurrence'
        - 'policy-list'
        - 'access-list'
        - 'ip access-group'
        - 'archive maximum'
        - 'ntp server'
    condition: keywords
fields:
    - CmdSet
falsepositives:
    - Legitimate administrators may run these commands
level: medium
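A Sigma `keywords` list is an OR of case-insensitive substring matches against the whole event, so this rule fires on any AAA command-accounting record that contains one of the nine strings, including read-only commands such as `show ip access-lists` (which contains `access-list`). The block below is an added example, not code from the SigmaHQ rule or its author: it implements that matching logic in Python, runs it over a handful of constructed TACACS+-style command-accounting lines (the `cmd=... <cr>` layout approximates tac_plus accounting output and is an assumption, as are the hostnames, users and addresses), extracts the command the rule's `CmdSet` field refers to, and shows one tuning step, dropping `show` commands, that the rule itself does not perform.

```python
"""Run the 'Cisco Modify Configuration' keyword logic over sample AAA records.

Added example, not part of the SigmaHQ rule. Sigma keyword lists are matched
as case-insensitive substrings of the whole event, OR'ed together; that is
what matched_keywords() implements. The log lines are constructed to resemble
TACACS+ command accounting (tac_plus style) and are not real device output.
"""
from __future__ import annotations

import re
from typing import Optional

# Keyword list copied from the rule, in rule order.
KEYWORDS = [
    "ip http server",
    "ip https server",
    "kron policy-list",
    "kron occurrence",
    "policy-list",
    "access-list",
    "ip access-group",
    "archive maximum",
    "ntp server",
]

# Constructed sample records (assumed format: timestamp, NAS, user, port,
# client address, record type, then AV pairs; cmd= carries the executed
# command the rule's CmdSet field points at). Addresses are documentation
# ranges; nothing here is a real capture.
SAMPLE_LOG = """\
2025-05-01 10:02:11 192.0.2.10 admin tty2 198.51.100.5 stop task_id=101 service=shell priv-lvl=15 cmd=configure terminal <cr>
2025-05-01 10:02:19 192.0.2.10 admin tty2 198.51.100.5 stop task_id=102 service=shell priv-lvl=15 cmd=ip http server <cr>
2025-05-01 10:02:40 192.0.2.10 admin tty2 198.51.100.5 stop task_id=103 service=shell priv-lvl=15 cmd=kron policy-list nightly <cr>
2025-05-01 10:02:55 192.0.2.10 admin tty2 198.51.100.5 stop task_id=104 service=shell priv-lvl=15 cmd=ntp server 203.0.113.7 <cr>
2025-05-01 10:03:30 192.0.2.10 noc tty3 198.51.100.9 stop task_id=105 service=shell priv-lvl=15 cmd=show ip access-lists <cr>
2025-05-01 10:04:02 192.0.2.10 noc tty3 198.51.100.9 stop task_id=106 service=shell priv-lvl=15 cmd=show running-config <cr>
"""

_CMD_RE = re.compile(r"cmd=(.*?)\s*<cr>")


def matched_keywords(event: str) -> list[str]:
    """Every rule keyword contained in the event, case-insensitively, in rule order.

    Overlapping keywords both match: 'kron policy-list ...' returns
    ['kron policy-list', 'policy-list'], and 'access-lists' contains 'access-list'.
    """
    lowered = event.lower()
    return [k for k in KEYWORDS if k.lower() in lowered]


def cmdset(event: str) -> Optional[str]:
    """Extract the executed command (the CmdSet field) from an accounting record."""
    m = _CMD_RE.search(event)
    return m.group(1) if m else None


def is_read_only(command: Optional[str]) -> bool:
    """Heuristic tuning filter the rule does not apply: 'show' commands change nothing."""
    return command is not None and command.lower().startswith("show ")


def run_rule(log_text: str) -> list[tuple[str, list[str]]]:
    """Apply the rule's OR-of-keywords condition to each line; return the hits."""
    hits = []
    for line in log_text.splitlines():
        keywords = matched_keywords(line)
        if keywords:
            hits.append((line, keywords))
    return hits


def tuned_hits(log_text: str) -> list[str]:
    """Commands that matched the rule after dropping read-only 'show' commands."""
    return [cmdset(line) or "" for line, _ in run_rule(log_text)
            if not is_read_only(cmdset(line))]


if __name__ == "__main__":
    for line, keywords in run_rule(SAMPLE_LOG):
        print(f"{cmdset(line)!r:40} matched {keywords}")
    print("after dropping show commands:", tuned_hits(SAMPLE_LOG))
```

Running it shows four hits out of six records: the three configuration changes plus `show ip access-lists`, which is the substring false positive that the rule's `falsepositives` entry hints at. The `show` filter is one place to start tuning; alternatively, a production deployment could key on `priv-lvl=15` or on a preceding `configure terminal` from the same session.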
Related rules
- Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script
- File Recovery From Backup Via Wbadmin.EXE
- New File Exclusion Added To Time Machine Via Tmutil - MacOS
- Time Machine Backup Deletion Attempt Via Tmutil - MacOS
- Time Machine Backup Disabled Via Tmutil - MacOS