Cisco Modify Configuration

Detects modifications to a Cisco device configuration that serve an adversary's impact or persistence goals.

Sigma rule (View on GitHub)

title: Cisco Modify Configuration
id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b
status: test
description: Modifications to a config that will serve an adversary's impacts or persistence
author: Austin Clark
date: 2019/08/12
modified: 2023/01/04
tags:
    - attack.persistence
    - attack.impact
    - attack.t1490
    - attack.t1505
    - attack.t1565.002
    - attack.t1053
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'ip http server'
        - 'ip https server'
        - 'kron policy-list'
        - 'kron occurrence'
        - 'policy-list'
        - 'access-list'
        - 'ip access-group'
        - 'archive maximum'
    condition: keywords
fields:
    - CmdSet
falsepositives:
    - Legitimate administrators may run these commands
level: medium
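The rule's detection block is a Sigma `keywords` list, i.e. an OR of case-insensitive substring matches over the whole AAA log line. The following added Python example (not part of the Sigma rule or the Sigma project) applies exactly those keywords to a few constructed TACACS+ command-accounting lines; the `cmd=` attribute is assumed to carry what the rule's `CmdSet` field would show, and the log format itself is constructed.

```python
import re
from typing import Iterable

# Keywords copied from the Sigma rule above. A Sigma "keywords" list is an
# OR of case-insensitive substring matches against the whole log line.
KEYWORDS = [
    "ip http server",
    "ip https server",
    "kron policy-list",
    "kron occurrence",
    "policy-list",
    "access-list",
    "ip access-group",
    "archive maximum",
]

# Constructed sample AAA command-accounting lines (syslog from a TACACS+
# daemon); the "cmd=" attribute stands in for the rule's CmdSet field.
CONSTRUCTED_LOG = """\
Jan 04 10:01:12 rtr1 tac_plus: acct stop user=admin priv-lvl=15 service=shell cmd=show running-config
Jan 04 10:03:45 rtr1 tac_plus: acct stop user=admin priv-lvl=15 service=shell cmd=ip http server
Jan 04 10:05:02 rtr1 tac_plus: acct stop user=svc_backup priv-lvl=15 service=shell cmd=kron policy-list weekly-dump
Jan 04 10:06:10 rtr1 tac_plus: acct stop user=admin priv-lvl=15 service=shell cmd=interface GigabitEthernet0/1
Jan 04 10:07:30 rtr1 tac_plus: acct stop user=admin priv-lvl=15 service=shell cmd=archive maximum 1
"""

def matched_keywords(line: str) -> list[str]:
    """Keywords from the rule that occur in the line, in rule order."""
    lowered = line.lower()
    return [k for k in KEYWORDS if k in lowered]

def run_rule(lines: Iterable[str]) -> list[dict]:
    """Apply the rule to each line; return one record per line that fires."""
    hits = []
    for line in lines:
        keywords = matched_keywords(line)
        if not keywords:
            continue  # condition: keywords -> no keyword, no alert
        user = re.search(r"user=(\S+)", line)
        cmd = re.search(r"cmd=(.*)$", line)
        hits.append({
            "user": user.group(1) if user else None,
            "CmdSet": cmd.group(1).strip() if cmd else line,
            "keywords": keywords,
        })
    return hits

if __name__ == "__main__":
    for hit in run_rule(CONSTRUCTED_LOG.splitlines()):
        print(hit)
```

Note that `kron policy-list` also satisfies the bare `policy-list` keyword, so one command can report two keyword hits; triage on the `CmdSet` value and the `user`, since the rule's own false-positive note is that administrators legitimately run these commands.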
