Cisco Stage Data

Various protocols maybe used to put data on the device for exfil or infil

Sigma rule (View on GitHub)

 1title: Cisco Stage Data
 2id: 5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59
 3status: test
 4description: Various protocols maybe used to put data on the device for exfil or infil
 5author: Austin Clark
 6date: 2019/08/12
 7modified: 2023/01/04
 8tags:
 9    - attack.collection
10    - attack.lateral_movement
11    - attack.command_and_control
12    - attack.exfiltration
13    - attack.t1074
14    - attack.t1105
15    - attack.t1560.001
16logsource:
17    product: cisco
18    service: aaa
19detection:
20    keywords:
21        - 'tftp'
22        - 'rcp'
23        - 'puts'
24        - 'copy'
25        - 'configure replace'
26        - 'archive tar'
27    condition: keywords
28fields:
29    - CmdSet
30falsepositives:
31    - Generally used to copy configs or IOS images
32level: low

Related rules

to-top