Cisco Stage Data
Various protocols may be used to put data on the device for exfil or infil
Sigma rule
title: Cisco Stage Data
id: 5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59
status: test
description: Various protocols may be used to put data on the device for exfil or infil
author: Austin Clark
date: 2019/08/12
modified: 2023/01/04
tags:
  - attack.collection
  - attack.lateral_movement
  - attack.command_and_control
  - attack.exfiltration
  - attack.t1074
  - attack.t1105
  - attack.t1560.001
logsource:
  product: cisco
  service: aaa
detection:
  keywords:
    - 'tftp'
    - 'rcp'
    - 'puts'
    - 'copy'
    - 'configure replace'
    - 'archive tar'
  condition: keywords
fields:
  - CmdSet
falsepositives:
  - Generally used to copy configs or IOS images
level: low
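The rule above is a plain keyword match over Cisco AAA command-accounting events, so its behaviour (and its false-positive profile) is easy to reproduce outside a SIEM. The following Python is an added example, not code from the Sigma project or the rule author: it applies the rule's keyword list to a handful of constructed AAA accounting lines, reports which keyword fired, and adds a small triage helper that separates commands referencing a network target (tftp:, rcp:, ftp:, scp:, http(s):) from purely local copies. The log format (a `CmdSet="..."` field on each line) and the triage heuristic are assumptions for illustration; Sigma `keywords` are treated as case-insensitive substring matches, which is how common backends implement them.

```python
import re

# Keyword list copied from the Sigma rule on this page.
KEYWORDS = ["tftp", "rcp", "puts", "copy", "configure replace", "archive tar"]

# Constructed sample AAA command-accounting lines (not real device output).
# The CmdSet="..." field layout is an assumption made for this example.
SAMPLE_LOGS = [
    '2019-08-12T10:01:33Z rtr01 tacacs+ user=admin priv-lvl=15 CmdSet="copy running-config tftp://192.0.2.10/rtr01.cfg"',
    '2019-08-12T10:02:10Z rtr01 tacacs+ user=admin priv-lvl=15 CmdSet="show ip interface brief"',
    '2019-08-12T10:03:45Z rtr01 tacacs+ user=admin priv-lvl=15 CmdSet="configure replace flash:golden.cfg"',
    '2019-08-12T10:04:02Z rtr01 tacacs+ user=admin priv-lvl=15 CmdSet="archive tar /create flash:logs.tar flash:/logs"',
    '2019-08-12T10:05:19Z rtr01 tacacs+ user=admin priv-lvl=15 CmdSet="copy running-config startup-config"',
    '2019-08-12T10:06:51Z rtr01 tacacs+ user=admin priv-lvl=15 CmdSet="description Link to TFTP-SRV01 backup"',
]

# URI schemes that indicate the command touches a network endpoint (assumed triage heuristic).
REMOTE_SCHEME = re.compile(r"\b(tftp|rcp|ftp|scp|https?):", re.IGNORECASE)


def match_keywords(line, keywords=KEYWORDS):
    """Return the rule keywords present in the line.

    Sigma 'keywords' are matched as case-insensitive substrings, so 'tftp'
    also fires on a hostname such as TFTP-SRV01 and 'puts' would fire on any
    word containing it; that is the rule's behaviour, not a bug in this code.
    """
    lowered = line.lower()
    return [k for k in keywords if k.lower() in lowered]


def extract_cmdset(line):
    """Pull the CmdSet field (the command the operator typed) out of the event."""
    m = re.search(r'CmdSet="([^"]*)"', line)
    return m.group(1) if m else None


def involves_remote_target(cmdset):
    """True when the command names a network URI (data leaving or entering the box)."""
    return bool(cmdset) and REMOTE_SCHEME.search(cmdset) is not None


def run_rule(lines, keywords=KEYWORDS):
    """Apply the rule to each line; return (index, matched keywords, CmdSet, remote?) per hit.

    The 'remote?' flag is the added triage hint: a 'copy' between local file
    systems matches the rule but is the benign case the falsepositives entry
    describes, whereas a copy to or from tftp:/rcp:/scp: is the staging
    behaviour the rule is written for.
    """
    hits = []
    for i, line in enumerate(lines):
        matched = match_keywords(line, keywords)
        if matched:
            cmdset = extract_cmdset(line)
            hits.append((i, matched, cmdset, involves_remote_target(cmdset)))
    return hits


if __name__ == "__main__":
    for idx, matched, cmdset, remote in run_rule(SAMPLE_LOGS):
        tag = "REMOTE" if remote else "local "
        print(f"line {idx} [{tag}] keywords={matched} CmdSet={cmdset!r}")
```

Running it against the constructed lines shows five of the six events matching: the tftp copy and the archive/configure-replace commands, but also the local `copy running-config startup-config` and an interface description that merely contains the string "TFTP". Both of the latter are the substring false positives the rule's `level: low` acknowledges; the remote-target flag is one cheap way to rank the hits before an analyst looks at them.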
Related rules
- Executable Deployment from Remote Share
- Remote File Copy
- Suspicious Registry Modification of MaxMpxCt Parameters
- BITSAdmin Downloading Malicious Binaries
- CertUtil Downloading Malicious Binaries