SigmaHQ/rules/network/cisco/aaa/cisco_cli_input_capture.yml

title: Cisco Show Commands Input
id: b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b
status: experimental
description: See what commands are being input into the device by other people, full credentials can be in the history
author: Austin Clark
date: 2019/08/11
modified: 2020/09/02
logsource:
    product: cisco
    service: aaa
    category: accounting
fields:
    - CmdSet
detection:
    keywords:
        - 'show history'
        - 'show history all'
        - 'show logging'
    condition: keywords
falsepositives:
    - Not commonly run by administrators, especially if remote logging is configured
level: medium
tags:
    - attack.credential_access
    - attack.t1139          # an old one
    - attack.t1552.003
fix: converted CRLF line break to LF 2020-03-25 13:36:34 +00:00			`title: Cisco Show Commands Input`
			`id: b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b`
			`status: experimental`
			`description: See what commands are being input into the device by other people, full credentials can be in the history`
			`author: Austin Clark`
			`date: 2019/08/11`
review network/cisco/aaa 2020-09-02 22:34:41 +00:00			`modified: 2020/09/02`
fix: converted CRLF line break to LF 2020-03-25 13:36:34 +00:00			`logsource:`
			`product: cisco`
			`service: aaa`
			`category: accounting`
			`fields:`
			`- CmdSet`
			`detection:`
			`keywords:`
			`- 'show history'`
			`- 'show history all'`
			`- 'show logging'`
			`condition: keywords`
			`falsepositives:`
review network/cisco/aaa 2020-09-02 22:34:41 +00:00			`- Not commonly run by administrators, especially if remote logging is configured`
fix: converted CRLF line break to LF 2020-03-25 13:36:34 +00:00			`level: medium`
Second round 2020-09-15 13:02:30 +00:00			`tags:`
			`- attack.credential_access`
			`- attack.t1139 # an old one`
			`- attack.t1552.003`