title: Cisco Discovery
id: 9705a6a1-6db6-4a16-a987-15b7151e299b
status: experimental
description: Find information about network devices that are not stored in config files.
references:
    - https://attack.mitre.org/tactics/TA0007/
author: Austin Clark
date: 2019/08/12
tags:
    - attack.discovery
    - attack.t1083
    - attack.t1201
    - attack.t1057
    - attack.t1018
    - attack.t1082
    - attack.t1016
    - attack.t1049
    - attack.t1033
    - attack.t1124
logsource:
    product: cisco
    service: aaa
    category: accounting
fields:
    - src
    - CmdSet
    - User
    - Privilege_Level
    - Remote_Address
detection:
    keywords:
        - 'dir'
        - 'show processes'
        - 'show arp'
        - 'show cdp'
        - 'show version'
        - 'show ip route'
        - 'show ip interface'
        - 'show ip sockets'
        - 'show users'
        - 'show ssh'
        - 'show clock'
    condition: keywords
falsepositives:
    - Commonly used by administrators for troubleshooting
level: low