mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 17:58:52 +00:00
42 lines
1.0 KiB
YAML
42 lines
1.0 KiB
YAML
title: Cisco Modify Configuration
|
|
id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b
|
|
status: experimental
|
|
description: Modifications to a config that will serve an adversary's impacts or persistence
|
|
references:
|
|
- https://attack.mitre.org/techniques/T1100/
|
|
- https://attack.mitre.org/techniques/T1168/
|
|
- https://attack.mitre.org/techniques/T1493/
|
|
author: Austin Clark
|
|
date: 2019/08/12
|
|
tags:
|
|
- attack.persistence
|
|
- attack.privilege_escalation
|
|
- attack.impact
|
|
- attack.t1493
|
|
- attack.t1100
|
|
- attack.t1168
|
|
- attack.t1490
|
|
- attack.t1565.002
|
|
- attack.t1505
|
|
- attack.t1053
|
|
logsource:
|
|
product: cisco
|
|
service: aaa
|
|
category: accounting
|
|
fields:
|
|
- CmdSet
|
|
detection:
|
|
keywords:
|
|
- 'ip http server'
|
|
- 'ip https server'
|
|
- 'kron policy-list'
|
|
- 'kron occurrence'
|
|
- 'policy-list'
|
|
- 'access-list'
|
|
- 'ip access-group'
|
|
- 'archive maximum'
|
|
condition: keywords
|
|
falsepositives:
|
|
- Legitimate administrators may run these commands.
|
|
level: medium
|