
Cisco Crypto Commands

Detects when private keys are exported from the device, or when new certificates are installed.

Author: Austin Clark
Created: Mon Aug 12
Updated: Wed Jan 04
Rule ID: 1f978c6a-4415-47fb-aca5-736a44d7ca3d
Category: network
Log Source
Product: cisco
Service: aaa
Detection Logic
detection:
    keywords:
        - 'crypto pki export'
        - 'crypto pki import'
        - 'crypto pki trustpoint'
    condition: keywords
False Positives

Not commonly run by administrators. Also whitelist your known-good certificates.
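The detection block above is a Sigma keyword list: each string is matched as a case-insensitive substring anywhere in the log message, and `condition: keywords` fires when any of them is present. The example below is added here and is not part of the rule or of the SigmaHQ project; it applies that matching to a handful of constructed Cisco command-logging lines and layers on the whitelist the false-positive note asks for. The log line format, the `CORP-CA` trustpoint name and the whitelist set are constructed for the example, and the choice never to suppress `crypto pki export` (even for a known-good trustpoint, because export moves a private key off the device) is the example's own design decision, not something the rule specifies.

```python
"""Keyword matching for the 'Cisco Crypto Commands' Sigma rule over Cisco
command-logging lines. Added example; not the rule's or SigmaHQ's own code."""
import re
from typing import List, Optional, Tuple

# Keywords copied verbatim from the rule's detection block. Sigma keyword
# lists are matched as case-insensitive substrings of the whole message.
KEYWORDS = (
    "crypto pki export",
    "crypto pki import",
    "crypto pki trustpoint",
)

# Constructed whitelist of trustpoints the organisation expects to see
# created or imported (the rule's false-positive note: whitelist known-good
# certificates). Not part of the rule itself.
KNOWN_GOOD_TRUSTPOINTS = {"CORP-CA"}

# Pulls the verb and the trustpoint name that follows it, e.g.
# "crypto pki export BACKUP-TP pem terminal" -> ("export", "BACKUP-TP").
_TRUSTPOINT_RE = re.compile(
    r"crypto\s+pki\s+(export|import|trustpoint)\s+(\S+)", re.IGNORECASE
)


def matches_rule(line: str) -> bool:
    """Sigma 'condition: keywords': true if any keyword occurs in the line."""
    lowered = line.lower()
    return any(keyword in lowered for keyword in KEYWORDS)


def parse_action(line: str) -> Optional[Tuple[str, str]]:
    """Return (verb, trustpoint) for a crypto pki command line, else None."""
    match = _TRUSTPOINT_RE.search(line)
    if match is None:
        return None
    return match.group(1).lower(), match.group(2)


def triage(line: str) -> str:
    """Classify one log line as 'no_match', 'whitelisted' or 'alert'.

    Export is never whitelisted: it moves a private key off the device,
    which is exactly what the rule exists to catch. 'import' and
    'trustpoint' commands that name a known-good trustpoint are suppressed.
    """
    if not matches_rule(line):
        return "no_match"
    action = parse_action(line)
    if action is not None:
        verb, trustpoint = action
        if verb != "export" and trustpoint in KNOWN_GOOD_TRUSTPOINTS:
            return "whitelisted"
    return "alert"


def triage_many(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (verdict, line) pairs for every line the rule matched."""
    results = []
    for line in lines:
        verdict = triage(line)
        if verdict != "no_match":
            results.append((verdict, line))
    return results


# Constructed sample lines, loosely modelled on IOS configuration-change
# logging output. Usernames, trustpoint names and commands are made up.
SAMPLE_LOG = [
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface GigabitEthernet0/1",
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:crypto pki trustpoint CORP-CA",
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup  logged command:crypto pki export CORP-CA pem terminal",
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup  logged command:Crypto PKI import NEW-TP pem terminal",
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:crypto key generate rsa modulus 2048",
]

if __name__ == "__main__":
    for verdict, line in triage_many(SAMPLE_LOG):
        print(f"{verdict:12} {line}")
```

Two things the sample set makes visible: the mixed-case `Crypto PKI import` line still matches, because Sigma keyword matching is case-insensitive, and the `crypto key generate rsa` line does not match at all, since the rule only lists the three `crypto pki` verbs. Key generation on the device is therefore outside this rule's scope and would need a separate rule if it matters in your environment.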

Rule Metadata
Rule ID
1f978c6a-4415-47fb-aca5-736a44d7ca3d
Status
test
Level
high
Type
Detection
Created
Mon Aug 12
Modified
Wed Jan 04
Path
rules/network/cisco/aaa/cisco_cli_crypto_actions.yml
Raw Tags
attack.credential-access
attack.defense-evasion
attack.t1553.004
attack.t1552.004