Emerging Threat (level: high, status: test)

Exploitation Indicators Of CVE-2023-20198

Detects exploitation indicators of CVE-2023-20198, a privilege escalation vulnerability in the Web UI of Cisco IOS XE Software.

Author
Lars B. P. Frydenskov (Trifork Security)
Created
Fri Oct 20, 2023
Rule ID
2ece8816-b7a0-4d9b-b0e8-ae7ad18bc02b
Emerging Threat
Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source
Product
Cisco (raw: cisco)
Service
syslog (raw: syslog)

Definition

Requirements: Cisco IOS XE system logs need to be configured and ingested into the SIEM before this rule can fire.

Detection Logic
2 selectors
detection:
    keyword_event:
        - '%WEBUI-6-INSTALL_OPERATION_INFO:'
        - '%SYS-5-CONFIG_P:'
        - '%SEC_LOGIN-5-WEBLOGIN_SUCCESS:'
    keyword_user:
        - 'cisco_tac_admin'
        - 'cisco_support'
        - 'cisco_sys_manager'
    condition: keyword_event and keyword_user
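The rule's condition is a per-line AND: a syslog message must contain one of the three event keywords and one of the three account names. The following Python is an added example, not part of the Sigma rule or the SigmaHQ project, that applies exactly that logic to constructed IOS XE syslog lines so the selector behaviour can be checked before a backend conversion is deployed. Sigma keyword matching is a case-insensitive substring test, which is what the code implements; the sample message bodies are illustrative and not real captures.

```python
"""Evaluate the CVE-2023-20198 Sigma keyword selectors over syslog lines.

Added example (not the rule author's code). The sample log lines are
constructed for illustration and do not come from a real device.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# The two keyword selectors, copied from the rule's detection block.
KEYWORD_EVENT = (
    "%WEBUI-6-INSTALL_OPERATION_INFO:",
    "%SYS-5-CONFIG_P:",
    "%SEC_LOGIN-5-WEBLOGIN_SUCCESS:",
)
KEYWORD_USER = ("cisco_tac_admin", "cisco_support", "cisco_sys_manager")


@dataclass
class Hit:
    """One alert: the matching line and which keyword from each selector hit."""
    line: str
    event: str
    user: str


def _first_match(text: str, needles: Iterable[str]) -> Optional[str]:
    """Sigma keyword semantics: case-insensitive substring match anywhere in the message."""
    lowered = text.lower()
    for needle in needles:
        if needle.lower() in lowered:
            return needle
    return None


def matches_rule(line: str) -> Optional[Hit]:
    """Apply 'keyword_event and keyword_user': both selectors must hit the same line."""
    event = _first_match(line, KEYWORD_EVENT)
    user = _first_match(line, KEYWORD_USER)
    if event is None or user is None:
        return None
    return Hit(line=line, event=event, user=user)


def scan(lines: Iterable[str]) -> List[Hit]:
    """Return every line that satisfies the rule condition, in input order."""
    return [hit for hit in (matches_rule(line) for line in lines) if hit is not None]


# Constructed sample syslog lines (assumed formats, not real device output).
SAMPLE_LINES = [
    # Web UI login by a suspicious account: both selectors hit -> alert
    "Oct 20 10:01:02 router1 %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success "
    "[user: cisco_tac_admin] [Source: 192.0.2.10]",
    # Programmatic config change attributed to a suspicious account -> alert
    "Oct 20 10:01:30 router1 %SYS-5-CONFIG_P: Configured programmatically "
    "by process SEP_webui_wsma_http from console as cisco_support on vty0",
    # Same event type but a legitimate operator account -> no alert
    "Oct 20 10:02:00 router1 %SYS-5-CONFIG_P: Configured programmatically "
    "by process SEP_webui_wsma_http from console as netops on vty1",
    # Legitimate Web UI login -> event keyword only, no alert
    "Oct 20 10:02:15 router1 %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success "
    "[user: netops] [Source: 192.0.2.11]",
    # Unrelated message -> no alert
    "Oct 20 10:03:00 router1 %LINEPROTO-5-UPDOWN: Line protocol on "
    "Interface GigabitEthernet1, changed state to up",
    # Install operation logged for a suspicious account -> alert
    "Oct 20 10:03:05 router1 %WEBUI-6-INSTALL_OPERATION_INFO: User: "
    "cisco_sys_manager, Install Operation: ADD",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(f"ALERT event={hit.event} user={hit.user}: {hit.line}")
```

Running the block prints three alerts (lines 1, 2 and 6 of the sample set). Because the AND is evaluated within a single message, an `%SYS-5-CONFIG_P:` line that names an ordinary account does not fire, and conversely a real, locally created account called `cisco_support` would fire on every Web UI login, which is the false-positive case the rule notes below.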
False Positives

Rare false positives might occur if there are valid users named "cisco_tac_admin" or "cisco_support"; these accounts are not created by default or by Cisco representatives.

MITRE ATT&CK

Privilege Escalation (attack.privilege-escalation)
Initial Access (attack.initial-access)

Other

detection.emerging-threats
Rule Metadata
Rule ID
2ece8816-b7a0-4d9b-b0e8-ae7ad18bc02b
Status
test
Level
high
Type
Emerging Threat
Created
Fri Oct 20, 2023
Path
rules-emerging-threats/2023/Exploits/CVE-2023-20198/cisco_syslog_cve_2023_20198_ios_xe_web_ui.yml
Raw Tags
attack.privilege-escalation
attack.initial-access
detection.emerging-threats