Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Cisco Modify Configuration

Modifications to a config that will serve an adversary's impacts or persistence

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Austin ClarkCreated Mon Aug 12Updated Mon Apr 28671ffc77-50a7-464f-9e3d-9ea2b493b26bnetwork
Log Source
Ciscoaaa
ProductCisco← raw: cisco
Serviceaaa← raw: aaa
Detection Logic
Detection Logic1 selector
detection:
    keywords:
        - 'ip http server'
        - 'ip https server'
        - 'kron policy-list'
        - 'kron occurrence'
        - 'policy-list'
        - 'access-list'
        - 'ip access-group'
        - 'archive maximum'
        - 'ntp server'
    condition: keywords
False Positives

Legitimate administrators may run these commands

MITRE ATT&CK
Rule Metadata
Rule ID
671ffc77-50a7-464f-9e3d-9ea2b493b26b
Status
test
Level
medium
Type
Detection
Created
Mon Aug 12
Modified
Mon Apr 28
Author
Austin Clark
Path
rules/network/cisco/aaa/cisco_cli_modify_config.yml
Raw Tags
attack.privilege-escalationattack.executionattack.persistenceattack.impactattack.t1490attack.t1505attack.t1565.002attack.t1053
View on GitHub