Detectionhightest
Cisco Local Accounts
Find local accounts being created or modified as well as remote authentication configurations
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
Ciscoaaa
ProductCisco← raw: cisco
Serviceaaa← raw: aaa
Detection Logic
Detection Logic1 selector
detection:
keywords:
- 'username'
- 'aaa'
condition: keywordsFalse Positives
When remote authentication is in place, this should not change often
MITRE ATT&CK
Techniques
Sub-techniques
Rule Metadata
Rule ID
6d844f0f-1c18-41af-8f19-33e7654edfc3
Status
test
Level
high
Type
Detection
Created
Mon Aug 12
Modified
Wed Jan 04
Author
Path
rules/network/cisco/aaa/cisco_cli_local_accounts.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.t1136.001attack.t1098