Detection · low · test
Cisco Discovery
Find information about network devices that is not stored in config files
Log Source
Product: cisco
Service: aaa
Detection Logic (1 selector)
detection:
    keywords:
        - 'dir'
        - 'show arp'
        - 'show cdp'
        - 'show clock'
        - 'show ip interface'
        - 'show ip route'
        - 'show ip sockets'
        - 'show processes'
        - 'show ssh'
        - 'show users'
        - 'show version'
    condition: keywords
False Positives
Commonly used by administrators for troubleshooting
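The rule's condition is just "keywords", which in Sigma means case-insensitive substring matching of any listed keyword anywhere in the event. The following added example (not part of the rule or the Sigma project) applies that logic to a handful of constructed command-accounting lines; the "tacacs-acct ... user= ... cmd=" layout is made up for illustration and is not a real Cisco or TACACS+ record format. It also shows why the false-positive note matters: the bare keyword 'dir' fires on any word containing those letters (for instance "redirects"), and a stricter variant that anchors the keyword to a hypothetical cmd= field removes that class of noise.

```python
"""Apply the Cisco Discovery Sigma rule's keyword logic to sample log lines.

Added example. The sample log format is constructed for illustration and is
not a real Cisco IOS or TACACS+ accounting layout.
"""
import re

# Keyword list copied from the rule's detection.keywords. Condition "keywords"
# means an event matches when any keyword occurs anywhere in it, case-insensitive.
KEYWORDS = [
    "dir",
    "show arp",
    "show cdp",
    "show clock",
    "show ip interface",
    "show ip route",
    "show ip sockets",
    "show processes",
    "show ssh",
    "show users",
    "show version",
]

# Constructed sample lines in a made-up "tacacs-acct" command-accounting format.
# Line index 2 is a benign non-discovery command; line index 3 contains no
# discovery command but the word "redirects" contains the substring "dir".
SAMPLE_LINES = [
    "Jan 04 10:15:02 rtr01 tacacs-acct: user=netops priv-lvl=15 cmd=show version",
    "Jan 04 10:15:09 rtr01 tacacs-acct: user=netops priv-lvl=15 cmd=show ip route",
    "Jan 04 10:15:31 rtr01 tacacs-acct: user=netops priv-lvl=15 cmd=configure terminal",
    "Jan 04 10:15:40 rtr01 tacacs-acct: user=netops priv-lvl=15 cmd=no ip redirects",
    "Jan 04 10:16:02 rtr01 tacacs-acct: user=svc-backup priv-lvl=1 cmd=show users",
]

_ALTERNATION = "|".join(re.escape(k) for k in KEYWORDS)

# Sigma semantics: any keyword, anywhere in the line, case-insensitive.
_ANY_KEYWORD = re.compile(_ALTERNATION, re.IGNORECASE)

# Stricter variant (assumption: the log carries a cmd= field): the keyword must
# begin the command itself and be followed by whitespace or end of line, so
# "cmd=no ip redirects" no longer fires on 'dir'.
_CMD_KEYWORD = re.compile(r"\bcmd=(?:" + _ALTERNATION + r")(?:\s|$)", re.IGNORECASE)


def matches_rule(line: str) -> bool:
    """True if the line matches the Sigma rule as written (substring semantics)."""
    return _ANY_KEYWORD.search(line) is not None


def matches_strict(line: str) -> bool:
    """True only if a listed keyword is the command in the cmd= field."""
    return _CMD_KEYWORD.search(line) is not None


def matching_keywords(line: str) -> list:
    """Return the keywords that fired on a line, for triage of a hit."""
    lower = line.lower()
    return [k for k in KEYWORDS if k in lower]


def discovery_hits_by_user(lines, strict: bool = False) -> dict:
    """Group matching lines by the user= field so a burst of discovery commands
    from one account stands out. Returns {user: [fired keyword, ...]}."""
    check = matches_strict if strict else matches_rule
    hits = {}
    for line in lines:
        if not check(line):
            continue
        m = re.search(r"\buser=(\S+)", line)
        user = m.group(1) if m else "<unknown>"
        hits.setdefault(user, []).extend(matching_keywords(line))
    return hits


if __name__ == "__main__":
    print("rule as written:", discovery_hits_by_user(SAMPLE_LINES))
    print("anchored to cmd=:", discovery_hits_by_user(SAMPLE_LINES, strict=True))
```

Running the block shows the rule as written attributing three hits to netops (including the spurious 'dir' from "redirects") and one to svc-backup, while the anchored variant drops the spurious hit. The per-user grouping is the view an analyst wants for a low-severity rule like this one: a single "show version" is routine, a short burst of several distinct discovery commands from an account that does not normally run them is what merits a look.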
References
MITRE ATT&CK
Tactics
Discovery
Techniques
T1083 · File and Directory Discovery
T1201 · Password Policy Discovery
T1057 · Process Discovery
T1018 · Remote System Discovery
T1082 · System Information Discovery
T1016 · System Network Configuration Discovery
T1049 · System Network Connections Discovery
T1033 · System Owner/User Discovery
T1124 · System Time Discovery
Rule Metadata
Rule ID
9705a6a1-6db6-4a16-a987-15b7151e299b
Status
test
Level
low
Type
Detection
Created
Mon Aug 12
Modified
Wed Jan 04
Author
Path
rules/network/cisco/aaa/cisco_cli_discovery.yml
Raw Tags
attack.discovery
attack.t1083
attack.t1201
attack.t1057
attack.t1018
attack.t1082
attack.t1016
attack.t1049
attack.t1033
attack.t1124