Cisco Show Commands Input
Detects Cisco show commands that reveal what other users have entered on the device; full credentials can appear in the command history.
Log Source
Product
cisco
Service
aaa
Detection Logic
detection:
  keywords:
    - 'show history'
    - 'show history all'
    - 'show logging'
  condition: keywords
False Positives
Not commonly run by administrators, especially if remote logging is configured
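The keyword condition above applied to sample log lines, as an added Python example that is not part of the rule or the Sigma project. It assumes the usual Sigma semantics for a keywords list (case-insensitive substring match anywhere in the event, OR'd together) and uses constructed Cisco AAA command-accounting lines in a made-up "user=... cmd=... <cr>" layout; real device output will differ.

```python
"""Keyword matcher for the 'Cisco Show Commands Input' rule over constructed AAA accounting lines."""
import re

# Keywords copied from the rule's detection block.
KEYWORDS = ("show history", "show history all", "show logging")

# Constructed sample lines (hypothetical format, not captured from a real device).
SAMPLE_LOG = """\
Jan 04 10:01:12 rtr-edge-1 aaa: user=admin priv-lvl=15 cmd=show running-config <cr>
Jan 04 10:02:45 rtr-edge-1 aaa: user=contractor priv-lvl=15 cmd=show history all <cr>
Jan 04 10:03:01 rtr-edge-1 aaa: user=netops priv-lvl=15 cmd=show interfaces status <cr>
Jan 04 10:05:30 sw-core-2 aaa: user=contractor priv-lvl=15 cmd=Show Logging <cr>
Jan 04 10:06:00 sw-core-2 aaa: user=netops priv-lvl=15 cmd=show ip route <cr>
"""

USER_RE = re.compile(r"\buser=(\S+)")
CMD_RE = re.compile(r"\bcmd=(.*?)\s*<cr>")


def keyword_match(event: str, keywords=KEYWORDS) -> bool:
    """Sigma 'keywords' list: true if any keyword is a case-insensitive substring of the event."""
    lowered = event.lower()
    return any(k.lower() in lowered for k in keywords)


def scan(log_text: str, keywords=KEYWORDS):
    """Return one hit per matching line, with the user and command pulled out for triage."""
    hits = []
    for line in log_text.splitlines():
        if not keyword_match(line, keywords):
            continue
        user = USER_RE.search(line)
        cmd = CMD_RE.search(line)
        hits.append({
            "user": user.group(1) if user else None,
            "cmd": cmd.group(1).strip() if cmd else line.strip(),
        })
    return hits


def redundant_keywords(keywords=KEYWORDS):
    """Keywords that contain another keyword never add matches; handy when tuning the list."""
    return [
        k for k in keywords
        if any(o != k and o.lower() in k.lower() for o in keywords)
    ]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"user={hit['user']!r} cmd={hit['cmd']!r}")
    print("redundant:", redundant_keywords())
```

Running it flags the two contractor lines (show history all, Show Logging) and reports that 'show history all' is already covered by 'show history', so the shorter keyword alone would produce the same alerts.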
MITRE ATT&CK
Tactics
Credential Access
Sub-techniques
T1552.003 (Unsecured Credentials: Bash History)
Rule Metadata
Rule ID
b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b
Status
test
Level
medium
Type
Detection
Created
Sun Aug 11
Modified
Wed Jan 04
Author
Path
rules/network/cisco/aaa/cisco_cli_input_capture.yml
Raw Tags
attack.credential-access
attack.t1552.003