Detection | medium | test

Cisco Denial of Service

Detects a system being shut down or put into a different boot mode.

Austin Clark
Created Thu Aug 15
Updated Wed Jan 04
d94a35f0-7a29-45f6-90a0-80df6159967c
network
Log Source
Product: Cisco (raw: cisco)
Service: aaa (raw: aaa)
Detection Logic (1 selector)
detection:
    keywords:
        - 'shutdown'
        - 'config-register 0x2100'
        - 'config-register 0x2142'
    condition: keywords
False Positives

Legitimate administrators may run these commands, though rarely.

Rule Metadata
Rule ID
d94a35f0-7a29-45f6-90a0-80df6159967c
Status
test
Level
medium
Type
Detection
Created
Thu Aug 15
Modified
Wed Jan 04
Path
rules/network/cisco/aaa/cisco_cli_dos.yml
Raw Tags
attack.impact, attack.t1495, attack.t1529, attack.t1565.001