Rule Library

Sigma Rules

16 rules found

3,707 Total · 3,116 Detection · 451 Emerging · 137 Hunting
Detection · medium · test

Cisco Duo Successful MFA Authentication Via Bypass Code

Detects when a successful MFA authentication occurs due to the use of a bypass code. A bypass code is a temporary passcode created by an administrator for a specific user to access a Duo-protected application. These are generally used as "backup codes," so that enrolled users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) or who temporarily can't use their enrolled devices (on a plane without mobile data services) can still access their Duo-protected systems.

Cisco · duo
TA0006 · Credential Access, TA0005 · Defense Evasion, TA0001 · Initial Access
Nikita Khalimonenkov · Wed Apr 17 · identity
Detection · high · test

Cisco Clear Logs

Clears command history on a network OS, which is used for defense evasion

Cisco · aaa
TA0005 · Defense Evasion, T1070.003 · Clear Command History
Austin Clark · Mon Aug 12 · network
Detection · low · test

Cisco Collect Data

Collect pertinent data from the configuration files

Cisco · aaa
TA0007 · Discovery, TA0006 · Credential Access, TA0009 · Collection, T1087.001 · Local Account (+2)
Austin Clark · Sun Aug 11 · network
Detection · high · test

Cisco Crypto Commands

Show when private keys are being exported from the device, or when new certificates are installed

Cisco · aaa
TA0006 · Credential Access, TA0005 · Defense Evasion, T1553.004 · Install Root Certificate, T1552.004 · Private Keys
Austin Clark · Mon Aug 12 · network
Detection · high · test

Cisco Disabling Logging

Turn off logging locally or remotely

Cisco · aaa
TA0005 · Defense Evasion, T1562.001 · Disable or Modify Tools
Austin Clark · Sun Aug 11 · network
Detection · low · test

Cisco Discovery

Find information about network devices that is not stored in config files

Cisco · aaa
TA0007 · Discovery, T1083 · File and Directory Discovery, T1201 · Password Policy Discovery, T1057 · Process Discovery (+6)
Austin Clark · Mon Aug 12 · network
Detection · medium · test

Cisco Denial of Service

Detect a system being shut down or put into a different boot mode

Cisco · aaa
TA0040 · Impact, T1495 · Firmware Corruption, T1529 · System Shutdown/Reboot, T1565.001 · Stored Data Manipulation
Austin Clark · Thu Aug 15 · network
Detection · medium · test

Cisco File Deletion

See what files are being deleted from flash file systems

Cisco · aaa
TA0005 · Defense Evasion, TA0040 · Impact, T1070.004 · File Deletion, T1561.001 · Disk Content Wipe (+1)
Austin Clark · Mon Aug 12 · network
Detection · medium · test

Cisco Show Commands Input

See what commands are being input into the device by other people; full credentials can be in the history

Cisco · aaa
TA0006 · Credential Access, T1552.003 · Bash History
Austin Clark · Sun Aug 11 · network
Detection · high · test

Cisco Local Accounts

Find local accounts being created or modified as well as remote authentication configurations

Cisco · aaa
TA0004 · Privilege Escalation, TA0003 · Persistence, T1136.001 · Local Account, T1098 · Account Manipulation
Austin Clark · Mon Aug 12 · network
Detection · medium · test

Cisco Modify Configuration

Modifications to a config that will serve an adversary's impacts or persistence

Cisco · aaa
TA0004 · Privilege Escalation, TA0002 · Execution, TA0003 · Persistence, TA0040 · Impact (+4)
Austin Clark · Mon Aug 12 · network
Detection · low · test

Cisco Stage Data

Various protocols may be used to put data on the device for exfil or infil

Cisco · aaa
TA0009 · Collection, TA0008 · Lateral Movement, TA0011 · Command and Control, TA0010 · Exfiltration (+3)
Austin Clark · Mon Aug 12 · network
Detection · medium · test

Cisco Sniffing

Show when a monitor or a SPAN/RSPAN is set up or modified

Cisco · aaa
TA0006 · Credential Access, TA0007 · Discovery, T1040 · Network Sniffing
Austin Clark · Sun Aug 11 · network
Detection · low · test

Cisco BGP Authentication Failures

Detects BGP failures which may be indicative of brute force attacks to manipulate routing

Cisco · bgp
TA0001 · Initial Access, TA0003 · Persistence, TA0004 · Privilege Escalation, TA0005 · Defense Evasion (+5)
Tim Brown · Mon Jan 09 · network
Detection · low · test

Cisco LDP Authentication Failures

Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels

Cisco · ldp
TA0001 · Initial Access, TA0003 · Persistence, TA0004 · Privilege Escalation, TA0005 · Defense Evasion (+5)
Tim Brown · Mon Jan 09 · network
Emerging Threat · high · test

Exploitation Indicators Of CVE-2023-20198

Detecting exploitation indicators of CVE-2023-20198, a privilege escalation vulnerability in Cisco IOS XE Software Web UI.

Cisco · syslog
TA0004 · Privilege Escalation, TA0001 · Initial Access, detection.emerging-threats
Lars B. P. Frydenskov (Trifork Security) · Fri Oct 20 2023