Techniques
Sample rules
Cisco Modify Configuration
- source: sigma
- techniques:
- t1053
- t1490
- t1505
- t1565
- t1565.002
Description
Modifications to a device configuration that serve an adversary's impact or persistence goals
Detection logic
condition: keywords
keywords:
- ip http server
- ip https server
- kron policy-list
- kron occurrence
- policy-list
- access-list
- ip access-group
- archive maximum
Cisco Clear Logs
- source: sigma
- techniques:
- t1070
- t1070.003
Description
Clearing the command history or logs on a network OS, which is used for defense evasion
Detection logic
condition: keywords
keywords:
- clear logging
- clear archive
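The two rules above are Sigma keyword rules: each keyword is an OR'd, case-insensitive substring match, and a single hit fires the rule. The following is an added example (not part of the page or the Sigma project) that applies both rules to constructed Cisco IOS config-change log lines; the log format and `match_rules`/`scan` helpers are assumptions for illustration.

```python
"""Added example (not from the page): evaluate the page's two Sigma keyword
rules against constructed Cisco IOS configuration-change log lines."""

# Rule definitions copied from the page; technique ids kept for context.
RULES = {
    "Cisco Modify Configuration": {
        "techniques": ["t1053", "t1490", "t1505", "t1565", "t1565.002"],
        "keywords": ["ip http server", "ip https server", "kron policy-list",
                     "kron occurrence", "policy-list", "access-list",
                     "ip access-group", "archive maximum"],
    },
    "Cisco Clear Logs": {
        "techniques": ["t1070", "t1070.003"],
        "keywords": ["clear logging", "clear archive"],
    },
}


def match_rules(line, rules=RULES):
    """Return the sorted names of rules whose keyword list hits the line.

    Sigma 'keywords' entries are OR'd, case-insensitive substring matches,
    so one keyword occurrence anywhere in the line is enough to fire."""
    lowered = line.lower()
    return sorted(name for name, rule in rules.items()
                  if any(kw in lowered for kw in rule["keywords"]))


def scan(lines, rules=RULES):
    """Map each matching line to (line, rule names, merged technique ids)."""
    findings = []
    for line in lines:
        hits = match_rules(line, rules)
        if hits:
            techs = sorted({t for h in hits for t in rules[h]["techniques"]})
            findings.append((line, hits, techs))
    return findings


# Constructed sample lines in the style of IOS 'archive log config' syslog.
SAMPLE_LOG = [
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:ip http server",
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:kron occurrence bk at 2:00 recurring",
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:interface GigabitEthernet0/1",
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:clear logging",
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

if __name__ == "__main__":
    for line, hits, techs in scan(SAMPLE_LOG):
        print(f"{hits} {techs}: {line}")
```

The broader keywords (`access-list`, `policy-list`) will also match routine ACL edits, so in production these rules are normally tuned on the configuring user, source address or change window rather than deployed as-is.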