LoFP / not commonly run by administrators, especially if remote logging is configured

Techniques

Sample rules

Cisco Show Commands Input

Description

See what commands are being entered into the device by other people. Full credentials can be in the history.

Detection logic

condition: keywords
keywords:
- show history
- show history all
- show logging