LoFP / when remote authentication is in place, this should not change often

Techniques

• t1098
• t1136
• t1136.001

Sample rules

Cisco Local Accounts

• source: sigma
• technicques:
  • t1098
  • t1136
  • t1136.001

Description

Find local accounts being created or modified as well as remote authentication configurations

Detection logic

condition: keywords
keywords:
- username
- aaa