rules/network/cisco/aaa/cisco_cli_clear_logs.yml

title: Cisco Clear Logs
id: ceb407f6-8277-439b-951f-e4210e3ed956
status: experimental
description: Clear command history in network OS which is used for defense evasion
author: Austin Clark
date: 2019/08/12
modified: 2020/09/02
logsource:
    product: cisco
    service: aaa
    category: accounting
fields:
    - src
    - CmdSet
    - User
    - Privilege_Level
    - Remote_Address
detection:
    keywords:
        - 'clear logging'
        - 'clear archive'
    condition: keywords
falsepositives:
    - Legitimate administrators may run these commands
level: high
tags:
    - attack.defense_evasion
    - attack.t1146          # an old one
    - attack.t1070.003
fix: converted CRLF line break to LF 2020-03-25 14:36:34 +01:00			`title: Cisco Clear Logs`
			`id: ceb407f6-8277-439b-951f-e4210e3ed956`
			`status: experimental`
review network/cisco/aaa 2020-09-03 00:34:41 +02:00			`description: Clear command history in network OS which is used for defense evasion`
fix: converted CRLF line break to LF 2020-03-25 14:36:34 +01:00			`author: Austin Clark`
			`date: 2019/08/12`
review network/cisco/aaa 2020-09-03 00:34:41 +02:00			`modified: 2020/09/02`
fix: converted CRLF line break to LF 2020-03-25 14:36:34 +01:00			`logsource:`
			`product: cisco`
			`service: aaa`
			`category: accounting`
			`fields:`
			`- src`
			`- CmdSet`
			`- User`
			`- Privilege_Level`
			`- Remote_Address`
			`detection:`
			`keywords:`
			`- 'clear logging'`
			`- 'clear archive'`
			`condition: keywords`
			`falsepositives:`
review network/cisco/aaa 2020-09-03 00:34:41 +02:00			`- Legitimate administrators may run these commands`
fix: converted CRLF line break to LF 2020-03-25 14:36:34 +01:00			`level: high`
Second round 2020-09-15 07:02:30 -06:00			`tags:`
			`- attack.defense_evasion`
			`- attack.t1146 # an old one`
			`- attack.t1070.003`