2020-03-25 14:36:34 +01:00
|
|
|
title: Cisco Crypto Commands
|
|
|
|
|
id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d
|
|
|
|
|
status: experimental
|
2020-09-03 00:34:41 +02:00
|
|
|
description: Show when private keys are being exported from the device, or when new certificates are installed
|
2020-03-25 14:36:34 +01:00
|
|
|
author: Austin Clark
|
|
|
|
|
date: 2019/08/12
|
|
|
|
|
logsource:
|
|
|
|
|
product: cisco
|
|
|
|
|
service: aaa
|
|
|
|
|
category: accounting
|
|
|
|
|
fields:
|
|
|
|
|
- src
|
|
|
|
|
- CmdSet
|
|
|
|
|
- User
|
|
|
|
|
- Privilege_Level
|
|
|
|
|
- Remote_Address
|
|
|
|
|
detection:
|
|
|
|
|
keywords:
|
|
|
|
|
- 'crypto pki export'
|
|
|
|
|
- 'crypto pki import'
|
|
|
|
|
- 'crypto pki trustpoint'
|
|
|
|
|
condition: keywords
|
|
|
|
|
falsepositives:
|
2020-09-03 00:34:41 +02:00
|
|
|
- Not commonly run by administrators. Also whitelist your known good certificates
|
2020-03-25 14:36:34 +01:00
|
|
|
level: high
|
2020-09-15 07:02:30 -06:00
|
|
|
tags:
|
|
|
|
|
- attack.credential_access
|
|
|
|
|
- attack.defense_evasion
|
|
|
|
|
- attack.t1130 # an old one
|
|
|
|
|
- attack.t1553.004
|
|
|
|
|
- attack.t1145 # an old one
|
|
|
|
|
- attack.t1552.004
|
