rules/network/cisco/aaa/cisco_cli_modify_config.yml

title: Cisco Modify Configuration
id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b
status: test
description: Modifications to a config that will serve an adversary's impacts or persistence
author: Austin Clark
date: 2019/08/12
modified: 2021/11/27
logsource:
  product: cisco
  service: aaa
  category: accounting
detection:
  keywords:
    - 'ip http server'
    - 'ip https server'
    - 'kron policy-list'
    - 'kron occurrence'
    - 'policy-list'
    - 'access-list'
    - 'ip access-group'
    - 'archive maximum'
  condition: keywords
fields:
  - CmdSet
falsepositives:
  - Legitimate administrators may run these commands
level: medium
tags:
  - attack.persistence
  - attack.impact
  - attack.t1490
  - attack.t1505
  - attack.t1565.002
  - attack.t1053
fix: converted CRLF line break to LF 2020-03-25 14:36:34 +01:00			`title: Cisco Modify Configuration`
			`id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`status: test`
fix: converted CRLF line break to LF 2020-03-25 14:36:34 +01:00			`description: Modifications to a config that will serve an adversary's impacts or persistence`
			`author: Austin Clark`
			`date: 2019/08/12`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`modified: 2021/11/27`
fix: converted CRLF line break to LF 2020-03-25 14:36:34 +01:00			`logsource:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`product: cisco`
			`service: aaa`
			`category: accounting`
fix: converted CRLF line break to LF 2020-03-25 14:36:34 +01:00			`detection:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`keywords:`
			`- 'ip http server'`
			`- 'ip https server'`
			`- 'kron policy-list'`
			`- 'kron occurrence'`
			`- 'policy-list'`
			`- 'access-list'`
			`- 'ip access-group'`
			`- 'archive maximum'`
			`condition: keywords`
			`fields:`
			`- CmdSet`
fix: converted CRLF line break to LF 2020-03-25 14:36:34 +01:00			`falsepositives:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- Legitimate administrators may run these commands`
fix: converted CRLF line break to LF 2020-03-25 14:36:34 +01:00			`level: medium`
Second round 2020-09-15 07:02:30 -06:00			`tags:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- attack.persistence`
			`- attack.impact`
			`- attack.t1490`
			`- attack.t1505`
			`- attack.t1565.002`
			`- attack.t1053`