diff --git a/rules/net_device/aaa/cisco_cli_clear_logs.yml b/rules/net_device/aaa/cisco_cli_clear_logs.yml
new file mode 100644
index 000000000..efd2692e1
--- /dev/null
+++ b/rules/net_device/aaa/cisco_cli_clear_logs.yml
@@ -0,0 +1,30 @@
+title: Clear Logs
+status: experimental
+description: Clear command history in network OS which is used for defense evasion.
+references:
+ - https://attack.mitre.org/techniques/T1146/
+ - https://attack.mitre.org/techniques/T1070/
+author: Austin Clark
+date: 2019/08/12
+tags:
+ - attack.defense_evasion
+ - attack.t1146
+ - attack.t1070
+logsource:
+ product: cisco
+ service: aaa
+ category: accounting
+fields:
+ - src
+ - CmdSet
+ - User
+ - Privilege_Level
+ - Remote_Address
+detection:
+ keywords:
+ - 'clear logging'
+ - 'clear archive'
+ condition: keywords
+falsepositives:
+ - Legitimate administrators may run these commands.
+level: high
\ No newline at end of file
diff --git a/rules/net_device/aaa/cisco_cli_collect_data.yml b/rules/net_device/aaa/cisco_cli_collect_data.yml
new file mode 100644
index 000000000..0b210c93c
--- /dev/null
+++ b/rules/net_device/aaa/cisco_cli_collect_data.yml
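Review bot: The description says the rule catches clearing of command history, but the two keywords `clear logging` and `clear archive` target the local logging buffer and the config archive, so the text and the detection disagree. Either add the keyword for the history-clearing command the description has in mind, or reword it to `description: Clearing of the local logging buffer or config archive on a network device, used for defense evasion.` Note also that Sigma `keywords` are matched against the whole event in most backends, not only against `CmdSet`, so a `selection` using `CmdSet|contains` would avoid hits coming from the `User`, `src` or `Remote_Address` fields; the same remark applies to every rule in this commit.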
@@ -0,0 +1,38 @@
+title: Collect Data
+status: experimental
+description: Collect pertinent data from the configuration files
+references:
+ - https://attack.mitre.org/techniques/T1087/
+ - https://attack.mitre.org/techniques/T1003/
+ - https://attack.mitre.org/techniques/T1081/
+ - https://attack.mitre.org/techniques/T1005/
+author: Austin Clark
+date: 2019/08/11
+tags:
+ - attack.discovery
+ - attack.credential_access
+ - attack.collection
+ - attack.t1087
+ - attack.t1003
+ - attack.t1081
+ - attack.t1005
+logsource:
+ product: cisco
+ service: aaa
+ category: accounting
+fields:
+ - src
+ - CmdSet
+ - User
+ - Privilege_Level
+ - Remote_Address
+detection:
+ keywords:
+ - 'show running-config'
+ - 'show startup-config'
+ - 'show archive config'
+ - 'more'
+ condition: keywords
+falsepositives:
+ - Commonly run by administrators.
+level: low
\ No newline at end of file
diff --git a/rules/net_device/aaa/cisco_cli_crypto_actions.yml b/rules/net_device/aaa/cisco_cli_crypto_actions.yml
new file mode 100644
index 000000000..1d28750c1
--- /dev/null
+++ b/rules/net_device/aaa/cisco_cli_crypto_actions.yml
@@ -0,0 +1,32 @@
+title: Crypto Commands
+status: experimental
+description: Show when private keys are being exported from the device, or when new certificates are installed.
+references:
+ - https://attack.mitre.org/techniques/T1145/
+ - https://attack.mitre.org/techniques/T1130/
+author: Austin Clark
+date: 2019/08/12
+tags:
+ - attack.credential_access
+ - attack.defense_evasion
+ - attack.t1130
+ - attack.t1145
+logsource:
+ product: cisco
+ service: aaa
+ category: accounting
+fields:
+ - src
+ - CmdSet
+ - User
+ - Privilege_Level
+ - Remote_Address
+detection:
+ keywords:
+ - 'crypto pki export'
+ - 'crypto pki import'
+ - 'crypto pki trustpoint'
+ condition: keywords
+falsepositives:
+ - Not commonly run by administrators. Also whitelist your known good certificates.
+level: high
\ No newline at end of file
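Review bot: The keyword `'more'` is a bare substring that, under Sigma keyword matching, fires on any event whose text contains those four letters (user names, host names, other command arguments), not only on the `more` file-viewing command. Anchoring it to the command field, e.g. a selection with `CmdSet|startswith: 'more '`, keeps the intent without the noise. The other three keywords are specific enough as command prefixes.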
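Review bot: The keyword `'crypto pki trustpoint'` is also a substring of the read-only `show crypto pki trustpoints` command, so routine inspections will match a rule that is `level: high` and described as not commonly run. Distinguish the configuration form from the show form, e.g. by anchoring on `CmdSet|startswith: 'crypto pki trustpoint'` or by adding a filter on commands that start with `show`. The `export` and `import` keywords do not appear to have an equivalent show counterpart and can stay as they are.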
diff --git a/rules/net_device/aaa/cisco_cli_disable_logging.yml b/rules/net_device/aaa/cisco_cli_disable_logging.yml
new file mode 100644
index 000000000..ea4c13218
--- /dev/null
+++ b/rules/net_device/aaa/cisco_cli_disable_logging.yml
@@ -0,0 +1,28 @@
+title: Disabling Logging
+status: experimental
+description: Turn off logging locally or remote
+references:
+ - https://attack.mitre.org/techniques/T1089
+author: Austin Clark
+date: 2019/08/11
+tags:
+ - attack.defense_evasion
+ - attack.t1089
+logsource:
+ product: cisco
+ service: aaa
+ category: accounting
+fields:
+ - src
+ - CmdSet
+ - User
+ - Privilege_Level
+ - Remote_Address
+detection:
+ keywords:
+ - 'no logging'
+ - 'no aaa new-model'
+ condition: keywords
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/net_device/aaa/cisco_cli_discovery.yml b/rules/net_device/aaa/cisco_cli_discovery.yml
new file mode 100644
index 000000000..9a39c37e5
--- /dev/null
+++ b/rules/net_device/aaa/cisco_cli_discovery.yml
@@ -0,0 +1,45 @@
+title: Discovery
+status: experimental
+description: Find information about network devices that are not stored in config files.
+references:
+ - https://attack.mitre.org/tactics/TA0007/
+author: Austin Clark
+date: 2019/08/12
+tags:
+ - attack.discovery
+ - attack.t1083
+ - attack.t1201
+ - attack.t1057
+ - attack.t1018
+ - attack.t1082
+ - attack.t1016
+ - attack.t1049
+ - attack.t1033
+ - attack.t1124
+logsource:
+ product: cisco
+ service: aaa
+ category: accounting
+fields:
+ - src
+ - CmdSet
+ - User
+ - Privilege_Level
+ - Remote_Address
+detection:
+ keywords:
+ - 'dir'
+ - 'show processes'
+ - 'show arp'
+ - 'show cdp'
+ - 'show version'
+ - 'show ip route'
+ - 'show ip interface'
+ - 'show ip sockets'
+ - 'show users'
+ - 'show ssh'
+ - 'show clock'
+ condition: keywords
+falsepositives:
+ - Commonly used by administrators for troubleshooting
+level: low
\ No newline at end of file
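Review bot: `'no logging'` also matches per-line and per-interface housekeeping such as `no logging synchronous` or `no logging console`, which are common during maintenance, so `falsepositives: Unknown` at `level: high` understates the noise; listing those forms under falsepositives, or narrowing to the forms that actually silence the device (`no logging host`, `no logging trap`, `no logging buffered`), would make the severity defensible. Separately, `no aaa new-model` disables the AAA accounting that feeds this very logsource, so the record of that command may be the last one the collector receives from the device; the description should say that a device going quiet afterwards is the complementary signal to watch for.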
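Review bot: The keyword `'dir'` is a three-letter substring that matches the very common interface command `no ip redirects` (and anything else containing those letters), which would swamp the intended flash-listing hits even at `level: low`. Anchor it to the command field, e.g. `CmdSet|startswith: 'dir'`, so only the `dir` command itself matches. `'show ip interface'` likewise includes `show ip interface brief`, probably the single most frequent troubleshooting command, which is consistent with the stated falsepositives but worth naming there explicitly.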
diff --git a/rules/net_device/aaa/cisco_cli_dos.yml b/rules/net_device/aaa/cisco_cli_dos.yml
new file mode 100644
index 000000000..aca4693c2
--- /dev/null
+++ b/rules/net_device/aaa/cisco_cli_dos.yml
@@ -0,0 +1,27 @@
+title: Denial of Service
+status: experimental
+description: Detect a system being shutdown or put into different boot mode.
+references:
+ - https://attack.mitre.org/techniques/T1499/
+ - https://attack.mitre.org/techniques/T1495/
+author: Austin Clark
+date: 2019/08/15
+tags:
+ - attack.impact
+ - attack.t1499
+ - attack.t1495
+logsource:
+ product: cisco
+ service: aaa
+ category: accounting
+fields:
+ - CmdSet
+detection:
+ keywords:
+ - 'shutdown'
+ - 'config-register 0x2100'
+ - 'config-register 0x2142'
+ condition: keywords
+falsepositives:
+ - Legitimate administrators may run these commands, though rarely.
+level: medium
\ No newline at end of file
diff --git a/rules/net_device/aaa/cisco_cli_file_deletion.yml b/rules/net_device/aaa/cisco_cli_file_deletion.yml
new file mode 100644
index 000000000..5137126c8
--- /dev/null
+++ b/rules/net_device/aaa/cisco_cli_file_deletion.yml
@@ -0,0 +1,30 @@
+title: Show Commands Input
+status: experimental
+description: See what files are being deleted from flash file systems
+references:
+ - https://attack.mitre.org/techniques/T1107/
+ - https://attack.mitre.org/techniques/T1488/
+ - https://attack.mitre.org/techniques/T1487/
+author: Austin Clark
+date: 2019/08/12
+tags:
+ - attack.defense_evasion
+ - attack.impact
+ - attack.t1107
+ - attack.t1488
+ - attack.t1487
+logsource:
+ product: cisco
+ service: aaa
+ category: accounting
+fields:
+ - CmdSet
+detection:
+ keywords:
+ - 'erase'
+ - 'delete'
+ - 'format'
+ condition: keywords
+falsepositives:
+ - Will be used sometimes by admins to clean up local flash space.
+level: medium
\ No newline at end of file
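Review bot: `'shutdown'` matches both the interface-level `shutdown` and its inverse `no shutdown`, which administrators enter on nearly every interface change, so on its own this keyword is not a system-shutdown signal and will dominate the rule's output at `level: medium`, contradicting the "though rarely" in falsepositives. If the intent is the device itself going down, the IOS command for that is `reload`, which is not listed; if interface shutdown is intended, say so in the description and falsepositives. The two `config-register` values are specific and fine as written.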
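Review bot: The title `Show Commands Input` is copied from the input-capture rule added in the same commit (rules/net_device/aaa/cisco_cli_input_capture.yml) and does not describe this rule; Sigma titles are what analysts see in alerts, so something like `title: File Deletion on Network Device` is needed. The bare `'delete'` keyword can also hit arguments and user names containing that word rather than the `delete` file command, and `'format'` has the same exposure; anchoring the three keywords with `CmdSet|startswith` would keep the coverage and drop that noise.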
diff --git a/rules/net_device/aaa/cisco_cli_input_capture.yml b/rules/net_device/aaa/cisco_cli_input_capture.yml
new file mode 100644
index 000000000..ca06964b4
--- /dev/null
+++ b/rules/net_device/aaa/cisco_cli_input_capture.yml
@@ -0,0 +1,28 @@
+title: Show Commands Input
+status: experimental
+description: See what commands are being input into the device by other people, full credentials can be in the history
+references:
+ - https://attack.mitre.org/techniques/T1056/
+ - https://attack.mitre.org/techniques/T1139/
+author: Austin Clark
+date: 2019/08/11
+tags:
+ - attack.collection
+ - attack.credential_access
+ - attack.t1139
+ - attack.t1056
+logsource:
+ product: cisco
+ service: aaa
+ category: accounting
+fields:
+ - CmdSet
+detection:
+ keywords:
+ - 'show history'
+ - 'show history all'
+ - 'show logging'
+ condition: keywords
+falsepositives:
+ - Not commonly run by administrators, especially if remote logging is configured.
+level: medium
\ No newline at end of file
diff --git a/rules/net_device/aaa/cisco_cli_local_accounts.yml b/rules/net_device/aaa/cisco_cli_local_accounts.yml
new file mode 100644
index 000000000..071a024cb
--- /dev/null
+++ b/rules/net_device/aaa/cisco_cli_local_accounts.yml
@@ -0,0 +1,26 @@
+title: Local Accounts
+status: experimental
+description: Find local accounts being created or modified as well as remote authentication configurations
+references:
+ - https://attack.mitre.org/techniques/T1098/
+ - https://attack.mitre.org/techniques/T1136/
+author: Austin Clark
+date: 2019/08/12
+tags:
+ - attack.persistence
+ - attack.t1136
+ - attack.t1098
+logsource:
+ product: cisco
+ service: aaa
+ category: accounting
+fields:
+ - CmdSet
+detection:
+ keywords:
+ - 'username'
+ - 'aaa'
+ condition: keywords
+falsepositives:
+ - When remote authentication is in place, this should not change often.
+level: high
\ No newline at end of file
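Review bot: `'show history all'` is redundant — under substring matching every event it hits is already matched by `'show history'` — so it can be dropped without changing results. More importantly, `show logging` is a routine troubleshooting command on IOS, which sits uneasily with `falsepositives: Not commonly run by administrators`; either split it into its own lower-severity rule or rewrite the falsepositive entry to acknowledge it. The description's point that cleartext credentials can appear in the command history is the real reason for the rule and would be clearer as its first sentence.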
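Review bot: The keyword `'aaa'` is too short to be a command match: as a substring it fires on any user name, host name or argument containing `aaa`, and on a logsource whose service is itself `aaa` the raw event text may well contain that token outside `CmdSet`. Field-anchored forms such as `CmdSet|startswith: 'aaa '` and `CmdSet|startswith: 'username '` keep the persistence coverage while removing that noise, which matters at `level: high`. `'username'` has the same issue to a lesser degree, e.g. `show running-config | include username` matches it today.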
diff --git a/rules/net_device/aaa/cisco_cli_modify_config.yml b/rules/net_device/aaa/cisco_cli_modify_config.yml
new file mode 100644
index 000000000..865c44113
--- /dev/null
+++ b/rules/net_device/aaa/cisco_cli_modify_config.yml
@@ -0,0 +1,37 @@
+title: Modify Configuration
+status: experimental
+description: Modifications to a config that will serve an adversary's impacts or persistence
+references:
+ - https://attack.mitre.org/techniques/T1100/
+ - https://attack.mitre.org/techniques/T1168/
+ - https://attack.mitre.org/techniques/T1493/
+author: Austin Clark
+date: 2019/08/12
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.impact
+ - attack.t1493
+ - attack.t1100
+ - attack.t1168
+ - attack.t1490
+logsource:
+ product: cisco
+ service: aaa
+ category: accounting
+fields:
+ - CmdSet
+detection:
+ keywords:
+ - 'ip http server'
+ - 'ip https server'
+ - 'kron policy-list'
+ - 'kron occurrence'
+ - 'policy-list'
+ - 'access-list'
+ - 'ip access-group'
+ - 'archive maximum'
+ condition: keywords
+falsepositives:
+ - Legitimate administrators may run these commands.
+level: medium
\ No newline at end of file
diff --git a/rules/net_device/aaa/cisco_cli_moving_data.yml b/rules/net_device/aaa/cisco_cli_moving_data.yml
new file mode 100644
index 000000000..278f6053b
--- /dev/null
+++ b/rules/net_device/aaa/cisco_cli_moving_data.yml
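Review bot: `'ip https server'` does not look like an IOS command — HTTPS is enabled with `ip http secure-server` — so as written this keyword probably never matches; please verify against the platforms in scope and replace it with `- 'ip http secure-server'` if so. `'kron policy-list'` is redundant with the bare `'policy-list'` two lines below it, and `'access-list'` together with `'ip access-group'` are among the most frequent configuration commands on any IOS device, so the rule will mostly report ordinary ACL work at `level: medium`. The tag `attack.t1490` also has no matching entry under `references`, unlike the other three technique tags.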
@@ -0,0 +1,38 @@
+title: Stage Data on device
+status: experimental
+description: Various protocols maybe used to put data on the device for exfil or infil
+references:
+ - https://attack.mitre.org/techniques/T1074/
+ - https://attack.mitre.org/techniques/T1105/
+ - https://attack.mitre.org/techniques/T1498/
+ - https://attack.mitre.org/techniques/T1002/
+author: Austin Clark
+date: 2019/08/12
+tags:
+ - attack.collection
+ - attack.lateral_movement
+ - attack.command_and_control
+ - attack.exfiltration
+ - attack.impact
+ - attack.t1074
+ - attack.t1105
+ - attack.t1492
+ - attack.t1002
+logsource:
+ product: cisco
+ service: aaa
+ category: accounting
+fields:
+ - CmdSet
+detection:
+ keywords:
+ - 'tftp'
+ - 'rcp'
+ - 'puts'
+ - 'copy'
+ - 'configure replace'
+ - 'archive tar'
+ condition: keywords
+falsepositives:
+ - Generally used to copy configs or IOS images.
+level: low
\ No newline at end of file
diff --git a/rules/net_device/aaa/cisco_cli_net_sniff.yml b/rules/net_device/aaa/cisco_cli_net_sniff.yml
new file mode 100644
index 000000000..2f41a147e
--- /dev/null
+++ b/rules/net_device/aaa/cisco_cli_net_sniff.yml
@@ -0,0 +1,26 @@
+title: Sniffing on a Network Device
+status: experimental
+description: Show when a monitor or a span/rspan is setup or modified
+references:
+ - https://attack.mitre.org/techniques/T1040
+author: Austin Clark
+date: 2019/08/11
+tags:
+ - attack.credential_access
+ - attack.discovery
+ - attack.t1040
+logsource:
+ product: cisco
+ service: aaa
+ category: accounting
+fields:
+ - CmdSet
+detection:
+ keywords:
+ - 'monitor capture point'
+ - 'set span'
+ - 'set rspan'
+ condition: keywords
+falsepositives:
+ - Admins may setup new or modify old spans, or use a monitor for troubleshooting.
+level: medium
\ No newline at end of file
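Review bot: The tags list `attack.t1492` while `references` cite T1498, so one of the two is wrong; please make them agree before the rule is merged. `'copy'` will match `copy running-config startup-config`, i.e. every configuration save, which the falsepositives entry acknowledges but which makes the keyword nearly uninformative on its own — restricting to remote-source and remote-destination forms such as `copy tftp:`, `copy ftp:`, `copy scp:` would fit the "stage data" intent better. `'puts'` is presumably the Tcl `puts` from the IOS tclsh; a short mention in the description would help readers who do not recognise it, and as a bare substring it also matches words like "outputs".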
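Review bot: `'set span'` and `'set rspan'` are CatOS-style syntax; on IOS/IOS-XE a SPAN or RSPAN session is configured with `monitor session <n> source ...` / `monitor session <n> destination ...`, which this rule does not match, so unless CatOS devices are in scope the SPAN coverage is effectively empty. Adding `- 'monitor session'` would cover the IOS form. `'monitor capture point'` is the older Embedded Packet Capture syntax and, as far as I recall, newer IOS-XE uses `monitor capture <name>` without `point`, so a plain `'monitor capture'` may be the more durable choice; please verify both against the device types this logsource covers.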