title: Cisco Denial of Service
id: d94a35f0-7a29-45f6-90a0-80df6159967c
status: experimental
description: Detect a system being shutdown or put into different boot mode
references:
    - https://attack.mitre.org/techniques/T1499/
    - https://attack.mitre.org/techniques/T1495/
author: Austin Clark
date: 2019/08/15
tags:
    - attack.impact
    - attack.t1499
    - attack.t1495
logsource:
    product: cisco
    service: aaa
    category: accounting
fields:
    - CmdSet
detection:
    keywords:
        - 'shutdown'
        - 'config-register 0x2100'
        - 'config-register 0x2142'
    condition: keywords
falsepositives:
    - Legitimate administrators may run these commands, though rarely.
level: medium