title: Cisco Show Commands Input
id: b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b
status: experimental
description: See what commands are being input into the device by other people, full credentials can be in the history
references:
    - https://attack.mitre.org/techniques/T1056/
    - https://attack.mitre.org/techniques/T1139/
author: Austin Clark
date: 2019/08/11
tags:
    - attack.collection
    - attack.credential_access
    - attack.t1139
    - attack.t1056
    - attack.t1552.003
logsource:
    product: cisco
    service: aaa
    category: accounting
fields:
    - CmdSet
detection:
    keywords:
        - 'show history'
        - 'show history all'
        - 'show logging'
    condition: keywords
falsepositives:
    - Not commonly run by administrators, especially if remote logging is configured.
level: medium