title: Cisco Modify Configuration
id: 671ffc77-50a7-464f-9e3d-9ea2b493b26b
status: experimental
description: Modifications to a config that will serve an adversary's impacts or persistence
references:
    - https://attack.mitre.org/techniques/T1100/
    - https://attack.mitre.org/techniques/T1168/
    - https://attack.mitre.org/techniques/T1493/
author: Austin Clark
date: 2019/08/12
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.impact
    - attack.t1493
    - attack.t1100
    - attack.t1168
    - attack.t1490
    - attack.t1565.002
    - attack.t1505
    - attack.t1053
logsource:
    product: cisco
    service: aaa
    category: accounting
fields:
    - CmdSet
detection:
    keywords:
        - 'ip http server'
        - 'ip https server'
        - 'kron policy-list'
        - 'kron occurrence'
        - 'policy-list'
        - 'access-list'
        - 'ip access-group'
        - 'archive maximum'
    condition: keywords
falsepositives:
    - Legitimate administrators may run these commands.
level: medium