title: Cisco Collect Data
id: cd072b25-a418-4f98-8ebc-5093fb38fe1a
status: experimental
description: Collect pertinent data from the configuration files
author: Austin Clark
date: 2019/08/11
modified: 2020/09/02
logsource:
    product: cisco
    service: aaa
    category: accounting
fields:
    - src
    - CmdSet
    - User
    - Privilege_Level
    - Remote_Address
detection:
    keywords:
        - 'show running-config'
        - 'show startup-config'
        - 'show archive config'
        - 'more'
    condition: keywords
falsepositives:
    - Commonly run by administrators
level: low
tags:
    - attack.discovery
    - attack.credential_access
    - attack.collection
    - attack.t1087           # an old one
    - attack.t1087.001
    - attack.t1003           # an old one
    - attack.t1081           # an old one
    - attack.t1552.001
    - attack.t1005