security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
blue-team-tools/rules/network/cisco/aaa/cisco_cli_input_capture.yml
T
Nasreddine Bencherchali 9d58e38bbc Merge PR #5769 from @nasbench - fix keywords rule and remove the fields field 
remove: Space After Filename - Logic was incorrect and untested
update: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - Update selection
update: JexBoss Command Sequence - Update the selection to use the |all modifier.
chore: remove any usage of the fields field to prepare for deprecation in the spec.
2025-11-24 09:54:29 +01:00

23 lines
615 B
YAML
Raw Permalink Blame History

title: Cisco Show Commands Input
id: b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b
status: test
description: See what commands are being input into the device by other people, full credentials can be in the history
author: Austin Clark
date: 2019-08-11
modified: 2023-01-04
tags:
- attack.credential-access
- attack.t1552.003
logsource:
product: cisco
service: aaa
detection:
keywords:
- 'show history'
- 'show history all'
- 'show logging'
condition: keywords
falsepositives:
- Not commonly run by administrators, especially if remote logging is configured
level: medium
Reference in New Issue View Git Blame Copy Permalink