Nasreddine Bencherchali
9d58e38bbc
remove: Space After Filename - Logic was incorrect and untested update: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - Update selection update: JexBoss Command Sequence - Update the selection to use the |all modifier. chore: remove any usage of the fields field to prepare for deprecation in the spec.
31 lines
699 B
YAML
31 lines
699 B
YAML
title: Cisco Stage Data
|
|
id: 5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59
|
|
status: test
|
|
description: Various protocols maybe used to put data on the device for exfil or infil
|
|
author: Austin Clark
|
|
date: 2019-08-12
|
|
modified: 2023-01-04
|
|
tags:
|
|
- attack.collection
|
|
- attack.lateral-movement
|
|
- attack.command-and-control
|
|
- attack.exfiltration
|
|
- attack.t1074
|
|
- attack.t1105
|
|
- attack.t1560.001
|
|
logsource:
|
|
product: cisco
|
|
service: aaa
|
|
detection:
|
|
keywords:
|
|
- 'tftp'
|
|
- 'rcp'
|
|
- 'puts'
|
|
- 'copy'
|
|
- 'configure replace'
|
|
- 'archive tar'
|
|
condition: keywords
|
|
falsepositives:
|
|
- Generally used to copy configs or IOS images
|
|
level: low
|