Ivan Kirillov
36 lines
917 B
YAML
36 lines
917 B
YAML
title: Cisco Crypto Commands
|
|
id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d
|
|
status: experimental
|
|
description: Show when private keys are being exported from the device, or when new certificates are installed.
|
|
references:
|
|
- https://attack.mitre.org/techniques/T1145/
|
|
- https://attack.mitre.org/techniques/T1130/
|
|
author: Austin Clark
|
|
date: 2019/08/12
|
|
tags:
|
|
- attack.credential_access
|
|
- attack.defense_evasion
|
|
- attack.t1130
|
|
- attack.t1145
|
|
- attack.t1553.004
|
|
- attack.t1552.004
|
|
logsource:
|
|
product: cisco
|
|
service: aaa
|
|
category: accounting
|
|
fields:
|
|
- src
|
|
- CmdSet
|
|
- User
|
|
- Privilege_Level
|
|
- Remote_Address
|
|
detection:
|
|
keywords:
|
|
- 'crypto pki export'
|
|
- 'crypto pki import'
|
|
- 'crypto pki trustpoint'
|
|
condition: keywords
|
|
falsepositives:
|
|
- Not commonly run by administrators. Also whitelist your known good certificates.
|
|
level: high
|