Austin Clark
27 lines
694 B
YAML
27 lines
694 B
YAML
title: Denial of Service
|
|
status: experimental
|
|
description: Detect a system being shutdown or put into different boot mode.
|
|
references:
|
|
- https://attack.mitre.org/techniques/T1499/
|
|
- https://attack.mitre.org/techniques/T1495/
|
|
author: Austin Clark
|
|
date: 2019/08/15
|
|
tags:
|
|
- attack.impact
|
|
- attack.t1499
|
|
- attack.t1495
|
|
logsource:
|
|
product: cisco
|
|
service: aaa
|
|
category: accounting
|
|
fields:
|
|
- CmdSet
|
|
detection:
|
|
keywords:
|
|
- 'shutdown'
|
|
- 'config-register 0x2100'
|
|
- 'config-register 0x2142'
|
|
condition: keywords
|
|
falsepositives:
|
|
- Legitimate administrators may run these commands, though rarely.
|
|
level: medium |