blue-team-tools/rules/net_device/aaa/cisco_cli_collect_data.yml

title: Collect Data
status: experimental
description: Collect pertinent data from the configuration files
references:
    - https://attack.mitre.org/techniques/T1087/
    - https://attack.mitre.org/techniques/T1003/
    - https://attack.mitre.org/techniques/T1081/
    - https://attack.mitre.org/techniques/T1005/
author: Austin Clark
date: 2019/08/11
tags:
    - attack.discovery
    - attack.credential_access
    - attack.collection
    - attack.t1087
    - attack.t1003
    - attack.t1081
    - attack.t1005
logsource:
    product: cisco
    service: aaa
    category: accounting
fields:
    - src
    - CmdSet
    - User
    - Privilege_Level
    - Remote_Address
detection:
    keywords:
        - 'show running-config'
        - 'show startup-config'
        - 'show archive config'
        - 'more'
    condition: keywords
falsepositives:
    - Commonly run by administrators.
level: low