blue-team-tools/rules/network/cisco/aaa/cisco_cli_collect_data.yml

title: Cisco Collect Data
id: cd072b25-a418-4f98-8ebc-5093fb38fe1a
status: test
description: Collect pertinent data from the configuration files
references:
    - https://blog.router-switch.com/2013/11/show-running-config/
    - https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm
    - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html
author: Austin Clark
date: 2019/08/11
modified: 2023/01/04
tags:
    - attack.discovery
    - attack.credential_access
    - attack.collection
    - attack.t1087.001
    - attack.t1552.001
    - attack.t1005
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'show running-config'
        - 'show startup-config'
        - 'show archive config'
        - 'more'
    condition: keywords
falsepositives:
    - Commonly run by administrators
level: low