sigma | low | Hunting
Cisco Collect Data
Collect pertinent data from the configuration files
Detection Query
keywords:
    - show running-config
    - show startup-config
    - show archive config
    - more
condition: keywords
Author
Austin Clark
Created
2019-08-11
Data Sources
ciscoaaa
Platforms
cisco
References
Tags
attack.discovery, attack.credential-access, attack.collection, attack.t1087.001, attack.t1552.001, attack.t1005
Raw Content
title: Cisco Collect Data
id: cd072b25-a418-4f98-8ebc-5093fb38fe1a
status: test
description: Collect pertinent data from the configuration files
references:
    - https://blog.router-switch.com/2013/11/show-running-config/
    - https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm
    - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html
author: Austin Clark
date: 2019-08-11
modified: 2023-01-04
tags:
    - attack.discovery
    - attack.credential-access
    - attack.collection
    - attack.t1087.001
    - attack.t1552.001
    - attack.t1005
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'show running-config'
        - 'show startup-config'
        - 'show archive config'
        - 'more'
    condition: keywords
falsepositives:
    - Commonly run by administrators
level: low