EXPLORE DETECTIONS
Cisco BGP Authentication Failures
Detects BGP authentication failures, which may indicate brute-force attacks intended to manipulate routing
Cisco Clear Logs
Clearing of command history on the network OS, a technique used for defense evasion
Cisco Collect Data
Collect pertinent data from the configuration files
Cisco Crypto Commands
Show when private keys are being exported from the device, or when new certificates are installed
Cisco Denial of Service
Detects a system being shut down or put into a different boot mode
Cisco Disabling Logging
Turning off logging, locally or remotely
Cisco Discovery
Find information about network devices that is not stored in config files
Cisco Duo Successful MFA Authentication Via Bypass Code
Detects when a successful MFA authentication occurs due to the use of a bypass code. A bypass code is a temporary passcode created by an administrator for a specific user to access a Duo-protected application. These are generally used as "backup codes," so that enrolled users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) or who temporarily can't use their enrolled devices (on a plane without mobile data services) can still access their Duo-protected systems.
Cisco File Deletion
See what files are being deleted from flash file systems
Cisco LDP Authentication Failures
Detects LDP authentication failures, which may indicate brute-force attacks intended to manipulate MPLS labels
Cisco Local Accounts
Find local accounts being created or modified as well as remote authentication configurations
Cisco Modify Configuration
Modifications to a configuration that serve an adversary's impact or persistence goals
Cisco Show Commands Input
See what commands are being entered on the device by other users; full credentials can appear in the command history
Cisco Sniffing
Show when a monitor session or a SPAN/RSPAN session is set up or modified
Cisco Stage Data
Various protocols may be used to put data on the device for exfiltration or infiltration
Classes Autorun Keys Modification
Detects modification of an autostart extensibility point (ASEP) in the registry.
Clear Linux Logs
Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion
Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall
Detects the use of the `syslog` syscall with action code 5 (SYSLOG_ACTION_CLEAR), which clears the kernel ring buffer (dmesg logs); the related action codes are 4 (SYSLOG_ACTION_READ_CLEAR) and 6 (SYSLOG_ACTION_CONSOLE_OFF). Attackers can use this to hide traces after exploitation or privilege escalation. A common technique is running `dmesg -c`, which triggers this syscall internally.
Clear PowerShell History - PowerShell
Detects keywords that could indicate clearing PowerShell history
Clear PowerShell History - PowerShell Module
Detects keywords that could indicate clearing PowerShell history
Clearing Windows Console History
Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
Cleartext Protocol Usage
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that encryption is used for all sensitive information in transit. Ensure that encrypted channels are used for all administrative account access.
Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many CVE exploits that target the Common Log File System (CLFS) driver.
ClickOnce Trust Prompt Tampering
Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.