title: Cisco Denial of Service
id: d94a35f0-7a29-45f6-90a0-80df6159967c
status: test
description: Detect a system being shutdown or put into different boot mode
author: Austin Clark
date: 2019/08/15
modified: 2021/11/27
logsource:
  product: cisco
  service: aaa
  category: accounting
detection:
  keywords:
    - 'shutdown'
    - 'config-register 0x2100'
    - 'config-register 0x2142'
  condition: keywords
fields:
  - CmdSet
falsepositives:
  - Legitimate administrators may run these commands, though rarely.
level: medium
tags:
  - attack.impact
  - attack.t1495
  - attack.t1529
  - attack.t1565.001