SPL · Apache-2.0 · from splunk/security_content

Cisco Privileged Account Creation with HTTP Command Execution

This analytic correlates risk events between privileged account creation on Cisco IOS devices and HTTP requests to privileged execution paths such as `/level/15/exec/-/*`. APT actors have been observed creating privileged accounts and then running commands on routers via HTTP GET or POST requests that target privileged execution paths. These requests allow attackers to execute commands with the highest privilege level (15) on Cisco devices without requiring interactive SSH access. This correlation identifies when both "Cisco IOS Suspicious Privileged Account Creation" and "Privileged Command Execution via HTTP" Snort detections fire for the same network device. This behavior indicates an attacker leveraging the newly created account to execute commands remotely via HTTP.
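The correlation described above, as an added Python example that is not the rule's own SPL: it groups risk events by device and reports a finding only when both named detections fired for the same device within a time window. The risk-index field names (`_time`, `risk_object`, `search_name`, `risk_score`), the 24-hour window, and the sample events are all constructed assumptions.

```python
"""Correlate two Snort-sourced risk events per Cisco device (added example,
not the security_content rule). Input rows are constructed samples shaped
like Splunk risk-index events; field names and the window are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

ACCOUNT_CREATION = "Cisco IOS Suspicious Privileged Account Creation"
HTTP_EXEC = "Privileged Command Execution via HTTP"

# Constructed sample risk events (not real telemetry).
SAMPLE_RISK_EVENTS = [
    {"_time": "2024-05-01T10:00:00", "risk_object": "rtr-edge-01",
     "search_name": ACCOUNT_CREATION, "risk_score": 40},
    {"_time": "2024-05-01T10:07:30", "risk_object": "rtr-edge-01",
     "search_name": HTTP_EXEC, "risk_score": 60},
    # Account creation only: no HTTP execution seen on this device.
    {"_time": "2024-05-01T11:00:00", "risk_object": "rtr-core-02",
     "search_name": ACCOUNT_CREATION, "risk_score": 40},
    # Both detections, but 43.5 hours apart: outside a 24h window.
    {"_time": "2024-05-01T12:30:00", "risk_object": "rtr-branch-03",
     "search_name": HTTP_EXEC, "risk_score": 60},
    {"_time": "2024-05-03T08:00:00", "risk_object": "rtr-branch-03",
     "search_name": ACCOUNT_CREATION, "risk_score": 40},
]

def _ts(event):
    return datetime.fromisoformat(event["_time"])

def correlate(events, window_hours=24):
    """One finding per device whose account-creation and HTTP-execution risk
    events fall within window_hours of each other (either order)."""
    window = timedelta(hours=window_hours)
    by_device = defaultdict(lambda: {ACCOUNT_CREATION: [], HTTP_EXEC: []})
    for ev in events:
        if ev["search_name"] in (ACCOUNT_CREATION, HTTP_EXEC):
            by_device[ev["risk_object"]][ev["search_name"]].append(ev)
    findings = []
    for device, groups in sorted(by_device.items()):
        pairs = [(c, x) for c in groups[ACCOUNT_CREATION]
                 for x in groups[HTTP_EXEC] if abs(_ts(x) - _ts(c)) <= window]
        if not pairs:
            continue  # missing one detection, or events too far apart
        matched = list({id(e): e for c, x in pairs for e in (c, x)}.values())
        findings.append({
            "risk_object": device,
            "first_seen": min(_ts(e) for e in matched).isoformat(),
            "last_seen": max(_ts(e) for e in matched).isoformat(),
            "source_count": len({e["search_name"] for e in matched}),
            "risk_score": sum(e["risk_score"] for e in matched),
        })
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE_RISK_EVENTS):
        print(finding)
```

Widening the window shows the trade-off: at 48 hours rtr-branch-03 also matches, so the window is the main false-positive tuning knob.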
