Cisco ASA Logging Disabled via CLI
Detection of adversaries or malicious insiders disabling logging on a Cisco ASA device via CLI commands, hindering detection and hiding malicious activity.
This analytic focuses on detecting the disabling of logging functionality on Cisco ASA devices, a common tactic employed by adversaries and malicious insiders to evade detection and obscure malicious activities. The activity is identified by monitoring Cisco ASA syslog messages associated with command execution. Specifically, the detection triggers on syslog message IDs 111008 and 111010, coupled with the execution of commands indicative of logging manipulation, such as no logging, logging disable, clear logging, or no logging host. This tactic is a strong indicator of defense evasion, as disabling logging on security appliances like firewalls significantly reduces the visibility of malicious actions. This is a common post-compromise technique.
Attack Chain
- The attacker gains unauthorized access to the Cisco ASA device, potentially through compromised credentials or exploiting a vulnerability.
- The attacker authenticates to the ASA's CLI, possibly using stolen credentials.
- The attacker executes a command to disable logging, such as
no logging,logging disable,clear logging, orno logging host. This action is designed to prevent the recording of their subsequent activities. - The Cisco ASA generates a syslog message with message ID 111008 or 111010, indicating that a command has been executed.
- With logging disabled, the attacker performs malicious activities, such as modifying firewall rules, establishing unauthorized VPN connections, or exfiltrating sensitive data.
- Because logging is disabled, these malicious activities are not recorded in the ASA's logs, making them difficult to detect.
- The attacker attempts to cover their tracks further by clearing any remaining logs or audit trails.
Impact
Successful disabling of logging can severely impair an organization's ability to detect and respond to security incidents. With logging disabled, malicious activities can go unnoticed, leading to data breaches, system compromise, and financial losses. The impact is magnified by the fact that Cisco ASA devices are often critical components of network security infrastructure. The number of victims can range from single organizations to multiple entities if the attacker is able to compromise multiple ASA devices.
Recommendation
- Deploy the Sigma rule
Cisco ASA Logging Disabled via CLIto your SIEM and tune for your environment to detect attempts to disable logging functionality. - Enable and forward Cisco ASA syslog data with message IDs 111008 and 111010 to your SIEM as described in the references and the
how_to_implementsection. - Review and enforce strict access control policies for Cisco ASA devices to minimize the risk of unauthorized access.
- Monitor and alert on changes to logging configurations on Cisco ASA devices to identify suspicious activity.
Detection coverage 2
Cisco ASA Logging Disabled via CLI
highDetects the disabling of logging on a Cisco ASA device via CLI commands.
Cisco ASA - Clear Logging Buffer
mediumDetects attempts to clear the logging buffer on a Cisco ASA device, potentially to hide malicious activity.
Detection queries are available on the platform. Get full rules →