Cisco ASA Logging Disabled via CLI

This brief focuses on detecting the disabling of logging on Cisco ASA devices. Attackers, including malicious insiders, might disable logging to avoid detection and hide malicious activities within the network. This is achieved by using CLI commands to turn off or clear logging features. This detection is triggered by specific syslog message IDs (111010, 111008) linked to command executions, combined with suspicious commands, like ’no logging,’ ’logging disable,’ ‘clear logging,’ or ’no logging host’. The ability to disable logging on a firewall or security appliance represents a substantial attempt at defense evasion, enabling the attacker to operate without generating audit trails.

Attack Chain

1. Initial Access: The attacker gains access to the Cisco ASA device’s CLI, potentially through stolen credentials or a compromised administrative account.
2. Authentication: The attacker authenticates to the ASA device, using valid credentials to gain privileged access.
3. Command Execution: The attacker executes commands via the CLI to modify the logging configuration.
4. Disable Logging: The attacker uses commands such as no logging, logging disable, clear logging, or no logging host to disable logging functionality.
5. Evasion: With logging disabled, the attacker can perform malicious activities without generating audit logs that would typically be captured by security monitoring systems.
6. Lateral Movement/Privilege Escalation: The attacker may attempt to move laterally within the network or escalate privileges, taking advantage of the reduced visibility.
7. Data Exfiltration/System Compromise: The attacker carries out their objectives, such as data exfiltration, system compromise, or network disruption, without being easily detected.

Impact

If logging is disabled on a Cisco ASA firewall, network defenders lose critical visibility into network traffic and security events. This can lead to delayed detection of security breaches, data exfiltration, and internal reconnaissance activities. Successfully disabling logging allows attackers to operate undetected, significantly increasing the dwell time and potential damage caused by a breach.

Recommendation

• Deploy the Sigma rule to detect the execution of commands disabling logging on Cisco ASA devices in your SIEM and tune for your environment.
• Configure your Cisco ASA devices to forward syslog data, specifically message IDs 111008 and 111010, to your SIEM as outlined in the “how_to_implement” section.
• Review historical logs for instances of logging being disabled to identify potential past compromises using the provided cisco_asa data source.