Skip to content
Threat Feed
high advisory

Cisco ASA User Privilege Level Change Detection

Detection of unauthorized privilege level changes on Cisco ASA devices, potentially indicating privilege escalation or persistence attempts by threat actors.

This threat brief focuses on the detection of unauthorized privilege level modifications on Cisco ASA (Adaptive Security Appliance) devices. Threat actors may attempt to escalate privileges to gain elevated access to network infrastructure, enable additional command execution capabilities, or establish higher-level persistent access. This is achieved by modifying user account privilege levels, which range from 0 (lowest) to 15 (full administrative access). The detection strategy leverages Cisco ASA message ID 502103, triggered when a user account's privilege level is modified. This event captures crucial information, including the username, the administrator responsible for the change, and both the original and the new privilege levels. Defenders should investigate unexpected privilege changes, with particular attention to escalations to level 15, substantial privilege increases, modifications performed outside of established business hours, changes initiated by non-administrative users, or changes lacking proper change management documentation.

Attack Chain

  1. Initial Access: An attacker gains initial access to a low-privilege user account on the Cisco ASA, possibly through compromised credentials or social engineering.
  2. Reconnaissance: The attacker uses the compromised account to enumerate existing user accounts and their current privilege levels using CLI commands like show user.
  3. Privilege Escalation Attempt: The attacker attempts to modify the privilege level of a target account (potentially their own) using commands like username <user> privilege <level> via CLI or ASDM.
  4. Authentication: The ASA requires authentication for the privilege escalation attempt, often requiring administrator credentials. The attacker might attempt to brute-force or bypass this authentication.
  5. Privilege Level Change: If successful, the attacker elevates the target account's privilege level. Message ID 502103 is generated, logging the change.
  6. Command Execution: With elevated privileges, the attacker can now execute privileged commands, modify network configurations, and potentially compromise the entire ASA device.
  7. Persistence: The attacker may create new high-privilege accounts or modify existing ones to ensure continued access, even if the initial compromised account is discovered and disabled.
  8. Lateral Movement: The attacker uses the compromised ASA as a pivot point to gain access to other systems on the network.

Impact

Compromised Cisco ASA devices can lead to significant damage, including unauthorized network access, data breaches, and disruption of network services. A successful privilege escalation can grant attackers complete control over the network infrastructure. The NCSC's analysis of RayInitiator/LINE-VIPER malware highlights the potential for attackers to leverage compromised network devices for lateral movement and data exfiltration. The scope of impact depends on the organization's size and the criticality of the network services provided by the ASA.

Recommendation

  • Enable and forward Cisco ASA syslog data, including message ID 502103, to your SIEM using the Cisco Security Cloud TA, as required by the detection rules below.
  • Deploy the provided Sigma rule Cisco ASA User Privilege Level Change Detected to detect privilege level changes and tune it for your environment.
  • Investigate any alerts generated by the Sigma rule, paying close attention to escalations to privilege level 15, substantial increases in privilege levels, and changes made outside of normal business hours.
  • Correlate privilege level change events (message ID 502103) with other security events, such as failed login attempts or suspicious network activity, to identify potential compromise.
  • Regularly review user accounts and their privilege levels on Cisco ASA devices.
  • Implement strong password policies and multi-factor authentication for all ASA administrator accounts.
  • Refer to the Cisco documentation linked in the references to configure and monitor ASA logging effectively.

Detection coverage 2

Cisco ASA User Privilege Level Change Detected

high

Detects changes in user privilege levels on Cisco ASA devices, which can be indicative of malicious activity.

sigma tactics: persistence, privilege_escalation techniques: T1078.003, T1098 sources: firewall, cisco

Cisco ASA User Privilege Level Escalation to Admin (Level 15)

critical

Detects user privilege escalation to the highest level (15) on Cisco ASA devices, indicating a potential compromise.

sigma tactics: privilege_escalation techniques: T1078.003, T1098 sources: firewall, cisco

Detection queries are available on the platform. Get full rules →