Cisco ASA - New Local User Account Creation
Detection of new user account creations on Cisco ASA devices, potentially indicating unauthorized access or persistence attempts by adversaries.
This analytic detects the creation of new user accounts on Cisco ASA devices via CLI or ASDM. Adversaries may create unauthorized user accounts to establish persistence, maintain backdoor access, or elevate privileges on network infrastructure devices. These rogue accounts can provide attackers with continued access even after initial compromise vectors are remediated. The detection monitors for ASA message ID 502101, which is generated whenever a new user account is created on the device, capturing details including the username, privilege level, and the administrator who created the account. The source material was published by Splunk on 2026-04-17, highlighting the continued relevance of this threat.
Attack Chain
- Initial access to the Cisco ASA device via compromised credentials or exploitation of a vulnerability.
- Attacker authenticates to the ASA device using the gained access.
- Attacker executes commands to create a new local user account using the CLI or ASDM interface.
- The ASA device generates syslog message ID 502101, indicating the new account creation, which includes the username, privilege level, and creating administrator.
- The attacker assigns a high privilege level (e.g., level 15) to the new account.
- Attacker uses the newly created account to maintain persistent access to the ASA device.
- Attacker leverages the persistent access to perform reconnaissance, modify configurations, or disrupt network operations.
- The attacker establishes a backdoor for future access, bypassing normal authentication mechanisms.
Impact
Successful exploitation can lead to unauthorized access to the network infrastructure, allowing attackers to modify configurations, intercept traffic, or disrupt services. This can result in data breaches, denial of service, and significant financial and reputational damage. While the specific number of victims or targeted sectors isn't available, the impact is significant for any organization relying on Cisco ASA devices for network security.
Recommendation
- Ensure Cisco ASA devices are configured to generate and forward syslog message ID 502101 to a SIEM for monitoring to enable the provided detections.
- Implement the provided Sigma rule
Cisco ASA - New Local User Account Createdto detect suspicious account creation activities. - Investigate any alerts generated by the Sigma rule, paying close attention to accounts with elevated privileges (level 15) and those created outside of normal business hours.
- Review existing user accounts on Cisco ASA devices regularly, looking for any unauthorized or suspicious accounts.
Detection coverage 2
Cisco ASA - New Local User Account Created
mediumDetects creation of new user accounts on Cisco ASA devices via syslog message ID 502101, which can indicate malicious activity.
Cisco ASA - High Privilege Account Creation
highDetects the creation of new accounts with high privilege (level 15) on Cisco ASA devices, a strong indicator of potential malicious activity.
Detection queries are available on the platform. Get full rules →