Cisco ASA Logging Filters Configuration Tampering
Tampering with logging filter configurations on Cisco ASA devices can allow attackers to evade detection by reducing logging levels or disabling specific log categories.
Attackers may target Cisco ASA devices to tamper with logging configurations. This involves reducing logging levels or disabling specific log categories to evade detection and hinder security monitoring systems. By successfully reducing logging verbosity, adversaries operate with diminished visibility, making it harder for security teams to detect malicious activities. This technique is valuable to attackers who have already gained some access and wish to persist undetected while pursuing further objectives within the compromised network. This activity is typically identified through specific syslog messages generated by the Cisco ASA device when logging filters are modified.
Attack Chain
- Initial access is gained to the Cisco ASA device, potentially through compromised credentials or exploiting vulnerabilities.
- The attacker authenticates to the ASA device via CLI or ASDM (Adaptive Security Device Manager).
- The attacker executes commands to view the current logging configuration to identify targets for modification.
- The attacker modifies the logging configuration using the “logging” command, focusing on parameters like “asdm”, “console”, “history”, “mail”, “monitor”, or “trap”.
- The attacker reduces logging verbosity by setting a destination to a severity more restrictive than "notifications" (level 5), "informational" (level 6), or "debugging" (level 7), for example "logging trap errors" (level 3), or removes the destination outright with "no logging <destination>". Individual syslog messages can also be silenced with "no logging message <id>".
- ASA configuration commands take effect in the running configuration immediately, so the reduced logging applies as soon as the command is entered; the attacker may additionally run "write memory" so the change survives a reload.
- The ASA device generates syslog message 111008 (User 'x' executed the 'cmd' command) or 111010 (User 'x', running 'app' from IP a.b.c.d, executed 'cmd') recording the configuration command. Both are severity 5 (notifications), so once the trap level has been dropped below that, later changes will no longer reach the collector.
- The attacker continues operations, now with reduced logging and a lower chance of detection.
Impact
Successful tampering with logging filters on Cisco ASA devices can severely impair network security monitoring capabilities. This can lead to delayed detection of malicious activities, increased dwell time for attackers, and potential data breaches or other network compromises. Organizations relying on ASA logs for security insights will be effectively blinded to attacker activity, increasing the risk of significant damage.
Recommendation
- Deploy the provided Sigma rule to your SIEM to detect unauthorized modifications to Cisco ASA logging filters, specifically looking for message IDs 111008 and 111010.
- Configure your Cisco ASA devices to generate and forward syslog messages with IDs 111008 and 111010 to your SIEM. Both are severity 5 (notifications), so "logging trap" must be set to notifications or higher (level 5, 6, or 7) and neither message ID may be disabled; otherwise the detection cannot function.
- Investigate any detected instances of logging configuration changes, especially those performed by non-administrative accounts or during unusual hours. Compare against approved change control tickets.
- Monitor for the "logging" command being used with destinations such as "asdm", "console", "history", "mail", "monitor", and "trap" with a severity level below 5 (i.e. anything other than 5, 6, or 7), as well as "no logging <destination>", "no logging enable", and "no logging message <id>", which remove logging rather than lower it.
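The following is an added example, not code from the original page or from any vendor's detection content. It implements the two checks described in the attack chain and the recommendations above: it parses 111008/111010 audit messages from a constructed sample of ASA syslog lines, flags any command that lowers a logging destination below notifications (5), removes a destination, or disables a message ID, and then counts flagged commands per device in a sliding window to surface the "multiple modifications from the same host" case. The syslog line prefix (ISO timestamp, hostname), the window size, and the threshold are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Cisco ASA severity names and their numeric levels (0 = emergencies ... 7 = debugging)
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
# Destinations whose level can be set with "logging <destination> <level>"
DESTINATIONS = {"asdm", "buffered", "console", "history", "mail", "monitor", "trap"}
# 111008/111010 are level 5; anything below that silences the audit trail itself
MIN_ACCEPTABLE_LEVEL = SEVERITY["notifications"]

# %ASA-5-111008: User 'x' executed the 'cmd' command.
RE_111008 = re.compile(r"%ASA-\d-111008: User '(?P<user>[^']+)' executed the '(?P<cmd>[^']+)' command")
# %ASA-5-111010: User 'x', running 'CLI' from IP a.b.c.d, executed 'cmd'
RE_111010 = re.compile(
    r"%ASA-\d-111010: User '(?P<user>[^']+)', running '(?P<app>[^']+)' from IP (?P<ip>[^,]+), executed '(?P<cmd>[^']+)'"
)


def parse_line(line):
    """Parse '<iso-timestamp> <host> %ASA-...' into an event dict, or None if it is not 111008/111010."""
    try:
        ts, host, body = line.split(" ", 2)
    except ValueError:
        return None
    m, msg_id = RE_111008.search(body), "111008"
    if not m:
        m, msg_id = RE_111010.search(body), "111010"
    if not m:
        return None
    return {"ts": datetime.fromisoformat(ts), "host": host, "msg_id": msg_id,
            "user": m.group("user"), "src_ip": m.groupdict().get("ip"), "cmd": m.group("cmd").strip()}


def level_of(token):
    """Map a severity given by name or number to 0-7, or None if the token is not a severity."""
    if token.isdigit() and 0 <= int(token) <= 7:
        return int(token)
    return SEVERITY.get(token)


def tamper_reason(cmd):
    """Return why a command reduces ASA logging, or None if it does not."""
    t = cmd.split()
    if len(t) >= 3 and t[0] == "no" and t[1] == "logging":
        if t[2] == "enable":
            return "logging disabled globally"
        if t[2] in DESTINATIONS:
            return f"logging destination '{t[2]}' removed"
        if t[2] == "message" and len(t) >= 4:
            return f"syslog message {t[3]} disabled"
        return None
    if len(t) >= 3 and t[0] == "logging":
        if t[1] in DESTINATIONS:
            lvl = level_of(t[2])
            if lvl is not None and lvl < MIN_ACCEPTABLE_LEVEL:
                return f"'{t[1]}' level lowered to {t[2]} ({lvl}), below notifications (5)"
        elif t[1] == "message" and len(t) >= 5 and t[3] == "level":
            return f"severity of syslog message {t[2]} reassigned to {t[4]}"
    return None


def detect(lines, window=timedelta(minutes=5), threshold=3):
    """Rule 1: every tampering command. Rule 2: hosts with >= threshold tampering commands inside `window`."""
    hits, per_host = [], defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        reason = tamper_reason(ev["cmd"])
        if reason is None:
            continue
        ev["reason"] = reason
        hits.append(ev)
        per_host[ev["host"]].append(ev["ts"])
    bursts = {}
    for host, stamps in per_host.items():
        stamps.sort()
        best, j = 0, 0
        for i in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[i] - stamps[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            bursts[host] = best
    return hits, bursts


# Constructed sample: not real device output. fw01 shows a burst of three reductions in 37 seconds.
SAMPLE_LOGS = """\
2024-03-10T12:00:01 fw01 %ASA-5-111010: User 'admin', running 'CLI' from IP 192.0.2.10, executed 'logging trap informational'
2024-03-10T12:00:05 fw01 %ASA-5-111008: User 'admin' executed the 'logging trap errors' command.
2024-03-10T12:00:20 fw01 %ASA-5-111010: User 'admin', running 'ASDM' from IP 192.0.2.10, executed 'no logging monitor'
2024-03-10T12:00:42 fw01 %ASA-5-111008: User 'admin' executed the 'no logging message 111008' command.
2024-03-10T12:05:00 fw02 %ASA-5-111008: User 'netops' executed the 'logging buffered debugging' command.
2024-03-10T12:06:00 fw02 %ASA-5-111010: User 'netops', running 'CLI' from IP 198.51.100.7, executed 'interface GigabitEthernet0/1'
2024-03-10T12:30:00 fw02 %ASA-5-111008: User 'netops' executed the 'logging history 4' command.
""".splitlines()

if __name__ == "__main__":
    found, bursts = detect(SAMPLE_LOGS)
    for ev in found:
        print(f"{ev['ts']} {ev['host']} user={ev['user']} id={ev['msg_id']} cmd={ev['cmd']!r}: {ev['reason']}")
    for host, n in bursts.items():
        print(f"BURST: {host} made {n} logging reductions within 5 minutes")
```

Raising a level (the first fw01 line, to informational) is deliberately not flagged, since the rule is about reduced verbosity; an environment that wants every logging change reviewed against change control can drop the `lvl < MIN_ACCEPTABLE_LEVEL` test and alert on any `logging <destination>` command instead.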
Detection coverage (2 rules)
- Cisco ASA Logging Configuration Tampering (severity: medium): Detects modifications to Cisco ASA logging filters aimed at reducing logging verbosity.
- Cisco ASA Multiple Logging Filter Modifications (severity: high): Detects multiple logging filter modifications from the same host within a short period, which might indicate suspicious activity.