Skip to content
Threat Feed
medium advisory

Cisco ASA Reconnaissance Command Activity

This analytic detects potential reconnaissance on Cisco ASA devices by identifying execution of multiple information-gathering 'show' commands within a short timeframe, indicating potential enumeration by an attacker.

This detection identifies potential reconnaissance activities targeting Cisco ASA devices. Threat actors often perform reconnaissance against network infrastructure to understand device configurations, network topology, security policies, and potential attack paths. This involves executing multiple "show" commands to enumerate device details, running configurations, active connections, routing information, and VPN sessions. This activity is often a precursor to further malicious actions, such as lateral movement or data exfiltration. The detection specifically monitors for command execution events (message ID 111009) and triggers when 7 or more distinct reconnaissance commands are executed within a 5-minute window by the same user. This allows for detection of anomalous behavior within a network.

Attack Chain

  1. Attacker gains initial access to a network, potentially through compromised credentials or exploiting a vulnerability in an external-facing system.
  2. The attacker leverages their access to connect to a Cisco ASA device.
  3. The attacker executes a series of "show" commands via the ASA's command-line interface (CLI). These commands include "show running-config", "show version", "show interface", "show crypto", "show conn", and others to gather information about the ASA's configuration and network environment.
  4. The ASA logs these command executions with message ID 111009.
  5. The attacker analyzes the output of the "show" commands to map the network topology, identify potential vulnerabilities, and discover sensitive information such as usernames, passwords, and VPN configurations.
  6. Using the gathered information, the attacker identifies potential targets for lateral movement within the network.
  7. The attacker pivots to other systems within the network, potentially using stolen credentials or exploiting identified vulnerabilities.
  8. The attacker achieves their final objective, such as data exfiltration, system compromise, or denial-of-service.

Impact

Successful reconnaissance can provide attackers with critical information needed to compromise network infrastructure, bypass security controls, and achieve their objectives. While the reconnaissance itself does not cause direct damage, it significantly increases the likelihood of a successful attack. A compromised ASA device can lead to network outages, data breaches, and unauthorized access to sensitive resources. The number of affected users/systems depends on the scope of the attacker's objective and the network's architecture.

Recommendation

  • Ensure Cisco ASA devices are configured to log command execution events with message ID 111009, following the guidance in the "how_to_implement" section.
  • Deploy the provided Sigma rule to your SIEM to detect reconnaissance activity based on multiple "show" command executions. Tune the threshold (unique_recon_commands >= 7) based on your environment's baseline activity.
  • Investigate alerts generated by the Sigma rule, focusing on unusual source IP addresses, non-administrative accounts, and off-hours activity. Correlate reconnaissance activity with other suspicious events.
  • Adapt the detection filters to exclude known legitimate administrative activities, as mentioned in the "known_false_positives" section.
  • Regularly review and update ASA configurations to minimize the exposure of sensitive information through "show" commands, referring to the Cisco documentation provided in the references section.

Detection coverage 2

Cisco ASA - Reconnaissance Command Activity

medium

Detects potential reconnaissance activities on Cisco ASA devices by identifying execution of multiple information-gathering 'show' commands within a short timeframe.

sigma tactics: reconnaissance techniques: T1590.001, T1590.005 sources: firewall, cisco

Cisco ASA - Single Reconnaissance Command Variations

info

Detects variations of similar commands such as 'show running-config | include username' as single reconnaissance command types.

sigma tactics: reconnaissance techniques: T1590.001, T1590.005 sources: firewall, cisco

Detection queries are available on the platform. Get full rules →