{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/adaptive-security-appliance-asa-software/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Adaptive Security Appliance (ASA) Software"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","cisco","asa"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis brief focuses on detecting the disabling of logging on Cisco ASA devices. Attackers, including malicious insiders, might disable logging to avoid detection and hide malicious activities within the network. This is achieved by using CLI commands to turn off or clear logging features. This detection is triggered by specific syslog message IDs (111010, 111008) linked to command executions, combined with suspicious commands, like \u0026rsquo;no logging,\u0026rsquo; \u0026rsquo;logging disable,\u0026rsquo; \u0026lsquo;clear logging,\u0026rsquo; or \u0026rsquo;no logging host\u0026rsquo;. The ability to disable logging on a firewall or security appliance represents a substantial attempt at defense evasion, enabling the attacker to operate without generating audit trails.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains access to the Cisco ASA device\u0026rsquo;s CLI, potentially through stolen credentials or a compromised administrative account.\u003c/li\u003e\n\u003cli\u003eAuthentication: The attacker authenticates to the ASA device, using valid credentials to gain privileged access.\u003c/li\u003e\n\u003cli\u003eCommand Execution: The attacker executes commands via the CLI to modify the logging configuration.\u003c/li\u003e\n\u003cli\u003eDisable Logging: The attacker uses commands such as \u003ccode\u003eno logging\u003c/code\u003e, \u003ccode\u003elogging disable\u003c/code\u003e, \u003ccode\u003eclear logging\u003c/code\u003e, or \u003ccode\u003eno logging host\u003c/code\u003e to disable logging functionality.\u003c/li\u003e\n\u003cli\u003eEvasion: With logging disabled, the attacker can perform malicious activities without generating audit logs that would typically be captured by security monitoring systems.\u003c/li\u003e\n\u003cli\u003eLateral Movement/Privilege Escalation: The attacker may attempt to move laterally within the network or escalate privileges, taking advantage of the reduced visibility.\u003c/li\u003e\n\u003cli\u003eData Exfiltration/System Compromise: The attacker carries out their objectives, such as data exfiltration, system compromise, or network disruption, without being easily detected.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf logging is disabled on a Cisco ASA firewall, network defenders lose critical visibility into network traffic and security events. This can lead to delayed detection of security breaches, data exfiltration, and internal reconnaissance activities. Successfully disabling logging allows attackers to operate undetected, significantly increasing the dwell time and potential damage caused by a breach.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule to detect the execution of commands disabling logging on Cisco ASA devices in your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eConfigure your Cisco ASA devices to forward syslog data, specifically message IDs 111008 and 111010, to your SIEM as outlined in the \u0026ldquo;how_to_implement\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eReview historical logs for instances of logging being disabled to identify potential past compromises using the provided \u003ccode\u003ecisco_asa\u003c/code\u003e data source.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-cisco-asa-logging-disabled/","summary":"Detection of disabled logging functionality on a Cisco ASA device via CLI commands, indicating potential defense evasion by adversaries.","title":"Cisco ASA Logging Disabled via CLI","url":"https://feed.craftedsignal.io/briefs/2024-01-03-cisco-asa-logging-disabled/"}],"language":"en","title":"CraftedSignal Threat Feed — Adaptive Security Appliance (ASA) Software","version":"https://jsonfeed.org/version/1.1"}