Product
Cisco ASA Device File Copy Activity
2 rules 2 TTPsAdversaries may copy device files, including configurations and packet captures, from Cisco ASA devices via CLI or ASDM for reconnaissance, credential extraction, or data exfiltration, which can be detected via command execution logs.
Cisco ASA - New Local User Account Creation
2 rules 2 TTPsDetection of new user account creations on Cisco ASA devices, potentially indicating unauthorized access or persistence attempts by adversaries.
Cisco ASA User Account Lockout Detection
2 rules 2 TTPsDetection of user account lockouts on Cisco ASA devices due to excessive failed authentication attempts, potentially indicating brute-force attacks, password spraying, or credential stuffing.
Cisco ASA Reconnaissance Command Activity
2 rules 3 TTPsThis analytic detects potential reconnaissance on Cisco ASA devices by identifying execution of multiple information-gathering 'show' commands within a short timeframe, indicating potential enumeration by an attacker.
Cisco ASA Logging Message Suppression
2 rules 2 TTPsAdversaries may suppress specific log message IDs on Cisco ASA devices using the 'no logging message' command to selectively disable logging of security-critical events and evade detection.
Cisco ASA User Privilege Level Change Detection
2 rules 2 TTPsDetection of unauthorized privilege level changes on Cisco ASA devices, potentially indicating privilege escalation or persistence attempts by threat actors.
Cisco ASA User Account Deletion
2 rules 2 TTPsDetection of user account deletion on Cisco ASA devices, potentially indicating adversary attempts to cover tracks, disrupt incident response, or deny administrator access.
Cisco ASA Device File Copy to Remote Location
2 rules 3 TTPsThe analytic detects file copy operations from Cisco ASA devices to remote locations using protocols like TFTP, FTP, HTTP, HTTPS, SMB, or SCP, potentially indicating data exfiltration by threat actors targeting network devices.
Cisco ASA Packet Capture Activity
2 rules 2 TTPsDetection of packet capture commands on Cisco ASA devices indicates potential network sniffing for credential theft, sensitive data interception, or network traffic analysis by adversaries.
Cisco ASA Logging Disabled via CLI
2 rules 1 TTPDetection of adversaries or malicious insiders disabling logging on a Cisco ASA device via CLI commands, hindering detection and hiding malicious activity.