{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/cisco-firepower-threat-defense/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cisco ASA","Cisco Firepower Threat Defense"],"_cs_severities":["medium"],"_cs_tags":["cisco","asa","file_copy","reconnaissance","credential_access","exfiltration"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis analytic detects file copy activity on Cisco ASA devices, potentially indicating malicious behavior. Attackers might copy device files, such as configurations (running-config, startup-config), logs, packet captures (pcap capture), or system files (disk0:, flash:, system:, capture:), via CLI or ASDM. This activity could be part of a reconnaissance phase, to extract credentials, or to exfiltrate sensitive data. While legitimate file operations do occur during backups and maintenance, unauthorized copies warrant investigation. This detection focuses on command execution events (message ID 111008 or 111010) containing copy commands. The activity may be associated with threat actors targeting perimeter network devices, such as those detailed in the Talos ArcaneDoor report.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the Cisco ASA device, possibly through compromised credentials or a vulnerability (not specified in source).\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the ASA device via CLI or ASDM using valid credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a \u003ccode\u003ecopy\u003c/code\u003e command to copy sensitive files. This includes commands targeting running-config, startup-config, packet capture files (\u003ccode\u003e/pcap capture:\u003c/code\u003e), or system files from disk0:, flash:, system:, or capture: locations.\u003c/li\u003e\n\u003cli\u003eThe ASA logs the command execution event with message ID 111008 or 111010.\u003c/li\u003e\n\u003cli\u003eThe copied files are stored on the ASA's local storage (disk0:, flash:, etc.).\u003c/li\u003e\n\u003cli\u003e(Hypothetical) The attacker uses another command (e.g., \u003ccode\u003etftp\u003c/code\u003e) to transfer the copied files off the ASA device to an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003e(Hypothetical) The attacker extracts credentials from the configuration files or analyzes packet captures for sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted information for further lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows the attacker to access sensitive information, including device configurations and potentially network traffic data. Configuration files often contain usernames, passwords, and other sensitive information that can be used for lateral movement within the network. Packet captures may contain sensitive data transmitted over the network. This can lead to a complete compromise of the network infrastructure. The references indicate that nation-state actors may target these devices.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Cisco ASA syslog data ingestion into your SIEM via the Cisco Security Cloud TA to collect the necessary logs.\u003c/li\u003e\n\u003cli\u003eConfigure your ASA and FTD devices to generate and forward message IDs 111008 and 111010 as outlined in the \u0026quot;how_to_implement\u0026quot; section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Cisco ASA Device File Copy Activity Detection\u0026quot; to identify suspicious file copy commands executed on Cisco ASA devices.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u0026quot;Cisco ASA Device File Copy Activity Detection,\u0026quot; especially those originating from non-administrative accounts or occurring during unusual hours.\u003c/li\u003e\n\u003cli\u003eMonitor command execution logs for unexpected use of the \u003ccode\u003ecopy\u003c/code\u003e command, specifically targeting sensitive files and directories (running-config, startup-config, /pcap capture:, disk0:, flash:, system:, capture:).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-cisco-asa-file-copy/","summary":"Adversaries may copy device files, including configurations and packet captures, from Cisco ASA devices via CLI or ASDM for reconnaissance, credential extraction, or data exfiltration, which can be detected via command execution logs.","title":"Cisco ASA Device File Copy Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-09-cisco-asa-file-copy/"}],"language":"en","title":"CraftedSignal Threat Feed - Cisco Firepower Threat Defense","version":"https://jsonfeed.org/version/1.1"}