<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Account_deletion - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/account_deletion/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/account_deletion/feed.xml" rel="self" type="application/rss+xml"/><item><title>Cisco ASA User Account Deletion</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-cisco-asa-account-deletion/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-cisco-asa-account-deletion/</guid><description>Detection of user account deletion on Cisco ASA devices, potentially indicating adversary attempts to cover tracks, disrupt incident response, or deny administrator access.</description><content:encoded><![CDATA[<p>This brief focuses on the detection of user account deletions on Cisco ASA devices, a tactic commonly employed by adversaries to obfuscate their activities within a compromised network. The deletion of user accounts, particularly those with elevated privileges (level 15), can serve to remove evidence of malicious actions, hinder incident response efforts, or deny legitimate administrators access to critical systems. This activity can also be a sign of hiding temporary account creation used during a compromise. This analytic relies on monitoring Cisco ASA logs for message ID 502102, which is triggered upon the deletion of a local user account. This event captures valuable information, including the username, privilege level, and the administrator responsible for the deletion. It is crucial to investigate unexpected or unauthorized account deletions, especially those occurring outside of normal business hours or involving privileged accounts.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: Adversary gains initial access to a system with valid credentials or exploits a vulnerability.</li>
<li>Privilege Escalation: The attacker elevates privileges to gain administrative access to the Cisco ASA device.</li>
<li>Account Discovery: The attacker enumerates existing user accounts on the Cisco ASA device to identify potential targets for deletion.</li>
<li>Account Deletion: The adversary deletes a local user account on the Cisco ASA device, generating syslog message ID 502102.</li>
<li>Log Manipulation (Optional): Attempts to further cover tracks by disabling logging or manipulating the ASA's logging configuration.</li>
<li>Persistence (Obstructed): By deleting accounts, legitimate user's persistence is removed and access to the system is revoked.</li>
<li>Defense Evasion: The attacker attempts to evade detection by deleting accounts used during the compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful deletion of user accounts can disrupt incident response efforts by removing valuable forensic data and hindering the ability to track the attacker's activities. It can also lead to denial-of-service for legitimate users who rely on those accounts for access. Privileged account deletion can result in significant operational disruption and potential data breaches due to loss of control over critical systems.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable and forward Cisco ASA syslog data, specifically message ID 502102, to your SIEM for analysis as detailed in the &quot;how_to_implement&quot; section.</li>
<li>Deploy the Sigma rule &quot;Cisco ASA - User Account Deletion Detected&quot; to your SIEM and tune the filter list to exclude known benign account deletions.</li>
<li>Investigate any instances of message ID 502102, cross-referencing with HR records and change management systems to identify unauthorized account deletions as described in the description.</li>
<li>Monitor ASA logging configurations for unauthorized changes that could indicate log manipulation attempts.</li>
<li>Review the &quot;references&quot; link to understand the context of ASA message ID 502102 within the overall ASA syslog architecture.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cisco_asa</category><category>account_deletion</category><category>defense_evasion</category></item></channel></rss>