{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/asa/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ASA","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["cisco","asa","logging","evasion"],"_cs_type":"advisory","_cs_vendors":["Cisco","Splunk"],"content_html":"\u003cp\u003eAttackers may target Cisco ASA devices to tamper with logging configurations. This involves reducing logging levels or disabling specific log categories to evade detection and hinder security monitoring systems. By successfully reducing logging verbosity, adversaries operate with diminished visibility, making it harder for security teams to detect malicious activities. This technique is valuable to attackers who have already gained some access and wish to persist undetected while pursuing further objectives within the compromised network. 
This activity is typically identified through the syslog messages the Cisco ASA generates whenever a configuration command is executed (IDs 111008 and 111010), which record the user and the command text, and for 111010 also the source IP and the application (CLI or ASDM) used.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained to the Cisco ASA device, potentially through compromised credentials or exploiting vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the ASA device via CLI or ASDM (Adaptive Security Device Manager).\u003c/li\u003e\n\u003cli\u003eThe attacker views the current logging configuration (for example \u003ccode\u003eshow logging\u003c/code\u003e or \u003ccode\u003eshow running-config logging\u003c/code\u003e) to identify destinations to modify.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the logging configuration using the \u003ccode\u003elogging\u003c/code\u003e command against a destination such as \u003ccode\u003easdm\u003c/code\u003e, \u003ccode\u003econsole\u003c/code\u003e, \u003ccode\u003ehistory\u003c/code\u003e, \u003ccode\u003email\u003c/code\u003e, \u003ccode\u003emonitor\u003c/code\u003e, or \u003ccode\u003etrap\u003c/code\u003e (the syslog-server destination).\u003c/li\u003e\n\u003cli\u003eThe attacker reduces verbosity by setting the destination to a more restrictive severity than \u0026ldquo;notifications\u0026rdquo; (level 5), \u0026ldquo;informational\u0026rdquo; (level 6), or \u0026ldquo;debugging\u0026rdquo; (level 7). On the ASA a lower number means fewer messages: \u003ccode\u003elogging trap errors\u003c/code\u003e (level 3) stops every level 4 to 7 message, including the severity 5 command-execution messages 111008 and 111010 themselves, from reaching the syslog server.\u003c/li\u003e\n\u003cli\u003eThe change takes effect immediately; the attacker may also save the running configuration with \u003ccode\u003ewrite memory\u003c/code\u003e so that it survives a reload.\u003c/li\u003e\n\u003cli\u003eThe ASA device generates syslog message 111008 or 111010 for the executed command, so the tampering command is the last opportunity to observe the change from the very logs it has just restricted.\u003c/li\u003e\n\u003cli\u003eThe attacker continues operations, now with reduced logging and a lower chance of detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful tampering with logging filters on Cisco ASA devices can severely impair network security monitoring capabilities. 
This can lead to delayed detection of malicious activities, increased dwell time for attackers, and potential data breaches or other network compromises. Organizations relying on ASA logs for security insights will be effectively blinded to attacker activity, increasing the risk of significant damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect unauthorized modifications to Cisco ASA logging filters; it keys on message IDs 111008 and 111010 and on the command text they carry.\u003c/li\u003e\n\u003cli\u003eConfigure your Cisco ASA devices to generate and forward syslog messages 111008 and 111010 to your SIEM. Both are severity 5, so the syslog destination must accept at least level 5 (\u003ccode\u003elogging enable\u003c/code\u003e, \u003ccode\u003elogging host \u0026lt;interface\u0026gt; \u0026lt;collector\u0026gt;\u003c/code\u003e, and \u003ccode\u003elogging trap notifications\u003c/code\u003e or higher); if the trap level is already below 5 the detection cannot fire. Because the tampering command is itself what lowers the level, the first such change is the one that must be caught; an accounting trail that the ASA logging filters do not touch, such as TACACS+ command accounting, gives an independent record.\u003c/li\u003e\n\u003cli\u003eInvestigate every detected logging configuration change, especially those performed by non-administrative accounts, from unexpected source IPs (111010 records the source IP and application), or during unusual hours. Compare against approved change control tickets and against \u003ccode\u003eshow logging\u003c/code\u003e on the device itself.\u003c/li\u003e\n\u003cli\u003eMonitor for the \u003ccode\u003elogging\u003c/code\u003e command being used with destinations such as \u003ccode\u003easdm\u003c/code\u003e, \u003ccode\u003econsole\u003c/code\u003e, \u003ccode\u003ehistory\u003c/code\u003e, \u003ccode\u003email\u003c/code\u003e, \u003ccode\u003emonitor\u003c/code\u003e, and \u003ccode\u003etrap\u003c/code\u003e with a severity level other than 5, 6, or 7 (that is, levels 0 to 4, which suppress the notifications and informational messages most detections depend on).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-cisco-asa-logging-tampering/","summary":"Tampering with logging filter configurations on Cisco ASA devices can allow attackers to evade detection by reducing logging levels or disabling specific log categories.","title":"Cisco ASA Logging Filters Configuration Tampering","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-asa-logging-tampering/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Adaptive Security Appliance (ASA) 
Software"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","cisco","asa"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis brief focuses on detecting the disabling of logging on Cisco ASA devices. Attackers, including malicious insiders, may disable logging to avoid detection and hide malicious activity within the network, using CLI commands that turn off, remove, or clear logging. The detection is triggered by the command-execution syslog messages (111010, 111008) when the executed command matches a string such as \u003ccode\u003eno logging\u003c/code\u003e, \u003ccode\u003elogging disable\u003c/code\u003e, \u003ccode\u003eclear logging\u003c/code\u003e, or \u003ccode\u003eno logging host\u003c/code\u003e. On the ASA CLI the command that turns syslog off entirely is \u003ccode\u003eno logging enable\u003c/code\u003e (covered by the \u003ccode\u003eno logging\u003c/code\u003e prefix); \u003ccode\u003eno logging host \u0026lt;interface\u0026gt; \u0026lt;address\u0026gt;\u003c/code\u003e removes one syslog server, and \u003ccode\u003eclear logging buffer\u003c/code\u003e discards the local log buffer. The ability to disable logging on a firewall or security appliance is a substantial defense-evasion step, enabling the attacker to operate without generating audit trails.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains access to the Cisco ASA device\u0026rsquo;s CLI, potentially through stolen credentials or a compromised administrative account.\u003c/li\u003e\n\u003cli\u003eAuthentication: The attacker authenticates to the ASA device, using valid credentials to gain privileged (enable) access, which configuration changes require.\u003c/li\u003e\n\u003cli\u003eCommand Execution: The attacker enters configuration mode and executes commands via the CLI to modify the logging configuration.\u003c/li\u003e\n\u003cli\u003eDisable Logging: The attacker uses commands such as \u003ccode\u003eno logging enable\u003c/code\u003e, \u003ccode\u003eclear logging buffer\u003c/code\u003e, or \u003ccode\u003eno logging host\u003c/code\u003e to disable, clear, or remove logging functionality.\u003c/li\u003e\n\u003cli\u003eEvasion: With logging disabled, the attacker can perform malicious activities without generating audit logs that would typically be captured by security monitoring 
systems.\u003c/li\u003e\n\u003cli\u003eLateral Movement/Privilege Escalation: The attacker may attempt to move laterally within the network or escalate privileges, taking advantage of the reduced visibility.\u003c/li\u003e\n\u003cli\u003eData Exfiltration/System Compromise: The attacker carries out their objectives, such as data exfiltration, system compromise, or network disruption, without being easily detected.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf logging is disabled on a Cisco ASA firewall, network defenders lose critical visibility into network traffic and security events. This can lead to delayed detection of security breaches, data exfiltration, and internal reconnaissance. Successfully disabling logging allows attackers to operate undetected, significantly increasing dwell time and the potential damage of a breach.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule to detect the execution of commands disabling logging on Cisco ASA devices in your SIEM and tune it for your environment; \u003ccode\u003eno logging host\u003c/code\u003e is also issued during legitimate collector changes, so tune against approved change windows rather than suppressing the command outright.\u003c/li\u003e\n\u003cli\u003eConfigure your Cisco ASA devices to forward syslog messages 111008 and 111010 to your SIEM. Both are severity 5, so the \u003ccode\u003elogging trap\u003c/code\u003e level must be notifications (5) or higher for them to leave the device. Because \u003ccode\u003eno logging enable\u003c/code\u003e stops all syslog output, the message recording that command may be the last one the collector receives; alert on an ASA that stops sending syslog as well as on the command itself.\u003c/li\u003e\n\u003cli\u003eReview historical logs in the \u003ccode\u003ecisco_asa\u003c/code\u003e data source for past instances of logging being disabled to identify potential earlier compromises.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-cisco-asa-logging-disabled/","summary":"Detection of disabled logging functionality on a Cisco ASA device via CLI commands, indicating potential defense evasion by adversaries.","title":"Cisco ASA Logging Disabled via 
CLI","url":"https://feed.craftedsignal.io/briefs/2024-01-03-cisco-asa-logging-disabled/"}],"language":"en","title":"CraftedSignal Threat Feed — Asa","version":"https://jsonfeed.org/version/1.1"}
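Both briefs in this feed describe the same detection pipeline: parse the ASA command-execution messages 111008 and 111010, pull out the executed command, and decide whether it lowers a destination's severity below notifications (5) or disables, removes, or clears logging. The Python below is an added example written for this page, not code from the feed, from Cisco, or from the Sigma rules the briefs reference. It assumes the message formats as Cisco documents them (`%ASA-5-111008: User 'x' executed the 'cmd' command.` and `%ASA-5-111010: User 'x', running 'app' from IP a.b.c.d, executed 'cmd'`), uses the destination list from the first brief plus `buffered`, generalises the second brief's command list to any `no logging <destination>`, and runs over a constructed syslog sample whose hostname, users, and addresses are invented.

```python
import re
from typing import Optional

# ASA severity keywords -> numeric level. A lower number means fewer messages are emitted.
LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
# Logging destinations named in the first brief, plus "buffered" (an addition here).
DESTINATIONS = {"asdm", "console", "history", "mail", "monitor", "trap", "buffered"}
# The brief treats any destination level below notifications (5) as reduced verbosity.
MIN_VERBOSE_LEVEL = 5

# 111008: User <user> executed the '<command>' command.
RE_111008 = re.compile(
    r"%ASA-\d-111008: User '?(?P<user>[^' ]+)'? executed the '(?P<cmd>[^']+)' command"
)
# 111010: User <user>, running <app> from IP <ip>, executed <command>
RE_111010 = re.compile(
    r"%ASA-\d-111010: User '?(?P<user>[^',]+)'?, running '?(?P<app>[^' ]+)'? "
    r"from IP (?P<ip>[\d.]+), executed '?(?P<cmd>.+?)'?\s*$"
)


def parse_level(token: str) -> Optional[int]:
    """Accept a numeric level (0-7) or an ASA severity keyword; None if neither."""
    if token.isdigit() and 0 <= int(token) <= 7:
        return int(token)
    return LEVELS.get(token)


def classify(cmd: str) -> Optional[str]:
    """Map an executed ASA command to a finding category, or None if it is benign."""
    tokens = cmd.strip().lower().split()
    if len(tokens) >= 2 and tokens[0] == "no" and tokens[1] == "logging":
        # "no logging enable" turns syslog off; "no logging host ..." drops a collector;
        # "no logging <destination>" (generalised beyond the brief) silences one destination.
        if len(tokens) == 2 or tokens[2] == "enable":
            return "logging-disabled"
        if tokens[2] == "host":
            return "syslog-server-removed"
        if tokens[2] in DESTINATIONS:
            return "destination-disabled"
        return None
    if len(tokens) >= 2 and tokens[0] == "clear" and tokens[1] == "logging":
        return "log-buffer-cleared"
    if len(tokens) >= 3 and tokens[0] == "logging" and tokens[1] in DESTINATIONS:
        # "logging <destination> <level>" with a level below 5 is the filter tampering
        # the first brief describes; 5, 6 and 7 keep or raise verbosity and are benign.
        level = parse_level(tokens[2])
        if level is not None and level < MIN_VERBOSE_LEVEL:
            return "verbosity-reduced"
    return None


def parse_command_event(line: str) -> Optional[dict]:
    """Extract user/app/ip/command from a 111008 or 111010 line; None for any other message."""
    m = RE_111010.search(line)
    if m:
        return {"msg_id": "111010", "user": m["user"], "app": m["app"],
                "ip": m["ip"], "cmd": m["cmd"]}
    m = RE_111008.search(line)
    if m:
        return {"msg_id": "111008", "user": m["user"], "app": None,
                "ip": None, "cmd": m["cmd"]}
    return None


def detect(syslog_text: str) -> list:
    """Run both briefs' logic over raw syslog text and return the suspicious events in order."""
    findings = []
    for line in syslog_text.splitlines():
        event = parse_command_event(line)
        if event is None:
            continue
        category = classify(event["cmd"])
        if category is not None:
            event["category"] = category
            findings.append(event)
    return findings


# Constructed sample (hostname, users and addresses invented): a benign lookup, two filter
# changes, a benign verbose setting, then a collector removal, a buffer clear and a full disable.
SAMPLE_SYSLOG = """\
<165>Jan 03 2024 12:00:01 fw1 %ASA-5-111010: User 'admin', running 'CLI' from IP 10.0.0.7, executed 'show logging'
<165>Jan 03 2024 12:00:05 fw1 %ASA-5-111010: User 'admin', running 'CLI' from IP 10.0.0.7, executed 'logging trap errors'
<165>Jan 03 2024 12:00:09 fw1 %ASA-5-111008: User 'admin' executed the 'logging asdm 3' command.
<165>Jan 03 2024 12:00:12 fw1 %ASA-5-111010: User 'svc_backup', running 'ASDM' from IP 10.0.0.9, executed 'logging monitor debugging'
<165>Jan 03 2024 12:01:00 fw1 %ASA-5-111010: User 'admin', running 'CLI' from IP 10.0.0.7, executed 'no logging host inside 10.0.0.5'
<165>Jan 03 2024 12:01:03 fw1 %ASA-5-111010: User 'admin', running 'CLI' from IP 10.0.0.7, executed 'clear logging buffer'
<165>Jan 03 2024 12:01:07 fw1 %ASA-5-111008: User 'admin' executed the 'no logging enable' command.
<165>Jan 03 2024 12:02:00 fw1 %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.20/51234 (10.0.0.20/51234)
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_SYSLOG):
        print(f"{f['category']:<22} {f['msg_id']} user={f['user']} ip={f['ip']} cmd={f['cmd']!r}")
```

`detect()` returns five findings for the sample, in order: the two verbosity reductions, the collector removal, the buffer clear and the full disable; `show logging`, `logging monitor debugging` and the 302013 connection message produce nothing. In a live deployment the `logging trap errors` event is the important one: once it has been applied, the severity 5 messages that record the later commands never reach the collector, which is why the recommendations above insist on the trap level staying at notifications or higher and on treating an ASA that goes quiet as an alert in its own right.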