Cisco ASA Logging Filters Configuration Tampering

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

Attackers may target Cisco ASA devices to tamper with logging configurations. This involves reducing logging levels or disabling specific log categories to evade detection and hinder security monitoring systems. By successfully reducing logging verbosity, adversaries operate with diminished visibility, making it harder for security teams to detect malicious activities. This technique is valuable to attackers who have already gained some access and wish to persist undetected while pursuing further objectives within the compromised network. This activity is typically identified through specific syslog messages generated by the Cisco ASA device when logging filters are modified.

Attack Chain

Initial access is gained to the Cisco ASA device, potentially through compromised credentials or exploiting vulnerabilities.
The attacker authenticates to the ASA device via CLI or ASDM (Adaptive Security Device Manager).
The attacker executes commands to view the current logging configuration to identify targets for modification.
The attacker modifies the logging configuration using the “logging” command, focusing on parameters like “asdm”, “console”, “history”, “mail”, “monitor”, or “trap”.
The attacker reduces the verbosity of logging by setting destinations to levels higher than “notifications” (level 5), “informational” (level 6), or “debugging” (level 7).
The attacker commits the changes, applying the modified logging configuration to the ASA device.
The ASA device generates syslog messages with ID 111008 or 111010, reflecting the configuration change.
The attacker continues operations, now with reduced logging and a lower chance of detection.

Impact

Successful tampering with logging filters on Cisco ASA devices can severely impair network security monitoring capabilities. This can lead to delayed detection of malicious activities, increased dwell time for attackers, and potential data breaches or other network compromises. Organizations relying on ASA logs for security insights will be effectively blinded to attacker activity, increasing the risk of significant damage.

Recommendation

Deploy the provided Sigma rule to your SIEM to detect unauthorized modifications to Cisco ASA logging filters, specifically looking for message IDs 111008 and 111010.
Configure your Cisco ASA devices to generate and forward syslog messages with IDs 111008 and 111010 to your SIEM. This is crucial for the detection to function correctly.
Investigate any detected instances of logging configuration changes, especially those performed by non-administrative accounts or during unusual hours. Compare against approved change control tickets.
Monitor for the “logging” command being used with destinations such as “asdm”, “console”, “history”, “mail”, “monitor”, and “trap” without setting severity levels to 5, 6, or 7.

Cisco ASA Logging Disabled via CLI

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This brief focuses on detecting the disabling of logging on Cisco ASA devices. Attackers, including malicious insiders, might disable logging to avoid detection and hide malicious activities within the network. This is achieved by using CLI commands to turn off or clear logging features. This detection is triggered by specific syslog message IDs (111010, 111008) linked to command executions, combined with suspicious commands, like ’no logging,’ ’logging disable,’ ‘clear logging,’ or ’no logging host’. The ability to disable logging on a firewall or security appliance represents a substantial attempt at defense evasion, enabling the attacker to operate without generating audit trails.

Attack Chain

Initial Access: The attacker gains access to the Cisco ASA device’s CLI, potentially through stolen credentials or a compromised administrative account.
Authentication: The attacker authenticates to the ASA device, using valid credentials to gain privileged access.
Command Execution: The attacker executes commands via the CLI to modify the logging configuration.
Disable Logging: The attacker uses commands such as no logging, logging disable, clear logging, or no logging host to disable logging functionality.
Evasion: With logging disabled, the attacker can perform malicious activities without generating audit logs that would typically be captured by security monitoring systems.
Lateral Movement/Privilege Escalation: The attacker may attempt to move laterally within the network or escalate privileges, taking advantage of the reduced visibility.
Data Exfiltration/System Compromise: The attacker carries out their objectives, such as data exfiltration, system compromise, or network disruption, without being easily detected.

Impact

If logging is disabled on a Cisco ASA firewall, network defenders lose critical visibility into network traffic and security events. This can lead to delayed detection of security breaches, data exfiltration, and internal reconnaissance activities. Successfully disabling logging allows attackers to operate undetected, significantly increasing the dwell time and potential damage caused by a breach.

Recommendation

Deploy the Sigma rule to detect the execution of commands disabling logging on Cisco ASA devices in your SIEM and tune for your environment.
Configure your Cisco ASA devices to forward syslog data, specifically message IDs 111008 and 111010, to your SIEM as outlined in the “how_to_implement” section.
Review historical logs for instances of logging being disabled to identify potential past compromises using the provided cisco_asa data source.

Asa — CraftedSignal Threat Feed

Cisco ASA Logging Filters Configuration Tampering

Attack Chain

Impact

Recommendation

Cisco ASA Logging Disabled via CLI

Attack Chain

Impact

Recommendation