{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cisco_asa/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cisco ASA"],"_cs_severities":["medium"],"_cs_tags":["authentication","brute_force","password_spraying","cisco_asa"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis brief focuses on detecting account lockouts on Cisco ASA (Adaptive Security Appliance) devices. The increasing sophistication of cyberattacks means that organizations must monitor not just successful breaches, but also failed authentication attempts that may signal ongoing brute force attacks, password spraying campaigns, or credential stuffing attempts. The presence of these types of attacks indicate that credentials may have been compromised from external breaches and are being used to gain unauthorized access to network infrastructure. This analytic specifically leverages Cisco ASA message ID 113006, which signifies a user account lockout triggered by exceeding the permitted number of failed authentication attempts. This detection is crucial for defenders, as it enables timely response to potential unauthorized access attempts, protecting sensitive resources and maintaining network integrity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker attempts to authenticate to the Cisco ASA using compromised credentials or by guessing passwords.\u003c/li\u003e\n\u003cli\u003eThe authentication attempts fail.\u003c/li\u003e\n\u003cli\u003eThe Cisco ASA logs message ID 113006, indicating a failed authentication attempt.\u003c/li\u003e\n\u003cli\u003eThe attacker continues to attempt authentication, exceeding the configured lockout threshold.\u003c/li\u003e\n\u003cli\u003eThe Cisco ASA locks the user account, logging message ID 113006 with details of the account lockout and the failure threshold.\u003c/li\u003e\n\u003cli\u003eThe detection rule triggers based on the 113006 event identifying the user account and originating host.\u003c/li\u003e\n\u003cli\u003eSecurity team investigates the lockout event, looking for associated malicious activity.\u003c/li\u003e\n\u003cli\u003eIf confirmed malicious, the security team takes action to block the attacker and remediate the compromised account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to unauthorized access to the network, potentially leading to data breaches, service disruption, or further lateral movement within the network. While a single account lockout might seem minor, a series of lockouts, especially affecting privileged accounts, could indicate a coordinated attack. Organizations in all sectors are vulnerable, with financial services and healthcare being particularly attractive targets.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIngest Cisco ASA syslog data into Splunk via the Cisco Security Cloud TA to populate the \u003ccode\u003ecisco_asa\u003c/code\u003e macro.\u003c/li\u003e\n\u003cli\u003eConfigure Cisco ASA devices to generate and forward message ID 113006 for account lockout events to Splunk.\u003c/li\u003e\n\u003cli\u003eTune and deploy the Sigma rule \u0026quot;Cisco ASA - User Account Lockout Detected\u0026quot; to detect account lockouts.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts from the Sigma rule, focusing on privileged accounts, unusual source IP addresses, and multiple simultaneous lockouts.\u003c/li\u003e\n\u003cli\u003eReview and tune the lockout threshold on Cisco ASA devices based on your organization's security policies.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-cisco-asa-account-lockout/","summary":"Detection of user account lockouts on Cisco ASA devices due to excessive failed authentication attempts, potentially indicating brute-force attacks, password spraying, or credential stuffing.","title":"Cisco ASA User Account Lockout Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-asa-account-lockout/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cisco ASA"],"_cs_severities":["medium"],"_cs_tags":["cisco_asa","account_deletion","defense_evasion"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis brief focuses on the detection of user account deletions on Cisco ASA devices, a tactic commonly employed by adversaries to obfuscate their activities within a compromised network. The deletion of user accounts, particularly those with elevated privileges (level 15), can serve to remove evidence of malicious actions, hinder incident response efforts, or deny legitimate administrators access to critical systems. This activity can also be a sign of hiding temporary account creation used during a compromise. This analytic relies on monitoring Cisco ASA logs for message ID 502102, which is triggered upon the deletion of a local user account. This event captures valuable information, including the username, privilege level, and the administrator responsible for the deletion. It is crucial to investigate unexpected or unauthorized account deletions, especially those occurring outside of normal business hours or involving privileged accounts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: Adversary gains initial access to a system with valid credentials or exploits a vulnerability.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker elevates privileges to gain administrative access to the Cisco ASA device.\u003c/li\u003e\n\u003cli\u003eAccount Discovery: The attacker enumerates existing user accounts on the Cisco ASA device to identify potential targets for deletion.\u003c/li\u003e\n\u003cli\u003eAccount Deletion: The adversary deletes a local user account on the Cisco ASA device, generating syslog message ID 502102.\u003c/li\u003e\n\u003cli\u003eLog Manipulation (Optional): Attempts to further cover tracks by disabling logging or manipulating the ASA's logging configuration.\u003c/li\u003e\n\u003cli\u003ePersistence (Obstructed): By deleting accounts, legitimate user's persistence is removed and access to the system is revoked.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The attacker attempts to evade detection by deleting accounts used during the compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of user accounts can disrupt incident response efforts by removing valuable forensic data and hindering the ability to track the attacker's activities. It can also lead to denial-of-service for legitimate users who rely on those accounts for access. Privileged account deletion can result in significant operational disruption and potential data breaches due to loss of control over critical systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and forward Cisco ASA syslog data, specifically message ID 502102, to your SIEM for analysis as detailed in the \u0026quot;how_to_implement\u0026quot; section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Cisco ASA - User Account Deletion Detected\u0026quot; to your SIEM and tune the filter list to exclude known benign account deletions.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of message ID 502102, cross-referencing with HR records and change management systems to identify unauthorized account deletions as described in the description.\u003c/li\u003e\n\u003cli\u003eMonitor ASA logging configurations for unauthorized changes that could indicate log manipulation attempts.\u003c/li\u003e\n\u003cli\u003eReview the \u0026quot;references\u0026quot; link to understand the context of ASA message ID 502102 within the overall ASA syslog architecture.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-cisco-asa-account-deletion/","summary":"Detection of user account deletion on Cisco ASA devices, potentially indicating adversary attempts to cover tracks, disrupt incident response, or deny administrator access.","title":"Cisco ASA User Account Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-03-cisco-asa-account-deletion/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cisco ASA"],"_cs_severities":["high"],"_cs_tags":["cisco_asa","network_sniffing","credential_access"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis analytic detects the execution of packet capture commands on Cisco ASA devices via CLI or ASDM. Adversaries might abuse the built-in packet capture functionality to perform network sniffing, intercept credentials transmitted over the network, capture sensitive data in transit, or gather intelligence about network traffic patterns and internal communications. Packet captures can reveal usernames, passwords, session tokens, and confidential business data. The detection focuses on command execution events (message ID 111008 or 111010) that include \u0026quot;capture\u0026quot; commands, which are used to initiate packet capture sessions on specific interfaces or for specific traffic patterns on the ASA device. This activity is associated with threat actors like LINE VIPER, as documented by NCSC. Detecting unauthorized packet capture activities, especially those targeting sensitive interfaces or involving unusual configurations, is critical for identifying potential intrusions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a Cisco ASA device via compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the ASA device using CLI or ASDM.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u0026quot;configure terminal\u0026quot; command to enter global configuration mode.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u0026quot;capture\u0026quot; command to define a packet capture session, specifying interfaces, traffic patterns, and filters. For example, \u003ccode\u003ecapture capin interface inside match ip any any\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe ASA device starts capturing network traffic based on the defined parameters.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the captured traffic data for analysis, potentially exfiltrating the data to an external server.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the captured data to identify sensitive information, such as usernames, passwords, session tokens, or confidential business data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials or data to further compromise the network or exfiltrate sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to perform extensive network reconnaissance and potentially steal sensitive credentials and data. This could lead to further compromise of internal systems, data breaches, and financial loss. While specific victim counts are unavailable, the impact is significant due to the potential for widespread data compromise and disruption of network operations. The references note association with advanced actors who use captured data to further their campaigns.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Cisco ASA syslog data ingestion into your SIEM via the Cisco Security Cloud TA to ensure the \u003ccode\u003ecisco_asa\u003c/code\u003e macro is populated (How_to_implement).\u003c/li\u003e\n\u003cli\u003eConfigure Cisco ASA devices to generate and forward message IDs 111008 and 111010, adjusting syslog levels as needed based on the instructions in the \u0026quot;How_to_implement\u0026quot; section.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026quot;Cisco ASA - Suspicious Packet Capture Configuration\u0026quot; to detect unusual packet capture configurations and tune the rule for your environment (rules).\u003c/li\u003e\n\u003cli\u003eReview and investigate any alerts generated by the Sigma rule, focusing on captures targeting sensitive interfaces, large traffic volumes, or unusual filter criteria.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-cisco-asa-packet-capture/","summary":"Detection of packet capture commands on Cisco ASA devices indicates potential network sniffing for credential theft, sensitive data interception, or network traffic analysis by adversaries.","title":"Cisco ASA Packet Capture Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-02-cisco-asa-packet-capture/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cisco ASA"],"_cs_severities":["high"],"_cs_tags":["cisco_asa","logging","defense_evasion","network"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis analytic focuses on detecting the disabling of logging functionality on Cisco ASA devices, a common tactic employed by adversaries and malicious insiders to evade detection and obscure malicious activities. The activity is identified by monitoring Cisco ASA syslog messages associated with command execution. Specifically, the detection triggers on syslog message IDs 111008 and 111010, coupled with the execution of commands indicative of logging manipulation, such as \u003ccode\u003eno logging\u003c/code\u003e, \u003ccode\u003elogging disable\u003c/code\u003e, \u003ccode\u003eclear logging\u003c/code\u003e, or \u003ccode\u003eno logging host\u003c/code\u003e. This tactic is a strong indicator of defense evasion, as disabling logging on security appliances like firewalls significantly reduces the visibility of malicious actions. This is a common post-compromise technique.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the Cisco ASA device, potentially through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the ASA's CLI, possibly using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a command to disable logging, such as \u003ccode\u003eno logging\u003c/code\u003e, \u003ccode\u003elogging disable\u003c/code\u003e, \u003ccode\u003eclear logging\u003c/code\u003e, or \u003ccode\u003eno logging host\u003c/code\u003e. This action is designed to prevent the recording of their subsequent activities.\u003c/li\u003e\n\u003cli\u003eThe Cisco ASA generates a syslog message with message ID 111008 or 111010, indicating that a command has been executed.\u003c/li\u003e\n\u003cli\u003eWith logging disabled, the attacker performs malicious activities, such as modifying firewall rules, establishing unauthorized VPN connections, or exfiltrating sensitive data.\u003c/li\u003e\n\u003cli\u003eBecause logging is disabled, these malicious activities are not recorded in the ASA's logs, making them difficult to detect.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to cover their tracks further by clearing any remaining logs or audit trails.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of logging can severely impair an organization's ability to detect and respond to security incidents. With logging disabled, malicious activities can go unnoticed, leading to data breaches, system compromise, and financial losses. The impact is magnified by the fact that Cisco ASA devices are often critical components of network security infrastructure. The number of victims can range from single organizations to multiple entities if the attacker is able to compromise multiple ASA devices.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eCisco ASA Logging Disabled via CLI\u003c/code\u003e to your SIEM and tune for your environment to detect attempts to disable logging functionality.\u003c/li\u003e\n\u003cli\u003eEnable and forward Cisco ASA syslog data with message IDs 111008 and 111010 to your SIEM as described in the references and the \u003ccode\u003ehow_to_implement\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eReview and enforce strict access control policies for Cisco ASA devices to minimize the risk of unauthorized access.\u003c/li\u003e\n\u003cli\u003eMonitor and alert on changes to logging configurations on Cisco ASA devices to identify suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-cisco-asa-logging-disabled/","summary":"Detection of adversaries or malicious insiders disabling logging on a Cisco ASA device via CLI commands, hindering detection and hiding malicious activity.","title":"Cisco ASA Logging Disabled via CLI","url":"https://feed.craftedsignal.io/briefs/2024-01-02-cisco-asa-logging-disabled/"}],"language":"en","title":"CraftedSignal Threat Feed - Cisco_asa","version":"https://jsonfeed.org/version/1.1"}