<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cisco_asa - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cisco_asa/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cisco_asa/feed.xml" rel="self" type="application/rss+xml"/><item><title>Cisco ASA User Account Lockout Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-cisco-asa-account-lockout/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-cisco-asa-account-lockout/</guid><description>Detection of user account lockouts on Cisco ASA devices due to excessive failed authentication attempts, potentially indicating brute-force attacks, password spraying, or credential stuffing.</description><content:encoded><![CDATA[<p>This brief focuses on detecting account lockouts on Cisco ASA (Adaptive Security Appliance) devices. The increasing sophistication of cyberattacks means that organizations must monitor not just successful breaches, but also failed authentication attempts that may signal ongoing brute force attacks, password spraying campaigns, or credential stuffing attempts. The presence of these types of attacks indicate that credentials may have been compromised from external breaches and are being used to gain unauthorized access to network infrastructure. This analytic specifically leverages Cisco ASA message ID 113006, which signifies a user account lockout triggered by exceeding the permitted number of failed authentication attempts. This detection is crucial for defenders, as it enables timely response to potential unauthorized access attempts, protecting sensitive resources and maintaining network integrity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker attempts to authenticate to the Cisco ASA using compromised credentials or by guessing passwords.</li>
<li>The authentication attempts fail.</li>
<li>The Cisco ASA logs message ID 113006, indicating a failed authentication attempt.</li>
<li>The attacker continues to attempt authentication, exceeding the configured lockout threshold.</li>
<li>The Cisco ASA locks the user account, logging message ID 113006 with details of the account lockout and the failure threshold.</li>
<li>The detection rule triggers based on the 113006 event identifying the user account and originating host.</li>
<li>Security team investigates the lockout event, looking for associated malicious activity.</li>
<li>If confirmed malicious, the security team takes action to block the attacker and remediate the compromised account.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation could lead to unauthorized access to the network, potentially leading to data breaches, service disruption, or further lateral movement within the network. While a single account lockout might seem minor, a series of lockouts, especially affecting privileged accounts, could indicate a coordinated attack. Organizations in all sectors are vulnerable, with financial services and healthcare being particularly attractive targets.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Ingest Cisco ASA syslog data into Splunk via the Cisco Security Cloud TA to populate the <code>cisco_asa</code> macro.</li>
<li>Configure Cisco ASA devices to generate and forward message ID 113006 for account lockout events to Splunk.</li>
<li>Tune and deploy the Sigma rule &quot;Cisco ASA - User Account Lockout Detected&quot; to detect account lockouts.</li>
<li>Investigate alerts from the Sigma rule, focusing on privileged accounts, unusual source IP addresses, and multiple simultaneous lockouts.</li>
<li>Review and tune the lockout threshold on Cisco ASA devices based on your organization's security policies.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>authentication</category><category>brute_force</category><category>password_spraying</category><category>cisco_asa</category></item><item><title>Cisco ASA User Account Deletion</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-cisco-asa-account-deletion/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-cisco-asa-account-deletion/</guid><description>Detection of user account deletion on Cisco ASA devices, potentially indicating adversary attempts to cover tracks, disrupt incident response, or deny administrator access.</description><content:encoded><![CDATA[<p>This brief focuses on the detection of user account deletions on Cisco ASA devices, a tactic commonly employed by adversaries to obfuscate their activities within a compromised network. The deletion of user accounts, particularly those with elevated privileges (level 15), can serve to remove evidence of malicious actions, hinder incident response efforts, or deny legitimate administrators access to critical systems. This activity can also be a sign of hiding temporary account creation used during a compromise. This analytic relies on monitoring Cisco ASA logs for message ID 502102, which is triggered upon the deletion of a local user account. This event captures valuable information, including the username, privilege level, and the administrator responsible for the deletion. It is crucial to investigate unexpected or unauthorized account deletions, especially those occurring outside of normal business hours or involving privileged accounts.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: Adversary gains initial access to a system with valid credentials or exploits a vulnerability.</li>
<li>Privilege Escalation: The attacker elevates privileges to gain administrative access to the Cisco ASA device.</li>
<li>Account Discovery: The attacker enumerates existing user accounts on the Cisco ASA device to identify potential targets for deletion.</li>
<li>Account Deletion: The adversary deletes a local user account on the Cisco ASA device, generating syslog message ID 502102.</li>
<li>Log Manipulation (Optional): Attempts to further cover tracks by disabling logging or manipulating the ASA's logging configuration.</li>
<li>Persistence (Obstructed): By deleting accounts, legitimate user's persistence is removed and access to the system is revoked.</li>
<li>Defense Evasion: The attacker attempts to evade detection by deleting accounts used during the compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful deletion of user accounts can disrupt incident response efforts by removing valuable forensic data and hindering the ability to track the attacker's activities. It can also lead to denial-of-service for legitimate users who rely on those accounts for access. Privileged account deletion can result in significant operational disruption and potential data breaches due to loss of control over critical systems.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable and forward Cisco ASA syslog data, specifically message ID 502102, to your SIEM for analysis as detailed in the &quot;how_to_implement&quot; section.</li>
<li>Deploy the Sigma rule &quot;Cisco ASA - User Account Deletion Detected&quot; to your SIEM and tune the filter list to exclude known benign account deletions.</li>
<li>Investigate any instances of message ID 502102, cross-referencing with HR records and change management systems to identify unauthorized account deletions as described in the description.</li>
<li>Monitor ASA logging configurations for unauthorized changes that could indicate log manipulation attempts.</li>
<li>Review the &quot;references&quot; link to understand the context of ASA message ID 502102 within the overall ASA syslog architecture.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cisco_asa</category><category>account_deletion</category><category>defense_evasion</category></item><item><title>Cisco ASA Packet Capture Activity</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-cisco-asa-packet-capture/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-cisco-asa-packet-capture/</guid><description>Detection of packet capture commands on Cisco ASA devices indicates potential network sniffing for credential theft, sensitive data interception, or network traffic analysis by adversaries.</description><content:encoded><![CDATA[<p>This analytic detects the execution of packet capture commands on Cisco ASA devices via CLI or ASDM. Adversaries might abuse the built-in packet capture functionality to perform network sniffing, intercept credentials transmitted over the network, capture sensitive data in transit, or gather intelligence about network traffic patterns and internal communications. Packet captures can reveal usernames, passwords, session tokens, and confidential business data. The detection focuses on command execution events (message ID 111008 or 111010) that include &quot;capture&quot; commands, which are used to initiate packet capture sessions on specific interfaces or for specific traffic patterns on the ASA device. This activity is associated with threat actors like LINE VIPER, as documented by NCSC. Detecting unauthorized packet capture activities, especially those targeting sensitive interfaces or involving unusual configurations, is critical for identifying potential intrusions.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to a Cisco ASA device via compromised credentials or exploiting a vulnerability.</li>
<li>The attacker authenticates to the ASA device using CLI or ASDM.</li>
<li>The attacker executes the &quot;configure terminal&quot; command to enter global configuration mode.</li>
<li>The attacker uses the &quot;capture&quot; command to define a packet capture session, specifying interfaces, traffic patterns, and filters. For example, <code>capture capin interface inside match ip any any</code>.</li>
<li>The ASA device starts capturing network traffic based on the defined parameters.</li>
<li>The attacker retrieves the captured traffic data for analysis, potentially exfiltrating the data to an external server.</li>
<li>The attacker analyzes the captured data to identify sensitive information, such as usernames, passwords, session tokens, or confidential business data.</li>
<li>The attacker uses the stolen credentials or data to further compromise the network or exfiltrate sensitive information.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to perform extensive network reconnaissance and potentially steal sensitive credentials and data. This could lead to further compromise of internal systems, data breaches, and financial loss. While specific victim counts are unavailable, the impact is significant due to the potential for widespread data compromise and disruption of network operations. The references note association with advanced actors who use captured data to further their campaigns.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Cisco ASA syslog data ingestion into your SIEM via the Cisco Security Cloud TA to ensure the <code>cisco_asa</code> macro is populated (How_to_implement).</li>
<li>Configure Cisco ASA devices to generate and forward message IDs 111008 and 111010, adjusting syslog levels as needed based on the instructions in the &quot;How_to_implement&quot; section.</li>
<li>Deploy the provided Sigma rule &quot;Cisco ASA - Suspicious Packet Capture Configuration&quot; to detect unusual packet capture configurations and tune the rule for your environment (rules).</li>
<li>Review and investigate any alerts generated by the Sigma rule, focusing on captures targeting sensitive interfaces, large traffic volumes, or unusual filter criteria.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cisco_asa</category><category>network_sniffing</category><category>credential_access</category></item><item><title>Cisco ASA Logging Disabled via CLI</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-cisco-asa-logging-disabled/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-cisco-asa-logging-disabled/</guid><description>Detection of adversaries or malicious insiders disabling logging on a Cisco ASA device via CLI commands, hindering detection and hiding malicious activity.</description><content:encoded><![CDATA[<p>This analytic focuses on detecting the disabling of logging functionality on Cisco ASA devices, a common tactic employed by adversaries and malicious insiders to evade detection and obscure malicious activities. The activity is identified by monitoring Cisco ASA syslog messages associated with command execution. Specifically, the detection triggers on syslog message IDs 111008 and 111010, coupled with the execution of commands indicative of logging manipulation, such as <code>no logging</code>, <code>logging disable</code>, <code>clear logging</code>, or <code>no logging host</code>. This tactic is a strong indicator of defense evasion, as disabling logging on security appliances like firewalls significantly reduces the visibility of malicious actions. This is a common post-compromise technique.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains unauthorized access to the Cisco ASA device, potentially through compromised credentials or exploiting a vulnerability.</li>
<li>The attacker authenticates to the ASA's CLI, possibly using stolen credentials.</li>
<li>The attacker executes a command to disable logging, such as <code>no logging</code>, <code>logging disable</code>, <code>clear logging</code>, or <code>no logging host</code>. This action is designed to prevent the recording of their subsequent activities.</li>
<li>The Cisco ASA generates a syslog message with message ID 111008 or 111010, indicating that a command has been executed.</li>
<li>With logging disabled, the attacker performs malicious activities, such as modifying firewall rules, establishing unauthorized VPN connections, or exfiltrating sensitive data.</li>
<li>Because logging is disabled, these malicious activities are not recorded in the ASA's logs, making them difficult to detect.</li>
<li>The attacker attempts to cover their tracks further by clearing any remaining logs or audit trails.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful disabling of logging can severely impair an organization's ability to detect and respond to security incidents. With logging disabled, malicious activities can go unnoticed, leading to data breaches, system compromise, and financial losses. The impact is magnified by the fact that Cisco ASA devices are often critical components of network security infrastructure. The number of victims can range from single organizations to multiple entities if the attacker is able to compromise multiple ASA devices.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Cisco ASA Logging Disabled via CLI</code> to your SIEM and tune for your environment to detect attempts to disable logging functionality.</li>
<li>Enable and forward Cisco ASA syslog data with message IDs 111008 and 111010 to your SIEM as described in the references and the <code>how_to_implement</code> section.</li>
<li>Review and enforce strict access control policies for Cisco ASA devices to minimize the risk of unauthorized access.</li>
<li>Monitor and alert on changes to logging configurations on Cisco ASA devices to identify suspicious activity.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cisco_asa</category><category>logging</category><category>defense_evasion</category><category>network</category></item></channel></rss>