{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/impair-defenses/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ASA","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","impair-defenses","network"],"_cs_type":"advisory","_cs_vendors":["Cisco","Splunk"],"content_html":"\u003cp\u003eThe \u0026ldquo;no logging message\u0026rdquo; command in Cisco ASA devices allows administrators to suppress specific syslog messages, identified by their message ID. Attackers may abuse this functionality to selectively disable logging of events that would otherwise reveal their malicious activity. By suppressing specific message IDs related to authentication failures, configuration changes, or suspicious network activity, attackers can evade detection while allowing normal logging operations to continue, avoiding suspicion that might arise from completely disabling logging. This activity is associated with actors such as LINE-VIPER. 
This detection focuses on identifying instances where message suppression is configured using message IDs 111008 and 111010.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a Cisco ASA device, potentially through stolen credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the ASA device, gaining privileged EXEC mode access.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u0026ldquo;configure terminal\u0026rdquo; command to enter global configuration mode.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u0026ldquo;no logging message \u0026lt;message_id\u0026gt;\u0026rdquo; command, specifying message IDs related to security events such as authentication failures (e.g., 111008, 111010).\u003c/li\u003e\n\u003cli\u003eThe ASA device stops logging events associated with the specified message IDs, preventing security alerts related to those events.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities that would normally trigger these security alerts, knowing that they will not be logged.\u003c/li\u003e\n\u003cli\u003eThe attacker exits configuration mode and continues their malicious activity undetected.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence to continue evading detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to operate within a network without triggering security alerts related to their actions on Cisco ASA devices. This can lead to prolonged periods of undetected lateral movement, data exfiltration, or other malicious activities. The suppression of logging messages hinders incident response efforts, making it difficult to investigate and remediate security breaches. 
The number of potential victims is large given the widespread deployment of Cisco ASA devices.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Cisco ASA Logging Message Suppression\u0026rdquo; to your SIEM and tune for your environment to detect unauthorized logging suppression.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of logging message suppression, especially those involving security-critical message IDs (authentication, authorization, configuration changes).\u003c/li\u003e\n\u003cli\u003eCorrelate detected suppression events with other security alerts to identify potentially compromised ASA devices.\u003c/li\u003e\n\u003cli\u003eReview and enforce strict access controls for Cisco ASA devices to prevent unauthorized configuration changes.\u003c/li\u003e\n\u003cli\u003eConfigure Cisco ASA devices to generate and forward message IDs 111008 and 111010 as per the documentation to ensure the effectiveness of the provided rule.\u003c/li\u003e\n\u003cli\u003eEstablish a baseline of approved suppressed message IDs to identify anomalous configurations, addressing potential false positives as described in the KFP section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:23:00Z","date_published":"2024-01-03T18:23:00Z","id":"/briefs/2024-01-cisco-asa-logging-suppression/","summary":"Detection of 'no logging message' command usage on Cisco ASA devices, potentially indicating an adversary suppressing security-critical log events to evade detection.","title":"Cisco ASA Logging Message Suppression","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-asa-logging-suppression/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Sysmon"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","impair-defenses","windows"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eAttackers may attempt to disable or uninstall security tools like Sysmon to evade detection and hide malicious activities on a compromised system. This is achieved by unloading the Sysmon filter driver using \u003ccode\u003efltMC.exe\u003c/code\u003e, a legitimate Windows utility. Once Sysmon is disabled, adversaries can execute further attacks without being logged, potentially leading to data breaches, privilege escalation, or persistent access within the environment. This technique is significant because it directly impacts the visibility and effectiveness of security monitoring.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through various means (e.g., compromised credentials, exploiting vulnerabilities, or social engineering).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges if necessary to gain administrative rights on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003efltMC.exe\u003c/code\u003e to unload the Sysmon filter driver (\u003ccode\u003eSysmonDrv\u003c/code\u003e). 
The command executed is typically \u003ccode\u003efltMC.exe unload SysmonDrv\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe operating system processes the \u003ccode\u003efltMC.exe\u003c/code\u003e command, removing the Sysmon filter driver from the system.\u003c/li\u003e\n\u003cli\u003eSysmon ceases to collect event data as its driver is no longer active.\u003c/li\u003e\n\u003cli\u003eThe attacker executes malicious commands, scripts, or binaries without being logged by Sysmon.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence, moves laterally, exfiltrates data, or achieves other objectives without Sysmon alerting.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful unloading of the Sysmon driver allows attackers to operate without being detected by Sysmon. This can lead to a complete loss of visibility into attacker activities, enabling data breaches, privilege escalation, and persistent access. The impact is significant as it directly undermines the effectiveness of security monitoring and incident response capabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSysmon Driver Unload via FltMC.exe\u003c/code\u003e to detect the execution of \u003ccode\u003efltMC.exe\u003c/code\u003e with the \u003ccode\u003eunload\u003c/code\u003e and \u003ccode\u003eSysmonDrv\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to ensure the required data is available for detection.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003efltMC.exe\u003c/code\u003e being used to unload drivers, especially if the parent process is suspicious.\u003c/li\u003e\n\u003cli\u003eConsider implementing host-based intrusion prevention system (HIPS) rules to prevent the execution of \u003ccode\u003efltMC.exe\u003c/code\u003e or 
restrict its usage to authorized administrators.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-sysmon-driver-unload/","summary":"Detection of the Sysmon filter driver being unloaded via `fltMC.exe`, which can blind security monitoring and allow malicious actions to go undetected.","title":"Sysmon Driver Unload via fltMC.exe","url":"https://feed.craftedsignal.io/briefs/2024-01-sysmon-driver-unload/"}],"language":"en","title":"CraftedSignal Threat Feed — Impair-Defenses","version":"https://jsonfeed.org/version/1.1"}