Cisco ASA Logging Message Suppression

hello@craftedsignal.io — Wed, 03 Jan 2024 18:23:00 +0000

The “no logging message” command in Cisco ASA devices allows administrators to suppress specific syslog messages, identified by their message ID. Attackers may abuse this functionality to selectively disable logging of events that would otherwise reveal their malicious activity. By suppressing specific message IDs related to authentication failures, configuration changes, or suspicious network activity, attackers can evade detection while allowing normal logging operations to continue, avoiding suspicion that might arise from completely disabling logging. This activity is associated with actors such as LINE-VIPER. This detection focuses on identifying instances where message suppression is configured using message IDs 111008 and 111010.

Attack Chain

An attacker gains unauthorized access to a Cisco ASA device, potentially through stolen credentials or exploiting a vulnerability.
The attacker authenticates to the ASA device, gaining privileged EXEC mode access.
The attacker executes the “configure terminal” command to enter global configuration mode.
The attacker uses the “no logging message ” command, specifying message IDs related to security events such as authentication failures (e.g., 111008, 111010).
The ASA device stops logging events associated with the specified message IDs, preventing security alerts related to those events.
The attacker performs malicious activities that would normally trigger these security alerts, knowing that they will not be logged.
The attacker exits configuration mode and continues their malicious activity undetected.
The attacker maintains persistence to continue evading detection.

Impact

Successful exploitation allows attackers to operate within a network without triggering security alerts related to their actions on Cisco ASA devices. This can lead to prolonged periods of undetected lateral movement, data exfiltration, or other malicious activities. The suppression of logging messages hinders incident response efforts, making it difficult to investigate and remediate security breaches. The number of potential victims is large given the widespread deployment of Cisco ASA devices.

Recommendation

Deploy the Sigma rule “Cisco ASA Logging Message Suppression” to your SIEM and tune for your environment to detect unauthorized logging suppression.
Investigate any instances of logging message suppression, especially those involving security-critical message IDs (authentication, authorization, configuration changes).
Correlate detected suppression events with other security alerts to identify potentially compromised ASA devices.
Review and enforce strict access controls for Cisco ASA devices to prevent unauthorized configuration changes.
Configure Cisco ASA devices to generate and forward message ID 111008 and 111010 as per the documentation to ensure the effectiveness of the provided rule.
Establish a baseline of approved suppressed message IDs to identify anomalous configurations, addressing potential false positives as described in the KFP section.

Sysmon Driver Unload via fltMC.exe

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

Attackers may attempt to disable or uninstall security tools like Sysmon to evade detection and hide malicious activities on a compromised system. This is achieved by unloading the Sysmon filter driver using fltMC.exe, a legitimate Windows utility. Once Sysmon is disabled, adversaries can execute further attacks without being logged, potentially leading to data breaches, privilege escalation, or persistent access within the environment. This technique is significant because it directly impacts the visibility and effectiveness of security monitoring.

Attack Chain

The attacker gains initial access to the system through various means (e.g., compromised credentials, exploiting vulnerabilities, or social engineering).
The attacker escalates privileges if necessary to gain administrative rights on the system.
The attacker uses fltMC.exe to unload the Sysmon filter driver (SysmonDrv). The command executed is typically fltMC.exe unload SysmonDrv.
The operating system processes the fltMC.exe command, removing the Sysmon filter driver from the system.
Sysmon ceases to collect event data as its driver is no longer active.
The attacker executes malicious commands, scripts, or binaries without being logged by Sysmon.
The attacker establishes persistence, moves laterally, exfiltrates data, or achieves other objectives without Sysmon alerting.

Impact

Successful unloading of the Sysmon driver allows attackers to operate without being detected by Sysmon. This can lead to a complete loss of visibility into attacker activities, enabling data breaches, privilege escalation, and persistent access. The impact is significant as it directly undermines the effectiveness of security monitoring and incident response capabilities.

Recommendation

Deploy the Sigma rule Sysmon Driver Unload via FltMC.exe to detect the execution of fltMC.exe with the unload and SysmonDrv parameters.
Enable Sysmon process creation logging (Event ID 1) to ensure the required data is available for detection.
Investigate any instances of fltMC.exe being used to unload drivers, especially if the parent process is suspicious.
Consider implementing host-based intrusion prevention system (HIPS) rules to prevent the execution of fltMC.exe or restrict its usage to authorized administrators.

Impair-Defenses — CraftedSignal Threat Feed

Cisco ASA Logging Message Suppression

Attack Chain

Impact

Recommendation

Sysmon Driver Unload via fltMC.exe

Attack Chain

Impact

Recommendation