<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Network_sniffing - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/network_sniffing/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/network_sniffing/feed.xml" rel="self" type="application/rss+xml"/><item><title>Cisco ASA Packet Capture Activity</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-cisco-asa-packet-capture/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-cisco-asa-packet-capture/</guid><description>Detection of packet capture commands on Cisco ASA devices indicates potential network sniffing for credential theft, sensitive data interception, or network traffic analysis by adversaries.</description><content:encoded><![CDATA[<p>This analytic detects the execution of packet capture commands on Cisco ASA devices via CLI or ASDM. Adversaries might abuse the built-in packet capture functionality to perform network sniffing, intercept credentials transmitted over the network, capture sensitive data in transit, or gather intelligence about network traffic patterns and internal communications. Packet captures can reveal usernames, passwords, session tokens, and confidential business data. The detection focuses on command execution events (message ID 111008 or 111010) that include &quot;capture&quot; commands, which are used to initiate packet capture sessions on specific interfaces or for specific traffic patterns on the ASA device. This activity is associated with threat actors like LINE VIPER, as documented by NCSC. Detecting unauthorized packet capture activities, especially those targeting sensitive interfaces or involving unusual configurations, is critical for identifying potential intrusions.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to a Cisco ASA device via compromised credentials or exploiting a vulnerability.</li>
<li>The attacker authenticates to the ASA device using CLI or ASDM.</li>
<li>The attacker executes the &quot;configure terminal&quot; command to enter global configuration mode.</li>
<li>The attacker uses the &quot;capture&quot; command to define a packet capture session, specifying interfaces, traffic patterns, and filters. For example, <code>capture capin interface inside match ip any any</code>.</li>
<li>The ASA device starts capturing network traffic based on the defined parameters.</li>
<li>The attacker retrieves the captured traffic data for analysis, potentially exfiltrating the data to an external server.</li>
<li>The attacker analyzes the captured data to identify sensitive information, such as usernames, passwords, session tokens, or confidential business data.</li>
<li>The attacker uses the stolen credentials or data to further compromise the network or exfiltrate sensitive information.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to perform extensive network reconnaissance and potentially steal sensitive credentials and data. This could lead to further compromise of internal systems, data breaches, and financial loss. While specific victim counts are unavailable, the impact is significant due to the potential for widespread data compromise and disruption of network operations. The references note association with advanced actors who use captured data to further their campaigns.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Cisco ASA syslog data ingestion into your SIEM via the Cisco Security Cloud TA to ensure the <code>cisco_asa</code> macro is populated (How_to_implement).</li>
<li>Configure Cisco ASA devices to generate and forward message IDs 111008 and 111010, adjusting syslog levels as needed based on the instructions in the &quot;How_to_implement&quot; section.</li>
<li>Deploy the provided Sigma rule &quot;Cisco ASA - Suspicious Packet Capture Configuration&quot; to detect unusual packet capture configurations and tune the rule for your environment (rules).</li>
<li>Review and investigate any alerts generated by the Sigma rule, focusing on captures targeting sensitive interfaces, large traffic volumes, or unusual filter criteria.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cisco_asa</category><category>network_sniffing</category><category>credential_access</category></item></channel></rss>