Merge branch 'develop' into GhostRedirector

Author: patel-bhavin

contentctl.yml

@@ -249,8 +249,8 @@ apps:
 - uid: 1467
   title: Cisco Networks Add-on
   appid: TA-cisco_ios
-  version: 2.7.8
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/add-on-for-cisco-network-data_278.tgz
+  version: 2.7.9
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/add-on-for-cisco-network-data_279.tgz
 githash: d6fac80e6d50ae06b40f91519a98489d4ce3a3fd
 test_data_caches:
 - base_url: https://media.githubusercontent.com/media/splunk/attack_data/master/

data_sources/cisco_asa_logs.yml

@@ -0,0 +1,131 @@
+name: Cisco ASA Logs
+id: 3f2a9b6d-1c8e-4f7b-a2d3-8b7f1c2a9d4e
+version: 1
+date: '2025-09-23'
+author: Bhavin Patel, Splunk
+description: >
+  Data source object for Cisco ASA system logs. Cisco ASA logs provide firewall
+  operational and security telemetry (connection events, ACL denies, VPN events,
+  NAT translations, and device health). Deploy the Splunk Add-on for Cisco ASA
+  (TA-cisco_asa) on indexers/heavy forwarders and the Cisco ASA App on search
+  heads for best parsing, CIM mapping, and dashboards. This data is ingested via SYSLOG. You must be ingesting Cisco ASA syslog data into your Splunk environment. To ensure all detections work, configure your ASA and FTD devices to generate and forward both debug and informational level syslog messages before they are sent to Splunk. A few analytics are designed to be used with comprehensive logging enabled, as it relies on the presence of specific message IDs. You can find specific instructions on how to set this up here : https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#toc-hId--1451069880. 
+source: cisco:asa
+sourcetype: cisco:asa 
+separator: null
+supported_TA:
+  - name: Cisco Security Cloud
+    url: https://splunkbase.splunk.com/app/7404
+    version: 3.4.1
+fields:
+- Cisco_ASA_action
+- Cisco_ASA_message_id
+- Cisco_ASA_user
+- Cisco_ASA_vendor_action
+- IP
+- Username
+- _bkt
+- _cd
+- _eventtype_color
+- _indextime
+- _raw
+- _serial
+- _si
+- _sourcetype
+- _time
+- acl
+- action
+- app
+- assigned_ip
+- bytes
+- category
+- command
+- communication_protocol
+- connections_in_use
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_host
+- dest_interface
+- dest_ip
+- dest_nt_domain
+- dest_port
+- dest_public_port
+- dest_translated_host
+- dest_translated_ip
+- dest_translated_port
+- dest_user
+- dest_zone
+- direction
+- duration
+- duration_day
+- duration_hour
+- duration_minute
+- duration_second
+- dvc
+- eventtype
+- group
+- host
+- ids_type
+- index
+- laction
+- linecount
+- most_used_connections
+- object
+- object_attrs
+- object_category
+- object_id
+- product
+- protocol
+- protocol_version
+- punct
+- reason
+- result
+- rule
+- rule_name
+- session_id
+- severity
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src
+- src_host
+- src_interface
+- src_ip
+- src_nt_domain
+- src_port
+- src_public_port
+- src_translated_host
+- src_translated_ip
+- src_translated_port
+- src_user
+- src_zone
+- ssl_is_valid
+- status
+- tag
+- tag::action
+- tag::app
+- tag::eventtype
+- tag::object_category
+- teardown_initiator
+- timeendpos
+- timestartpos
+- transport
+- type
+- user
+- vendor
+- vendor_action
+- vendor_product
+- vendor_severity
+- zone
+example_log: >
+  Sep 23 19:27:50 18.144.133.67 :2025-09-23T19:27:49Z: %ASA-session-7-609002: Teardown local-host management:54.245.234.201 duration 0:02:01
+  Sep 23 18:07:00 18.144.133.67 :2025-09-23T18:07:00Z: %ASA-session-7-710005: TCP request discarded from 198.27.166.158/55508 to management:172.31.12.229/443

data_sources/cisco_ios_logs.yml

@@ -3,14 +3,22 @@ id: 9e4c8d7b-6f5e-4a3d-b2c1-0a9b8c7d6e5f
 version: 1
 date: '2025-08-21'
 author: Michael Haag, Splunk
-description: Data source object for Cisco IOS system logs. Cisco IOS logs provide operational and security telemetry from Cisco network devices (IOS, IOS XE, IOS XR, NX-OS, WLC, and APs). The Cisco Networks Add-on for Splunk (TA-cisco_ios) normalizes these events by setting proper sourcetypes and extracting fields for switches, routers, controllers, and access points; deploy the TA on indexers/HFs and search heads, and the Cisco Networks (cisco_ios) App on search heads. Supported platforms include Catalyst, ASR, ISR, Nexus, CRS, and other IOS-based devices, enabling consistent investigation, alerting, and reporting in Splunk Enterprise and Splunk Cloud. This data is ingested via SYSLOG.
+description: Data source object for Cisco IOS system logs. Cisco IOS logs provide
+  operational and security telemetry from Cisco network devices (IOS, IOS XE, IOS
+  XR, NX-OS, WLC, and APs). The Cisco Networks Add-on for Splunk (TA-cisco_ios) normalizes
+  these events by setting proper sourcetypes and extracting fields for switches, routers,
+  controllers, and access points; deploy the TA on indexers/HFs and search heads,
+  and the Cisco Networks (cisco_ios) App on search heads. Supported platforms include
+  Catalyst, ASR, ISR, Nexus, CRS, and other IOS-based devices, enabling consistent
+  investigation, alerting, and reporting in Splunk Enterprise and Splunk Cloud. This
+  data is ingested via SYSLOG.
 source: cisco:ios
 sourcetype: cisco:ios
 separator: null
 supported_TA:
 - name: Cisco Networks Add-on
   url: https://splunkbase.splunk.com/app/1467
-  version: 2.7.8
+  version: 2.7.9
 fields:
 - _time
 - aci_message_text
@@ -81,7 +89,8 @@ fields:
 output_fields:
 - user
 - dest
-example_log: 'Aug 20 17:10:21.639: %AAA-6-USERNAME_CONFIGURATION: user with username: attacker configured
-  Aug 20 17:10:21.664: %AAA-6-USER_PRIVILEGE_UPDATE: username: attacker privilege updated with priv-15
-  Aug 20 17:10:21.665: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:username attacker privilege 15 secret *
-  Aug 20 17:10:21.665: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:!config: USER TABLE MODIFIED'
+example_log: 'Aug 20 17:10:21.639: %AAA-6-USERNAME_CONFIGURATION: user with username:
+  attacker configured Aug 20 17:10:21.664: %AAA-6-USER_PRIVILEGE_UPDATE: username:
+  attacker privilege updated with priv-15 Aug 20 17:10:21.665: %PARSER-5-CFGLOG_LOGGEDCMD:
+  User:ec2-user logged command:username attacker privilege 15 secret * Aug 20 17:10:21.665:
+  %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:!config: USER TABLE MODIFIED'

detections/application/cisco_asa___core_syslog_message_volume_drop.yml

@@ -0,0 +1,60 @@
+name: Cisco ASA - Core Syslog Message Volume Drop
+id: 4b4f8fdd-1f9e-45d8-9b0f-1f64c0b297a4
+version: 2
+date: '2025-09-25'
+author: Bhavin Patel, Micheal Haag, Splunk
+status: production
+type: Hunting
+description: |
+  Adversaries may intentionally suppress or reduce the volume of core Cisco ASA syslog messages to evade detection or cover their tracks. This hunting search is recommended to proactively identify suspicious downward shifts or absences in key syslog message IDs, which may indicate tampering or malicious activity. Visualizing this data in Splunk dashboards enables security teams to quickly spot anomalies and investigate potential compromise.
+data_source:
+  - Cisco ASA Logs
+search: |
+  `cisco_asa`
+  | rex "%ASA-[^-]+-\d+-(?<message_id>\d+):"
+  | search message_id IN (302013,302014,609002,710005)
+  | eval msg_desc=case(
+    message_id="302013","Built inbound TCP connection",
+    message_id="302014","Teardown TCP connection",
+    message_id="609002","Teardown local-host management",
+    message_id="710005","TCP request discarded"
+  )
+  | bin _time span=15m
+  | stats count values(msg_desc) as message_description values(host) as host by _time message_id
+  | xyseries _time message_id count
+  | `cisco_asa___core_syslog_message_volume_drop_filter`
+how_to_implement: |
+  This search requires Cisco ASA syslog data to be ingested into Splunk via the Cisco Security Cloud TA. To ensure this detection works effectively, configure your ASA and FTD devices to generate and forward both debug and informational level syslog messages before they are sent to Splunk. This analytic is designed to be used with comprehensive logging enabled, as it relies on the presence of specific message IDs. You can find specific instructions on how to set this up here : https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#toc-hId--1451069880. The search produces a time-series suitable for dashboards to visualize drops across message IDs 302013, 302014, 609002, and 710005.
+known_false_positives: |
+  Planned maintenance, network outages, routing changes, or benign configuration
+  updates may reduce log volume temporarily. Validate against change management
+  records and corroborate with device health metrics.
+references:
+- https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/  
+- https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks 
+- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB
+- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O
+- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW
+- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O
+- https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices
+- https://www.ncsc.gov.uk/news/persistent-malicious-targeting-cisco-devices
+tags:
+  analytic_story:
+    - ArcaneDoor
+  asset_type: Network
+  mitre_attack_id:
+    - T1562
+  product:
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
+  security_domain: network
+  cve:
+    - CVE-2025-20333
+    - CVE-2025-20362
+tests:
+  - name: True Positive Test
+    attack_data:
+      - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_asa/arcane_door/cisco_asa.log
+        source: syslog
+        sourcetype: cisco:asa

detections/application/cisco_asa___logging_disabled_via_cli.yml

@@ -0,0 +1,70 @@
+name: Cisco ASA - Logging Disabled via CLI
+id: 7b4c9f3e-5a88-4b7b-9c4b-94d8e5d67201
+version: 2
+date: '2025-09-25'
+author: Bhavin Patel, Micheal Haag, Splunk
+status: production
+type: TTP
+description: |
+  This analytic detects the disabling of logging functionality on a Cisco ASA device
+  through CLI commands. Adversaries or malicious insiders may attempt to disable logging
+  to evade detection and hide malicious activity. The detection looks for specific ASA
+  syslog message IDs (111009, 111010, 111008) associated with command execution,
+  combined with suspicious commands such as `no logging`, `logging disable`,
+  `clear logging`, or `no logging host`. Disabling logging on a firewall or security device
+  is a strong indicator of defense evasion.
+data_source:
+  - Cisco ASA Logs
+search: |
+  `cisco_asa`
+  | rex "%ASA-[^-]+-\d+-(?<message_id>\d+):" 
+  | search message_id IN (111009,111010,111008) 
+  | rex field=_raw "executed (?:the command )?(?<asa_command>.+)$" 
+  | search asa_command IN ("*no logging*","*logging disable*","*clear logging*","*no logging host*","*no logging trap*") 
+  | stats earliest(_time) as firstTime latest(_time) as lastTime values(user) as user values(action) as action values(asa_command) as commands values(src_ip) as src_ip values(process_name) as process_name by host 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`  
+  | `cisco_asa___logging_disabled_via_cli_filter`
+how_to_implement: |
+    This search requires Cisco ASA syslog data to be ingested into Splunk via the Cisco Security Cloud TA. To ensure this detection works effectively, configure your ASA and FTD devices to generate and forward both debug and informational level syslog messages before they are sent to Splunk. This analytic is designed to be used with comprehensive logging enabled, as it relies on the presence of specific message IDs. You can find specific instructions on how to set this up here : https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#toc-hId--1451069880. 
+known_false_positives: |
+  Administrators may intentionally disable or modify logging during maintenance,
+  troubleshooting, or device reconfiguration. These events should be verified
+  against approved change management activities.
+references:
+- https://www.cisco.com/site/us/en/products/security/firewalls/adaptive-security-appliance-asa-software/index.html
+- https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks
+drilldown_searches:
+- name: View the detection results for $host$
+  search: '%original_detection_search% | search  host = $host$'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for $host$
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: User $user$ from executed commands to disable logging on the Cisco ASA host $host$.
+  risk_objects:
+    - field: host
+      type: system
+      score: 80
+  threat_objects:
+    - field: src_ip
+      type: ip_address
+tags:
+  analytic_story:
+    - Suspicious Cisco Adaptive Security Appliance Activity
+  asset_type: Network
+  mitre_attack_id:
+    - T1562
+  product:
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+  security_domain: network
+tests:
+  - name: True Positive Test
+    attack_data:
+      - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_asa/arcane_door/cisco_asa.log
+        source: syslog
+        sourcetype: cisco:asa

detections/network/cisco_secure_firewall___intrusion_events_by_threat_activity.yml

@@ -1,7 +1,7 @@
 name: Cisco Secure Firewall - Intrusion Events by Threat Activity
 id: b71e57e8-c571-4ff1-ae13-bc4384a9e891
-version: 3  
-date: '2025-08-21'
+version: 4  
+date: '2025-09-25'
 author: Bhavin Patel, Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -16,6 +16,7 @@ description: |
   events that occur in close temporal proximity.
 
   Currently, this detection will alert on the following threat actors or malware families as defined in the cisco_snort_ids_to_threat_mapping lookup:
+  * ArcaneDoor
   * Static Tundra
   * AgentTesla
   * Amadey
@@ -81,6 +82,7 @@ rba:
 tags:
   analytic_story: 
     - Cisco Secure Firewall Threat Defense Analytics
+    - ArcaneDoor
   asset_type: Network
   security_domain: network
   mitre_attack_id:

lookups/cisco_snort_ids_to_threat_mapping.csv

@@ -1,4 +1,6 @@
 threat,signature_id,category,message
+ArcaneDoor,46897,SERVER-WEBAPP,Cisco Adaptive Security Appliance directory traversal attempt
+ArcaneDoor,65340,SERVER-WEBAPP,TRUFFLEHUNTER SFVRT-1055 attack attempt
 AgentTesla,40238,MALWARE-CNC,Win.Keylogger.AgentTesla variant outbound connection
 AgentTesla,52246,INDICATOR-COMPROMISE,AgentTesla variant outbound connection attempt
 AgentTesla,52612,MALWARE-CNC,Win.Trojan.AgentTesla variant outbound connection detected

lookups/cisco_snort_ids_to_threat_mapping.yml

@@ -1,6 +1,6 @@
 name: cisco_snort_ids_to_threat_mapping
-date: 2025-08-21
-version: 2
+date: 2025-09-24
+version: 3
 id: f08ae6ce-d7a8-423e-a778-be7178a719f9
 author: Bhavin Patel, Nasreddine Bencherchali, Splunk Threat Research Team
 lookup_type: csv

lookups/threat_snort_count.csv

@@ -1,4 +1,5 @@
 threat,description,distinct_count_snort_ids
+ArcaneDoor,"ArcaneDoor is a state-sponsored cyberespionage campaign targeting perimeter network devices from multiple vendors, with a particular focus on Cisco Secure Firewall ASA/FTD appliances.",2
 AgentTesla,"AgentTesla is a widely used .NET-based infostealer that exfiltrates credentials, clipboard data, and keystrokes. It often spreads via phishing emails with malicious attachments.",2
 Amadey,"Amadey is a lightweight malware primarily used as a loader for deploying additional payloads. It collects system information and often works alongside other malware like SmokeLoader.",1
 AsyncRAT,"AsyncRAT is an open-source Remote Access Trojan (RAT) used for remote control, keylogging, and credential theft. It's commonly used by both amateurs and cybercriminals due to its ease of deployment.",1

lookups/threat_snort_count.yml

@@ -1,6 +1,6 @@
 name: threat_snort_count
-date: 2025-08-21
-version: 2
+date: 2025-09-24
+version: 3
 id: 48a35e07-ed5f-42f9-a5da-b7f2ab892e3c
 author: Bhavin Patel, Nasreddine Bencherchali, Splunk
 lookup_type: csv