|
| 1 | +name: Cisco ASA - Logging Disabled via CLI |
| 2 | +id: 7b4c9f3e-5a88-4b7b-9c4b-94d8e5d67201 |
| 3 | +version: 2 |
| 4 | +date: '2025-09-25' |
| 5 | +author: Bhavin Patel, Micheal Haag, Splunk |
| 6 | +status: production |
| 7 | +type: TTP |
| 8 | +description: | |
| 9 | + This analytic detects the disabling of logging functionality on a Cisco ASA device |
| 10 | + through CLI commands. Adversaries or malicious insiders may attempt to disable logging |
| 11 | + to evade detection and hide malicious activity. The detection looks for specific ASA |
| 12 | + syslog message IDs (111009, 111010, 111008) associated with command execution, |
| 13 | + combined with suspicious commands such as `no logging`, `logging disable`, |
| 14 | + `clear logging`, or `no logging host`. Disabling logging on a firewall or security device |
| 15 | + is a strong indicator of defense evasion. |
| 16 | +data_source: |
| 17 | + - Cisco ASA Logs |
| 18 | +search: | |
| 19 | + `cisco_asa` |
| 20 | + | rex "%ASA-[^-]+-\d+-(?<message_id>\d+):" |
| 21 | + | search message_id IN (111009,111010,111008) |
| 22 | + | rex field=_raw "executed (?:the command )?(?<asa_command>.+)$" |
| 23 | + | search asa_command IN ("*no logging*","*logging disable*","*clear logging*","*no logging host*","*no logging trap*") |
| 24 | + | stats earliest(_time) as firstTime latest(_time) as lastTime values(user) as user values(action) as action values(asa_command) as commands values(src_ip) as src_ip values(process_name) as process_name by host |
| 25 | + | `security_content_ctime(firstTime)` |
| 26 | + | `security_content_ctime(lastTime)` |
| 27 | + | `cisco_asa___logging_disabled_via_cli_filter` |
| 28 | +how_to_implement: | |
| 29 | + This search requires Cisco ASA syslog data to be ingested into Splunk via the Cisco Security Cloud TA. To ensure this detection works effectively, configure your ASA and FTD devices to generate and forward both debug and informational level syslog messages before they are sent to Splunk. This analytic is designed to be used with comprehensive logging enabled, as it relies on the presence of specific message IDs. You can find specific instructions on how to set this up here : https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#toc-hId--1451069880. |
| 30 | +known_false_positives: | |
| 31 | + Administrators may intentionally disable or modify logging during maintenance, |
| 32 | + troubleshooting, or device reconfiguration. These events should be verified |
| 33 | + against approved change management activities. |
| 34 | +references: |
| 35 | +- https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/ |
| 36 | +- https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks |
| 37 | +- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB |
| 38 | +- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O |
| 39 | +- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW |
| 40 | +- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O |
| 41 | +- https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices |
| 42 | +- https://www.ncsc.gov.uk/news/persistent-malicious-targeting-cisco-devices |
| 43 | +drilldown_searches: |
| 44 | +- name: View the detection results for $host$ |
| 45 | + search: '%original_detection_search% | search host = $host$' |
| 46 | + earliest_offset: $info_min_time$ |
| 47 | + latest_offset: $info_max_time$ |
| 48 | +- name: View risk events for the last 7 days for $host$ |
| 49 | + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' |
| 50 | + earliest_offset: $info_min_time$ |
| 51 | + latest_offset: $info_max_time$ |
| 52 | +rba: |
| 53 | + message: User $user$ from executed commands to disable logging on the Cisco ASA host $host$. |
| 54 | + risk_objects: |
| 55 | + - field: host |
| 56 | + type: system |
| 57 | + score: 80 |
| 58 | + threat_objects: |
| 59 | + - field: src_ip |
| 60 | + type: ip_address |
| 61 | +tags: |
| 62 | + analytic_story: |
| 63 | + - ArcaneDoor |
| 64 | + asset_type: Network |
| 65 | + mitre_attack_id: |
| 66 | + - T1562.002 |
| 67 | + product: |
| 68 | + - Splunk Enterprise |
| 69 | + - Splunk Enterprise Security |
| 70 | + security_domain: network |
| 71 | + cve: |
| 72 | + - CVE-2025-20333 |
| 73 | + - CVE-2025-20362 |
| 74 | +tests: |
| 75 | + - name: True Positive Test |
| 76 | + attack_data: |
| 77 | + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_asa/arcane_door/cisco_asa.log |
| 78 | + source: syslog |
| 79 | + sourcetype: cisco:asa |
0 commit comments