LoFP / administrators may intentionally disable or modify logging during maintenance, troubleshooting, or device reconfiguration. these events should be verified against approved change management activities.

Techniques

• T1562

Sample rules

Cisco ASA - Logging Disabled via CLI

• source: splunk
• technicques:
  • T1562

Description

This analytic detects the disabling of logging functionality on a Cisco ASA device through CLI commands. Adversaries or malicious insiders may attempt to disable logging to evade detection and hide malicious activity. The detection looks for specific ASA syslog message IDs (111009, 111010, 111008) associated with command execution, combined with suspicious commands such as no logging, logging disable, clear logging, or no logging host. Disabling logging on a firewall or security device is a strong indicator of defense evasion.

Detection logic

`cisco_asa`

| rex "%ASA-[^-]+-\d+-(?<message_id>\d+):" 

| search message_id IN (111009,111010,111008) 

| rex field=_raw "executed (?:the command )?(?<asa_command>.+)$" 

| search asa_command IN ("*no logging*","*logging disable*","*clear logging*","*no logging host*","*no logging trap*") 

| stats earliest(_time) as firstTime latest(_time) as lastTime values(user) as user values(action) as action values(asa_command) as commands values(src_ip) as src_ip values(process_name) as process_name by host 

| `security_content_ctime(firstTime)` 

| `security_content_ctime(lastTime)`  

| `cisco_asa___logging_disabled_via_cli_filter`