Cisco ASA - Packet Capture Activity
- source: splunk
- techniques:
- T1040
- T1557
Description
This analytic detects execution of packet capture commands on Cisco ASA devices via the CLI or ASDM. Adversaries may abuse the built-in packet capture functionality to sniff network traffic, intercept credentials transmitted over the network, capture sensitive data in transit, or gather intelligence about traffic patterns and internal communications. Packet captures can reveal usernames, passwords, session tokens, and confidential business data. The detection monitors command execution events (message ID 111008 or 111010) whose command begins with "capture", which initiates a packet capture session on a specific interface or for a specific traffic pattern on the ASA device. Investigate unauthorized packet capture activity, especially captures on sensitive interfaces (internal network segments, DMZ), captures configured for large volumes of traffic, captures with suspicious filter criteria, captures initiated by non-administrative accounts, or captures during unusual hours.
Detection logic
`cisco_asa`
message_id IN (111008, 111010)
command IN ("capture *")
| fillnull
| stats count
earliest(_time) as firstTime
latest(_time) as lastTime
values(user) as user
values(action) as action
values(message_id) as message_id
values(command) as command
values(src_ip) as src_ip
values(process_name) as process_name
by host
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_asa___packet_capture_activity_filter`
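To show what the search above actually matches, here is an added example (not code from the original page or from the Splunk content) that parses constructed ASA syslog lines for message IDs 111008 and 111010, applies the same `command IN ("capture *")` test, and aggregates hits per host the way the `stats ... by host` clause does. Hostnames, users and IP addresses in the sample lines are made up; the message bodies follow the documented shape of those two message IDs.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the original page). Bodies follow the
# documented shape of ASA message IDs 111008 and 111010; hosts, users, IPs are made up.
SAMPLE_LOGS = [
    "Jan 10 03:12:44 asa-edge-01 %ASA-5-111010: User 'admin', running 'CLI' from IP 10.0.0.5, "
    "executed 'capture cap1 interface inside match ip any any'",
    "Jan 10 03:12:50 asa-edge-01 %ASA-5-111008: User 'admin' executed the 'show capture cap1' command.",
    "Jan 10 03:13:02 asa-edge-01 %ASA-5-111010: User 'svc-backup', running 'ASDM' from IP 10.0.0.9, "
    "executed 'capture dmz interface dmz'",
    "Jan 10 03:14:10 asa-edge-02 %ASA-5-111008: User 'netops' executed the 'show interface' command.",
    "Jan 10 03:15:00 asa-edge-02 %ASA-6-302013: Built inbound TCP connection 1234 for "
    "outside:203.0.113.7/4444 (203.0.113.7/4444) to inside:10.1.1.1/443 (10.1.1.1/443)",
]

# Syslog header up to the ASA message ID, then the two command-execution body formats.
HEADER = re.compile(r"^\w+ +\d+ [\d:]+ (?P<host>\S+) %ASA-\d-(?P<message_id>\d+): (?P<body>.*)$")
BODY_111008 = re.compile(r"^User '(?P<user>[^']+)' executed the '(?P<command>[^']+)' command")
BODY_111010 = re.compile(r"^User '(?P<user>[^']+)', running '(?P<process_name>[^']+)' "
                         r"from IP (?P<src_ip>[^,\s]+), executed '(?P<command>[^']+)'")

def parse_command_event(line):
    """Return the fields of a 111008/111010 event, or None for any other line."""
    m = HEADER.match(line)
    if not m:
        return None
    event = {"host": m["host"], "message_id": int(m["message_id"])}
    body_re = {111008: BODY_111008, 111010: BODY_111010}.get(event["message_id"])
    b = body_re.match(m["body"]) if body_re else None
    if not b:
        return None
    event.update(b.groupdict())
    return event

def is_capture_command(command):
    # Equivalent of command IN ("capture *"): the command itself starts with "capture ".
    # "show capture ..." does not match, exactly as in the Splunk search.
    return command.lower().startswith("capture ")

def detect(lines):
    """Aggregate matching events per host, mirroring the stats ... by host clause."""
    hits = defaultdict(lambda: {"count": 0, "user": set(), "command": set(),
                                "src_ip": set(), "process_name": set(), "message_id": set()})
    for line in lines:
        ev = parse_command_event(line)
        if ev and is_capture_command(ev["command"]):
            h = hits[ev["host"]]
            h["count"] += 1
            for field in ("user", "command", "src_ip", "process_name", "message_id"):
                if field in ev:  # 111008 events carry no src_ip or process_name
                    h[field].add(ev[field])
    return dict(hits)
```

Running `detect(SAMPLE_LOGS)` reports only asa-edge-01, with two hits from two users; the `show capture` and `show interface` commands and the connection-built message are ignored, which is the behaviour to expect from the search before any filter macro is applied.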