Techniques
Sample rules
Cisco ASA - AAA Policy Tampering
- source: splunk
- techniques:
- T1556.004
Description
This analytic detects modifications to authentication, authorization, and accounting (AAA) security policies on Cisco ASA devices made via the CLI or ASDM.
AAA policies control critical security mechanisms including authentication attempts, lockout thresholds, password policies, and access control settings that protect administrative access to network infrastructure.
Adversaries or malicious insiders may weaken authentication policies to facilitate brute force attacks, disable account lockouts to enable unlimited password attempts, reduce password complexity requirements, or modify authorization settings to elevate privileges and maintain persistent access.
The detection monitors Cisco ASA command-execution syslog events (message IDs 111008 and 111010) for AAA-related commands such as aaa authentication, aaa authorization, aaa local authentication, or aaa-server, as well as any no aaa command that removes an existing AAA setting, focusing on changes to authentication attempts, lockout policies, and access control configurations.
Investigate any unauthorized modifications to AAA policies, especially changes that weaken security posture (increasing max-fail attempts, disabling lockouts, reducing password requirements), and verify these changes against approved change management processes and security policies.
Detection logic
`cisco_asa`
message_id IN (111008, 111010)
command IN (
"aaa authentication*",
"aaa authorization*",
"aaa local authentication*",
"aaa-server*",
"no aaa*"
)
| fillnull
| stats count
earliest(_time) as firstTime
latest(_time) as lastTime
values(user) as user
values(action) as action
values(message_id) as message_id
values(command) as command
values(src_ip) as src_ip
values(process_name) as process_name
by host
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_asa___aaa_policy_tampering_filter`
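The following Python is an added example, not part of the Splunk rule or of any Cisco or Splunk code: it runs the same logic as the search above over a handful of constructed ASA syslog lines, parsing message IDs 111008 and 111010, applying the command wildcards, and aggregating per host the way the stats clause does (count, first/last time, deduplicated sorted values). The syslog prefix layout, hostnames, user names, IP addresses and commands in the sample are assumptions, and the weakening_commands triage helper is an addition the rule itself does not contain.

```python
"""Run the Cisco ASA AAA policy tampering logic over constructed syslog lines."""
import re
from datetime import datetime
from fnmatch import fnmatchcase

# Command patterns taken from the detection; SPL wildcards map to glob matching.
AAA_COMMAND_PATTERNS = (
    "aaa authentication*",
    "aaa authorization*",
    "aaa local authentication*",
    "aaa-server*",
    "no aaa*",
)
MONITORED_MESSAGE_IDS = {"111008", "111010"}

# Constructed sample lines (not captured from a real device). The
# "<timestamp> <device-id> : %ASA-..." prefix is an assumed collector format.
SAMPLE_LOGS = [
    "Jan 10 2024 10:15:01 fw-edge-01 : %ASA-5-111008: User 'admin' executed the 'show running-config' command.",
    "Jan 10 2024 10:16:22 fw-edge-01 : %ASA-5-111010: User 'jdoe', running 'CLI' from IP '10.0.0.5', executed 'no aaa local authentication attempts max-fail'",
    "Jan 10 2024 10:16:40 fw-edge-01 : %ASA-5-111010: User 'jdoe', running 'CLI' from IP '10.0.0.5', executed 'aaa authentication ssh console LOCAL'",
    "Jan 10 2024 10:20:05 fw-dc-02 : %ASA-5-111008: User 'enable_15' executed the 'aaa-server TACACS protocol tacacs+' command.",
    "Jan 10 2024 10:21:00 fw-dc-02 : %ASA-5-111008: User 'enable_15' executed the 'write memory' command.",
    "Jan 10 2024 10:22:10 fw-dc-02 : %ASA-6-605005: Login permitted from 10.0.0.9/51234 to inside:10.0.0.1/ssh for user enable_15",
]

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) : "
    r"%ASA-\d-(?P<msg_id>\d{6}): (?P<body>.*)$"
)
# 111008: User 'user' executed the 'command' command.
MSG_111008_RE = re.compile(r"^User '(?P<user>[^']*)' executed the '(?P<command>.*)' command\.$")
# 111010: User 'user', running 'application' from IP 'ip', executed 'cmd'
MSG_111010_RE = re.compile(
    r"^User '(?P<user>[^']*)', running '(?P<process_name>[^']*)' from IP "
    r"'(?P<src_ip>[^']*)', executed '(?P<command>.*)'$"
)
VALUE_FIELDS = ("user", "message_id", "command", "src_ip", "process_name")


def parse_line(line):
    """Extract the fields the search uses; returns None for non-ASA lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {
        "_time": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
        "host": m["host"], "message_id": m["msg_id"],
        "user": None, "command": None, "src_ip": None, "process_name": None,
    }
    body_re = {"111008": MSG_111008_RE, "111010": MSG_111010_RE}.get(m["msg_id"])
    if body_re is not None:
        body = body_re.match(m["body"])
        if body:
            event.update(body.groupdict())
    return event


def is_aaa_command(command):
    """Case-insensitive equivalent of the command IN (...) wildcard list."""
    return any(fnmatchcase(command.lower(), p) for p in AAA_COMMAND_PATTERNS)


def detect_aaa_tampering(lines):
    """Mirror the stats clause: one row per host with count, time bounds, values()."""
    by_host = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["message_id"] not in MONITORED_MESSAGE_IDS:
            continue
        if not ev["command"] or not is_aaa_command(ev["command"]):
            continue
        agg = by_host.setdefault(ev["host"], {
            "count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"],
            **{f: set() for f in VALUE_FIELDS},
        })
        agg["count"] += 1
        agg["firstTime"] = min(agg["firstTime"], ev["_time"])
        agg["lastTime"] = max(agg["lastTime"], ev["_time"])
        for field in VALUE_FIELDS:
            if ev[field]:  # 111008 carries no src_ip/process_name, like fillnull leaving them empty
                agg[field].add(ev[field])
    for agg in by_host.values():  # SPL values() yields deduplicated, sorted multivalues
        for field in VALUE_FIELDS:
            agg[field] = sorted(agg[field])
    return by_host


def weakening_commands(result):
    """Triage helper (an assumption added here, not part of the rule): a
    'no aaa ...' command removes an AAA control outright and gets the first look."""
    return {host: [c for c in agg["command"] if c.lower().startswith("no aaa")]
            for host, agg in result.items()}


if __name__ == "__main__":
    hits = detect_aaa_tampering(SAMPLE_LOGS)
    for host, agg in sorted(hits.items()):
        print(host, agg["count"], agg["firstTime"], agg["lastTime"], agg["user"], agg["command"])
    print("weakening:", weakening_commands(hits))
```

The per-host grouping is deliberately faithful to the search: a single row for fw-edge-01 holds both the lockout removal and the authentication change, so an analyst sees the whole sequence from one source address rather than two disconnected alerts. The triage helper is only a starting point; as the description says, each change still has to be checked against the approved change record.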