LoFP / Legitimate account creation occurs during employee onboarding, contractor provisioning, service account setup, or emergency access. Verify against HR records and change management tickets. Filter known admin accounts during business hours.

Techniques

Sample rules

Cisco ASA - New Local User Account Created

Description

This analytic detects creation of new user accounts on Cisco ASA devices via CLI or ASDM. Adversaries may create unauthorized user accounts to establish persistence, maintain backdoor access, or elevate privileges on network infrastructure devices. These rogue accounts can provide attackers with continued access even after initial compromise vectors are remediated. The detection monitors for ASA message ID 502101, which is generated whenever a new user account is created on the device, capturing details including the username, privilege level, and the administrator who created the account. Investigate unexpected account creations, especially those with elevated privileges (level 15), accounts created outside business hours, accounts with suspicious or generic names, or accounts created by non-administrative users.

Detection logic

`cisco_asa`
message_id IN (502101)
| fillnull
| stats count earliest(_time) as firstTime
        latest(_time) as lastTime
        values(action) as action
        values(message_id) as message_id
        values(result) as result
        values(privilege_level) as privilege_level
  by host user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_asa___new_local_user_account_created_filter`
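As an added worked example, not part of the original rule or the Splunk content, the Python below applies the same logic to constructed Cisco ASA syslog lines: it keeps only message 502101, aggregates by host and user as the stats clause does, drops known admin accounts created during business hours per the LoFP note, and tags the review conditions named in the description (privilege 15, off-hours, generic names). The exact 502101 wording, KNOWN_ADMINS, BUSINESS_HOURS and GENERIC_NAMES are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines approximating ASA message 502101; real device wording may differ.
SAMPLE_LOGS = [
    "Jun 03 09:15:02 fw-edge-01 %ASA-5-502101: New user account jdoe created, privilege 15",
    "Jun 03 02:47:19 fw-edge-01 %ASA-5-502101: New user account admin2 created, privilege 15",
    "Jun 03 10:30:44 fw-core-02 %ASA-5-502101: New user account svc_backup created, privilege 3",
    "Jun 03 10:31:00 fw-core-02 %ASA-6-605005: Login permitted from 10.0.0.5/51234 to inside:10.0.0.1/ssh for user \"jdoe\"",
]
# Constructed allow-list and policy values implementing the LoFP guidance (assumptions).
KNOWN_ADMINS = {"jdoe"}
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 device-local time
GENERIC_NAMES = {"admin", "test", "user", "support", "backup"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) %ASA-\d-(?P<msg_id>\d{6}): "
    r"New user account (?P<user>\S+) created, privilege (?P<priv>\d+)"
)

def parse_502101(line):
    """Return the fields of a 502101 event, or None for any other message."""
    m = LINE_RE.match(line)
    if not m or m.group("msg_id") != "502101":
        return None
    hour = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").hour
    return {"host": m.group("host"), "user": m.group("user"),
            "privilege_level": int(m.group("priv")), "hour": hour}

def triage(lines):
    """Aggregate by host/user, as the SPL stats clause does, and tag review reasons."""
    by_key = defaultdict(lambda: {"count": 0, "privilege_level": set(), "reasons": set()})
    for line in lines:
        ev = parse_502101(line)
        if ev is None:
            continue
        in_hours = ev["hour"] in BUSINESS_HOURS
        if ev["user"] in KNOWN_ADMINS and in_hours:
            continue  # LoFP filter: expected admin provisioning during business hours
        rec = by_key[(ev["host"], ev["user"])]
        rec["count"] += 1
        rec["privilege_level"].add(ev["privilege_level"])
        if ev["privilege_level"] == 15:
            rec["reasons"].add("privilege 15")
        if not in_hours:
            rec["reasons"].add("outside business hours")
        if re.sub(r"\d+$", "", ev["user"]).lower() in GENERIC_NAMES:
            rec["reasons"].add("generic name")
    return dict(by_key)
```

Each remaining key in the result corresponds to one row of the SPL output; an empty reasons set means the creation matched none of the description's red flags but still warrants verification against HR or change tickets.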