LoFP

Legitimate changes occur during role changes, temporary escalation for maintenance, or security policy adjustments. Verify against change management. Filter known admin accounts during maintenance windows.

Techniques

Sample rules

Cisco ASA - User Privilege Level Change

Description

This analytic detects privilege level changes for user accounts on Cisco ASA devices via CLI or ASDM. Adversaries may escalate account privileges to gain elevated access to network infrastructure, enable additional command execution capabilities, or establish higher-level persistent access. Privilege levels on Cisco ASA range from 0 (lowest) to 15 (full administrative access), with level 15 providing complete device control. The detection monitors for ASA message ID 502103, which is generated whenever a user account’s privilege level is modified, capturing both the old and new privilege levels along with the username and administrator who made the change. Investigate unexpected privilege changes, especially escalations to level 15, substantial privilege increases (e.g., from level 1 to 15), changes performed outside business hours, changes by non-administrative users, or changes without corresponding change management tickets.

Detection logic

`cisco_asa`
message_id IN (502103)
| fillnull
| stats earliest(_time) as firstTime
        latest(_time) as lastTime
        values(action) as action
        values(message_id) as message_id
        values(old_privilege_level) as old_privilege_level
        values(new_privilege_level) as new_privilege_level
  by host user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_asa___user_privilege_level_change_filter`
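The same triage outside Splunk, as an added example that is not part of the rule above: it parses ASA 502103 syslog lines, labels escalations the way the description prioritises them, and applies the LoFP filter (known admin accounts during a maintenance window). The admin list, window, threshold for a "substantial" increase, and all log lines are constructed assumptions.

```python
import re
from datetime import datetime, time

# Body of ASA message 502103; the Uname/From/To layout follows Cisco's documented
# format for this ID. All log lines in this example are constructed, not captured.
ASA_502103 = re.compile(r"%ASA-\d-502103: User priv level changed: Uname: (?P<user>\S+) "
                        r"From: (?P<old>\d+) To: (?P<new>\d+)")

# Hypothetical LoFP tuning: admin accounts expected to change privilege levels,
# and the maintenance window in which such changes are planned.
KNOWN_ADMINS = {"netops-admin"}
MAINT_WINDOW = (time(1, 0), time(3, 0))  # 01:00-03:00, constructed

def parse_502103(line):
    """Parse '<iso-timestamp> <host> %ASA-5-502103: ...'; None for other message IDs."""
    if not (m := ASA_502103.search(line)):
        return None
    ts, host, _ = line.split(" ", 2)
    return {"time": datetime.fromisoformat(ts), "host": host, "user": m["user"],
            "old": int(m["old"]), "new": int(m["new"])}

def classify(evt, big_jump=10):
    """Label the change along the lines the description asks analysts to prioritise."""
    if evt["new"] == 15 and evt["old"] < 15:
        return "escalation_to_15"
    if evt["new"] - evt["old"] >= big_jump:  # threshold is an assumption
        return "large_increase"
    return "change"

def is_expected(evt):
    """LoFP filter: a known admin changing privileges inside the maintenance window."""
    return evt["user"] in KNOWN_ADMINS and MAINT_WINDOW[0] <= evt["time"].time() < MAINT_WINDOW[1]

def triage(lines):
    """Split 502103 events into (alerts, suppressed) using the LoFP filter."""
    alerts, suppressed = [], []
    for line in lines:
        evt = parse_502103(line)
        if evt is None:
            continue
        evt["label"] = classify(evt)
        (suppressed if is_expected(evt) else alerts).append(evt)
    return alerts, suppressed

SAMPLE = [  # constructed sample lines, not real device output
    "2024-05-02T02:15:00 fw01 %ASA-5-502103: User priv level changed: Uname: netops-admin From: 1 To: 15",
    "2024-05-02T14:40:12 fw01 %ASA-5-502103: User priv level changed: Uname: jdoe From: 1 To: 15",
    "2024-05-02T14:41:30 fw02 %ASA-5-502103: User priv level changed: Uname: svc-backup From: 2 To: 12",
    "2024-05-02T14:42:00 fw02 %ASA-6-302013: Built inbound TCP connection 12345",
]
```

Running `triage(SAMPLE)` suppresses only the netops-admin change inside the window; the two daytime changes remain as alerts, one tagged as an escalation to level 15 and one as a large increase.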