Cisco ASA - Device File Copy to Remote Location
- source: splunk
- techniques:
  - T1005
  - T1041
  - T1048.003
Description
This analytic detects file copy operations to remote locations on Cisco ASA devices via CLI or ASDM. Adversaries may exfiltrate device files including configurations, logs, packet captures, or system data to remote servers using protocols like TFTP, FTP, HTTP, HTTPS, SMB, or SCP. While legitimate backups to centralized servers are common, copies to unexpected destinations may indicate data exfiltration to attacker-controlled infrastructure. The detection monitors for command execution events (message ID 111008 or 111010) containing copy commands with remote protocol indicators (tftp:, ftp:, http:, https:, smb:, scp:). Investigate copies to unexpected destinations, from non-administrative accounts, or outside approved maintenance windows. We recommend adapting the detection filters to exclude known legitimate backup activities.
Detection logic
`cisco_asa`
message_id IN (111008, 111010)
command="copy *"
command IN (
"*running-config*",
"*startup-config*",
"*/pcap capture:*",
"* disk0:*",
"* flash:*",
"* system:*"
)
command IN (
"*tftp:*",
"*ftp:*",
"*http:*",
"*https:*",
"*smb:*",
"*scp:*"
)
| eval remote_protocol = mvappend(
if(match(command, "tftp:"), "TFTP", null()),
if(match(command, "(^|[^a-z])ftp:"), "FTP", null()),
if(match(command, "http:"), "HTTP", null()),
if(match(command, "https:"), "HTTPS", null()),
if(match(command, "smb:"), "SMB", null()),
if(match(command, "scp:"), "SCP", null())
)
| fillnull
| stats earliest(_time) as firstTime
latest(_time) as lastTime
values(user) as user
values(action) as action
values(message_id) as message_id
values(command) as command
values(remote_protocol) as remote_protocol
values(src_ip) as src_ip
values(dest) as dest
values(process_name) as process_name
by host
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_asa___device_file_copy_to_remote_location_filter`