LoFP / legitimate deletions occur during employee offboarding, contractor removal, account cleanup, or service account decommissioning. verify against hr records and change management tickets. filter known admin accounts during business hours.

Techniques

• T1070.008
• T1531

Sample rules

Cisco ASA - User Account Deleted From Local Database

• source: splunk
• technicques:
  • T1531
  • T1070.008

Description

This analytic detects deletion of user accounts from Cisco ASA devices via CLI or ASDM. Adversaries may delete local accounts to cover their tracks, remove evidence of their activities, disrupt incident response efforts, or deny legitimate administrator access during an attack. Account deletion can also indicate an attempt to hide the creation of temporary accounts used during compromise. The detection monitors for ASA message ID 502102, which is generated whenever a local user account is deleted from the device, capturing details including the deleted username, privilege level, and the administrator who performed the deletion. Investigate unexpected account deletions, especially those involving privileged accounts (level 15), deletions performed outside business hours, deletions by non-administrative users, or deletions that coincide with other suspicious activities.

Detection logic

`cisco_asa`
message_id IN (502102)

| fillnull

| stats count earliest(_time) as firstTime
        latest(_time) as lastTime
        values(action) as action
        values(message_id) as message_id
        values(result) as result
        values(privilege_level) as privilege_level
  by host user

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `cisco_asa___user_account_deleted_from_local_database_filter`