| ID | Technique | Tactic |
|---|---|---|
| T1082 | System Information Discovery | Discovery |
| T1590.001 | Domain Properties | Reconnaissance |
| T1590.005 | IP Addresses | Reconnaissance |
Detection: Cisco ASA - Reconnaissance Command Activity
Description
This analytic detects potential reconnaissance activities on Cisco ASA devices by identifying execution of multiple information-gathering "show" commands within a short timeframe. Adversaries who gain initial access to network infrastructure devices typically perform systematic reconnaissance to understand the device configuration, network topology, security policies, connected systems, and potential attack paths. This reconnaissance phase involves executing multiple "show" commands to enumerate device details, running configurations, active connections, routing information, and VPN sessions. The detection monitors for command execution events (message ID 111009) containing reconnaissance-oriented "show" commands (such as show running-config, show version, show interface, show crypto, show conn, etc.) and triggers when 7 or more distinct reconnaissance commands are executed within a 5-minute window by the same user. Investigate reconnaissance bursts from non-administrative accounts, unusual source IP addresses, activity during off-hours, methodical command sequences suggesting automated enumeration, or reconnaissance activity correlated with other suspicious behaviors. We recommend adapting the detection filters to exclude known legitimate administrative activities.
Search
1`cisco_asa`
2message_id IN (111009)
3command IN (
4 "show access-list*",
5 "show capture*",
6 "show conn*",
7 "show cpu*",
8 "show crypto*",
9 "show eigrp*",
10 "show failover*",
11 "show flow*",
12 "show interface*",
13 "show inventory*",
14 "show ip*",
15 "show license*",
16 "show memory*",
17 "show nat*",
18 "show ospf*",
19 "show process*",
20 "show running-config*",
21 "show startup-config*",
22 "show version*",
23 "show vpn-sessiondb*",
24 "show xlate*"
25)
26
27| fillnull
Normalize command variations to base command types to count distinct reconnaissance categories. For example, "show running-config", "show running-config | include username", and "show running-config interface" all count as one command type. This prevents adversaries from evading detection by adding arguments or using multiple variations of the same command.
1
2
3| eval command_type=case(
4 match(command, "^show access-list"), "show access-list",
5 match(command, "^show conn"), "show conn",
6 match(command, "^show cpu"), "show cpu",
7 match(command, "^show crypto"), "show crypto",
8 match(command, "^show eigrp"), "show eigrp",
9 match(command, "^show failover"), "show failover",
10 match(command, "^show flow"), "show flow",
11 match(command, "^show interface"), "show interface",
12 match(command, "^show inventory"), "show inventory",
13 match(command, "^show ip"), "show ip",
14 match(command, "^show license"), "show license",
15 match(command, "^show memory"), "show memory",
16 match(command, "^show nat"), "show nat",
17 match(command, "^show ospf"), "show ospf",
18 match(command, "^show process"), "show process",
19 match(command, "^show running-config"), "show running-config",
20 match(command, "^show startup-config"), "show startup-config",
21 match(command, "^show version"), "show version",
22 match(command, "^show vpn-sessiondb"), "show vpn-sessiondb",
23 match(command, "^show xlate"), "show xlate",
24 true(), command)
25
26
27| bin _time span=5m
28
29
30| stats count
31 earliest(_time) as firstTime
32 latest(_time) as lastTime
33 dc(command_type) as unique_recon_commands
34 values(command_type) as command_types
35 values(command) as commands
36 values(src_ip) as src_ip
37 values(message_id) as message_id
38 values(action) as action
39 by _time host user
40
41
42| where unique_recon_commands >= 7
43
44| `security_content_ctime(firstTime)`
45
46| `security_content_ctime(lastTime)`
47
48| `cisco_asa___reconnaissance_command_activity_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Cisco ASA Logs | Other | 'cisco:asa' |
'not_applicable' |
Macros Used
| Name | Value |
|---|---|
| cisco_asa | sourcetype=cisco:asa |
| cisco_asa___reconnaissance_command_activity_filter | search * |
cisco_asa___reconnaissance_command_activity_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Exploitation
Reconnaissance
DE.AE
CIS 13
APT19
APT3
APT32
APT37
APT38
APT41
APT42
Andariel
Aquatic Panda
BlackByte
Blue Mockingbird
CURIUM
Contagious Interview
Daggerfly
Darkhotel
FIN13
FIN7
FIN8
Gamaredon Group
HAFNIUM
HEXANE
Higaisa
Inception
Ke3chang
Kimsuky
Lazarus Group
Magic Hound
Malteiro
Medusa Group
Moonstone Sleet
Moses Staff
MuddyWater
Mustang Panda
Mustard Tempest
OilRig
Patchwork
Play
RedCurl
Rocke
Sandworm Team
Scattered Spider
SideCopy
Sidewinder
Sowbug
Stealth Falcon
Storm-0501
TA2541
TeamTNT
Tropic Trooper
Turla
Windigo
Windshift
Winter Vivern
Wizard Spider
ZIRCONIUM
admin@338
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
Implementation
This search requires Cisco ASA syslog data to be ingested into Splunk via the Cisco Security Cloud TA. To ensure this detection works effectively, configure your ASA and FTD devices to generate and forward message ID 111009. If your logging level is set to 'Debugging', these messages should already be included, else we recommend setting an event list that keeps the severity level you are using and adds message ID 111009. You can find specific instructions on how to set this up here : https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html. You can also change the severity level of the above message id's to the syslog level you have currently enabled using the logging message syslog_id level severity_level command in global configuration mode. For more information, see Change the Severity Level of a Syslog Message : https://www.cisco.com/c/en/us/td/docs/security/asa/asa922/configuration/general/asa-922-general-config/monitor-syslog.html#ID-2121-000006da
Known False Positives
Legitimate sequences occur during troubleshooting, health checks, upgrades, audits, or automation scripts. Verify against change management. Filter known admin accounts, trusted management stations, or adjust threshold based on baseline.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
User $user$ executed $unique_recon_commands$ distinct reconnaissance commands of type $command_types$ within a 5-minute window on Cisco ASA host $host$, indicating potential reconnaissance activity.
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| user | user | 40 | src_ip |
| host | system | 50 | src_ip |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | not_applicable |
cisco:asa |
| Integration | ✅ Passing | Dataset | not_applicable |
cisco:asa |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1