Detection: Cisco ASA - New Local User Account Created

Description

This analytic detects creation of new user accounts on Cisco ASA devices via CLI or ASDM. Adversaries may create unauthorized user accounts to establish persistence, maintain backdoor access, or elevate privileges on network infrastructure devices. These rogue accounts can provide attackers with continued access even after initial compromise vectors are remediated. The detection monitors for ASA message ID 502101, which is generated whenever a new user account is created on the device, capturing details including the username, privilege level, and the administrator who created the account. Investigate unexpected account creations, especially those with elevated privileges (level 15), accounts created outside business hours, accounts with suspicious or generic names, or accounts created by non-administrative users.

Search

 1`cisco_asa`
 2message_id IN (502101)
 3
 4| fillnull
 5
 6| stats count earliest(_time) as firstTime
 7        latest(_time) as lastTime
 8        values(action) as action
 9        values(message_id) as message_id
10        values(result) as result
11        values(privilege_level) as privilege_level
12  by host user
13
14| `security_content_ctime(firstTime)`
15
16| `security_content_ctime(lastTime)`
17
18| `cisco_asa___new_local_user_account_created_filter`

Data Source

Macros Used

Annotations

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Implementation

This search requires Cisco ASA syslog data to be ingested into Splunk via the Cisco Security Cloud TA. To ensure this detection works effectively, configure your ASA and FTD devices to generate and forward message ID 502101. If your logging level is set to 'Notifications' or higher, these messages should already be included, else we recommend setting an event list that keeps the severity level you are using and adds message ID 502101. You can find specific instructions on how to set this up here : https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html. You can also change the severity level of the above message id's to the syslog level you have currently enabled using the logging message syslog_id level severity_level command in global configuration mode. For more information, see Change the Severity Level of a Syslog Message : https://www.cisco.com/c/en/us/td/docs/security/asa/asa922/configuration/general/asa-922-general-config/monitor-syslog.html#ID-2121-000006da

Known False Positives

Legitimate account creation occurs during employee onboarding, contractor provisioning, service account setup, or emergency access. Verify against HR records and change management tickets. Filter known admin accounts during business hours.

Associated Analytic Story

• Suspicious Cisco Adaptive Security Appliance Activity

Risk Based Analytics (RBA)

Risk Message:

New local user account $user$ with privilege level $privilege_level$ was created on Cisco ASA host $host$.

References

• https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/asa-syslog/syslog-messages-500000-to-520025.html#con_4773963

Detection Testing

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 1