Splunk

Cisco ASA - Device File Copy Activity

Last updated 2 days ago on 2026-07-17

About

This analytic detects file copy activity on Cisco ASA devices via CLI or ASDM. Adversaries may copy device files including configurations, logs, packet captures, or system files for reconnaissance, credential extraction, or data exfiltration. While legitimate file operations occur during backups and maintenance, unauthorized copies may indicate malicious activity. The detection monitors for command execution events (message ID 111008 or 111010) containing copy commands targeting running-config, startup-config, packet capture files, or other system files from disk0:, flash:, system:, or capture: locations. Investigate unexpected file copies, especially from non-administrative accounts, during unusual hours, or when combined with other suspicious activities.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/(external, opens in a new tab or window)
False Positives
Legitimate configuration exports may occur during normal administrative activities. These events should be verified and investigated.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`cisco_asa` message_id IN (111008, 111010) command = "copy *" command IN ( "*running-config*", "*startup-config*", "*/pcap capture:*", "* disk0:*", "* flash:*", "* system:*" ) | fillnull | stats earliest(_time) as firstTime latest(_time) as lastTime values(user) as user values(action) as action values(message_id) as message_id values(command) as command values(src_ip) as src_ip values(process_name) as process_name by host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_asa___device_file_copy_activity_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).