Splunk

Cisco ASA - Device File Copy to Remote Location

Last updated 2 days ago on 2026-07-17

About

This analytic detects file copy operations to remote locations on Cisco ASA devices via CLI or ASDM. Adversaries may exfiltrate device files including configurations, logs, packet captures, or system data to remote servers using protocols like TFTP, FTP, HTTP, HTTPS, SMB, or SCP. While legitimate backups to centralized servers are common, copies to unexpected destinations may indicate data exfiltration to attacker-controlled infrastructure. The detection monitors for command execution events (message ID 111008 or 111010) containing copy commands with remote protocol indicators (tftp:, ftp:, http:, https:, smb:, scp:). Investigate copies to unexpected destinations, from non-administrative accounts, or outside approved maintenance windows. We recommend adapting the detection filters to exclude known legitimate backup activities.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://community.cisco.com/t5/security-knowledge-base/asa-how-to-download-images-using-tftp-ftp-http-https-and-scp/ta-p/3109769(external, opens in a new tab or window)https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/(external, opens in a new tab or window)
False Positives
Legitimate configuration exports to remote locations may occur during normal administrative activities. Investigate these events to verify their legitimacy and apply necessary filters.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`cisco_asa` message_id IN (111008, 111010) command = "copy *" command IN ( "*running-config*", "*startup-config*", "*/pcap capture:*", "* disk0:*", "* flash:*", "* system:*" ) command IN ( "*ftp:*", "*http:*", "*https:*", "*smb:*", "*scp:*" ) | eval remote_protocol = mvappend( if(match(command, "tftp:"), "TFTP", null()), if(match(command, "ftp:"), "FTP", null()), if(match(command, "http:"), "HTTP", null()), if(match(command, "https:"), "HTTPS", null()), if(match(command, "smb:"), "SMB", null()), if(match(command, "scp:"), "SCP", null()) ) | fillnull | stats earliest(_time) as firstTime latest(_time) as lastTime values(user) as user values(action) as action values(message_id) as message_id values(command) as command values(remote_protocol) as remote_protocol values(src_ip) as src_ip values(dest) as dest values(process_name) as process_name by host | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_asa___device_file_copy_to_remote_location_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).