new: 7 Sigma rules — ArcaneDoor / UAT-4356 Cisco ASA campaign (LINE DANCER, LINE RUNNER, LINE VIPER, FIRESTARTER)#6023

Closed
CrunchyJohnHaven wants to merge 1 commit into
SigmaHQ:masterfrom
CrunchyJohnHaven:arcanedoor-uat4356-detection-rules

Conversation

@CrunchyJohnHaven


What

Adds 7 Sigma rules covering the ArcaneDoor / UAT-4356 / Storm-1849 campaign against Cisco ASA / Firepower devices, spanning both publicly disclosed implant lineages:

2024 family (LINE DANCER + LINE RUNNER):

  • cisco_asa_line_dancer_split_lina_memory.yml — detects the split-lina memory anomaly from show memory region | include lina
  • cisco_asa_line_runner_persistence_zip_lua.yml — detects client_bundle*.zip and the Lua artifact filenames Talos disclosed
  • cisco_asa_line_viper_line_runner_webcontent_artifact.yml — detects the specific webcontent hash file 1515480F4B538B669648B17C02337098

2025-26 family (RayInitiator + LINE VIPER + FIRESTARTER):

  • cisco_asa_line_viper_lina_cs_process.yml — detects the malicious lina_cs process name
  • cisco_asa_line_viper_reboot_no_core_dump.yml — flags the anti-forensic copy system:/te* admin command (which triggers immediate reboot without core dump on a compromised device)
  • cisco_asa_line_viper_suppressed_syslog_ids.yml — correlates active VPN session indicators with absence of expected 302013/302014/609002/710005 syslog IDs (LINE VIPER's syslog suppression hook)
  • cisco_asa_line_viper_webvpn_anomalous_device_id.yml — detects the 32-byte hex victim token at the start of the device-type XML attribute in WebVPN config-auth POSTs

Why

NCSC, CISA, Cisco Talos, and Eclypsium have all published detailed IOCs and YARA rules for disk-image / coredump analysis of this campaign. There is no public Sigma rule coverage. These rules close that gap for SIEM-based defenders.

The campaign is actively exploited and China-nexus attributed. CISA AR26-113A (Apr 2026) reaffirms active deployment.

Provenance

All rules derived from publicly disclosed indicators in:

Sources cited per-rule. License: CC0 (public domain).

Honest caveats

  • Status: experimental. Rules encode publicly disclosed signatures only; they are not lab-validated against a compromised ASA. I do not have access to one.
  • Drafted with AI assistance (Claude) from the published primary sources. I take responsibility for the submission; please flag anything that looks off.
  • The _suppressed_syslog_ids rule uses a correlation pattern (condition: ... and not ...) that may need adjustment for the SigmaHQ backend / pySigma. Open to format guidance.
  • The _webvpn_anomalous_device_id rule has logsource.category: webserver since WebVPN body capture typically happens upstream of the ASA at a reverse-proxy / WAF. If SigmaHQ has a more specific logsource for AnyConnect body capture, happy to retarget.

Companion content

The same author has published companion Suricata rules, Splunk SPL, a Bash live-host check, and a 2024 ↔ 2025-26 cross-walk doc as a public gist: https://gist.github.com/CrunchyJohnHaven/bb027f41a8a68bda2ccb01f1eac69534 (also CC0). Happy to land any subset of that here if useful.

Welcoming review, format normalization, FP testing, anything else.
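To illustrate the correlation pattern the _suppressed_syslog_ids rule describes (VPN session activity present, expected connection-lifecycle syslog IDs absent), here is an added, stand-alone example that is not part of the PR or the SigmaHQ repository. The log lines are constructed, the per-host grouping is the example's own simplification of a time window, and the VPN session indicator IDs (722022, 113039) are assumptions, not values from the PR.

```python
import re
from collections import defaultdict

# Syslog IDs the PR lists as expected on a healthy ASA and suppressed by LINE VIPER.
EXPECTED_IDS = {"302013", "302014", "609002", "710005"}
# ASSUMED VPN session indicator IDs for this example (not taken from the PR).
VPN_SESSION_IDS = {"722022", "113039"}

# Matches the "%ASA-<severity>-<6-digit id>:" prefix of an ASA syslog message.
MSG_RE = re.compile(r"%ASA-\d-(\d{6}):")


def parse_asa_line(line):
    """Return (host, syslog_id) for a line shaped 'host %ASA-<sev>-<id>: ...', else None."""
    parts = line.split(None, 1)
    if len(parts) != 2:
        return None
    m = MSG_RE.search(parts[1])
    if not m:
        return None
    return parts[0], m.group(1)


def find_suppressed_hosts(lines):
    """Hosts that emitted a VPN session indicator but none of the expected IDs.

    Grouping is per host over the whole input; a real detection would bound
    this to a time window, which is the part the PR flags as backend-specific.
    """
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_asa_line(line)
        if parsed:
            host, sid = parsed
            seen[host].add(sid)
    return sorted(h for h, ids in seen.items()
                  if ids & VPN_SESSION_IDS and not ids & EXPECTED_IDS)


# Constructed sample: fw-a behaves normally, fw-b shows VPN activity with no
# connection-lifecycle messages at all, and one line is unrelated noise.
SAMPLE_LOGS = [
    "fw-a %ASA-6-722022: Group <vpn> User <alice> IP <198.51.100.7> TCP SVC connection established",
    "fw-a %ASA-6-302013: Built inbound TCP connection 1234 for outside:198.51.100.7/50000",
    "fw-a %ASA-6-302014: Teardown TCP connection 1234 for outside:198.51.100.7/50000",
    "fw-b %ASA-6-722022: Group <vpn> User <bob> IP <203.0.113.9> TCP SVC connection established",
    "fw-b %ASA-6-725001: Starting SSL handshake with client outside:203.0.113.9/50001",
    "syslog-relay: heartbeat ok",
]

if __name__ == "__main__":
    print("hosts with suppressed syslog IDs:", find_suppressed_hosts(SAMPLE_LOGS))
```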

Adds detection content for the ArcaneDoor / UAT-4356 / Storm-1849 campaign
on Cisco ASA / Firepower, covering both implant lineages:

2024 family (LINE DANCER + LINE RUNNER):
- cisco_asa_line_dancer_split_lina_memory.yml — split-lina executable region anomaly
- cisco_asa_line_runner_persistence_zip_lua.yml — client_bundle*.zip + Lua artifacts
- cisco_asa_line_viper_line_runner_webcontent_artifact.yml — specific webcontent file

2025-26 family (RayInitiator + LINE VIPER + FIRESTARTER):
- cisco_asa_line_viper_lina_cs_process.yml — malicious lina_cs process
- cisco_asa_line_viper_reboot_no_core_dump.yml — anti-forensic copy hook
- cisco_asa_line_viper_suppressed_syslog_ids.yml — syslog suppression correlation
- cisco_asa_line_viper_webvpn_anomalous_device_id.yml — WebVPN body device-id token

All rules derived from publicly disclosed indicators in NCSC MAR (Oct 2025),
Talos blogs (Apr 2024 and Apr 2026), and Cisco PSIRT advisory cisco-sa-asaftd-
persist-CISAED25-03. Sources cited per-rule.

Status: experimental. Rules are not lab-validated against a compromised
ASA — they encode the publicly disclosed signatures only. Welcoming peer
review, format normalization, and false-positive testing feedback.

License: CC0.
@github-actions


Welcome 👋

It looks like this is your first pull request on the Sigma rules repository!

Please make sure to read the SigmaHQ conventions to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.

Thanks again, and welcome to the Sigma community! 😃

@github-actions github-actions Bot added Rules Review Needed The PR requires review labels May 19, 2026

@nasbench nasbench left a comment


Most (if not all) of these will never match. I worked on detection for this, and what is described in the reports comes from memory/disk dumps, not actual logs of the ASA.

Hence I will be closing this PR.

If you like, you could transfer some of the rules here https://research.splunk.com/stories/arcanedoor/ to Sigma; we have logs, and some of them are simple log matching that can be used in Sigma.

@nasbench nasbench closed this Jun 11, 2026