new: 7 Sigma rules — ArcaneDoor / UAT-4356 Cisco ASA campaign (LINE DANCER, LINE RUNNER, LINE VIPER, FIRESTARTER)

rules/network/cisco/aaa/cisco_asa_line_dancer_split_lina_memory.yml

@@ -0,0 +1,32 @@
+title: Cisco ASA LINE DANCER Split lina Memory Anomaly
+id: 1a6b2b5e-5ee5-8fb5-e7fa-rayv1pr0005
+status: experimental
+description: |
+    Detects the LINE DANCER (2024 ArcaneDoor) in-memory implant via the
+    "split lina" memory anomaly. The implant modifies small sections of LINA
+    process memory, creating multiple executable (r-xp) regions, notably one
+    of exactly 0x1000 bytes (one page). Observable via
+    'show memory region | include lina'. LINE VIPER (2025-26) fixed this
+    telltale by modifying the entire .text region starting at cs:0 — this
+    rule covers the LEGACY 2024 implant only.
+references:
+    - https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
+    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/RayInitiator-LINE-VIPER/ncsc-mar-rayinitiator-line-viper.pdf
+author: defender-pack-arcanedoor (CC0)
+date: 2026-05-19
+tags:
+    - attack.persistence
+    - attack.defense-evasion
+    - attack.t1014
+logsource:
+    product: cisco
+    service: aaa
+detection:
+    keywords:
+        - 'r-xp 0x1000'
+    selection:
+        - 'lina'
+    condition: keywords and selection
+falsepositives:
+    - Multi-region lina memory layout in some ASA versions during specific runtime states. Investigate any hit.
+level: high

rules/network/cisco/aaa/cisco_asa_line_runner_persistence_zip_lua.yml

@@ -0,0 +1,35 @@
+title: Cisco ASA LINE RUNNER Persistence ZIP and Lua Artifacts
+id: 2b7c3c6f-6ff6-9fc6-f8ab-rayv1pr0006
+status: experimental
+description: |
+    Detects LINE RUNNER (2024 ArcaneDoor) persistence files on Cisco ASA.
+    LINE RUNNER persists by dropping a ZIP onto disk0: matching
+    ^client_bundle[A-Za-z0-9_-]*\.zip$ that gets auto-extracted at boot via
+    legacy VPN-plugin pre-loading (CVE-2024-20359). The ZIP contains
+    csco_config.lua, csco_config2.lua, hash.txt, index.txt, laecsnw.txt,
+    stgvdr.txt, umtfc.txt. Presence of these filenames or appearance of
+    client_bundle*.zip after a clean reload is high-confidence compromise
+    indicator. Aligned with Cisco's April 2024 detection guidance.
+references:
+    - https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
+author: defender-pack-arcanedoor (CC0)
+date: 2026-05-19
+tags:
+    - attack.persistence
+    - attack.t1542.003
+logsource:
+    product: cisco
+    service: aaa
+detection:
+    keywords:
+        - 'client_bundle'
+        - 'csco_config.lua'
+        - 'csco_config2.lua'
+        - 'laecsnw.txt'
+        - 'stgvdr.txt'
+        - 'umtfc.txt'
+        - 'disk0:/csco_config/97/webcontent/'
+    condition: keywords
+falsepositives:
+    - None known. These filenames do not correspond to legitimate ASA artifacts.
+level: critical

rules/network/cisco/aaa/cisco_asa_line_viper_lina_cs_process.yml

@@ -0,0 +1,31 @@
+title: Cisco ASA Malicious lina_cs Process Indicating LINE VIPER FIRESTARTER Persistence
+id: 7c2e8e1a-1aa1-4e91-a3b6-rayv1pr0001
+status: experimental
+description: |
+    Detects the malicious lina_cs process name that indicates LINE VIPER or
+    FIRESTARTER user-mode persistence on Cisco ASA / Firepower devices.
+    Observable via 'show kernel process | include lina_cs'. The implant may
+    change the process name, so this is a high-precision but not high-recall
+    rule. Maps to NCSC MAR (Oct 2025) and Cisco PSIRT advisory
+    cisco-sa-asaftd-persist-CISAED25-03 (Apr 2026).
+references:
+    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/RayInitiator-LINE-VIPER/ncsc-mar-rayinitiator-line-viper.pdf
+    - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-CISAED25-03
+    - https://blog.talosintelligence.com/uat-4356-firestarter/
+author: defender-pack-arcanedoor (CC0)
+date: 2026-05-19
+tags:
+    - attack.persistence
+    - attack.t1542.003
+    - attack.defense-evasion
+    - attack.t1014
+logsource:
+    product: cisco
+    service: aaa
+detection:
+    keywords:
+        - 'lina_cs'
+    condition: keywords
+falsepositives:
+    - None known. The substring lina_cs should not appear in legitimate ASA process output. The legitimate process name is lina.
+level: critical

rules/network/cisco/aaa/cisco_asa_line_viper_line_runner_webcontent_artifact.yml

@@ -0,0 +1,25 @@
+title: Cisco ASA LINE RUNNER webcontent Hash File 1515480F4B538B669648B17C02337098
+id: 3c8d4d70-7007-afd7-09bc-rayv1pr0007
+status: experimental
+description: |
+    Detects the LINE RUNNER (2024 ArcaneDoor) specific webcontent filename
+    1515480F4B538B669648B17C02337098 disclosed by Cisco Talos. Located at
+    disk0:/csco_config/97/webcontent/ on compromised ASA devices. Unique
+    artifact that should never appear on a clean device.
+references:
+    - https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
+author: defender-pack-arcanedoor (CC0)
+date: 2026-05-19
+tags:
+    - attack.persistence
+    - attack.t1542.003
+logsource:
+    product: cisco
+    service: aaa
+detection:
+    keywords:
+        - '1515480F4B538B669648B17C02337098'
+    condition: keywords
+falsepositives:
+    - None. Unique artifact filename.
+level: critical

rules/network/cisco/aaa/cisco_asa_line_viper_reboot_no_core_dump.yml

@@ -0,0 +1,31 @@
+title: Cisco ASA Immediate Reboot Without Core Dump LINE VIPER Anti Forensic Hook
+id: 0f5a1a4d-4dd4-7fa4-d6e9-rayv1pr0004
+status: experimental
+description: |
+    Detects the LINE VIPER (2025-26 ArcaneDoor) anti-forensic reboot hook.
+    LINE VIPER hooks the 'copy' command to immediately reboot the device if
+    its argument contains 'system:/text' (with autocompletion tolerance:
+    'tex', 'tex...'). It also modifies the core-dump signal handler so
+    emergency reboot occurs WITHOUT writing a core. An ASA that reboots
+    immediately after admin entry of 'copy system:/...' and produces no
+    core file is highly suspect. Requires correlation across admin CLI
+    commands, device-up/down events, and core file creation.
+references:
+    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/RayInitiator-LINE-VIPER/ncsc-mar-rayinitiator-line-viper.pdf
+author: defender-pack-arcanedoor (CC0)
+date: 2026-05-19
+tags:
+    - attack.defense-evasion
+    - attack.t1562
+    - attack.impact
+    - attack.t1529
+logsource:
+    product: cisco
+    service: aaa
+detection:
+    keywords:
+        - 'copy system:/te'
+    condition: keywords
+falsepositives:
+    - Legitimate admin attempts to copy from system: namespace during routine forensic checks. Investigate any hit by correlating with subsequent reboot events and core-dump presence.
+level: high

rules/network/cisco/aaa/cisco_asa_line_viper_suppressed_syslog_ids.yml

@@ -0,0 +1,36 @@
+title: Cisco ASA Suppressed Syslog IDs Indicating LINE VIPER Hook
+id: 8d3f9f2b-2bb2-5fa2-b4c7-rayv1pr0002
+status: experimental
+description: |
+    Detects the LINE VIPER (2025-26 ArcaneDoor) syslog suppression hook by
+    correlating active VPN session indicators with absence of expected
+    connection-built/teardown syslog IDs. LINE VIPER suppresses message IDs
+    302013, 302014, 609002, and 710005. On a healthy ASA with active VPN
+    tunnels these should appear regularly. Sustained absence during
+    observable VPN activity is a strong correlation signal. Tune timeframe
+    and ratio per environment baseline.
+references:
+    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/RayInitiator-LINE-VIPER/ncsc-mar-rayinitiator-line-viper.pdf
+author: defender-pack-arcanedoor (CC0)
+date: 2026-05-19
+tags:
+    - attack.defense-evasion
+    - attack.t1562
+logsource:
+    product: cisco
+    service: aaa
+detection:
+    vpn_session:
+        keywords:
+            - 'AnyConnect parent session'
+            - 'WebVPN session'
+    connection_logs:
+        keywords:
+            - 'ASA-6-302013'
+            - 'ASA-6-302014'
+            - 'ASA-6-609002'
+            - 'ASA-7-710005'
+    condition: vpn_session and not connection_logs | count() < 1
+falsepositives:
+    - ASA with VPN-only traffic patterns and aggressive ACL drops may legitimately show low 302013/302014 volume. Tune baseline per device.
+level: medium

rules/network/cisco/aaa/cisco_asa_line_viper_webvpn_anomalous_device_id.yml

@@ -0,0 +1,30 @@
+title: Cisco ASA WebVPN config-auth POST Anomalous device-id 32-byte Token
+id: 9e4f0f3c-3cc3-6f93-c5d8-rayv1pr0003
+status: experimental
+description: |
+    Detects LINE VIPER (2025-26 ArcaneDoor) WebVPN tasking via the 32-byte
+    hex victim token at the start of the device-id 'device-type' XML
+    attribute (NCSC MAR Figure 6). Legitimate AnyConnect device-type values
+    are short ASCII identifiers ('win', 'mac-intel', 'linux-64'). A
+    device-id element whose device-type attribute begins with 64 hex
+    characters is a strong LINE VIPER fingerprint. Requires WebVPN body
+    logging or a WAF / reverse-proxy in front of the ASA.
+references:
+    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/RayInitiator-LINE-VIPER/ncsc-mar-rayinitiator-line-viper.pdf
+author: defender-pack-arcanedoor (CC0)
+date: 2026-05-19
+tags:
+    - attack.command-and-control
+    - attack.t1071.001
+    - attack.defense-evasion
+    - attack.t1480.001
+logsource:
+    category: webserver
+detection:
+    selection:
+        cs-uri-stem|endswith: '/+CSCOE+/logon.html'
+        request_body|re: 'device-type="[0-9a-fA-F]{64}'
+    condition: selection
+falsepositives:
+    - Legitimate AnyConnect clients do not place hex tokens in device-type. Confirm body-logging integrity before treating low-volume hits as benign.
+level: high