Hunt pack: Agrius
1,106 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Vendor-native detections covering the ATT&CK techniques attributed to Agrius - a ready-to-deploy hunt pack across Splunk, Elastic and Sentinel.
Detections
50 shown of 1,106
Azure AD Service Principal Created
The following analytic detects the creation of a Service Principal in an Azure AD environment. It leverages Azure Active Directory events ingested through EventHub, specifically monitoring the "Add service principal" operation. This activity is significant because Service Principals can be used by adversaries to establish persistence and bypass multi-factor authentication and conditional access policies. If confirmed malicious, this could allow attackers to maintain single-factor access to the Azure AD environment, potentially leading to unauthorized access to resources and prolonged undetected activity.
Show query
`azure_monitor_aad` operationName="Add service principal" properties.initiatedBy.user.id=*
| rename properties.* as *
| rename targetResources{}.displayName as displayName
| rename targetResources{}.type as type
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest user src
vendor_account vendor_product displayName
result signature
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_service_principal_created_filter`
Azure AD Service Principal Enumeration
This detection leverages Azure Graph activity logs to identify when Graph APIs have been used to look up 10 or more service principals. This type of behaviour is associated with Azure enumeration tools such as AzureHound or ROADtools.
Show query
`azure_monitor_aad` category IN (MicrosoftGraphActivityLogs) TERM(servicePrincipals)
| fillnull
| rex field="properties.requestUri" "https\:\/\/graph.microsoft.com\/beta\/servicePrincipals\/(?P<servicePrincipalb>.*?)\/"
| rex field="properties.requestUri" "https\:\/\/graph.microsoft.com\/v1.0\/servicePrincipals\/(?P<servicePrincipalv1>.*?)\/"
| eval spn=coalesce(servicePrincipalb,servicePrincipalv1)
| fillnull
| stats count min(_time) as _time dc(spn) as spn_count values(user_id) as user_id
BY dest user src
vendor_account vendor_product signature
| where spn_count>9
| `azure_ad_service_principal_enumeration_filter`
Azure AD Successful PowerShell Authentication
The following analytic identifies a successful authentication event against an Azure AD tenant using PowerShell cmdlets. This detection leverages Azure AD SignInLogs to identify successful logins where the appDisplayName is "Microsoft Azure PowerShell." This activity is significant because it is uncommon for regular, non-administrative users to authenticate using PowerShell, and it may indicate enumeration and discovery techniques by an attacker. If confirmed malicious, this activity could allow attackers to perform extensive reconnaissance, potentially leading to privilege escalation or further exploitation within the Azure environment.
Show query
`azure_monitor_aad` category=SignInLogs properties.authenticationDetails{}.succeeded=true properties.appDisplayName="Microsoft Azure PowerShell"
| rename properties.* as *
| rename userAgent as user_agent
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest user src
vendor_account vendor_product user_agent
signature
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_successful_powershell_authentication_filter`
Azure AD Successful Single-Factor Authentication
The following analytic identifies a successful single-factor authentication event against Azure Active Directory. It leverages Azure SignInLogs data, specifically focusing on events where single-factor authentication succeeded. This activity is significant as it may indicate a misconfiguration, policy violation, or potential account takeover attempt. If confirmed malicious, an attacker could gain unauthorized access to the account, potentially leading to data breaches, privilege escalation, or further exploitation within the environment.
Show query
`azure_monitor_aad` category=SignInLogs properties.authenticationRequirement=singleFactorAuthentication properties.authenticationDetails{}.succeeded=true
| rename properties.* as *
| rename userAgent as user_agent
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest user src
vendor_account vendor_product user_agent
signature
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_successful_single_factor_authentication_filter`
Azure Automation Account Created
The following analytic detects the creation of a new Azure Automation account within an Azure tenant. It leverages Azure Audit events, specifically the Azure Activity log category, to identify when an account is created or updated. This activity is significant because Azure Automation accounts can be used to automate tasks and orchestrate actions across Azure and on-premise environments. If an attacker creates an Automation account with elevated privileges, they could maintain persistence, execute malicious runbooks, and potentially escalate privileges or execute code on virtual machines, posing a significant security risk.
Show query
`azure_audit` operationName.value="Microsoft.Automation/automationAccounts/write" status.value=Succeeded
| dedup object
| rename claims.ipaddr as src, subscriptionId as vendor_account, operationName.value as signature
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest user src
vendor_account vendor_product object
object_path signature
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_automation_account_created_filter`
Azure Automation Runbook Created
The following analytic detects the creation of a new Azure Automation Runbook within an Azure tenant. It leverages Azure Audit events, specifically the Azure Activity log category, to identify when a new Runbook is created or updated. This activity is significant because adversaries with privileged access can use Runbooks to maintain persistence, escalate privileges, or execute malicious code. If confirmed malicious, this could lead to unauthorized actions such as creating Global Administrators, executing code on VMs, and compromising the entire Azure environment.
Show query
`azure_audit` operationName.value="Microsoft.Automation/automationAccounts/runbooks/write" object!=AzureAutomationTutorial* status.value=Succeeded
| dedup object
| rename claims.ipaddr as src, subscriptionId as vendor_account, operationName.value as operationName
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest user src
vendor_account vendor_product object
object_path
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_automation_runbook_created_filter`
Azure Runbook Webhook Created
The following analytic detects the creation of a new Automation Runbook Webhook within an Azure tenant. It leverages Azure Audit events, specifically the "Create or Update an Azure Automation webhook" operation, to identify this activity. This behavior is significant because Webhooks can trigger Automation Runbooks via unauthenticated URLs exposed to the Internet, posing a security risk. If confirmed malicious, an attacker could use this to execute code, create users, or maintain persistence within the environment, potentially leading to unauthorized access and control over Azure resources.
Show query
`azure_audit` operationName.value="Microsoft.Automation/automationAccounts/webhooks/write" status.value=Succeeded
| dedup object
| rename claims.ipaddr as src_ip
| rename caller as user
| stats count min(_time) as firstTime max(_time) as lastTime values(dest) as dest
BY object user, src_ip,
resourceGroupName, object_path
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_runbook_webhook_created_filter`
CHCP Command Execution
The following analytic detects the execution of the chcp.com utility, which is used to change the active code page of the console. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events. This activity is significant because it can indicate the presence of malware, such as IcedID, which uses this technique to determine the locale region, language, or country of the compromised host. If confirmed malicious, this could lead to further system compromise and data exfiltration.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name=chcp.com
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `chcp_command_execution_filter`
CMD Carry Out String Command Parameter
The following analytic detects the use of `cmd.exe /c` to execute commands, a technique often employed by adversaries and malware to run batch commands or invoke other shells like PowerShell. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. Monitoring this activity is crucial as it can indicate script-based attacks or unauthorized command execution. If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, or persistence within the environment.
Show query
| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_cmd`
AND
Processes.process IN ("*/c*", "*/k*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cmd_carry_out_string_command_parameter_filter`
CMD Echo Pipe - Escalation
The following analytic identifies the use of named-pipe impersonation for privilege escalation, commonly associated with Cobalt Strike and similar frameworks. It detects command-line executions where `cmd.exe` uses `echo` to write to a named pipe, such as `cmd.exe /c echo 4sgryt3436 > \\.\Pipe\5erg53`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant as it indicates potential privilege escalation attempts. If confirmed malicious, attackers could gain elevated privileges, enabling further compromise and persistence within the environment.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_cmd`
OR
Processes.process=*%comspec%* (Processes.process=*echo*
AND
Processes.process=*pipe*)
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cmd_echo_pipe___escalation_filter`
CMLUA Or CMSTPLUA UAC Bypass
The following analytic detects the use of COM objects like CMLUA or CMSTPLUA to bypass User Account Control (UAC). It leverages Sysmon EventCode 7 to identify the loading of specific DLLs (CMLUA.dll, CMSTPLUA.dll, CMLUAUTIL.dll) by processes not typically associated with these libraries. This activity is significant as it indicates an attempt to gain elevated privileges, a common tactic used by ransomware adversaries. If confirmed malicious, this could allow attackers to execute code with administrative rights, leading to potential system compromise and further malicious activities.
Show query
`sysmon` EventCode=7 ImageLoaded IN ("*\\CMLUA.dll", "*\\CMSTPLUA.dll", "*\\CMLUAUTIL.dll") NOT(process_name IN("CMSTP.exe", "CMMGR32.exe")) NOT(Image IN("*\\windows\\*", "*\\program files*"))
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY Image ImageLoaded dest loaded_file loaded_file_path original_file_name
process_exec process_guid process_hash process_id process_name process_path
service_dll_signature_exists service_dll_signature_verified signature signature_id
user_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cmlua_or_cmstplua_uac_bypass_filter`
CSC Net On The Fly Compilation
The following analytic detects the use of the .NET compiler csc.exe for on-the-fly compilation of potentially malicious .NET code. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns associated with csc.exe. This activity is significant because adversaries and malware often use this technique to evade detection by compiling malicious code at runtime. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE (
Processes.process_name=csc.exe
OR
Processes.original_file_name=csc.exe
)
Processes.process = "*/noconfig*" Processes.process = "*/fullpaths*" Processes.process = "*@*"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `csc_net_on_the_fly_compilation_filter`
CertUtil With Decode Argument
The following analytic detects the use of CertUtil.exe with the 'decode' argument, which may indicate an attempt to decode a previously encoded file, potentially containing malicious payloads. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving CertUtil.exe. This activity is significant because attackers often use CertUtil to decode malicious files downloaded from the internet, which are then executed to compromise the system. If confirmed malicious, this activity could lead to unauthorized code execution, further system compromise, and potential data exfiltration.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_certutil` Processes.process=*decode*
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `certutil_with_decode_argument_filter`
Check Elevated CMD using whoami
The following analytic identifies the execution of the "whoami" command with the "/group" flag, where the results are passed to the "find" command in order to look for the string "12288". This string represents the SID of the group "Mandatory Label\High Mandatory Level", effectively checking whether the current process is running as a "High" integrity process or with Administrator privileges. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant because it is commonly used by attackers, such as FIN7, to perform reconnaissance on a compromised host. If confirmed malicious, this behavior could indicate an attacker is assessing their privilege level, potentially leading to further privilege escalation or persistence within the environment.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process = "*whoami*" Processes.process = "*/group*" Processes.process = "* find *" Processes.process = "*12288*"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `check_elevated_cmd_using_whoami_filter`
Child Processes of Spoolsv exe
The following analytic identifies child processes spawned by spoolsv.exe, the Print Spooler service in Windows, which typically runs with SYSTEM privileges. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. Monitoring this activity is crucial as it can indicate exploitation attempts, such as those associated with CVE-2018-8440, which can lead to privilege escalation. If confirmed malicious, attackers could gain SYSTEM-level access, allowing them to execute arbitrary code, escalate privileges, and potentially compromise the entire system.
Show query
| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.parent_process_name=spoolsv.exe
AND
Processes.process_name!=regsvr32.exe
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `child_processes_of_spoolsv_exe_filter`
Cisco ASA - New Local User Account Created
This analytic detects creation of new user accounts on Cisco ASA devices via CLI or ASDM.
Adversaries may create unauthorized user accounts to establish persistence, maintain backdoor access, or elevate privileges on network infrastructure devices. These rogue accounts can provide attackers with continued access even after initial compromise vectors are remediated.
The detection monitors for ASA message ID 502101, which is generated whenever a new user account is created on the device, capturing details including the username, privilege level, and the administrator who created the account.
Investigate unexpected account creations, especially those with elevated privileges (level 15), accounts created outside business hours, accounts with suspicious or generic names, or accounts created by non-administrative users.
Show query
`cisco_asa`
message_id IN (502101)
| fillnull
| stats count earliest(_time) as firstTime
latest(_time) as lastTime
values(action) as action
values(message_id) as message_id
values(result) as result
values(privilege_level) as privilege_level
by host user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_asa___new_local_user_account_created_filter`
Cisco ASA - User Privilege Level Change
This analytic detects privilege level changes for user accounts on Cisco ASA devices via CLI or ASDM.
Adversaries may escalate account privileges to gain elevated access to network infrastructure, enable additional command execution capabilities, or establish higher-level persistent access. Privilege levels on Cisco ASA range from 0 (lowest) to 15 (full administrative access), with level 15 providing complete device control.
The detection monitors for ASA message ID 502103, which is generated whenever a user account's privilege level is modified, capturing both the old and new privilege levels along with the username and administrator who made the change.
Investigate unexpected privilege changes, especially escalations to level 15, substantial privilege increases (e.g., from level 1 to 15), changes performed outside business hours, changes by non-administrative users, or changes without corresponding change management tickets.
Show query
`cisco_asa`
message_id IN (502103)
| fillnull
| stats earliest(_time) as firstTime
latest(_time) as lastTime
values(action) as action
values(message_id) as message_id
values(old_privilege_level) as old_privilege_level
values(new_privilege_level) as new_privilege_level
by host user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_asa___user_privilege_level_change_filter`
Cisco IOS XE Implant Access
The following analytic identifies the potential exploitation of the Cisco IOS XE vulnerability, CVE-2023-20198, in the Web User Interface.
It monitors POST requests to the "/webui/logoutconfirm.html?logon_hash=*" endpoint using the Web datamodel.
This activity can be significant as it indicates a potential access request to the implant.
If confirmed malicious, attackers could maintain privileged access, compromising the device's integrity and security.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
FROM datamodel=Web WHERE
Web.url="*/webui/logoutconfirm.html?logon_hash=*"
Web.http_method=POST
Web.status=200
BY Web.http_user_agent Web.status Web.http_method
Web.url Web.url_length Web.src Web.dest
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_ios_xe_implant_access_filter`
Cisco IOS XE Log Clearing Sequence With Optional Loopback Removal
This analytic detects Cisco IOS-XE command sequences where show logging, clear logging, and exit occur within a short period.
It also detects the pattern where a loopback interface is removed before clearing logs and exiting.
Show query
`cisco_ios`
facility IN ("AAA", "HA_EM", "PARSER")
mnemonic IN ("AAA_ACCOUNTING_MESSAGE", "LOG", "CFGLOG_LOGGEDCMD")
message_text IN ("*show logging*", "*clear logging*", "*exit*", "*no interface Loopback*")
| eval cmd=lower(coalesce(command, message_text))
| eval event_type=case(
like(cmd, "%show logging%"), "show_logging",
like(cmd, "%clear logging%"), "clear_logging",
like(cmd, "%exit%"), "exit",
like(cmd, "%no interface loopback%"), "remove_loopback"
)
| where isnotnull(event_type)
| eval dest=coalesce(host, dvc, dest, "unknown")
| bin _time span=2m
| stats count min(_time) as firstTime
max(_time) as lastTime
values(event_type) as event_types
values(message_text) as message_text
values(cmd) as cmd
by _time dest
| where mvfind(event_types, "clear_logging") >= 0
AND
mvfind(event_types, "exit") >= 0
AND
(
mvfind(event_types, "show_logging") >= 0
OR
mvfind(event_types, "remove_loopback") >= 0
)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_ios_xe_log_clearing_sequence_with_optional_loopback_removal_filter`
Cisco Isovalent - Cron Job Creation
The following analytic detects the creation of a cron job within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for cron job creation events. This behavior is significant for a SOC as it could allow an attacker to execute malicious tasks repeatedly and automatically, posing a threat to the Kubernetes infrastructure. If confirmed malicious, this activity could lead to persistent attacks, service disruptions, or unauthorized access to sensitive information.
Show query
`cisco_isovalent_process_exec` process_name IN ("crond","cron","crontab")
| search pod_name!=""
| stats count
min(_time) as firstTime
max(_time) as lastTime
values(process) as process
by cluster_name pod_name parent_process_name process_name process_exec process_id node_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_isovalent___cron_job_creation_filter`
Cisco Isovalent - Kprobe Spike
This analytic detects excessive kernel probe (kprobe) events in a Kubernetes cluster over a short period of time.
Kprobes are a Linux kernel debugging and instrumentation mechanism that allows dynamic monitoring and tracing of kernel functions and system calls.
In containerized or cloud-native environments, kprobes are occasionally used for legitimate low-level diagnostics; however, monitoring a spike in kprobe activity is important because malware or attackers may abuse this mechanism to gain insights into the kernel, attempt privilege escalation, or tamper with host processes.
More than 10 kprobe events within 5 minutes may indicate suspicious activity, such as an attacker probing the kernel through repeated system calls (e.g., nsenter, mount, sethostname).
Such abnormal volume and frequency of kprobe usage within application pods or on nodes can signal container escape attempts or low-level tampering with the host, thereby representing a potential security threat.
Show query
`cisco_isovalent` process_kprobe.action!=""
| bin _time span=5m | rename process_kprobe.parent.pod.name as pod_name
| stats count as kprobe_count
values(process_kprobe.function_name) as functions
values(process_kprobe.process.binary) as binaries
values(process_kprobe.args{}.string_arg) as args
by pod_name _time
| where kprobe_count > 10 | `cisco_isovalent___kprobe_spike_filter`
Cisco NVM - Installation of Typosquatted Python Package
This analytic detects suspicious python package installations where the package name resembles popular Python libraries but may be typosquatted or slightly altered.
Typosquatting is a common technique used by attackers to trick users into installing malicious packages that mimic legitimate ones.
This detection leverages Cisco NVM flow telemetry and checks for the pip or poetry package managers, invoked with the "install" or "add" flags, making outbound connections to package repositories such as `pypi.org` with known or suspected typo package names.
Show query
`cisco_network_visibility_module_flowdata`
dest_hostname IN ("*.pythonhosted.org", "*pypi.org", "*python-poetry.org")
(
(process_arguments = "*pip*" process_arguments = "*install*")
OR
(process_arguments = "*poetry*" process_arguments = "*add*")
)
| rex field=process_arguments "(?i)(?:pip|poetry)[^|]*?\s+(?:install|add)\s+(?P<package_name>[^\s\"']+)$"
| lookup typo_squatted_python_packages
typosquatted_package_name as package_name
OUTPUTNEW comment package_official_url
| where isnotnull(comment)
| stats count min(_time) as firstTime max(_time) as lastTime
values(parent_process_arguments) as parent_process_arguments
values(process_arguments) as process_arguments
values(parent_process_hash) as parent_process_hash
values(process_hash) as process_hash
values(module_name_list) as module_name_list
values(module_hash_list) as module_hash_list
values(dest_port) as dest_port
values(aliul) as additional_logged_in_users_list
values(dest_hostname) as dest_hostname
by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport package_name comment package_official_url
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table firstTime lastTime src dest_hostname dest dest_port transport package_name comment package_official_url
parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
process_integrity_level process_path process_name process_arguments process_hash process_id
additional_logged_in_users_list module_name_list module_hash_list
| `cisco_nvm___installation_of_typosquatted_python_package_filter`
Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI
This analytic detects suspicious use of 'mshta.exe' or 'rundll32.exe' invoking 'mshtml.dll' or the 'RunHTMLApplication' export without including a direct HTTP/HTTPS URL in the command line.
This pattern could be associated with obfuscated script execution used by threat actors during initial access or payload staging. The absence of a visible URL may indicate attempts to evade static detections by embedding the URL via string concatenation, encoding (e.g., hex), or indirect script loaders like 'GetObject()'.
Show query
`cisco_network_visibility_module_flowdata`
(
(
process_name = "mshta.exe"
process_arguments IN ("*javascript*", "*vbscript*")
)
OR
( process_name = "rundll32.exe" AND
process_arguments = "*mshtml*" AND
process_arguments = "*RunHTMLApplication*"
)
)
NOT process_arguments IN ("*http://*", "*https://*")
| stats count min(_time) as firstTime max(_time) as lastTime
values(parent_process_arguments) as parent_process_arguments
values(process_arguments) as process_arguments
values(parent_process_hash) as parent_process_hash
values(process_hash) as process_hash
values(module_name_list) as module_name_list
values(module_hash_list) as module_hash_list
values(dest_port) as dest_port
values(aliul) as additional_logged_in_users_list
values(dest_hostname) as dest_hostname
by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table
parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
process_integrity_level process_path process_name process_arguments process_hash process_id
additional_logged_in_users_list module_name_list module_hash_list
src dest_hostname dest dest_port transport firstTime lastTime
| `cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli_filter`
Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download
This analytic detects suspicious use of `rundll32.exe` in combination with `mshtml.dll` and the export `RunHTMLApplication`.
This behavior is often observed in malware to execute JavaScript or VBScript in memory, enabling payload staging, bypassing script execution policies, and avoiding use of the "mshta.exe" binary.
The detection leverages Cisco Network Visibility Module telemetry, which offers network flow activity along with process information such as command-line arguments.
If confirmed malicious, this activity may indicate initial access or payload download.
Show query
`cisco_network_visibility_module_flowdata`
process_name = "rundll32.exe"
process_arguments = "*mshtml*"
process_arguments IN ("*135*", "*RunHTMLApplication*")
| stats count min(_time) as firstTime max(_time) as lastTime
values(parent_process_arguments) as parent_process_arguments
values(process_arguments) as process_arguments
values(parent_process_hash) as parent_process_hash
values(process_hash) as process_hash
values(module_name_list) as module_name_list
values(module_hash_list) as module_hash_list
values(dest_port) as dest_port
values(aliul) as additional_logged_in_users_list
values(dest_hostname) as dest_hostname
by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table
parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
process_integrity_level process_path process_name process_arguments process_hash process_id
additional_logged_in_users_list module_name_list module_hash_list
src dest_hostname dest dest_port transport firstTime lastTime
| `cisco_nvm___rundll32_abuse_of_mshtml_dll_for_payload_download_filter`
Cisco NVM - Susp Script From Archive Triggering Network Activity
This analytic detects script execution (`wscript.exe` or `cscript.exe`) launched from an archive opened directly in
`explorer.exe`, `winrar.exe`, or `7zFM.exe`.
When a user double-clicks a `.js` file inside such an archive, the file is first extracted to a temporary folder under `\AppData\Local\Temp\` whose name carries archiver-specific markers (the query matches `\rar`, `\7z`, or `.zip`), and the script runs from there.
It leverages Cisco Network Visibility Module (NVM) flow data to look for this specific parent/child relationship together with an initiated network connection.
This behavior has been used by threat actors such as Scarlet Goldfinch to deliver and run malicious scripts as an initial access technique.
Show query
`cisco_network_visibility_module_flowdata`
parent_process_name IN ("explorer.exe", "winrar.exe", "7zFM.exe")
process_name IN ("wscript.exe", "cscript.exe")
process_arguments = "*\\AppData\\Local\\Temp\\*"
process_arguments IN ("*\\rar*", "*\\7z*", "*.zip*")
| stats count min(_time) as firstTime max(_time) as lastTime
values(parent_process_arguments) as parent_process_arguments
values(process_arguments) as process_arguments
values(parent_process_hash) as parent_process_hash
values(process_hash) as process_hash
values(module_name_list) as module_name_list
values(module_hash_list) as module_hash_list
values(dest_port) as dest_port
values(aliul) as additional_logged_in_users_list
values(dest_hostname) as dest_hostname
by src dest parent_process_path parent_process_name parent_process_integrity_level process_path process_name process_integrity_level process_id transport
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table
parent_process_integrity_level parent_process_name parent_process_path parent_process_arguments parent_process_hash
process_integrity_level process_path process_name process_arguments process_hash process_id
additional_logged_in_users_list module_name_list module_hash_list
src dest_hostname dest dest_port transport firstTime lastTime
| `cisco_nvm___susp_script_from_archive_triggering_network_activity_filter`
Cisco Privileged Account Creation with HTTP Command Execution
This analytic correlates risk events between privileged account creation on Cisco IOS devices and HTTP requests to privileged execution paths such as `/level/15/exec/-/*`.
APT actors have been observed creating privileged accounts and then running commands on routers via HTTP GET or POST requests that target privileged execution paths.
These requests allow attackers to execute commands with the highest privilege level (15) on Cisco devices without requiring interactive SSH access.
This correlation identifies when both "Cisco IOS Suspicious Privileged Account Creation" and "Privileged Command Execution via HTTP" Snort detections fire for the same network device.
This behavior indicates an attacker leveraging the newly created account to execute commands remotely via HTTP.
Show query
| tstats `security_content_summariesonly`
min(_time) as firstTime
max(_time) as lastTime
sum(All_Risk.calculated_risk_score) as risk_score
count(All_Risk.calculated_risk_score) as risk_event_count
values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id
dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count
values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id
dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count
values(All_Risk.tag) as tag
values(source) as source
dc(source) as source_count
values(contributing_events_search)
values(All_Risk.threat_object)
from datamodel=Risk.All_Risk where
source IN (
"*Cisco IOS Suspicious Privileged Account Creation*",
"*Cisco Secure Firewall - Privileged Command Execution via HTTP*"
)
by All_Risk.normalized_risk_object
| `drop_dm_object_name(All_Risk)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where source_count >= 2
| `cisco_privileged_account_creation_with_http_command_execution_filter`
Cisco Privileged Account Creation with Suspicious SSH Activity
This analytic correlates risk events for privileged account creation on Cisco IOS devices with subsequent inbound SSH connections to non-standard ports or to the sshd_operns service.
It fires when both "Cisco IOS Suspicious Privileged Account Creation" and at least one of the SSH-related Snort detections ("SSH Connection to sshd_operns" or "SSH Connection to Non-Standard Port") have produced risk events for the same network device.
This combination is highly indicative of persistence being established after an initial compromise.
Show query
| tstats `security_content_summariesonly`
min(_time) as firstTime
max(_time) as lastTime
sum(All_Risk.calculated_risk_score) as risk_score
count(All_Risk.calculated_risk_score) as risk_event_count
values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id
dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count
values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id
dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count
values(All_Risk.tag) as tag
values(source) as source
dc(source) as source_count
values(contributing_events_search)
values(All_Risk.threat_object)
from datamodel=Risk.All_Risk where
source IN (
"*Cisco IOS Suspicious Privileged Account Creation*",
"*Cisco Secure Firewall - SSH Connection to sshd_operns*",
"*Cisco Secure Firewall - SSH Connection to Non-Standard Port*"
)
by All_Risk.normalized_risk_object
| `drop_dm_object_name(All_Risk)`
| eval has_account_creation=if(
match(source, "Cisco IOS Suspicious Privileged Account Creation"),
1, 0
)
| eval has_ssh_detection=if(
match(source, "SSH Connection to sshd_operns")
OR
match(source, "SSH Connection to Non-Standard Port"),
1, 0
)
| where has_account_creation=1
AND
has_ssh_detection=1
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_privileged_account_creation_with_suspicious_ssh_activity_filter`
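The two risk-based correlations above ("Privileged Account Creation with HTTP Command Execution" and "Privileged Account Creation with Suspicious SSH Activity") aggregate the same way but decide differently: the HTTP search relies on `dc(source) >= 2`, the SSH search on explicit `has_account_creation` / `has_ssh_detection` flags. The following Python is an added example, not part of the hunt pack, that replays both decisions over constructed risk events (the source names are those used in the searches; device names and scores are made up) and shows why the SSH search cannot use the distinct-count shortcut:

```python
"""Risk-event correlation for the two Cisco IOS privileged-account analytics above.
Added example, not part of the hunt pack; the risk events are constructed, only the
source names match the Splunk searches."""
from collections import defaultdict

ACCOUNT_CREATION = "Cisco IOS Suspicious Privileged Account Creation"
HTTP_EXEC = "Cisco Secure Firewall - Privileged Command Execution via HTTP"
SSH_OPERNS = "Cisco Secure Firewall - SSH Connection to sshd_operns"
SSH_ODD_PORT = "Cisco Secure Firewall - SSH Connection to Non-Standard Port"

# Constructed risk events: (normalized_risk_object, source, calculated_risk_score)
RISK_EVENTS = [
    ("rtr-edge-01", ACCOUNT_CREATION, 60),
    ("rtr-edge-01", HTTP_EXEC, 50),
    ("rtr-edge-02", ACCOUNT_CREATION, 60),
    ("rtr-edge-03", SSH_OPERNS, 40),
    ("rtr-edge-03", SSH_ODD_PORT, 40),
    ("rtr-core-01", ACCOUNT_CREATION, 60),
    ("rtr-core-01", SSH_ODD_PORT, 40),
]


def group_by_object(events, sources):
    """Mirror of `tstats ... where source IN (...) by All_Risk.normalized_risk_object`."""
    grouped = defaultdict(lambda: {"sources": set(), "risk_score": 0, "risk_event_count": 0})
    for obj, source, score in events:
        if source in sources:
            g = grouped[obj]
            g["sources"].add(source)
            g["risk_score"] += score
            g["risk_event_count"] += 1
    return grouped


def correlate_http_exec(events):
    """First search: only two sources are in scope, so `dc(source) >= 2` can only be
    satisfied by account creation plus HTTP command execution on the same device."""
    grouped = group_by_object(events, {ACCOUNT_CREATION, HTTP_EXEC})
    return sorted(obj for obj, g in grouped.items() if len(g["sources"]) >= 2)


def correlate_ssh(events):
    """Second search: three sources are in scope, so the explicit flags are needed to
    require account creation AND at least one SSH detection."""
    grouped = group_by_object(events, {ACCOUNT_CREATION, SSH_OPERNS, SSH_ODD_PORT})
    hits = []
    for obj, g in grouped.items():
        has_account_creation = ACCOUNT_CREATION in g["sources"]
        has_ssh_detection = bool(g["sources"] & {SSH_OPERNS, SSH_ODD_PORT})
        if has_account_creation and has_ssh_detection:
            hits.append(obj)
    return sorted(hits)


def naive_ssh_dc(events):
    """What a `dc(source) >= 2` shortcut would return for the SSH search: it also
    fires on a device with two SSH detections and no account creation at all."""
    grouped = group_by_object(events, {ACCOUNT_CREATION, SSH_OPERNS, SSH_ODD_PORT})
    return sorted(obj for obj, g in grouped.items() if len(g["sources"]) >= 2)


if __name__ == "__main__":
    print("HTTP correlation:", correlate_http_exec(RISK_EVENTS))
    print("SSH correlation:", correlate_ssh(RISK_EVENTS))
    print("SSH dc>=2 shortcut:", naive_ssh_dc(RISK_EVENTS))
```

On the constructed events, only `rtr-edge-01` satisfies the HTTP correlation and only `rtr-core-01` the SSH one; the distinct-count shortcut would additionally flag `rtr-edge-03`, which has two SSH signatures but never created an account. Keep the same discipline when adding further sources to either search.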
Cisco SA - Access to Anonymizer Services
This analytic detects attempts to access proxy-evasion or anonymizer services using Cisco Secure Access DNS and secure web proxy telemetry.
Users who reach anonymizer or proxy-evasion infrastructure are often trying to bypass corporate controls such as secure web gateway inspection, DLP monitoring, CASB visibility, and threat-detection systems. These services frequently establish encrypted tunnels that hide subsequent traffic from inspection.
Early identification helps security teams spot circumvention attempts before potential data exfiltration or follow-on malicious activity. Correlating DNS resolution and proxy session data strengthens confidence that access was intentional.
Show query
`cisco_secure_access_dns` action = "allowed" category= "*anonymizer*"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
values(domain) as domain values(query) as query
values(reply_code) as reply_code values(record_type) as record_type
by src_ip src_external_ip user identity_type action category sourcetype
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_sa___access_to_anonymizer_services_filter`
Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity
This analytic detects exploitation attempts targeting Cisco Catalyst SD-WAN Manager.
It leverages the "serviceproxy_access.log" and identifies source/host combinations that perform all key stages of the exploitation chain reported in public POCs within a one-minute window: authentication/config collection (`.dca`), upload actions (`uploadAck`), and payload-style access (`.gz/*`).
Because the search bins by one minute and groups on `_time`, a chain whose steps straddle a minute boundary is split across two bins and will not reach the three-step threshold; widen the span if you see partial sequences from the same source.
This behavior can indicate attempted exploitation of the Cisco Catalyst SD-WAN Manager vulnerabilities CVE-2026-20122 (Arbitrary File Overwrite) and CVE-2026-20128 (Information Disclosure).
Show query
`cisco_sd_wan_service_proxy_access`
| rex field=_raw "^\[.*?\]\s+\"(?<http_method>\S+)\s+(?<uri>\S+)\s+(?<http_protocol>[^\"]+)\"\s+(?<http_response_code>\S+)\s+(?<response_flags>\S+)\s+(?<bytes_in>\S+)\s+(?<bytes_out>\S+)\s+(?<duration>\S+)\s+(?<upstream_service_time>\S+)\s+\"(?<src>[^\"]+)\"\s+\"(?<http_user_agent>[^\"]+)\"\s+\"(?<x_request_id>[^\"]+)\"\s+\"(?<dest>[^\"]+)\"\s+\"(?<upstream_host>[^\"]+)\""
| rex field=uri "(?<uri_path>[^\?]+)(?<uri_query>\?.*)?"
| eval
http_response_code = tonumber(http_response_code),
bytes_in = tonumber(bytes_in),
bytes_out = tonumber(bytes_out),
duration = tonumber(duration),
upstream_service_time = if(upstream_service_time="-", null(), tonumber(upstream_service_time)),
status = http_response_code,
bytes = bytes_in + bytes_out,
http_user_agent_length = len(http_user_agent)
| search (
( http_method="POST"
uri IN (
"*/dataservice/smartLicensing/uploadAck*"
)
)
OR (
http_method="GET"
uri="*/reports/data/opt/data/containers/config/data-collection-agent/.dca*"
)
OR (uri="*.gz/*")
)
| eval uri_sequence_steps = case(
match(uri, ".*/\.dca"), "auth",
match(uri, ".*/uploadAck"), "upload",
match(uri, ".*\.gz/.*"), "payload",
true(), "other"
)
| bin _time span=1m
| stats
dc(uri_sequence_steps) as unique_uri_sequence_steps
values(uri) as uri
values(http_method) as http_method
values(http_user_agent) as http_user_agent
min(_time) as firstTime
max(_time) as lastTime
by src dest _time
| where unique_uri_sequence_steps >= 3
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| sort 0 - firstTime
| `cisco_sd_wan___arbitrary_file_overwrite_exploitation_activity_filter`
Cisco SD-WAN - Low Frequency Rogue Peer
This analytic identifies low-frequency Cisco SD-WAN control peering activity from control-connection-state-change events where "new-state:up".
It extracts "peer-type" and "peer-system-ip", groups events by these two fields, and counts how often each combination appears within the selected time window.
Combinations whose count is less than or equal to the defined threshold (currently <=3 occurrences in the search window) are flagged as rare.
Analysts should prioritize peer identities that are rarely observed in the environment, particularly those involving unexpected peer-type roles or unfamiliar peer-system-ip values.
Rare control-plane peers may indicate misconfiguration, unauthorized SD-WAN components, infrastructure drift, or potentially malicious control-plane connection attempts.
Findings might indicate the potential exploitation of CVE-2026-20127.
Note that the threshold is set to 3; it is highly recommended to adapt it to the environment (and to the search window, since a shorter window makes every peer look rarer) before deploying this search.
Show query
`cisco_sd_wan_syslog`
TERM("*control-connection-state-change*")
TERM("*new-state:up*")
TERM("*peer-system-ip:*")
TERM("*public-ip:*")
| rex field=_raw "^(?<event_timestamp>(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?|[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(?:\.\d{1,6})?(?:Z|[+-][0-9]{2}:[0-9]{2})))\s*:?"
| rex field=_raw "^(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?\s*:?\s+)(?<prefix_host>[^\s:]+)\s+\S+(?:\[\d+\])?:\s+%"
| eval dest=coalesce(prefix_host, legacy_host, device_name, host)
| rex field=_raw "new-state:(?<new_state>\S+)"
| rex field=_raw "peer-type:(?<peer_type>\S+)"
| rex field=_raw "peer-system-ip:(?<peer_system_ip>\S+)"
| rex field=_raw "public-ip:(?<public_ip>\S+)"
| rex field=_raw "public-port:(?<public_port>\d+)"
| where isnotnull(peer_type) AND isnotnull(peer_system_ip)
| stats count
values(dest) as dest
values(public_ip) as public_ips
values(public_port) as public_ports
by peer_type peer_system_ip
| where count <= 3
| sort 0 count asc
| table dest peer_type peer_system_ip public_ips
public_ports count
| `cisco_sd_wan___low_frequency_rogue_peer_filter`
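To see how the rarity logic behaves, and why the threshold has to be tuned against the window, here is the same detection in Python as an added example (not part of the hunt pack). The field regexes follow the search above; the syslog lines, hostnames, process name and IP addresses are constructed for the example and the exact Cisco SD-WAN message layout is an assumption:

```python
"""Rare SD-WAN control-plane peer detector. Added example, not part of the hunt pack;
the syslog lines below are constructed to carry the fields the search extracts
(peer-type, peer-system-ip, public-ip, public-port, new-state)."""
import re
from collections import defaultdict

# Constructed sample lines; the "vdaemon[...]" and "%VIPTELA-..." parts are assumed layout.
SAMPLE_SYSLOG = """\
Mar  3 10:01:12 vedge-01 vdaemon[1122]: %VIPTELA-5-control-connection-state-change: peer-type:vsmart peer-system-ip:10.1.1.1 public-ip:198.51.100.10 public-port:12346 new-state:up
Mar  3 10:01:15 vedge-02 vdaemon[1122]: %VIPTELA-5-control-connection-state-change: peer-type:vsmart peer-system-ip:10.1.1.1 public-ip:198.51.100.10 public-port:12346 new-state:up
Mar  3 10:02:40 vedge-03 vdaemon[1122]: %VIPTELA-5-control-connection-state-change: peer-type:vsmart peer-system-ip:10.1.1.1 public-ip:198.51.100.10 public-port:12346 new-state:up
Mar  3 10:03:01 vedge-04 vdaemon[1122]: %VIPTELA-5-control-connection-state-change: peer-type:vsmart peer-system-ip:10.1.1.1 public-ip:198.51.100.10 public-port:12346 new-state:up
Mar  3 10:05:22 vedge-01 vdaemon[1122]: %VIPTELA-5-control-connection-state-change: peer-type:vmanage peer-system-ip:10.1.1.2 public-ip:198.51.100.20 public-port:12346 new-state:up
Mar  3 10:05:30 vedge-01 vdaemon[1122]: %VIPTELA-5-control-connection-state-change: peer-type:vsmart peer-system-ip:10.1.1.1 public-ip:198.51.100.10 public-port:12346 new-state:down
Mar  3 11:40:07 vedge-02 vdaemon[1122]: %VIPTELA-5-control-connection-state-change: peer-type:vmanage peer-system-ip:10.200.9.9 public-ip:203.0.113.77 public-port:12446 new-state:up
"""

# Same pre-filter as the four TERM() clauses in the search.
LINE_FILTER = ("control-connection-state-change", "new-state:up", "peer-system-ip:", "public-ip:")
# The search's prefix_host regex, with Python named-group syntax.
HOST_RE = re.compile(
    r"^(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?\s*:?\s+)"
    r"(?P<prefix_host>[^\s:]+)\s+\S+(?:\[\d+\])?:\s+%"
)
FIELD_RES = {
    "new_state": re.compile(r"new-state:(\S+)"),
    "peer_type": re.compile(r"peer-type:(\S+)"),
    "peer_system_ip": re.compile(r"peer-system-ip:(\S+)"),
    "public_ip": re.compile(r"public-ip:(\S+)"),
    "public_port": re.compile(r"public-port:(\d+)"),
}


def parse_event(line):
    """Return the triage fields for one syslog line, or None if it is not an up-transition
    with both peer-type and peer-system-ip present (the search's `where isnotnull(...)`)."""
    if not all(term in line for term in LINE_FILTER):
        return None
    fields = {}
    for name, rx in FIELD_RES.items():
        m = rx.search(line)
        fields[name] = m.group(1) if m else None
    if fields["peer_type"] is None or fields["peer_system_ip"] is None:
        return None
    m = HOST_RE.match(line)
    fields["dest"] = m.group("prefix_host") if m else "unknown"
    return fields


def rare_peers(lines, threshold=3):
    """Group up-transitions by (peer_type, peer_system_ip) and return the combinations
    seen at most `threshold` times, rarest first, with the same columns as the search."""
    groups = defaultdict(lambda: {"count": 0, "dest": set(), "public_ips": set(), "public_ports": set()})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        g = groups[(ev["peer_type"], ev["peer_system_ip"])]
        g["count"] += 1
        g["dest"].add(ev["dest"])
        g["public_ips"].add(ev["public_ip"])
        g["public_ports"].add(ev["public_port"])
    rows = [
        {"peer_type": pt, "peer_system_ip": ip, "count": g["count"],
         "dest": sorted(g["dest"]), "public_ips": sorted(g["public_ips"]),
         "public_ports": sorted(g["public_ports"])}
        for (pt, ip), g in groups.items() if g["count"] <= threshold
    ]
    return sorted(rows, key=lambda r: r["count"])


if __name__ == "__main__":
    for row in rare_peers(SAMPLE_SYSLOG.splitlines()):
        print(row)
```

With the default threshold the sample yields two rows, both `peer-type:vmanage` with a single occurrence: the expected manager at 10.1.1.2 and a second manager identity at 10.200.9.9 reachable via 203.0.113.77 on a port nobody else uses. The first is noise caused by a short window, the second is the finding; the search cannot tell them apart, which is why the output has to be checked against the device inventory rather than alerted on directly.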
Cisco SD-WAN - Peering Activity
This analytic detects Cisco SD-WAN `control-connection-state-change` events where a control connection transitions to the `up` state.
It extracts and highlights key triage fields including `peer-type`, `peer-system-ip`, `public-ip`, and `public-port`.
Analysts should manually validate whether the `peer-system-ip` matches the expected SD-WAN addressing schema and
device inventory, whether the event timing aligns with known operational activity (maintenance, failover, or
planned changes), and whether the `public-ip` is an expected source for control peering in the environment.
Treat `peer-type:vmanage` events with higher scrutiny, especially when peer or source IP values are previously
unseen.
Show query
`cisco_sd_wan_syslog`
TERM("*control-connection-state-change*")
TERM("*peer-system-ip:*")
TERM("*public-ip:*")
TERM("*new-state:up*")
| rex field=_raw "^(?<event_timestamp>(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?|[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(?:\.\d{1,6})?(?:Z|[+-][0-9]{2}:[0-9]{2})))\s*:?"
| rex field=_raw "^(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?\s*:?\s+)(?<prefix_host>[^\s:]+)\s+\S+(?:\[\d+\])?:\s+%"
| eval dest=coalesce(prefix_host, legacy_host, device_name, host)
| rex field=_raw "new-state:(?<new_state>\S+)"
| rex field=_raw "peer-type:(?<peer_type>\S+)"
| rex field=_raw "peer-system-ip:(?<peer_system_ip>\S+)"
| rex field=_raw "public-ip:(?<public_ip>\S+)"
| rex field=_raw "public-port:(?<public_port>\d+)"
| where isnotnull(peer_type) AND isnotnull(peer_system_ip)
| stats count max(event_timestamp) as event_time
values(public_ip) as public_ips
values(public_port) as public_ports
by peer_type peer_system_ip dest new_state
| table event_time dest peer_type peer_system_ip
public_ips public_ports count
| `cisco_sd_wan___peering_activity_filter`
Cisco Secure Firewall - Connection to File Sharing Domain
The following analytic detects outbound connections to commonly abused file sharing and pastebin-style hosting domains. It leverages Cisco Secure Firewall Threat Defense logs and focuses on allowed connections (action=Allow) where the url field matches a list of known data hosting or temporary storage services. While many of these platforms serve legitimate purposes, they are frequently leveraged by adversaries for malware delivery, data exfiltration, command and control (C2) beacons, or staging of encoded payloads. This analytic is valuable for identifying potential abuse of legitimate infrastructure as part of an attacker's kill chain. If confirmed malicious, this activity may indicate tool staging, credential dumping, or outbound data leaks over HTTP(S).
Show query
`cisco_secure_firewall` action IN ("Trust", "Allow", "allowed") EventType=ConnectionEvent url IN ("*//objects.githubusercontent.com*", "*anonfiles.com*", "*cdn.discordapp.com*", "*ddns.net*", "*dl.dropboxusercontent.com*", "*ghostbin.co*", "*glitch.me*", "*gofile.io*", "*hastebin.com*", "*mediafire.com*", "*mega.nz*", "*onrender.com*", "*pages.dev*", "*paste.ee*", "*pastebin.com*", "*pastebin.pl*", "*pastetext.net*", "*privatlab.com*", "*privatlab.net*", "*send.exploit.in*", "*sendspace.com*", "*storage.googleapis.com*", "*storjshare.io*", "*supabase.co*", "*temp.sh*", "*transfer.sh*", "*trycloudflare.com*", "*ufile.io*", "*w3spaces.com*", "*workers.dev*")
| stats count min(_time) as firstTime max(_time) as lastTime
Values(src_port) as src_port
Values(dest) as dest
Values(dest_port) as dest_port
Values(rule) as rule
Values(url) as url
Values(EVE_Process) as EVE_Process
by src, transport, action
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___connection_to_file_sharing_domain_filter`
Cisco Secure Firewall - Oracle E-Business Suite Correlation
This correlation rule identifies potential exploitation attempts of Oracle E-Business Suite vulnerabilities (CVE-2025-61882 and CVE-2025-61884) by correlating multiple intrusion signatures from Cisco Secure Firewall Threat Defense logs.
The detection looks for specific signatures that indicate attempts to exploit the TemplatePreview functionality and vulnerable SyncServlet endpoints as well as post compromise activity involving Cl0p.
By correlating these signatures, the analytic aims to identify coordinated exploitation attempts that may indicate an attacker is targeting Oracle E-Business Suite installations.
Note that the two explicit branches of the `where` clause each require two distinct signature IDs, so the final `unique_signature_count >= 2` branch already covers them: in practice any two distinct signatures from the list seen for the same src/dest pair within one five-minute bin raise the alert, including two post-compromise Cl0p signatures without a preceding exploitation probe.
Security teams should investigate any instances of these correlated signatures, especially if they are found in conjunction with other suspicious network activity or on systems that should not be exposed to such threats.
Show query
`cisco_secure_firewall` EventType=IntrusionEvent signature_id IN (65454, 65455, 65377, 65378, 65413, 65414, 65415, 65456)
| bin _time span=5m
| fillnull
| stats dc(signature_id) as unique_signature_count
values(signature_id) as signature_id
values(signature) as signature
values(class_desc) as class_desc
values(MitreAttackGroups) as MitreAttackGroups
values(InlineResult) as InlineResult
values(InlineResultReason) as InlineResultReason
values(dest_port) as dest_port
values(rule) as rule
values(transport) as transport
values(app) as app
min(_time) as firstTime
max(_time) as lastTime
sum(eval(signature_id==65454)) as sig_template_preview
sum(eval(signature_id==65455)) as sig_sync_servlet
sum(eval(signature_id IN (65377,65378,65413,65414,65415,65456))) as sig_exploit_activity
by src dest
| where (
(
sig_exploit_activity >= 1
AND
(
sig_template_preview >= 1
OR
sig_sync_servlet >= 1
)
)
OR
(
sig_template_preview >= 1
AND
sig_sync_servlet >= 1
)
OR
unique_signature_count >= 2
)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___oracle_e_business_suite_correlation_filter`
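The following Python replays the correlation above over constructed intrusion events, as an added example that is not part of the hunt pack: the signature IDs and the `where` clause come from the search, the timestamps, addresses and event mix are made up. It also checks exhaustively, over every possible combination of in-scope signatures, that the clause reduces to "two distinct signature IDs in one bin":

```python
"""Five-minute correlation of the Oracle E-Business Suite Snort signatures used by the
search above. Added example, not part of the hunt pack: signature IDs and where-clause
logic are from the page, the IntrusionEvent records are constructed."""
from collections import defaultdict
from itertools import combinations

TEMPLATE_PREVIEW = {65454}
SYNC_SERVLET = {65455}
EXPLOIT_ACTIVITY = {65377, 65378, 65413, 65414, 65415, 65456}
IN_SCOPE = TEMPLATE_PREVIEW | SYNC_SERVLET | EXPLOIT_ACTIVITY
SPAN = 300  # `bin _time span=5m`

BASE = 1_700_000_100  # constructed epoch seconds; a multiple of 300, so it opens a bin
# Constructed IntrusionEvent records: (epoch seconds, src, dest, signature_id)
EVENTS = [
    (BASE + 0,   "203.0.113.5",  "10.0.0.8", 65454),  # TemplatePreview probe
    (BASE + 90,  "203.0.113.5",  "10.0.0.8", 65455),  # SyncServlet probe, same bin
    (BASE + 400, "203.0.113.5",  "10.0.0.8", 65413),  # Cl0p payload download, next bin, alone
    (BASE + 10,  "198.51.100.9", "10.0.0.8", 65454),  # a single probe
    (BASE + 30,  "198.51.100.9", "10.0.0.8", 65369),  # out of scope, dropped by the base search
    (BASE + 20,  "192.0.2.44",   "10.0.0.9", 65456),  # exploit attempt
    (BASE + 200, "192.0.2.44",   "10.0.0.9", 65414),  # Cl0p C2 attempt, same bin
]


def page_condition(sids):
    """The search's `where` clause over the signature IDs seen in one bin. The search
    uses sum(eval(...)) event counts; only `>= 1` is tested, so a set is equivalent."""
    sig_template_preview = len(sids & TEMPLATE_PREVIEW)
    sig_sync_servlet = len(sids & SYNC_SERVLET)
    sig_exploit_activity = len(sids & EXPLOIT_ACTIVITY)
    return (
        (sig_exploit_activity >= 1 and (sig_template_preview >= 1 or sig_sync_servlet >= 1))
        or (sig_template_preview >= 1 and sig_sync_servlet >= 1)
        or len(sids) >= 2  # unique_signature_count >= 2
    )


def correlate(events):
    """Group in-scope events by (5m bin, src, dest) and keep the bins that satisfy the clause."""
    buckets = defaultdict(set)
    for ts, src, dest, sid in events:
        if sid in IN_SCOPE:
            buckets[(ts - ts % SPAN, src, dest)].add(sid)
    return sorted(
        (t, src, dest, sorted(sids))
        for (t, src, dest), sids in buckets.items()
        if page_condition(sids)
    )


def clause_collapses_to_distinct_count():
    """Exhaustive check over all 2**8 subsets of in-scope IDs: the first two branches
    each need two distinct IDs, so the clause equals dc(signature_id) >= 2."""
    ids = sorted(IN_SCOPE)
    for n in range(len(ids) + 1):
        for subset in combinations(ids, n):
            sids = set(subset)
            if page_condition(sids) != (len(sids) >= 2):
                return False
    return True


if __name__ == "__main__":
    for hit in correlate(EVENTS):
        print(hit)
    print("clause == dc(signature_id) >= 2:", clause_collapses_to_distinct_count())
```

Two bins alert: 203.0.113.5 for the probe pair, and 192.0.2.44 for an exploit attempt followed by a C2 attempt, a case only the `unique_signature_count >= 2` branch catches. The Cl0p payload download from 203.0.113.5 four hundred seconds later lands in the next bin on its own and is not correlated with the probes, so pivot on `src`/`dest` across bins during triage rather than trusting a single alert to carry the whole chain.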
Cisco Secure Firewall - Oracle E-Business Suite Exploitation
This analytic detects vulnerability exploitation and post-compromise activity associated with Oracle E-Business Suite web-application vulnerabilities, CVE-2025-61882 and CVE-2025-61884.
SIDs 65413-65415 detect Java.Backdoor.Cl0p variant payload downloads and Java.Backdoor.Cl0p outbound command-and-control connection attempts.
SIDs 65456, 65377 and 65378 detect attempts to exploit these vulnerabilities.
Security teams should investigate any instances of these signatures, especially if they are found in conjunction with other suspicious network activity or on systems that should not be exposed to such threats.
Show query
`cisco_secure_firewall`
EventType=IntrusionEvent
signature_id IN (65377, 65378, 65413, 65414, 65415, 65456)
| fillnull
| stats values(signature_id) as signature_id
values(signature) as signature
values(class_desc) as class_desc
values(MitreAttackGroups) as MitreAttackGroups
values(InlineResult) as InlineResult
values(InlineResultReason) as InlineResultReason
values(dest_port) as dest_port
values(rule) as rule
values(transport) as transport
values(app) as app
min(_time) as firstTime
max(_time) as lastTime
by src dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___oracle_e_business_suite_exploitation_filter`
Cisco Secure Firewall - React Server Components RCE Attempt
This analytic detects exploitation activity of CVE-2025-55182 using Cisco Secure Firewall Intrusion Events.
It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signature 65554 (React Server Components remote code execution attempt) is triggered.
If confirmed malicious, this behavior could be indicative of a potential exploitation of CVE-2025-55182.
Show query
`cisco_secure_firewall`
EventType=IntrusionEvent
signature_id = 65554
| fillnull
| stats min(_time) as firstTime
max(_time) as lastTime
values(signature_id) as signature_id
values(signature) as signature
values(class_desc) as class_desc
values(MitreAttackGroups) as MitreAttackGroups
values(InlineResult) as InlineResult
values(InlineResultReason) as InlineResultReason
values(src) as src
values(dest_port) as dest_port
values(rule) as rule
values(transport) as transport
values(app) as app
by dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___react_server_components_rce_attempt_filter`
Cisco Secure Firewall - Remote Access Software Usage Traffic
The following analytic detects network traffic associated with known remote access software applications
that are covered by Cisco Secure Firewall Application Detectors, such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer.
It leverages Cisco Secure Firewall Threat Defense Connection Events, joined against the `cisco_secure_firewall_appid_remote_mgmt_and_desktop_tools` lookup to keep only the "remote administration" and "remote desktop control" categories.
This activity is significant because adversaries often use remote access tools to maintain unauthorized access to compromised environments.
If confirmed malicious, this activity could allow attackers to control systems remotely, exfiltrate
data, or deploy additional malware, posing a severe threat to the organization's security.
Show query
`cisco_secure_firewall` EventType=ConnectionEvent
| stats min(_time) as firstTime max(_time) as lastTime
values(dest_port) as dest_port
values(dest) as dest
values(transport) as transport
values(url) as url
values(rule) as rule
count by src ClientApplication action
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| lookup cisco_secure_firewall_appid_remote_mgmt_and_desktop_tools appName AS ClientApplication OUTPUT category, appDescription as Description
| search category IN ("remote administration", "remote desktop control")
| `remote_access_software_usage_exceptions`
| `cisco_secure_firewall___remote_access_software_usage_traffic_filter`
Cisco Secure Firewall - SSH Connection to Non-Standard Port
This analytic detects inbound SSH connections to non-standard ports on network devices using Cisco Secure Firewall Intrusion Events. APT actors have been observed enabling SSH servers on high, non-default TCP ports to maintain encrypted remote access to compromised network infrastructure.
This detection leverages Snort signature 65369 to identify SSH protocol traffic on unusual ports, which may indicate persistence mechanisms or backdoor access established by threat actors.
Show query
`cisco_secure_firewall`
EventType=IntrusionEvent
signature_id=65369
| fillnull
| stats dc(signature_id) as unique_signature_count
values(signature_id) as signature_id
values(signature) as signature
values(class_desc) as class_desc
values(MitreAttackGroups) as MitreAttackGroups
values(InlineResult) as InlineResult
values(InlineResultReason) as InlineResultReason
values(src) as src
values(dest_port) as dest_port
values(rule) as rule
values(transport) as transport
values(app) as app
min(_time) as firstTime
max(_time) as lastTime
by dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___ssh_connection_to_non_standard_port_filter`
Cisco Secure Firewall - SSH Connection to sshd_operns
This analytic detects inbound SSH connections to the sshd_operns service on network devices using Cisco Secure Firewall Intrusion Events.
APT actors have been observed enabling sshd_operns and opening it on non-standard ports to maintain encrypted remote access to compromised network infrastructure.
This detection leverages Snort signature 65368 to identify connections to this service, which when combined with other indicators may signal persistent access mechanisms established by threat actors.
Show query
`cisco_secure_firewall`
EventType=IntrusionEvent
signature_id=65368
| fillnull
| stats dc(signature_id) as unique_signature_count
values(signature_id) as signature_id
values(signature) as signature
values(class_desc) as class_desc
values(MitreAttackGroups) as MitreAttackGroups
values(InlineResult) as InlineResult
values(InlineResultReason) as InlineResultReason
values(src) as src
values(dest_port) as dest_port
values(rule) as rule
values(transport) as transport
values(app) as app
min(_time) as firstTime
max(_time) as lastTime
by dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___ssh_connection_to_sshd_operns_filter`
Cisco Secure Firewall - Wget or Curl Download
The following analytic detects outbound connections initiated by command-line tools such as curl or wget. It leverages Cisco Secure Firewall Threat Defense logs and identifies allowed connections (action=Allow) where either the EVE_Process or ClientApplication fields indicate use of these utilities. While curl and wget are legitimate tools commonly used for software updates and scripting, adversaries often abuse them to download payloads, retrieve additional tools, or establish staging infrastructure from compromised systems. If confirmed malicious, this behavior may indicate the download phase of an attack chain or a command-and-control utility retrieval.
Show query
`cisco_secure_firewall` EventType=ConnectionEvent action IN ("Trust", "Allow", "allowed") AND
( EVE_Process IN ("*curl*", "*wget*") OR ClientApplication IN ("cURL", "Wget") )
| stats count min(_time) as firstTime max(_time) as lastTime
Values(rule) as rule
Values(url) as url
Values(dest_port) as dest_port
Values(ClientApplicationVersion) as ClientApplicationVersion
Values(src_port) as src_port
by src, dest, transport, EVE_Process, ClientApplication, action
| table src src_port dest dest_port transport url EVE_Process ClientApplication ClientApplicationVersion rule firstTime lastTime
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___wget_or_curl_download_filter`
Cisco Smart Install Oversized Packet Detection
This analytic detects oversized Cisco Smart Install (SMI) protocol messages by inspecting traffic to TCP port 4786
within the Network_Traffic data model. Abnormally large SMI payloads have been associated with exploitation and
protocol abuse (e.g., CVE-2018-0171; activity reported by the "Static Tundra" threat actor). Monitoring message
sizes over time can help identify possible attempts at remote code execution, denial of service, or reconnaissance
against Cisco devices exposing Smart Install.
Note that the search thresholds `All_Traffic.bytes`, which in the data model is the total byte count of the flow as reported by the source rather than the size of a single packet, so the "medium", "high" and "critical" tiers describe flow size; validate them against what your sensor actually reports before relying on the severity.
Show query
| tstats `security_content_summariesonly`
avg(All_Traffic.packets) as avg_packets,
max(All_Traffic.bytes) as max_bytes
from datamodel=Network_Traffic
where All_Traffic.dest_port=4786 AND All_Traffic.transport=tcp
by All_Traffic.src_ip, All_Traffic.dest_ip, _time span=1h
| `drop_dm_object_name("All_Traffic")`
| where max_bytes > 500
| eval severity=case(max_bytes>1400, "critical", max_bytes>1000, "high", 1=1, "medium")
| `cisco_smart_install_oversized_packet_detection_filter`
Cisco Smart Install Port Discovery and Status
This analytic detects network traffic to TCP port 4786, which is used by the Cisco Smart Install protocol. Smart Install is a plug-and-play configuration and image-management feature that helps customers to deploy Cisco switches. This protocol has been exploited via CVE-2018-0171, a vulnerability that allows unauthenticated remote attackers to execute arbitrary code or cause denial of service conditions. Recently, Cisco Talos reported that a Russian state-sponsored threat actor called "Static Tundra" has been actively exploiting this vulnerability to compromise unpatched and end-of-life network devices. Monitoring for traffic to this port can help identify potential exploitation attempts or unauthorized Smart Install activity.
Show query
| tstats `security_content_summariesonly` count values(All_Traffic.src_ip) as src_ip values(All_Traffic.src_port) as src_port values(All_Traffic.dest_ip) as dest_ip earliest(_time) as firstTime latest(_time) as lastTime FROM datamodel=Network_Traffic
WHERE All_Traffic.dest_port=4786
AND
All_Traffic.transport=tcp
BY All_Traffic.dest_ip All_Traffic.dest_port
| `drop_dm_object_name("All_Traffic")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_smart_install_port_discovery_and_status_filter`
Citrix ADC Exploitation CVE-2023-3519
The following analytic identifies potential exploitation attempts against Citrix ADC related to CVE-2023-3519. It detects POST requests to specific web endpoints associated with this vulnerability by leveraging the Web datamodel.
This activity is significant as CVE-2023-3519 involves a SAML processing overflow issue that can lead to memory corruption, posing a high risk.
If confirmed malicious, attackers could exploit this to execute arbitrary code, escalate privileges, or disrupt services, making it crucial for SOC analysts to monitor and investigate these alerts promptly.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
FROM datamodel=Web WHERE
Web.http_method=POST
Web.url IN (
"*/cgi/logout",
"*/saml/activelogin",
"*/saml/login",
"/cgi/samlart?samlart=*",
"/cgi/samlauth",
"/gwtest/formssso?event=start&target=*",
"/netscaler/ns_gui/vpn/*"
)
BY Web.http_user_agent, Web.status
Web.http_method Web.url Web.url_length
Web.src Web.dest
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `citrix_adc_exploitation_cve_2023_3519_filter`
Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure
This detection identifies potential exploitation attempts of CVE-2025-5777 (CitrixBleed 2), a memory disclosure vulnerability in Citrix NetScaler ADC and Gateway.
The vulnerability is triggered by sending POST requests with incomplete form data to the /p/u/doAuthentication.do endpoint, causing the device to leak memory contents including session tokens and authentication materials.
This search looks for POST requests to the vulnerable endpoint that may indicate scanning or exploitation attempts.
Show query
| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where
Web.url IN ("*/p/u/doAuthentication.do*")
Web.http_method="POST"
Web.status=200
by Web.http_user_agent, Web.status, Web.http_method,
Web.url, Web.url_length, Web.src, Web.dest, sourcetype
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `citrix_adc_and_gateway_citrixbleed_2_memory_disclosure_filter`
Citrix ADC and Gateway Unauthorized Data Disclosure
The following analytic detects attempts to exploit the Citrix Bleed vulnerability (CVE-2023-4966), which can lead to the leaking of session tokens. It identifies HTTP requests with a 200 status code targeting the /oauth/idp/.well-known/openid-configuration URL endpoint. By parsing web traffic and filtering based on user agent details, HTTP method, source and destination IPs, and sourcetype, it aims to identify potentially malicious requests. This activity is significant for a SOC because successful exploitation can allow attackers to impersonate legitimate users, bypass authentication, and access sensitive data. If confirmed malicious, it could lead to unauthorized data access, network propagation, and critical information exfiltration.
Show query
| tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
WHERE Web.url IN ("*/oauth/idp/.well-known/openid-configuration*") Web.status=200
BY Web.http_user_agent, Web.status, Web.http_method,
Web.url, Web.url_length, Web.src,
Web.dest, sourcetype
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `citrix_adc_and_gateway_unauthorized_data_disclosure_filter`
Citrix ShareFile Exploitation CVE-2023-24489
The following analytic detects potentially malicious file upload attempts against Citrix ShareFile storage zones controllers via suspicious URLs and the HTTP POST method. It leverages the Web data model to identify requests to "/documentum/upload.aspx?" that carry a parentid, filename or uploadId parameter together with an unzip or raw parameter, combined with the HTTP POST method. This activity is significant for a SOC because CVE-2023-24489 allows an unauthenticated attacker to upload arbitrary files through this endpoint, potentially compromising the storage zones controller host. If confirmed malicious, this could lead to remote code execution on the controller, unauthorized access to stored files, data breaches, and operational disruption.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
FROM datamodel=Web WHERE
Web.url="*/documentum/upload.aspx?*"
Web.url IN (
"*parentid=*",
"*filename=*",
"*uploadId=*"
)
Web.url IN (
"*unzip=*",
"*raw=*"
)
Web.http_method=POST
BY Web.http_user_agent Web.status Web.http_method
Web.url Web.url_length Web.src Web.dest
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `citrix_sharefile_exploitation_cve_2023_24489_filter`
Clear Unallocated Sector Using Cipher App
The following analytic detects the execution of `cipher.exe` with the `/w:` flag, which overwrites the free (deallocated) space on the volume holding the given path. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line arguments, and parent processes. This activity is significant because ransomware operators use it after deleting backups or staging files so that the deleted data cannot be carved from disk; live files are not touched. Administrators also run `cipher /w` legitimately when decommissioning systems, so the parent process, the user and the timing relative to other deletion or encryption activity are what separate the two. If confirmed malicious, this action hinders incident response by making deleted evidence and data unrecoverable, complicating investigation and remediation.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name = "cipher.exe" Processes.process = "*/w:*"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `clear_unallocated_sector_using_cipher_app_filter`
Cloud API Calls From Previously Unseen User Roles
The following analytic detects cloud API calls executed by user roles that have not previously run those commands. It leverages the Change data model to find successful commands executed by principals with a user_type of AssumedRole and compares each (user, command) pair against the previously_seen_cloud_api_calls_per_user_role lookup, which the accompanying baseline search must populate; the enough_data check suppresses results until the baseline covers enough history, otherwise every role would look new. This activity is significant because a role suddenly issuing commands it has never issued before (for example an automation role creating IAM users) can indicate a compromised credential or abuse of an over-permissioned role. If confirmed malicious, this behavior could lead to unauthorized access, data breaches, or persistence established through newly exercised permissions.
Show query
| tstats earliest(_time) as firstTime, latest(_time) as lastTime FROM datamodel=Change
WHERE All_Changes.user_type=AssumedRole
AND
All_Changes.status=success
BY All_Changes.user, All_Changes.command All_Changes.object
| `drop_dm_object_name("All_Changes")`
| lookup previously_seen_cloud_api_calls_per_user_role user as user, command as command OUTPUT firstTimeSeen, enough_data
| eventstats max(enough_data) as enough_data
| where enough_data=1
| eval firstTimeSeenUserApiCall=min(firstTimeSeen)
| where isnull(firstTimeSeenUserApiCall) OR firstTimeSeenUserApiCall > relative_time(now(),"-24h@h")
| table firstTime, user, object, command
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cloud_api_calls_from_previously_unseen_user_roles_filter`
Cloud Compute Instance Created By Previously Unseen User
The following analytic identifies the creation of cloud compute instances by users who have not previously created them. It leverages data from the Change data model, focusing on 'create' actions by users, and cross-references with a baseline of known user activities. This activity is significant as it may indicate unauthorized access or misuse of cloud resources by new or compromised accounts. If confirmed malicious, attackers could deploy unauthorized compute instances, leading to potential data exfiltration, increased costs, or further exploitation within the cloud environment.
Show query
| tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object) as dest FROM datamodel=Change
WHERE All_Changes.action=created
BY All_Changes.user All_Changes.vendor_region
| `drop_dm_object_name("All_Changes")`
| lookup previously_seen_cloud_compute_creations_by_user user as user OUTPUTNEW firstTimeSeen, enough_data
| eventstats max(enough_data) as enough_data
| where enough_data=1
| eval firstTimeSeenUser=min(firstTimeSeen)
| where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), "-24h@h")
| table firstTime, user, dest, count vendor_region
| `security_content_ctime(firstTime)`
| `cloud_compute_instance_created_by_previously_unseen_user_filter`
Cloud Instance Modified By Previously Unseen User
The following analytic identifies cloud instances being modified by users who have not previously modified them. It leverages data from the Change data model, focusing on successful modifications of EC2 instances. This activity is significant because it can indicate unauthorized or suspicious changes by potentially compromised or malicious users. If confirmed malicious, this could lead to unauthorized access, configuration changes, or potential disruption of cloud services, posing a significant risk to the organization's cloud infrastructure.
Show query
| tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as object_id values(All_Changes.command) as command FROM datamodel=Change
WHERE All_Changes.action=modified All_Changes.change_type=EC2 All_Changes.status=success
BY All_Changes.user
| `drop_dm_object_name("All_Changes")`
| lookup previously_seen_cloud_instance_modifications_by_user user as user OUTPUTNEW firstTimeSeen, enough_data
| eventstats max(enough_data) as enough_data
| where enough_data=1
| eval firstTimeSeenUser=min(firstTimeSeen)
| where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), "-24h@h")
| table firstTime user command object_id count
| `security_content_ctime(firstTime)`
| `cloud_instance_modified_by_previously_unseen_user_filter`
Cloud Provisioning Activity From Previously Unseen City
The following analytic detects cloud provisioning activities originating from previously unseen cities. It leverages cloud infrastructure logs and compares the geographic location of the source IP address against a baseline of known locations. This activity is significant as it may indicate unauthorized access or misuse of cloud resources from an unexpected location. If confirmed malicious, this could lead to unauthorized resource creation, potential data exfiltration, or further compromise of cloud infrastructure.
Show query
| tstats earliest(_time) as firstTime, latest(_time) as lastTime FROM datamodel=Change
WHERE (
All_Changes.action=started
OR
All_Changes.action=created
)
All_Changes.status=success
BY All_Changes.src, All_Changes.user, All_Changes.object,
All_Changes.command
| `drop_dm_object_name("All_Changes")`
| iplocation src
| where isnotnull(City)
| lookup previously_seen_cloud_provisioning_activity_sources City as City OUTPUT firstTimeSeen, enough_data
| eventstats max(enough_data) as enough_data
| where enough_data=1
| eval firstTimeSeenCity=min(firstTimeSeen)
| where isnull(firstTimeSeenCity) OR firstTimeSeenCity > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`)
| `security_content_ctime(firstTime)`
| table firstTime, src, City, user, object, command
| `cloud_provisioning_activity_from_previously_unseen_city_filter`
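The four Cloud searches above (API calls per user role, compute instance creation by user, instance modification by user, and provisioning from a new City) share one mechanism: a lookup of previously seen keys holding firstTimeSeen and an enough_data flag, and a detection that fires when the key is absent from the lookup or was first seen inside the last 24 hours. The block below is an added example, not code from the hunt pack or from Splunk, that reduces that pattern to its core in Python so both halves can be run over constructed CloudTrail-style events: `build_baseline` plays the role of the scheduled baseline search that fills the lookup, and `find_previously_unseen` is the `isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), "-24h@h")` half. Role names, object ids and timestamps are constructed, and the key fields are a parameter so the same code covers the per-role, per-user and per-City variants.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed "now" so the run is reproducible.
NOW = datetime(2025, 6, 17, 12, 0, tzinfo=timezone.utc)


def ago(**kw) -> datetime:
    return NOW - timedelta(**kw)


# Constructed events already normalised to Change-model fields (hypothetical role and object names).
EVENTS = [
    {"time": ago(days=14), "user": "deploy-role", "command": "RunInstances", "object": "i-0a1", "status": "success"},
    {"time": ago(days=13), "user": "deploy-role", "command": "DescribeInstances", "object": "i-0a1", "status": "success"},
    {"time": ago(days=10), "user": "deploy-role", "command": "RunInstances", "object": "i-0b2", "status": "success"},
    {"time": ago(days=3), "user": "backup-role", "command": "DescribeSnapshots", "object": "snap-1", "status": "success"},
    {"time": ago(hours=18), "user": "ci-role", "command": "PutObject", "object": "s3://artifacts", "status": "success"},
    {"time": ago(hours=1), "user": "ci-role", "command": "PutObject", "object": "s3://artifacts", "status": "success"},
    {"time": ago(minutes=45), "user": "deploy-role", "command": "RunInstances", "object": "i-0c3", "status": "success"},
    {"time": ago(minutes=30), "user": "backup-role", "command": "CreateUser", "object": "svc-admin", "status": "success"},
    {"time": ago(minutes=20), "user": "backup-role", "command": "CreateUser", "object": "svc-admin", "status": "failure"},
]


@dataclass
class Baseline:
    """Mirror of a previously_seen_* lookup: firstTimeSeen per key, plus the enough_data flag."""
    first_seen: dict[tuple, datetime]
    enough_data: bool


def build_baseline(events, key_fields, *, built_at, min_history=timedelta(days=7)) -> Baseline:
    """The baseline search: record the earliest successful sighting of each key up to built_at.

    enough_data is only set once the history spans min_history; before that the
    detection must stay quiet, otherwise every key would be reported as new.
    """
    first: dict[tuple, datetime] = {}
    earliest = None
    for ev in events:
        if ev["time"] > built_at or ev.get("status") != "success":
            continue
        key = tuple(ev[f] for f in key_fields)
        first[key] = min(first.get(key, ev["time"]), ev["time"])
        earliest = ev["time"] if earliest is None or ev["time"] < earliest else earliest
    return Baseline(first, earliest is not None and built_at - earliest >= min_history)


def find_previously_unseen(events, baseline, key_fields, *, now=NOW, window=timedelta(hours=24)):
    """The detection search: a successful event fires when its key is missing from the
    baseline (isnull(firstTimeSeen)) or was first seen inside the window
    (firstTimeSeen > now - 24h). Returns the events with the reason attached."""
    if not baseline.enough_data:          # `where enough_data=1`
        return []
    cutoff = now - window
    hits = []
    for ev in events:
        if ev.get("status") != "success":
            continue
        key = tuple(ev[f] for f in key_fields)
        fts = baseline.first_seen.get(key)
        if fts is None or fts > cutoff:
            reason = "never seen" if fts is None else "first seen in window"
            hits.append({**ev, "firstTimeSeen": fts, "reason": reason})
    return hits


if __name__ == "__main__":
    # The lookup was last refreshed 12 hours ago; the detection runs over the last two hours.
    recent = [e for e in EVENTS if e["time"] > ago(hours=2)]
    for key_fields in (("user", "command"), ("user",)):
        baseline = build_baseline(EVENTS, key_fields, built_at=ago(hours=12))
        print(f"key={key_fields} enough_data={baseline.enough_data}")
        for h in find_previously_unseen(recent, baseline, key_fields):
            print(f"  {h['time']:%H:%M} {h['user']} {h['command']} {h['object']}: {h['reason']}")
```

With the per-role-and-command key, backup-role running CreateUser fires as "never seen" while the failed attempt is dropped, and ci-role's PutObject fires as "first seen in window" because its first sighting (18 hours ago) is inside the 24-hour window even though it is already in the lookup; deploy-role's RunInstances is 14 days old and stays quiet. Rebuilding the baseline with a 30-day minimum history clears enough_data and silences everything, which is the behaviour to expect on a freshly deployed pack until the baseline searches have run long enough.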