splunk_escuAnomaly

Cisco NVM - Susp Script From Archive Triggering Network Activity

This analytic detects script execution (`wscript.exe` or `cscript.exe`) triggered from compressed files opened directly using `explorer.exe`, `winrar.exe`, or `7zFM.exe`. When a user double clicks on a ".js" file from within one of these compressed files. Its extracted temporally in the temp directory in folder with certain markers. It leverages Cisco Network Visibility Module (NVM) flow data, in order to look for a specific parent/child relationship and an initiated network connection. This behavior is exploited by threat actors such as Scarlet Goldfinch to deliver and run malicious scripts as an initial access technique.

MITRE ATT&CK

T1059.005 T1204.002

execution

Detection Query

`cisco_network_visibility_module_flowdata`
parent_process_name IN ("explorer.exe", "winrar.exe", "7zFM.exe")
process_name IN ("wscript.exe", "cscript.exe")
process_arguments = "*\\AppData\\Local\\Temp\\*"
process_arguments IN ("*\\rar*", "*\\7z*", "*.zip*")
| stats count min(_time) as firstTime max(_time) as lastTime
        values(parent_process_arguments) as parent_process_arguments
        values(process_arguments) as process_arguments
        values(parent_process_hash) as parent_process_hash
        values(process_hash) as process_hash
        values(module_name_list) as module_name_list
        values(module_hash_list) as module_hash_list
        values(dest_port) as dest_port
        values(aliul) as additional_logged_in_users_list
        values(dest_hostname) as dest_hostname
        by src dest parent_process_path parent_process_name parent_process_integrity_level process_path process_name process_integrity_level process_id transport
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table
  parent_process_integrity_level parent_process_name parent_process_path parent_process_arguments parent_process_hash
  process_integrity_level process_path process_name process_arguments process_hash process_id
  additional_logged_in_users_list module_name_list module_hash_list
  src dest_hostname dest dest_port transport firstTime lastTime
| `cisco_nvm___susp_script_from_archive_triggering_network_activity_filter`

Author

Nasreddine Bencherchali, Splunk

Created

2026-03-10

Data Sources

Cisco Network Visibility Module Flow Data

References

https://redcanary.com/threat-detection-report/threats/scarlet-goldfinch/

Tags

Cisco Network Visibility Module Analytics

Raw Content

name: Cisco NVM - Susp Script From Archive Triggering Network Activity
id: 8b07c2c9-0cde-4c44-9fa6-59dcf2b25777
version: 4
date: '2026-03-10'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
description: |
    This analytic detects script execution (`wscript.exe` or `cscript.exe`) triggered from compressed files opened directly using
    `explorer.exe`, `winrar.exe`, or `7zFM.exe`.
    When a user double clicks on a ".js" file from within one of these compressed files. Its extracted temporally in the temp directory in folder with certain markers.
    It leverages Cisco Network Visibility Module (NVM) flow data, in order to look for a specific parent/child relationship and an initiated network connection.
    This behavior is exploited by threat actors such as Scarlet Goldfinch to deliver and run malicious scripts as an initial access technique.
data_source:
    - Cisco Network Visibility Module Flow Data
search: |
    `cisco_network_visibility_module_flowdata`
    parent_process_name IN ("explorer.exe", "winrar.exe", "7zFM.exe")
    process_name IN ("wscript.exe", "cscript.exe")
    process_arguments = "*\\AppData\\Local\\Temp\\*"
    process_arguments IN ("*\\rar*", "*\\7z*", "*.zip*")
    | stats count min(_time) as firstTime max(_time) as lastTime
            values(parent_process_arguments) as parent_process_arguments
            values(process_arguments) as process_arguments
            values(parent_process_hash) as parent_process_hash
            values(process_hash) as process_hash
            values(module_name_list) as module_name_list
            values(module_hash_list) as module_hash_list
            values(dest_port) as dest_port
            values(aliul) as additional_logged_in_users_list
            values(dest_hostname) as dest_hostname
            by src dest parent_process_path parent_process_name parent_process_integrity_level process_path process_name process_integrity_level process_id transport
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | table
      parent_process_integrity_level parent_process_name parent_process_path parent_process_arguments parent_process_hash
      process_integrity_level process_path process_name process_arguments process_hash process_id
      additional_logged_in_users_list module_name_list module_hash_list
      src dest_hostname dest dest_port transport firstTime lastTime
    | `cisco_nvm___susp_script_from_archive_triggering_network_activity_filter`
how_to_implement: |
    This search requires Network Visibility Module logs, which includes the flow data sourcetype.
    This search uses an input macro named `cisco_network_visibility_module_flowdata`.
    We strongly recommend that you specify your environment-specific configurations
    (index, source, sourcetype, etc.) for Cisco Network Visibility Module logs.
    Replace the macro definition with configurations for your Splunk environment.
    The search also uses a post-filter macro designed to filter out known false positives.
    The logs are to be ingested using the Splunk Add-on for Cisco Endpoint Security Analytics (CESA) (https://splunkbase.splunk.com/app/4221).
known_false_positives: |
    Some software installers or automation scripts may extract and run scripts from archive files in temporary directories.
    However, it is uncommon for such scripts to initiate outbound network connections immediately upon extraction.
    This behavior should be considered suspicious and investigated, especially in environments where such scripting is not typical.
references:
    - https://redcanary.com/threat-detection-report/threats/scarlet-goldfinch/
drilldown_searches:
    - name: View the detection results for - "$src$"
      search: '%original_detection_search% | search  src = "$src$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$src$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: $process_path$ running from $parent_process_name$ with archive-related execution in Temp was observed from host $src$ performing network a connection towards $dest$ / $dest_hostname$ over port $dest_port$.
    risk_objects:
        - field: src
          type: system
          score: 20
    threat_objects:
        - field: process_name
          type: process_name
tags:
    analytic_story:
        - Cisco Network Visibility Module Analytics
    asset_type: Endpoint
    mitre_attack_id:
        - T1059.005
        - T1204.002
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test - Cisco NVM
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_network_visibility_module/cisco_nvm_flowdata/nvm_flowdata.log
          source: not_applicable
          sourcetype: cisco:nvm:flowdata