← Back to Explore
splunk_escuAnomaly
Cisco NVM - Suspicious Download From File Sharing Website
This analytic detects suspicious downloads from common file sharing and content delivery platforms using known living-off-the-land binaries (LOLBins) such as 'curl.exe', 'certutil.exe', 'msiexec.exe', 'powershell.exe', 'wmic.exe', and others. It leverages Cisco Network Visibility Module logs to correlate network flow activity with process context, including command-line arguments, process path, and parent process information. These tools are often abused by adversaries and malware to retrieve payloads from public hosting platforms such as GitHub, Discord CDN, Transfer.sh, or Pastebin. This detection helps identify potential initial access, payload staging, or command and control activity using legitimate services.
MITRE ATT&CK
Detection Query
`cisco_network_visibility_module_flowdata`
(
(process_name = "svchost.exe" process_arguments = "*-s BITS*")
OR
process_name IN (
"curl.exe", "wmic.exe", "wscript.exe", "cscript.exe", "certutil.exe",
"msiexec.exe", "hh.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe",
"installutil.exe", "certoc.exe", "bitsadmin.exe"
)
)
dest_hostname IN (
"*.githubusercontent.com*", "*anonfiles.com*", "*cdn.discordapp.com*", "*ddns.net*",
"*dl.dropboxusercontent.com*", "*ghostbin.co*", "*glitch.me*", "*gofile.io*",
"*hastebin.com*", "*mediafire.com*", "*mega.nz*", "*onrender.com*", "*pages.dev*",
"*paste.ee*", "*pastebin.*", "*pastetext.net*", "*privatlab.*",
"*send.exploit.in*", "*sendspace.com*", "*storage.googleapis.com*",
"*storjshare.io*", "*supabase.co*", "*temp.sh*", "*transfer.sh*", "*trycloudflare.com*",
"*ufile.io*", "*w3spaces.com*", "*workers.dev*"
)
| stats count min(_time) as firstTime max(_time) as lastTime
values(parent_process_arguments) as parent_process_arguments
values(process_arguments) as process_arguments
values(parent_process_hash) as parent_process_hash
values(process_hash) as process_hash
values(module_name_list) as module_name_list
values(module_hash_list) as module_hash_list
values(dest_port) as dest_port
values(aliul) as additional_logged_in_users_list
values(dest_hostname) as dest_hostname
by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table
parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
process_integrity_level process_path process_name process_arguments process_hash process_id
additional_logged_in_users_list module_name_list module_hash_list
src dest_hostname dest dest_port transport firstTime lastTime
| `cisco_nvm___suspicious_download_from_file_sharing_website_filter`
Author
Nasreddine Bencherchali, Splunk
Created
2026-03-10
Data Sources
Cisco Network Visibility Module Flow Data
References
- https://twitter.com/jhencinski/status/1102695118455349248
- https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
- https://www.virustotal.com/gui/domain/paste.ee/relations
- https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
Tags
APT37 Rustonotto and FadeStealerCisco Network Visibility Module AnalyticsBlankGrabber Stealer
Raw Content
name: Cisco NVM - Suspicious Download From File Sharing Website
id: 94ebc001-35e7-4ae8-9b0e-52766b2f99c7
version: 5
date: '2026-03-10'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
description: |
This analytic detects suspicious downloads from common file sharing and content delivery platforms using known living-off-the-land binaries (LOLBins)
such as 'curl.exe', 'certutil.exe', 'msiexec.exe', 'powershell.exe', 'wmic.exe', and others.
It leverages Cisco Network Visibility Module logs to correlate network flow activity with process context, including command-line arguments, process path,
and parent process information. These tools are often abused by adversaries and malware to retrieve payloads from public hosting platforms
such as GitHub, Discord CDN, Transfer.sh, or Pastebin.
This detection helps identify potential initial access, payload staging, or command and control activity using legitimate services.
data_source:
- Cisco Network Visibility Module Flow Data
search: |
`cisco_network_visibility_module_flowdata`
(
(process_name = "svchost.exe" process_arguments = "*-s BITS*")
OR
process_name IN (
"curl.exe", "wmic.exe", "wscript.exe", "cscript.exe", "certutil.exe",
"msiexec.exe", "hh.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe",
"installutil.exe", "certoc.exe", "bitsadmin.exe"
)
)
dest_hostname IN (
"*.githubusercontent.com*", "*anonfiles.com*", "*cdn.discordapp.com*", "*ddns.net*",
"*dl.dropboxusercontent.com*", "*ghostbin.co*", "*glitch.me*", "*gofile.io*",
"*hastebin.com*", "*mediafire.com*", "*mega.nz*", "*onrender.com*", "*pages.dev*",
"*paste.ee*", "*pastebin.*", "*pastetext.net*", "*privatlab.*",
"*send.exploit.in*", "*sendspace.com*", "*storage.googleapis.com*",
"*storjshare.io*", "*supabase.co*", "*temp.sh*", "*transfer.sh*", "*trycloudflare.com*",
"*ufile.io*", "*w3spaces.com*", "*workers.dev*"
)
| stats count min(_time) as firstTime max(_time) as lastTime
values(parent_process_arguments) as parent_process_arguments
values(process_arguments) as process_arguments
values(parent_process_hash) as parent_process_hash
values(process_hash) as process_hash
values(module_name_list) as module_name_list
values(module_hash_list) as module_hash_list
values(dest_port) as dest_port
values(aliul) as additional_logged_in_users_list
values(dest_hostname) as dest_hostname
by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table
parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
process_integrity_level process_path process_name process_arguments process_hash process_id
additional_logged_in_users_list module_name_list module_hash_list
src dest_hostname dest dest_port transport firstTime lastTime
| `cisco_nvm___suspicious_download_from_file_sharing_website_filter`
how_to_implement: |
This search requires Network Visibility Module logs, which includes the flow data sourcetype.
This search uses an input macro named `cisco_network_visibility_module_flowdata`.
We strongly recommend that you specify your environment-specific configurations
(index, source, sourcetype, etc.) for Cisco Network Visibility Module logs.
Replace the macro definition with configurations for your Splunk environment.
The search also uses a post-filter macro designed to filter out known false positives.
The logs are to be ingested using the Splunk Add-on for Cisco Endpoint Security Analytics (CESA) (https://splunkbase.splunk.com/app/4221).
known_false_positives: |
Some system administrators or development teams may use tools like curl or PowerShell to download files from public services
for legitimate automation or scripting purposes. However, use of these binaries to contact domains commonly associated with file sharing or temporary hosting
should be carefully reviewed, as such services are frequently abused by threat actors for malware delivery and staging.
Tuning by domain allowlisting or internal usage policies is recommended.
references:
- https://twitter.com/jhencinski/status/1102695118455349248
- https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
- https://www.virustotal.com/gui/domain/paste.ee/relations
- https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
drilldown_searches:
- name: View the detection results for - "$src$"
search: '%original_detection_search% | search src = "$src$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: The host $src$ used $process_path$ to download content from the file-sharing domain $dest_hostname$ over port $dest_port$
risk_objects:
- field: src
type: system
score: 20
threat_objects:
- field: process_name
type: process_name
tags:
analytic_story:
- APT37 Rustonotto and FadeStealer
- Cisco Network Visibility Module Analytics
- BlankGrabber Stealer
asset_type: Endpoint
mitre_attack_id:
- T1197
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: endpoint
tests:
- name: True Positive Test - Cisco NVM
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_network_visibility_module/cisco_nvm_flowdata/nvm_flowdata.log
source: not_applicable
sourcetype: cisco:nvm:flowdata