EXPLORE

EXPLORE DETECTIONS

🔍
2,129 detections found

Cisco IOS XE WebUI Login From IOSd Local Port

This analytic detects Cisco IOS-XE WebUI authentication failure and success logs that include local port 21111. This is a strong an indicator of WebUI exploitation because normal users should not authenticate through the underlying IOS-XE Linux shell path.

Splunk

Cisco IOS XE WebUI Programmatic Configuration

This analytic detects Cisco IOS-XE configuration changes performed by the WebUI WSMA process.

Splunk

Cisco Isovalent - Access To Cloud Metadata Service

The following analytic detects workloads accessing the cloud instance metadata service at 169.254.169.254. This IP is used by AWS, GCP and Azure metadata endpoints and is frequently abused in SSRF or lateral movement scenarios to obtain credentials and sensitive environment details. Monitor unexpected access to this service from application pods or namespaces where such behavior is atypical.

Splunk

Cisco Isovalent - Cron Job Creation

The following analytic detects the creation of a cron job within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for cron job creation events. This behavior is significant for a SOC as it could allow an attacker to execute malicious tasks repeatedly and automatically, posing a threat to the Kubernetes infrastructure. If confirmed malicious, this activity could lead to persistent attacks, service disruptions, or unauthorized access to sensitive information.

Splunk

Cisco Isovalent - Curl Execution With Insecure Flags

The following analytic detects the execution of curl commands with insecure flags within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for curl commands that use the -k or --insecure flags. This behavior is significant for a SOC as it could allow an attacker to bypass SSL/TLS verification, potentially exposing the Kubernetes infrastructure to man-in-the-middle attacks. If confirmed malicious, this activity could lead to data interception, service disruptions, or unauthorized access to sensitive information.

Splunk

Cisco Isovalent - Kprobe Spike

This analytic detects excessive kernel probe (kprobe) events in a Kubernetes cluster over a short period of time. Kprobes are a Linux kernel debugging and instrumentation mechanism that allows dynamic monitoring and tracing of kernel functions and system calls. In containerized or cloud-native environments, kprobes are occasionally used for legitimate low-level diagnostics; however, monitoring a spike in kprobe activity is important because malware or attackers may abuse this mechanism to gain insights into the kernel, attempt privilege escalation, or tamper with host processes. More than 10 kprobe events within 5 minutes may indicate suspicious activity, such as an attacker probing the kernel through repeated system calls (e.g., nsenter, mount, sethostname). Such abnormal volume and frequency of kprobe usage within application pods or on nodes can signal container escape attempts or low-level tampering with the host, thereby representing a potential security threat.

Splunk

Cisco Isovalent - Late Process Execution

Detects process executions that occur well after a container has initialized, which can indicate suspicious activity (e.g., interactive shells, injected binaries, or post-compromise tooling). The analytic compares the process start time to the container start time and flags processes launched more than 5 minutes (300 seconds) after initialization.

Splunk

Cisco Isovalent - Non Allowlisted Image Use

The following analytic detects use of container images that fall outside an approved allowlist, leveraging Cisco Isovalent/Tetragon runtime telemetry (image name and workload identity). Adversaries commonly introduce untrusted or newly published images to deploy tooling, establish persistence, or abuse supply‑chain trust. This behavior may indicate image pulls from unauthorized registries, execution of unvetted software, or a drift from established deployment baselines. Extra scrutiny is warranted for namespaces and workloads that normally source images from restricted registries, and for pods that suddenly begin running images outside expected prefixes. Maintain an environment‑specific allowlist via the macro `cisco_isovalent_allowed_images` (for example, allow trusted registries/prefixes such as ImageName="gcr.io/org/*", "registry.local/*", or "myco/*") and keep it updated as new baseline images are introduced. This analytic alerts on images NOT matching the allowlist.

Splunk

Cisco Isovalent - Nsenter Usage in Kubernetes Pod

This analytic detects the execution of the nsenter utility from within a container, a technique often used for exploitation and container escape. Nsenter allows an attacker to enter the namespaces of another process—such as the host's init process (PID 1)—and execute a shell or other binaries with elevated privileges. For example, an attacker may use docker exec to gain a shell in a container, enumerate the PID of a target container or the host, and then use nsenter to access all namespaces (mount, UTS, IPC, net, pid) of the host or another container. Example to escape to the host: `nsenter --target 1 --mount --uts --ipc --net --pid -- bash`. The WorkloadAncestorsBinary field is used to track the ancestry of the process, this is useful to understand the context of the nsenter usage. The options -m -u -n -i -p correspond to the various Linux namespaces. Adversaries exploit nsenter when pods are misconfigured with excessive privileges (e.g., privileged, hostPID, or broad hostPath mounts), enabling them to interact with the underlying node filesystem and processes. This can be an indicator of a container escape attempt or privilege escalation. Security teams should pay close attention to any nsenter invocation from within containers, especially outside of normal maintenance activity or in workloads with elevated privileges.

Splunk

Cisco Isovalent - Pods Running Offensive Tools

The following analytic detects execution of known offensive tooling from within Kubernetes pods, including network scanners and post-exploitation frameworks (e.g., nmap, masscan, zmap, impacket-*, hashcat, john, SharpHound, kube-hunter, peirates). We have created a macro named `linux_offsec_tool_processes` that contains the list of known offensive tooling found on linux systems. Adversaries commonly introduce these tools into compromised workloads to conduct discovery, lateral movement, credential access, or cluster reconnaissance. This behavior may indicate a compromised container or supply-chain abuse. Extra scrutiny is warranted for namespaces that do not typically run diagnostic scanners and for pods that suddenly begin invoking these binaries outside of normal maintenance activity.

Splunk

Cisco Isovalent - Potential Escape to Host

This analytic detects potential container escape or reconnaissance attempts by monitoring for the rapid execution of multiple suspicious Linux commands (nsenter, mount, ps aux, and ls) within a short time window. The search aggregates process execution logs into 5-minute buckets and identifies when two or more distinct commands occur in quick succession. This behavior is noteworthy because attackers often chain these commands together to pivot from a container into the host, enumerate processes, or browse filesystems. For a SOC, catching these clustered command executions is important because it highlights possible adversary activity attempting to break isolation and escalate privileges inside a Kubernetes environment.

Splunk

Cisco Isovalent - Shell Execution

The following analytic detects the execution of a shell inside a container namespace within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for the execution of a shell (sh or bash) inside a container namespace. This behavior is significant for a SOC as it could allow an attacker to gain shell access to the container, potentially leading to further compromise of the Kubernetes cluster. If confirmed malicious, this activity could lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks, severely compromising the cluster's security and integrity.

Splunk

Cisco Network Interface Modifications

This analytic detects the creation or modification of network interfaces on Cisco devices, which could indicate an attacker establishing persistence or preparing for lateral movement. After gaining initial access to network devices, threat actors like Static Tundra often create new interfaces (particularly loopback interfaces) to establish covert communication channels or maintain persistence. This detection specifically looks for the configuration of new interfaces, interface state changes, and the assignment of IP addresses to interfaces. These activities are particularly concerning when they involve unusual interface names or descriptions containing suspicious terms.

Splunk

Cisco NVM - Curl Execution With Insecure Flags

This analytic detects the use of `curl.exe` with insecure flags such as `-k`, `--insecure`, `--proxy-insecure`, or `--doh-insecure` which disable TLS certificate validation. It leverages Cisco Network Visibility Module (NVM) flow data and process arguments to identify outbound connections initiated by curl where TLS checks were explicitly disabled. This behavior may indicate an attempt to bypass certificate validation to connect to potentially untrusted or malicious endpoints, a common tactic in red team operations, malware staging, or data exfiltration over HTTPS.

Splunk

Cisco NVM - Installation of Typosquatted Python Package

This analytic detects suspicious python package installations where the package name resembles popular Python libraries but may be typosquatted or slightly altered. Typosquatting is a common technique used by attackers to trick users into installing malicious packages that mimic legitimate ones. This detection leverages Cisco NVM flow telemetry and checks for pip or poetry package managers with the "install" or "add" flags, making outbound connections to package repository such as `pypi.org` with known or suspected typo package names.

Splunk

Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI

This analytic detects suspicious use of 'mshta.exe' or 'rundll32.exe' invoking 'mshtml.dll' or the 'RunHTMLApplication' export without including a direct HTTP/HTTPS URL in the command line. This pattern could be associated with obfuscated script execution used by threat actors during initial access or payload staging. The absence of a visible URL may indicate attempts to evade static detections by embedding the URL via string concatenation, encoding (e.g., hex), or indirect script loaders like 'GetObject()'.

Splunk

Cisco NVM - Non-Network Binary Making Network Connection

This analytic detects network connections initiated by binaries that are not typically associated with network communication, such as 'notepad.exe', 'calc.exe' or 'write.exe'. It leverages Cisco Network Visibility Module logs to correlate network flow activity with process context, including command-line arguments, process path, and parent process information. These applications are normally used for locally and do not require outbound network access. When they do initiate such connections, it may indicate process hollowing, code injection, or proxy execution, where adversaries abuse a trusted process to mask malicious activity.

Splunk

Cisco NVM - Outbound Connection to Suspicious Port

The following analytic detects any outbound network connection from an endpoint process to a known suspicious or non-standard port. It leverages Cisco Network Visibility Module flow data logs to identify potentially suspicious behavior by looking at processes communicating over ports like 4444, 2222, or 51820 are commonly used by tools like Metasploit, SliverC2 or other pentest, red team or malware. These connections are worth investigating further, especially when initiated by unexpected or non-network-native binaries.

Splunk

Cisco NVM - Rclone Execution With Network Activity

This detection identifies execution of the file synchronization utility "rclone". It leverages Cisco Network Visibility Module logs, specifically flow data in order to capture process executions initiating network connections. While rclone is a legitimate command-line tool for syncing data to cloud storage providers, it has been widely abused by threat actors for data exfiltration. This analytic inspects process name and arguments for rclone and flags usage of suspicious flags. If matched, this could indicate malicious usage for stealthy data exfiltration or cloud abuse.

Splunk

Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download

This analytic detects suspicious use of `rundll32.exe` in combination with `mshtml.dll` and the export `RunHTMLApplication`. This behavior is often observed in malware to execute JavaScript or VBScript in memory, enabling payload staging or bypassing script execution policies and bypassing the usage of the "mshta.exe" binary. The detection leverages Cisco Network Visibility Module telemetry which offers network flow activity along with process information such as command-line arguments If confirmed malicious, this activity may indicate initial access or payload download.

Splunk

Cisco NVM - Susp Script From Archive Triggering Network Activity

This analytic detects script execution (`wscript.exe` or `cscript.exe`) triggered from compressed files opened directly using `explorer.exe`, `winrar.exe`, or `7zFM.exe`. When a user double clicks on a ".js" file from within one of these compressed files. Its extracted temporally in the temp directory in folder with certain markers. It leverages Cisco Network Visibility Module (NVM) flow data, in order to look for a specific parent/child relationship and an initiated network connection. This behavior is exploited by threat actors such as Scarlet Goldfinch to deliver and run malicious scripts as an initial access technique.

Splunk

Cisco NVM - Suspicious Download From File Sharing Website

This analytic detects suspicious downloads from common file sharing and content delivery platforms using known living-off-the-land binaries (LOLBins) such as 'curl.exe', 'certutil.exe', 'msiexec.exe', 'powershell.exe', 'wmic.exe', and others. It leverages Cisco Network Visibility Module logs to correlate network flow activity with process context, including command-line arguments, process path, and parent process information. These tools are often abused by adversaries and malware to retrieve payloads from public hosting platforms such as GitHub, Discord CDN, Transfer.sh, or Pastebin. This detection helps identify potential initial access, payload staging, or command and control activity using legitimate services.

Splunk

Cisco NVM - Suspicious File Download via Headless Browser

This analytic identifies the use of Chromium-based browsers (like Microsoft Edge) running in headless mode with the `--dump-dom` argument. This behavior has been observed in attack campaigns such as DUCKTAIL, where browsers are automated to stealthily download content from the internet using direct URLs or suspicious hosting platforms. The detection focuses on identifying connections to known file-sharing domains or direct IPs extracted from command-line arguments and cross-checks those against the destination of the flow. Since it leverages Cisco Network Visibility Module telemetry, the rule triggers only if a network connection is made.

Splunk

Cisco NVM - Suspicious Network Connection From Process With No Args

This analytic detects system binaries that are commonly abused in process injection techniques but are observed without any command-line arguments. It leverages Cisco Network Visibility Module (NVM) flow data and process arguments to identify outbound connections initiated by curl where TLS checks were explicitly disabled. Binaries such as `rundll32.exe`, `regsvr32.exe`, `dllhost.exe`, `svchost.exe`, and others are legitimate Windows processes that are often injected into by malware or post-exploitation frameworks (e.g., Cobalt Strike) to hide execution. When these processes are seen initiating a network connection with an empty or missing command line, it can indicate potential injection and communication with a command and control server.

Splunk
PreviousPage 10 of 89Next