EXPLORE DETECTIONS


Cisco NVM - Non-Network Binary Making Network Connection

This analytic detects network connections initiated by binaries that are not typically associated with network communication, such as 'notepad.exe', 'calc.exe' or 'write.exe'. It leverages Cisco Network Visibility Module logs to correlate network flow activity with process context, including command-line arguments, process path, and parent process information. These applications are normally used locally and do not require outbound network access. When they do initiate such connections, it may indicate process hollowing, code injection, or proxy execution, where adversaries abuse a trusted process to mask malicious activity.

T1055, T1036
Splunk

Cisco NVM - Outbound Connection to Suspicious Port

The following analytic detects any outbound network connection from an endpoint process to a known suspicious or non-standard port. It leverages Cisco Network Visibility Module flow data logs to identify potentially suspicious behavior by looking at processes communicating over ports like 4444, 2222, or 51820, which are commonly used by tools such as Metasploit, SliverC2, and other pentest, red team, or malware tooling. These connections are worth investigating further, especially when initiated by unexpected or non-network-native binaries.

T1571
Splunk

Cisco NVM - Rclone Execution With Network Activity

This detection identifies execution of the file synchronization utility "rclone". It leverages Cisco Network Visibility Module logs, specifically flow data, to capture process executions that initiate network connections. While rclone is a legitimate command-line tool for syncing data to cloud storage providers, it has been widely abused by threat actors for data exfiltration. This analytic inspects the process name and arguments for rclone and flags the use of suspicious command-line options. If matched, this could indicate malicious usage for stealthy data exfiltration or cloud abuse.

T1567.002
Splunk

Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download

This analytic detects suspicious use of `rundll32.exe` in combination with `mshtml.dll` and the export `RunHTMLApplication`. This behavior is often observed in malware to execute JavaScript or VBScript in memory, enabling payload staging, bypassing script execution policies, and avoiding the use of the "mshta.exe" binary. The detection leverages Cisco Network Visibility Module telemetry, which offers network flow activity along with process information such as command-line arguments. If confirmed malicious, this activity may indicate initial access or payload download.

T1218.005
Splunk

Cisco NVM - Susp Script From Archive Triggering Network Activity

This analytic detects script execution (`wscript.exe` or `cscript.exe`) triggered from compressed files opened directly using `explorer.exe`, `winrar.exe`, or `7zFM.exe`. When a user double-clicks a ".js" file from within one of these compressed files, it is temporarily extracted into a folder in the temp directory that carries certain markers. The analytic leverages Cisco Network Visibility Module (NVM) flow data to look for this specific parent/child relationship together with an initiated network connection. This behavior is exploited by threat actors such as Scarlet Goldfinch to deliver and run malicious scripts as an initial access technique.

T1059.005, T1204.002
Splunk

Cisco NVM - Suspicious Download From File Sharing Website

This analytic detects suspicious downloads from common file sharing and content delivery platforms using known living-off-the-land binaries (LOLBins) such as 'curl.exe', 'certutil.exe', 'msiexec.exe', 'powershell.exe', 'wmic.exe', and others. It leverages Cisco Network Visibility Module logs to correlate network flow activity with process context, including command-line arguments, process path, and parent process information. These tools are often abused by adversaries and malware to retrieve payloads from public hosting platforms such as GitHub, Discord CDN, Transfer.sh, or Pastebin. This detection helps identify potential initial access, payload staging, or command and control activity using legitimate services.

T1197
Splunk

Cisco NVM - Suspicious File Download via Headless Browser

This analytic identifies the use of Chromium-based browsers (like Microsoft Edge) running in headless mode with the `--dump-dom` argument. This behavior has been observed in attack campaigns such as DUCKTAIL, where browsers are automated to stealthily download content from the internet using direct URLs or suspicious hosting platforms. The detection focuses on identifying connections to known file-sharing domains or direct IPs extracted from command-line arguments and cross-checks those against the destination of the flow. Since it leverages Cisco Network Visibility Module telemetry, the rule triggers only if a network connection is made.

T1105, T1059
Splunk

Cisco NVM - Suspicious Network Connection From Process With No Args

This analytic detects system binaries that are commonly abused in process injection techniques but are observed without any command-line arguments. It leverages Cisco Network Visibility Module (NVM) flow data and process arguments to identify outbound connections initiated by these binaries when no command line is recorded. Binaries such as `rundll32.exe`, `regsvr32.exe`, `dllhost.exe`, `svchost.exe`, and others are legitimate Windows processes that are often injected into by malware or post-exploitation frameworks (e.g., Cobalt Strike) to hide execution. When these processes are seen initiating a network connection with an empty or missing command line, it can indicate potential injection and communication with a command and control server.

T1055, T1218
Splunk

Cisco NVM - Suspicious Network Connection Initiated via MsXsl

This analytic identifies the use of `msxsl.exe` initiating a network connection to a non-private IP address. Although `msxsl.exe` is a legitimate Microsoft utility used to apply XSLT transformations, adversaries can abuse it to execute arbitrary code or load external resources in an evasive manner. This detection leverages Cisco NVM telemetry to identify potentially malicious use of `msxsl.exe` making network connections that may indicate command and control (C2) or data exfiltration activity.

T1220
Splunk

Cisco NVM - Suspicious Network Connection to IP Lookup Service API

This analytic identifies non-browser processes reaching out to public IP lookup or geolocation services, such as `ipinfo.io`, `icanhazip.com`, `ip-api.com`, and others. These domains are commonly used by legitimate tools, but their usage outside of browsers may indicate network reconnaissance, virtual machine detection, or staging by malware. This activity is observed in post-exploitation frameworks, stealer malware, and advanced threat actor campaigns. The detection relies on Cisco Network Visibility Module (NVM) telemetry and excludes known browser processes to reduce noise.

T1590.005, T1016
Splunk

Cisco NVM - Webserver Download From File Sharing Website

This analytic detects unexpected outbound network connections initiated by known webserver processes such as `httpd.exe`, `nginx.exe`, or `tomcat.exe` to common file sharing or public content hosting services like GitHub, Discord CDN, Transfer.sh, or Pastebin. Webservers are rarely expected to perform outbound downloads, especially to dynamic or anonymous file hosting domains. This behavior is often associated with server compromise, where an attacker uses a reverse shell, webshell, or injected task to fetch malware or tools post-exploitation. The detection leverages Cisco Network Visibility Module flow data, enriched with process context, to identify this highly suspicious behavior.

T1105, T1190
Splunk

Cisco Privileged Account Creation with HTTP Command Execution

This analytic correlates risk events between privileged account creation on Cisco IOS devices and HTTP requests to privileged execution paths such as `/level/15/exec/-/*`. APT actors have been observed creating privileged accounts and then running commands on routers via HTTP GET or POST requests that target privileged execution paths. These requests allow attackers to execute commands with the highest privilege level (15) on Cisco devices without requiring interactive SSH access. This correlation identifies when both "Cisco IOS Suspicious Privileged Account Creation" and "Privileged Command Execution via HTTP" Snort detections fire for the same network device. This behavior indicates an attacker leveraging the newly created account to execute commands remotely via HTTP.

T1021.004, T1136, T1078
Splunk

Cisco Privileged Account Creation with Suspicious SSH Activity

This analytic detects a correlation between privileged account creation on Cisco IOS devices and subsequent inbound SSH connections to non-standard ports or sshd_operns by correlating risk events. This correlation identifies when both "Cisco IOS Suspicious Privileged Account Creation" and SSH-related Snort detections ("SSH Connection to sshd_operns" or "SSH Connection to Non-Standard Port") fire for the same network device. This behavior is highly indicative of persistence establishment following initial compromise.

T1021.004, T1136, T1078
Splunk

Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity

This analytic detects exploitation attempts targeting Cisco Catalyst SD-WAN Manager. It leverages the "serviceproxy_access.log" and identifies source-host combinations that perform all key stages of the exploitation as reported in public PoCs within a short period: authentication/config collection (`.dca`), upload actions (`uploadAck`), and payload-style access (`.gz/*`). The behavior can indicate attempted exploitation activity associated with Cisco Catalyst SD-WAN Manager vulnerabilities CVE-2026-20122 (Arbitrary File Overwrite) and CVE-2026-20128 (Information Disclosure).

T1190
Splunk

Cisco SD-WAN - Low Frequency Rogue Peer

This analytic identifies low-frequency Cisco SD-WAN control peering activity from control-connection-state-change events where "new-state:up". It extracts "peer-type" and "peer-system-ip", groups events by these two fields, and counts how often each combination appears within the selected time window. Combinations whose count is less than or equal to the defined threshold (currently <=3 occurrences in the search window) are flagged as rare. Analysts should prioritize peer identities that are rarely observed in the environment, particularly those involving unexpected peer-type roles or unfamiliar peer-system-ip values. Rare control-plane peers may indicate misconfiguration, unauthorized SD-WAN components, infrastructure drift, or potentially malicious control-plane connection attempts. Findings might indicate the potential exploitation of CVE-2026-20127. Note that the threshold is set to "3", but it is highly recommended that this value be adapted to the environment before deploying this search.

T1190
Splunk

Cisco SD-WAN - Peering Activity

This analytic detects Cisco SD-WAN `control-connection-state-change` events where a control connection transitions state. It extracts and highlights key triage fields including `peer-type`, `peer-system-ip`, `public-ip`, and `public-port`. Analysts should manually validate whether the `peer-system-ip` matches the expected SD-WAN addressing schema and device inventory, whether the event timing aligns with known operational activity (maintenance, failover, or planned changes), and whether the `public-ip` is an expected source for control peering in the environment. Treat `peer-type:vmanage` events with higher scrutiny, especially when peer or source IP values are previously unseen.

T1190
Splunk

Cisco SD-WAN - Uncommon User-Agent Multi-URI Activity

This hunting search is designed to surface source IP activity using uncommon HTTP user-agents across multiple URI paths in Cisco SD-WAN Manager serviceproxy access logs. It looks for source and user-agent combinations that access more than one distinct URI, then keeps only low-volume behavior (`requests<=50`) to reduce noise from normal high-volume traffic. Use this hunt to pivot on `http_user_agent` and `src` and identify possible automation, scripted reconnaissance, or exploitation attempts.

T1595
Splunk

Cisco Secure Firewall - Binary File Type Download

The following analytic detects file downloads involving executable, archive, or scripting-related file types that are commonly used in malware delivery. These file types include formats like PE executables, shell scripts, autorun files, installers, and known testing samples such as EICAR. This detection leverages Cisco Secure Firewall Threat Defense logs and enriches the results using a filetype lookup to provide context. If confirmed malicious, these downloads could indicate the initial infection vector, malware staging, or scripting abuse.

T1203, T1059
Splunk

Cisco Secure Firewall - Bits Network Activity

The following analytic detects the use of the Background Intelligent Transfer Service (BITS) client application in allowed outbound connections. It leverages logs from Cisco Secure Firewall Threat Defense devices and identifies instances where BITS is used to initiate downloads from non-standard or unexpected domains. While BITS is a legitimate Windows service used for downloading updates, it is also commonly abused by adversaries to stealthily retrieve payloads or tools. This analytic filters out known Microsoft Edge update URLs and focuses on connections that may indicate suspicious or unauthorized file transfers. If confirmed malicious, this could represent a command and control (C2) channel or a download of malware or tooling as part of an attack chain.

Splunk

Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint

The following analytic detects the use of known suspicious SSL certificates in any observed event where the SSL_CertFingerprint field is present. It leverages Cisco Secure Firewall logs and compares the SSL certificate SHA1 fingerprint against a blacklist of certificates associated with malware distribution, command and control (C2) infrastructure, or phishing campaigns. This activity is significant as adversaries often reuse or self-sign certificates across malicious infrastructure, allowing defenders to track and detect encrypted sessions even when domains or IPs change. If confirmed malicious, this may indicate beaconing, malware download, or data exfiltration over TLS/SSL.

T1587.002, T1588.004, T1071.001, T1573.002
Splunk

Cisco Secure Firewall - Blocked Connection

The following analytic detects a blocked connection event by identifying a "Block" value in the action field. It leverages logs from Cisco Secure Firewall Threat Defense devices. This activity is significant as it can identify attempts by users or applications to initiate network connections to explicitly or implicitly blocked ranges or zones. If confirmed malicious, attackers could be attempting to perform a forbidden action on the network such as data exfiltration, lateral movement, or network disruption.

T1018, T1046, T1110, T1203, T1595.002
Splunk

Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt

This analytic detects exploitation activity of CVE-2025-5777 using Cisco Secure Firewall Intrusion Events. It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signature 65118 (Citrix NetScaler memory overread attempt) is triggered. If confirmed malicious, this behavior is highly indicative of a potential exploitation of CVE-2025-5777.

T1203, T1059
Splunk

Cisco Secure Firewall - Communication Over Suspicious Ports

The following analytic detects potential reverse shell activity by identifying connections involving ports commonly associated with remote access tools, shell listeners, or tunneling utilities. It leverages Cisco Secure Firewall Threat Defense logs and monitors destination ports against a list of non-standard, high-risk port values often used in post-exploitation scenarios. Adversaries frequently configure tools like netcat, Meterpreter, or other backdoors to listen or connect over uncommon ports such as 4444, 2222, or 51820 to bypass standard monitoring and firewall rules. If confirmed malicious, this activity may represent command and control (C2) tunneling, lateral movement, or unauthorized remote access.

T1021, T1055, T1059.001, T1105, T1219 (+1)
Splunk

Cisco Secure Firewall - Connection to File Sharing Domain

The following analytic detects outbound connections to commonly abused file sharing and pastebin-style hosting domains. It leverages Cisco Secure Firewall Threat Defense logs and focuses on allowed connections (action=Allow) where the url field matches a list of known data hosting or temporary storage services. While many of these platforms serve legitimate purposes, they are frequently leveraged by adversaries for malware delivery, data exfiltration, command and control (C2) beacons, or staging of encoded payloads. This analytic is valuable for identifying potential abuse of legitimate infrastructure as part of an attacker's kill chain. If confirmed malicious, this activity may indicate tool staging, credential dumping, or outbound data leaks over HTTP(S).

T1071.001, T1090.002, T1105, T1567.002, T1588.002
Splunk