EXPLORE DETECTIONS
Cisco NVM - Suspicious Network Connection Initiated via MsXsl
This analytic identifies the use of `msxsl.exe` initiating a network connection to a non-private IP address. Although `msxsl.exe` is a legitimate Microsoft utility used to apply XSLT transformations, adversaries can abuse it to execute arbitrary code or load external resources in an evasive manner. This detection leverages Cisco NVM telemetry to identify potentially malicious use of `msxsl.exe` making network connections that may indicate command and control (C2) or data exfiltration activity.
Cisco NVM - Suspicious Network Connection to IP Lookup Service API
This analytic identifies non-browser processes reaching out to public IP lookup or geolocation services, such as `ipinfo.io`, `icanhazip.com`, `ip-api.com`, and others. These domains are commonly used by legitimate tools, but their usage outside of browsers may indicate network reconnaissance, virtual machine detection, or staging by malware. This activity is observed in post-exploitation frameworks, stealer malware, and advanced threat actor campaigns. The detection relies on Cisco Network Visibility Module (NVM) telemetry and excludes known browser processes to reduce noise.
Cisco NVM - Webserver Download From File Sharing Website
This analytic detects unexpected outbound network connections initiated by known webserver processes such as `httpd.exe`, `nginx.exe`, or `tomcat.exe` to common file sharing or public content hosting services like GitHub, Discord CDN, Transfer.sh, or Pastebin. Webservers are rarely expected to perform outbound downloads, especially to dynamic or anonymous file hosting domains. This behavior is often associated with server compromise, where an attacker uses a reverse shell, webshell, or injected task to fetch malware or tools post-exploitation. The detection leverages Cisco Network Visibility Module flow data, enriched with process context, to identify this highly suspicious behavior.
Cisco Privileged Account Creation with HTTP Command Execution
This analytic correlates risk events between privileged account creation on Cisco IOS devices and HTTP requests to privileged execution paths such as `/level/15/exec/-/*`. APT actors have been observed creating privileged accounts and then running commands on routers via HTTP GET or POST requests that target privileged execution paths. These requests allow attackers to execute commands with the highest privilege level (15) on Cisco devices without requiring interactive SSH access. This correlation identifies when both "Cisco IOS Suspicious Privileged Account Creation" and "Privileged Command Execution via HTTP" Snort detections fire for the same network device. This behavior indicates an attacker leveraging the newly created account to execute commands remotely via HTTP.
Cisco Privileged Account Creation with Suspicious SSH Activity
This analytic detects a correlation between privileged account creation on Cisco IOS devices and subsequent inbound SSH connections to non-standard ports or sshd_operns by correlating risk events This correlation identifies when both "Cisco IOS Suspicious Privileged Account Creation" and SSH-related Snort detections ("SSH Connection to sshd_operns" or "SSH Connection to Non-Standard Port") fire for the same network device. This behavior is highly indicative of persistence establishment following initial compromise.
Cisco SA - Access to Anonymizer Services
This analytic detects attempts to access proxy-evasion or anonymizer services using Cisco Secure Access DNS and secure web proxy telemetry. Users who reach anonymizer or proxy-evasion infrastructure are often trying to bypass corporate controls such as secure web gateway inspection, DLP monitoring, CASB visibility, and threat-detection systems. These services frequently establish encrypted tunnels that hide subsequent traffic from inspection. Early identification helps security teams spot circumvention attempts before potential data exfiltration or follow-on malicious activity. Correlating DNS resolution and proxy session data strengthens confidence that access was intentional.
Cisco SA - Automated Web Reconnaissance via HTTP Access Errors
This analytic detects probable automated web reconnaissance using Cisco Secure Access proxy telemetry. A high volume of HTTP client errors (401/403/404/etc) across many unique URLs in a short window is consistent with directory/file enumeration behavior generated by tools such as Gobuster, DirBuster, ffuf, or Burp Intruder. Detecting this pattern helps identify pre-exploitation scanning activity, insider reconnaissance, compromised endpoints performing discovery, and attempts to find hidden administrative paths, APIs, backups, and exposed application files.
Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity
This analytic detects a exploitation activity attempts of targeting Cisco Catalyst SD-WAN Manager. It leverages the "serviceproxy_access.log" and identifies source-host combinations that perform all key stages of the exploitation as reported in public POCs in a short period: authentication/config collection (`.dca`), upload actions (`uploadAck`), and payload-style access (`.gz/*`). The behavior can indicate attempted exploitation activity associated with Cisco Catalyst SD-WAN Manager vulnerabilities CVE-2026-20122 (Arbitrary File Overwrite) and CVE-2026-20128 (Information Disclosure).
Cisco SD-WAN - Low Frequency Rogue Peer
This analytic identifies low-frequency Cisco SD-WAN control peering activity from control-connection-state-change events where "new-state:up". It extracts "peer-type" and "peer-system-ip", groups events by these two fields, and counts how often each combination appears within the selected time window. Combinations whose count is less than or equal to the defined threshold (currently <=3 occurrences in the search window) are flagged as rare. Analysts should prioritize peer identities that are rarely observed in the environment, particularly those involving unexpected peer-type roles or unfamiliar peer-system-ip values. Rare control-plane peers may indicate misconfiguration, unauthorized SD-WAN components, infrastructure drift, or potentially malicious control-plane connection attempts. Findings might indicate the potential exploitation of CVE-2026-20127. Note that the threshold setting is set to "3", but its highly recommended that this should be adapted to the environment before deploying this search.
Cisco SD-WAN - Peering Activity
This analytic detects Cisco SD-WAN `control-connection-state-change` events where a control connection transitions. It extracts and highlights key triage fields including `peer-type`, `peer-system-ip`, `public-ip`, and `public-port`. Analysts should manually validate whether the `peer-system-ip` matches the expected SD-WAN addressing schema and device inventory, whether the event timing aligns with known operational activity (maintenance, failover, or planned changes), and whether the `public-ip` is an expected source for control peering in the environment. Treat `peer-type:vmanage` events with higher scrutiny, especially when peer or source IP values are previously unseen.
Cisco SD-WAN - Uncommon User-Agent Multi-URI Activity
This hunting search is designed to surface source IP activity using uncommon HTTP user-agents across multiple URI paths in Cisco SD-WAN Manager serviceproxy access logs. It looks for source and user-agent combinations that access more than one distinct URI, then keeps only low-volume behavior (`requests<=50`) to reduce noise from normal high-volume traffic. Use this hunt to pivot on `http_user_agent` and `src` and identify possible automation, scripted reconnaissance, or exploitation attempts.
Cisco SD-WAN Multiple Source IP vManage Admin SSH Authentication
This analytic identifies multiple unique source IP addresses successfully authenticating as `vmanage-admin` via SSH publickey on Cisco Catalyst SD-WAN control components within a short time window. This aligns with IoC guidance for CVE-2026-20127 (cisco-sa-sdwan-rpa-EHchtZk), which warns that compromised systems may show `Accepted publickey for vmanage-admin` entries from unauthorized IPs. Validate flagged source IPs against known System IPs in SD-WAN Manager and investigate unexpected or concurrent sources.
Cisco SD-WAN Multiple SSH key Authentication from Same Source
This hunting analytic identifies multiple distinct SSH publickey fingerprints used to authenticate the same user from the same source IP against a Cisco Catalyst SD-WAN control component. After legitimate vManage key rotation or reboot, a new key may appear but the old key should no longer be used; continued use of more than one key from the same source may indicate unauthorized key injection or persistence related to CVE-2026-20127 (cisco-sa-sdwan-rpa-EHchtZk). Validate flagged keys and source IPs against known System IPs in SD-WAN Manager and investigate unexpected combinations.
Cisco Secure Firewall - Binary File Type Download
The following analytic detects file downloads involving executable, archive, or scripting-related file types that are commonly used in malware delivery. These file types include formats like PE executables, shell scripts, autorun files, installers, and known testing samples such as EICAR. This detection leverages Cisco Secure Firewall Threat Defense logs and enriches the results using a filetype lookup to provide context. If confirmed malicious, these downloads could indicate the initial infection vector, malware staging, or scripting abuse.
Cisco Secure Firewall - Bits Network Activity
The following analytic detects the use of the Background Intelligent Transfer Service (BITS) client application in allowed outbound connections. It leverages logs from Cisco Secure Firewall Threat Defense devices and identifies instances where BITS is used to initiate downloads from non-standard or unexpected domains. While BITS is a legitimate Windows service used for downloading updates, it is also commonly abused by adversaries to stealthily retrieve payloads or tools. This analytic filters out known Microsoft Edge update URLs and focuses on connections that may indicate suspicious or unauthorized file transfers. If confirmed malicious, this could represent a command and control (C2) channel or a download of malware or tooling as part of an attack chain.
Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint
The following analytic detects the use of known suspicious SSL certificates in any observed event where the SSL_CertFingerprint field is present. It leverages Cisco Secure Firewall logs and compares the SSL certificate SHA1 fingerprint against a blacklist of certificates associated with malware distribution, command and control (C2) infrastructure, or phishing campaigns. This activity is significant as adversaries often reuse or self-sign certificates across malicious infrastructure, allowing defenders to track and detect encrypted sessions even when domains or IPs change. If confirmed malicious, this may indicate beaconing, malware download, or data exfiltration over TLS/SSL.
Cisco Secure Firewall - Blocked Connection
The following analytic detects a blocked connection event by identifying a "Block" value in the action field. It leverages logs from Cisco Secure Firewall Threat Defense devices. This activity is significant as it can identify attempts from users or applications initiating network connection to explicitly or implicitly blocked range or zones. If confirmed malicious, attackers could be attempting to perform a forbidden action on the network such as data exfiltration, lateral movement, or network disruption.
Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt
This analytic detects exploitation activity of CVE-2025-5777 using Cisco Secure Firewall Intrusion Events. It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signature 65118 (Citrix NetScaler memory overread attempt) is triggered If confirmed malicious, this behavior is highly indicative of a potential exploitation of CVE-2025-5777.
Cisco Secure Firewall - Communication Over Suspicious Ports
The following analytic detects potential reverse shell activity by identifying connections involving ports commonly associated with remote access tools, shell listeners, or tunneling utilities. It leverages Cisco Secure Firewall Threat Defense logs and monitors destination ports against a list of non-standard, high-risk port values often used in post-exploitation scenarios. Adversaries frequently configure tools like netcat, Meterpreter, or other backdoors to listen or connect over uncommon ports such as 4444, 2222, or 51820 to bypass standard monitoring and firewall rules. If confirmed malicious, this activity may represent command and control (C2) tunneling, lateral movement, or unauthorized remote access.
Cisco Secure Firewall - Connection to File Sharing Domain
The following analytic detects outbound connections to commonly abused file sharing and pastebin-style hosting domains. It leverages Cisco Secure Firewall Threat Defense logs and focuses on allowed connections (action=Allow) where the url field matches a list of known data hosting or temporary storage services. While many of these platforms serve legitimate purposes, they are frequently leveraged by adversaries for malware delivery, data exfiltration, command and control (C2) beacons, or staging of encoded payloads. This analytic is valuable for identifying potential abuse of legitimate infrastructure as part of an attacker's kill chain. If confirmed malicious, this activity may indicate tool staging, credential dumping, or outbound data leaks over HTTP(S).
Cisco Secure Firewall - File Download Over Uncommon Port
The following analytic detects file transfers flagged as malware that occurred over non-standard ports (other than 80 and 443). Adversaries may attempt to bypass protocol-based detection or use alternate ports to blend in with other traffic. This analytic identifies these non-conventional flows and surfaces potential evasion techniques. If confirmed malicious this indicate potential malware delivery or other nefarious activity.
Cisco Secure Firewall - High EVE Threat Confidence
The following analytic detects connections with a high Encrypted Visibility Engine (EVE) threat confidence score, indicating potentially malicious behavior within encrypted traffic. It leverages Cisco Secure Firewall Threat Defense logs and evaluates the EVE_ThreatConfidencePct field, which reflects the system's confidence in classifying encrypted sessions as threats based on machine learning models and behavioral analysis. A score equal to or greater than 80 suggests the connection is highly likely to be associated with malware command and control (C2), remote access tools, or suspicious tunneling behavior. If confirmed malicious, this may indicate covert communication over TLS from compromised hosts.
Cisco Secure Firewall - High Priority Intrusion Classification
This analytic identifies high-severity intrusion events based on the classification assigned to Snort rules within Cisco Secure Firewall logs. It leverages Cisco Secure Firewall Threat Defense logs and focuses on events classified as: - A Network Trojan was Detected - Successful Administrator Privilege Gain - Successful User Privilege Gain - Attempt to Login By a Default Username and Password - Known malware command and control traffic - Known malicious file or file based exploit - Known client side exploit attempt - Large Scale Information Leak" These classifications typically represent significant threats such as remote code execution, credential theft, lateral movement, or malware communication. Detection of these classifications should be prioritized for immediate investigation.
Cisco Secure Firewall - High Volume of Intrusion Events Per Host
The following analytic detects internal systems that generate an unusually high volume of intrusion detections within a 30-minute window. It leverages Cisco Secure Firewall Threat Defense logs, specifically focusing on the IntrusionEvent event type, to identify hosts that trigger more than 15 Snort-based signatures during that time. A sudden spike in intrusion alerts originating from a single host may indicate suspicious or malicious activity such as malware execution, command-and-control communication, vulnerability scanning, or lateral movement. In some cases, this behavior may also be caused by misconfigured or outdated software repeatedly tripping detection rules. Systems exhibiting this pattern should be triaged promptly, as repeated Snort rule matches from a single source are often early indicators of compromise, persistence, or active exploitation attempts.