EXPLORE

EXPLORE DETECTIONS

🔍
2,129 detections found

Cisco Secure Firewall - Intrusion Events by Threat Activity

This analytic detects intrusion events from known threat activity using Cisco Secure Firewall Intrusion Events. It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where one or multiple Snort signatures associated with a known threat or threat actor activity have been triggered within a one-hour time window. The detection uses a lookup table (cisco_snort_ids_to_threat_mapping) to map Snort signature IDs to known threat actors and their techniques. When multiple signatures associated with the same threat actor are triggered within the time window, and the count of unique signatures matches or exceeds the expected number of signatures for that threat technique, an alert is generated. This helps identify potential coordinated threat activity in your network environment by correlating related intrusion events that occur in close temporal proximity. Currently, this detection will alert on the following threat actors or malware families as defined in the cisco_snort_ids_to_threat_mapping lookup: * AgentTesla * Amadey * ArcaneDoor * AsyncRAT * CastleRAT * Chafer * DCRAT * LokiBot * Lumma Stealer * Nobelium * Quasar * Remcos * Snake * Static Tundra * Xworm To add or update threat actors, update the cisco_snort_ids_to_threat_mapping.csv lookup file with new or modified threat names and associated Snort signature IDs.

Splunk

Cisco Secure Firewall - Lumma Stealer Activity

This analytic detects Lumma Stealer activity using Cisco Secure Firewall Intrusion Events. It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where four of the following Snort signature IDs 64793, 64794, 64797, 64798, 64799, 64800, 64801, 62709, 64167, 64168, 64169, 64796, 62710, 62711, 62712, 62713, 62714, 62715, 62716, 62717, 64812, 64810, 64811 occurs in the span of 15 minutes from the same host. If confirmed malicious, this behavior is highly indicative of a successful infection of Lumma Stealer.

Splunk

Cisco Secure Firewall - Lumma Stealer Download Attempt

This analytic detects Lumma Stealer download attempts using Cisco Secure Firewall Intrusion Events. It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signatures with IDs 64797, 64798, 64799, 64800, 64801, 64167, 64168, 64169 have been triggered. If confirmed malicious, this behavior could indicate an active infection of Lumma Stealer.

Splunk

Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt

This analytic detects Lumma Stealer outbound connection attempts using Cisco Secure Firewall Intrusion Events. It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signatures with IDs 64797, 64798, 64799, 64800, 64801, 64167, 64168, 64169, 62709 have been triggered. If confirmed malicious, this behavior could indicate an active infection of Lumma Stealer.

Splunk

Cisco Secure Firewall - Malware File Downloaded

The following analytic detects file downloads that were classified as malware by Cisco Secure Firewall Threat Defense. It relies on the `SHA_Disposition` field with a value of "Malware" and includes metadata such as file name, file_hash hash, and threat classification. This analytic is critical for surfacing file-based threats that are identified via Cisco's AMP or Threat Grid integrations. If confirmed malicious, this could indicate delivery of malware.

Splunk

Cisco Secure Firewall - Oracle E-Business Suite Correlation

This correlation rule identifies potential exploitation attempts of Oracle E-Business Suite vulnerabilities (CVE-2025-61882 and CVE-2025-61884) by correlating multiple intrusion signatures from Cisco Secure Firewall Threat Defense logs. The detection looks for specific signatures that indicate attempts to exploit the TemplatePreview functionality and vulnerable SyncServlet endpoints as well as post compromise activity involving Cl0p. By correlating these signatures, the analytic aims to identify coordinated exploitation attempts that may indicate an attacker is targeting Oracle E-Business Suite installations. Security teams should investigate any instances of these correlated signatures, especially if they are found in conjunction with other suspicious network activity or on systems that should not be exposed to such threats.

Splunk

Cisco Secure Firewall - Oracle E-Business Suite Exploitation

This analytic detects vulnerability exploitation and post-compromise activity associated with Oracle E-Business Suite web-application vulnerabilities, CVE-2025-61882 and CVE-2025-61884. SIDs 65413-65415 detect detect Java.Backdoor.Cl0p variant payload downloads and Java.Backdoor.Cl0p outbound command-and-control connection attempts. SIDs 65456, 65377 and 65378 detect attempts to exploit these vulnerabilities. Security teams should investigate any instances of these signatures, especially if they are found in conjunction with other suspicious network activity or on systems that should not be exposed to such threats.

Splunk

Cisco Secure Firewall - Possibly Compromised Host

The following analytic highlights high-impact intrusion events assigned by Cisco Secure Firewall. This detection leverages Cisco Secure Firewall Threat Defense logs and specifically the IntrusionEvent event type and `Impact` field assigned by Cisco Secure Firewall looking for an impact score of 1 or 2. If confirmed malicious this may indicate a potential compromised host.

Splunk

Cisco Secure Firewall - Potential Data Exfiltration

The following analytic detects potentially suspicious large volumes of data sent by the connection initiator on flows from internal to external networks. It leverages Cisco Secure Firewall Threat Defense ConnectionEvent logs and thresholds on InitiatorBytes (bytes transmitted by the initiator), which for typical inside-initiated client sessions approximates upload or outbound payload from the internal host and avoids flagging large downloads where most bytes appear in ResponderBytes. Connections where the initiator sent at least 100 MB are flagged, as these may indicate unauthorized data exfiltration, especially if associated with unusual users, hosts, or processes. This analytic is scoped to inside-to-outside flows using a macro (cisco_secure_firewall_inside_to_outside) to abstract environment-specific zone definitions. If confirmed malicious, this behavior may reflect data staging and exfiltration over an encrypted or stealthy transport.

Splunk

Cisco Secure Firewall - Privileged Command Execution via HTTP

This analytic detects HTTP requests to privileged execution paths on Cisco routers, specifically targeting the `/level/15/exec/-/*` endpoint using Cisco Secure Firewall Intrusion Events. This detection leverages Snort signature 65370 to identify requests to these sensitive endpoints, which when combined with other indicators may signal active exploitation or post-compromise activity.

Splunk

Cisco Secure Firewall - Rare Snort Rule Triggered

This analytic identifies Snort signatures that have triggered only once in the past 7 days across all Cisco Secure Firewall IntrusionEvent logs. While these rules typically do not trigger in day-to-day network activity, their sudden appearance may indicate early-stage compromise, previously unseen malware, or reconnaissance activity against less commonly exposed services. Investigating these outliers can provide valuable insight into new or low-noise adversary behaviors.

Splunk

Cisco Secure Firewall - React Server Components RCE Attempt

This analytic detects exploitation activity of CVE-2025-55182 using Cisco Secure Firewall Intrusion Events. It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signature 65554 (React Server Components remote code execution attempt) is triggered If confirmed malicious, this behavior could be indicative of a potential exploitation of CVE-2025-55182.

Splunk

Cisco Secure Firewall - Remote Access Software Usage Traffic

The following analytic detects network traffic associated with known remote access software applications that are covered by Cisco Secure Firewall Application Detectors, such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. It leverages Cisco Secure Firewall Threat Defense Connection Event. This activity is significant because adversaries often use remote access tools to maintain unauthorized access to compromised environments. If confirmed malicious, this activity could allow attackers to control systems remotely, exfiltrate data, or deploy additional malware, posing a severe threat to the organization's security.

Splunk

Cisco Secure Firewall - Repeated Blocked Connections

The following analytic detects repeated blocked connection attempts from the same initiator to the same responder within a short time window. It leverages Cisco Secure Firewall Threat Defense logs and identifies connections where the action is set to Block, and the number of occurrences reaches or exceeds a threshold of ten within a one-minute span. This pattern may indicate a misconfigured application, unauthorized access attempts, or early stages of a brute-force or scanning operation. If confirmed malicious, this behavior may represent an attacker probing the network, attempting lateral movement, or testing firewall rules for weaknesses.

Splunk

Cisco Secure Firewall - Repeated Malware Downloads

The following analytic detects repeated malware file downloads initiated by the same internal host (src) within a short time window. It leverages Cisco Secure Firewall Threat Defense logs and identifies `FileEvent` events with a `SHA_Disposition` of "Malware" and `FileDirection` set to "Download". If ten or more such events occur from the same host within five minutes, this analytic will trigger. This activity may indicate the host is compromised and repeatedly retrieving malicious content either due to command-and-control, malware staging, or automation. If confirmed malicious, this behavior may represent an infection in progress, persistence mechanism, or a malicious downloader.

Splunk

Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts

This analytic identifies Snort intrusion signatures that have been triggered by ten or more distinct internal IP addresses within a one-hour window. It leverages Cisco Secure Firewall Threat Defense logs and focuses on the IntrusionEvent event type to detect activity that may indicate broad targeting or mass exploitation attempts. This behavior is often associated with opportunistic scanning, worm propagation, or automated exploitation of known vulnerabilities across multiple systems. If confirmed malicious, this could represent the early phase of a coordinated attack aiming to gain a foothold on several hosts or move laterally across the environment.

Splunk

Cisco Secure Firewall - SSH Connection to Non-Standard Port

This analytic detects inbound SSH connections to non-standard ports on network devices using Cisco Secure Firewall Intrusion Events. APT actors have been observed enabling SSH servers on high, non-default TCP ports to maintain encrypted remote access to compromised network infrastructure. This detection leverages Snort signature 65369 to identify SSH protocol traffic on unusual ports, which may indicate persistence mechanisms or backdoor access established by threat actors.

Splunk

Cisco Secure Firewall - SSH Connection to sshd_operns

This analytic detects inbound SSH connections to the sshd_operns service on network devices using Cisco Secure Firewall Intrusion Events. APT actors have been observed enabling sshd_operns and opening it on non-standard ports to maintain encrypted remote access to compromised network infrastructure. This detection leverages Snort signature 65368 to identify connections to this service, which when combined with other indicators may signal persistent access mechanisms established by threat actors.

Splunk

Cisco Secure Firewall - Static Tundra Smart Install Abuse

This analytic detects activity associated with "Static Tundra" threat actor abuse of the Cisco Smart Install (SMI) protocol using Cisco Secure Firewall Intrusion Events. It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify occurrences of Smart Install exploitation and protocol abuse, including denial-of-service and buffer overflow attempts. The detection triggers when multiple Cisco Smart Install-related Snort signatures are observed in a short period from the same source, which is indicative of active exploitation or reconnaissance against Cisco devices that expose SMI.

Splunk

Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity

This analytic detects exploitation activity of CVE-2023-27532 using Cisco Secure Firewall Intrusion Events. It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signature 61514 (Veeam Backup and Replication credential dump attempt) is followed within a 5-minute window by 64795 (Veeam Backup and Replication xp_cmdshell invocation attempt), which detects the use of `xp_cmdshell`, a common post-exploitation technique. If confirmed malicious, this behavior is highly indicative of a successful exploitation of CVE-2023-27532, followed by remote command execution or credential dumping.

Splunk

Cisco Secure Firewall - Wget or Curl Download

The following analytic detects outbound connections initiated by command-line tools such as curl or wget. It leverages Cisco Secure Firewall Threat Defense logs and identifies allowed connections (action=Allow) where either the EVE_Process or ClientApplication fields indicate use of these utilities. While curl and wget are legitimate tools commonly used for software updates and scripting, adversaries often abuse them to download payloads, retrieve additional tools, or establish staging infrastructure from compromised systems. If confirmed malicious, this behavior may indicate the download phase of an attack chain or a command-and-control utility retrieval.

Splunk

Cisco Smart Install Oversized Packet Detection

This analytic detects oversized Cisco Smart Install (SMI) protocol messages by inspecting traffic to TCP port 4786 within the Network_Traffic data model. Abnormally large SMI payloads have been associated with exploitation and protocol abuse (e.g., CVE-2018-0171; activity reported by the "Static Tundra" threat actor). Monitoring message sizes over time can help identify possible attempts at remote code execution, denial of service, or reconnaissance against Cisco devices exposing Smart Install.

Splunk

Cisco Smart Install Port Discovery and Status

This analytic detects network traffic to TCP port 4786, which is used by the Cisco Smart Install protocol. Smart Install is a plug-and-play configuration and image-management feature that helps customers to deploy Cisco switches. This protocol has been exploited via CVE-2018-0171, a vulnerability that allows unauthenticated remote attackers to execute arbitrary code or cause denial of service conditions. Recently, Cisco Talos reported that a Russian state-sponsored threat actor called "Static Tundra" has been actively exploiting this vulnerability to compromise unpatched and end-of-life network devices. Monitoring for traffic to this port can help identify potential exploitation attempts or unauthorized Smart Install activity.

Splunk

Cisco SNMP Community String Configuration Changes

This analytic detects changes to SNMP community strings on Cisco devices, which could indicate an attacker establishing persistence or attempting to extract credentials. After gaining initial access to network devices, threat actors like Static Tundra often modify SNMP configurations to enable unauthorized monitoring and data collection. This detection specifically looks for the configuration of SNMP community strings with read-write (rw) or read-only (ro) permissions, as well as the configuration of SNMP hosts that may be used to exfiltrate data. These activities are particularly concerning as they may represent attempts to establish persistent access or extract sensitive information from compromised devices.

Splunk
PreviousPage 12 of 89Next