LoFP / false positives should be unlikely.

Techniques

Sample rules

Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt

Description

This analytic detects Lumma Stealer outbound connection attempts using Cisco Secure Firewall intrusion events. It searches Cisco Secure Firewall Threat Defense IntrusionEvent logs for hits on Snort signature IDs 64797, 64798, 64799, 64800, 64801, 64167, 64168, 64169 and 62709, then aggregates the hits by source, destination, signature and inline result, so each row shows the first and last time a host triggered a given signature and whether the firewall dropped the session or only alerted on it (the InlineResult and InlineResultReason fields). If confirmed malicious, this behavior indicates an active Lumma Stealer infection on the source host.

Detection logic

`cisco_secure_firewall` EventType=IntrusionEvent signature_id IN (64797, 64798, 64799, 64800, 64801, 64167, 64168, 64169, 62709)
| fillnull
| stats min(_time) as firstTime max(_time) as lastTime
        by src_ip dest_ip dest_port transport signature_id signature class_desc MitreAttackGroups rule InlineResult InlineResultReason app
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___lumma_stealer_outbound_connection_attempt_filter`

Cisco Secure Firewall - Lumma Stealer Download Attempt

Description

This analytic detects Lumma Stealer download attempts using Cisco Secure Firewall intrusion events. It searches Cisco Secure Firewall Threat Defense IntrusionEvent logs for hits on Snort signature IDs 62710 through 62717, 64810 and 64811 (the IDs used in the search below), then aggregates the hits by source, destination, signature and inline result. A download attempt is the delivery stage rather than post-infection activity, so the InlineResult field matters for triage: a dropped session means the payload did not reach the host, while an allowed session should be treated as a likely infection and handed to the outbound connection analytic above for follow-up. If confirmed malicious, this behavior could indicate an active or imminent Lumma Stealer infection.

Detection logic

`cisco_secure_firewall` EventType=IntrusionEvent signature_id IN (62710, 62711, 62712, 62713, 62714, 62715, 62716, 62717, 64810, 64811)
| fillnull
| stats min(_time) as firstTime max(_time) as lastTime
        by src_ip dest_ip dest_port transport signature_id signature class_desc MitreAttackGroups rule InlineResult InlineResultReason app
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___lumma_stealer_download_attempt_filter`
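The following is an added example, not code from the page nor from Splunk or Cisco. It re-implements the core of both searches above (the signature-ID filter, `fillnull`, and the `stats min/max by ...` aggregation) in Python and runs them over a handful of constructed IntrusionEvent records so the grouping behaviour can be seen offline. The signature IDs and the by-clause field names are taken from the two searches; the sample events, the timestamp format used to stand in for `security_content_ctime`, and the InlineResult value "Dropped" used in the triage helper are assumptions.

```python
"""Emulate the two Lumma Stealer IntrusionEvent searches over constructed sample events."""
from datetime import datetime, timezone

# Snort signature IDs exactly as they appear in the two searches on the page.
OUTBOUND_SIDS = {64797, 64798, 64799, 64800, 64801, 64167, 64168, 64169, 62709}
DOWNLOAD_SIDS = {62710, 62711, 62712, 62713, 62714, 62715, 62716, 62717, 64810, 64811}

# The stats by-clause from both searches, in order.
GROUP_BY = ("src_ip", "dest_ip", "dest_port", "transport", "signature_id", "signature",
            "class_desc", "MitreAttackGroups", "rule", "InlineResult", "InlineResultReason", "app")


def _ev(t, sid, src, dst, port, signature, inline_result, **overrides):
    """Build one constructed IntrusionEvent record (field names follow the searches, values are made up)."""
    ev = {"_time": t, "EventType": "IntrusionEvent", "signature_id": sid, "src_ip": src,
          "dest_ip": dst, "dest_port": port, "transport": "tcp", "signature": signature,
          "class_desc": "A Network Trojan was detected", "MitreAttackGroups": "",
          "rule": "lumma", "InlineResult": inline_result, "InlineResultReason": "", "app": "HTTPS"}
    ev.update(overrides)
    return ev


# Constructed sample data, not real Cisco Secure Firewall logs.
SAMPLE_EVENTS = [
    # Two hits on the same outbound-connection signature from one host: one stats row, two timestamps.
    _ev(1700000000, 64797, "10.1.2.3", "203.0.113.10", 443, "Lumma outbound connection attempt", "Dropped"),
    _ev(1700000300, 64797, "10.1.2.3", "203.0.113.10", 443, "Lumma outbound connection attempt", "Dropped"),
    # A download-attempt signature that the sensor only alerted on (assumed non-drop value).
    _ev(1700000600, 62710, "10.1.2.3", "198.51.100.7", 80, "Lumma download attempt", "Would have dropped"),
    # Unrelated signature ID: excluded by both searches.
    _ev(1700000900, 1000001, "10.1.2.4", "192.0.2.9", 8080, "Some other rule", "Dropped"),
    # Right SID but not an IntrusionEvent: excluded by the EventType filter.
    _ev(1700001200, 64797, "10.1.2.5", "203.0.113.10", 443, "Lumma outbound connection attempt",
        "Dropped", EventType="ConnectionEvent"),
]
# An event missing two by-clause fields; without fillnull Splunk would drop it from the stats output.
_partial = _ev(1700001500, 64168, "10.1.2.6", "203.0.113.11", 443, "Lumma outbound connection attempt", "Allowed")
del _partial["MitreAttackGroups"], _partial["app"]
SAMPLE_EVENTS.append(_partial)


def run_search(events, sids):
    """Emulate: EventType=IntrusionEvent signature_id IN (sids) | fillnull
    | stats min(_time) as firstTime max(_time) as lastTime by GROUP_BY.
    Returns one row per distinct by-clause tuple with epoch firstTime/lastTime."""
    groups = {}
    for ev in events:
        if ev.get("EventType") != "IntrusionEvent" or ev.get("signature_id") not in sids:
            continue
        # fillnull with no arguments replaces missing fields with 0 in Splunk, so the
        # event still lands in a stats group instead of being silently discarded.
        key = tuple(ev.get(field, 0) for field in GROUP_BY)
        first, last = groups.get(key, (ev["_time"], ev["_time"]))
        groups[key] = (min(first, ev["_time"]), max(last, ev["_time"]))
    rows = []
    for key, (first, last) in groups.items():
        row = dict(zip(GROUP_BY, key))
        row["firstTime"], row["lastTime"] = first, last
        rows.append(row)
    return rows


def ctime(epoch):
    """Stand-in for the `security_content_ctime` macro: render epoch seconds as a readable
    UTC timestamp. The exact output format of the real macro is an assumption here."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


def render(rows):
    """Apply ctime to firstTime/lastTime, as the last two macros in each search do."""
    return [{**r, "firstTime": ctime(r["firstTime"]), "lastTime": ctime(r["lastTime"])} for r in rows]


def needs_host_investigation(row):
    """Triage helper: the session reached the destination unless the sensor reports it dropped.
    Treating only "Dropped" as a block is an assumption about InlineResult values."""
    return row["InlineResult"] != "Dropped"


if __name__ == "__main__":
    for name, sids in (("outbound connection attempt", OUTBOUND_SIDS), ("download attempt", DOWNLOAD_SIDS)):
        print(f"== Lumma Stealer {name} ==")
        for row in render(run_search(SAMPLE_EVENTS, sids)):
            flag = "INVESTIGATE HOST" if needs_host_investigation(row) else "blocked"
            print(f"{row['src_ip']} -> {row['dest_ip']}:{row['dest_port']} sid={row['signature_id']} "
                  f"{row['firstTime']} .. {row['lastTime']} InlineResult={row['InlineResult']} [{flag}]")
```

Running the block shows two rows for the outbound search (the two 64797 hits collapse into one row spanning both timestamps, and the 64168 event survives because the missing fields were filled with 0) and one row for the download search; the ConnectionEvent record and the unrelated signature are dropped by the filters, which is why the page's false-positive note is "should be unlikely": the only thing that can fire is a Snort hit on these specific IDs.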