LoFP / false positives should be unlikely.

Techniques

Sample rules

Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt

Description

This analytic detects Lumma Stealer outbound connection attempts using Cisco Secure Firewall Intrusion Events. It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signatures with IDs 64797, 64798, 64799, 64800, 64801, 64167, 64168, 64169, 62709 have been triggered. If confirmed malicious, this behavior could indicate an active infection of Lumma Stealer.

Detection logic

`cisco_secure_firewall` EventType=IntrusionEvent signature_id IN (64797, 64798, 64799, 64800, 64801, 64167, 64168, 64169, 62709)
| fillnull
| stats min(_time) as firstTime max(_time) as lastTime
    by src dest dest_port transport signature_id signature class_desc MitreAttackGroups rule InlineResult InlineResultReason app
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___lumma_stealer_outbound_connection_attempt_filter`

Cisco Secure Firewall - Lumma Stealer Download Attempt

Description

This analytic detects Lumma Stealer download attempts using Cisco Secure Firewall Intrusion Events. It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signatures with IDs 64797, 64798, 64799, 64800, 64801, 64167, 64168, 64169 have been triggered. If confirmed malicious, this behavior could indicate an active infection of Lumma Stealer.

Detection logic

`cisco_secure_firewall` EventType=IntrusionEvent signature_id IN (62710, 62711, 62712, 62713, 62714, 62715, 62716, 62717, 64810, 64811)
| fillnull
| stats min(_time) as firstTime max(_time) as lastTime
    by src dest dest_port transport signature_id signature class_desc MitreAttackGroups rule InlineResult InlineResultReason app
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___lumma_stealer_download_attempt_filter`

Cisco Secure Firewall - Oracle E-Business Suite Exploitation

Description

This analytic detects vulnerability exploitation and post-compromise activity associated with Oracle E-Business Suite web-application vulnerabilities, CVE-2025-61882 and CVE-2025-61884. SIDs 65413-65415 detect Java.Backdoor.Cl0p variant payload downloads and Java.Backdoor.Cl0p outbound command-and-control connection attempts. SIDs 65456, 65377 and 65378 detect attempts to exploit these vulnerabilities. Security teams should investigate any instances of these signatures, especially if they are found in conjunction with other suspicious network activity or on systems that should not be exposed to such threats.

Detection logic

`cisco_secure_firewall` EventType=IntrusionEvent signature_id IN (65377, 65378, 65413, 65414, 65415, 65456)
| fillnull
| stats values(signature_id) as signature_id
    values(signature) as signature
    values(class_desc) as class_desc
    values(MitreAttackGroups) as MitreAttackGroups
    values(InlineResult) as InlineResult
    values(InlineResultReason) as InlineResultReason
    values(dest_port) as dest_port
    values(rule) as rule
    values(transport) as transport
    values(app) as app
    min(_time) as firstTime
    max(_time) as lastTime
    by src dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___oracle_e_business_suite_exploitation_filter`
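All three searches above share one shape: keep IntrusionEvent records whose signature_id is in a fixed Snort SID set, then aggregate first/last seen time (and, for the Oracle E-Business Suite rule, the distinct values of the other fields) per src/dest pair. The following Python is an added example that re-implements that logic outside Splunk so the grouping behaviour can be checked against sample data; it is not code from Splunk, Cisco or the Security Content project. The SID sets are copied from the three searches' IN (...) lists, the field names follow the searches, and the IntrusionEvent records are constructed (the InlineResult strings are sample values, not an authoritative list of what the firewall emits). The `security_content_ctime` macros and the per-rule `_filter` macros are not reproduced; timestamps stay as ISO-8601 strings.

```python
"""Signature-ID detections over constructed Cisco Secure Firewall IntrusionEvent
records. Added example, not Splunk/Cisco/Security Content code."""
from collections import defaultdict

# Snort SID sets copied from the three searches' IN (...) lists.
LUMMA_OUTBOUND_SIDS = {64797, 64798, 64799, 64800, 64801, 64167, 64168, 64169, 62709}
LUMMA_DOWNLOAD_SIDS = {62710, 62711, 62712, 62713, 62714, 62715, 62716, 62717, 64810, 64811}
ORACLE_EBS_SIDS = {65377, 65378, 65413, 65414, 65415, 65456}

RULES = {
    "lumma_stealer_outbound_connection_attempt": LUMMA_OUTBOUND_SIDS,
    "lumma_stealer_download_attempt": LUMMA_DOWNLOAD_SIDS,
    "oracle_e_business_suite_exploitation": ORACLE_EBS_SIDS,
}

# Constructed sample events (not real telemetry); only the fields the searches use.
SAMPLE_EVENTS = [
    {"_time": "2025-10-06T10:00:00Z", "EventType": "IntrusionEvent", "signature_id": 64797,
     "src": "10.1.1.20", "dest": "203.0.113.7", "dest_port": 443, "transport": "tcp",
     "InlineResult": "Blocked", "app": "HTTPS"},
    {"_time": "2025-10-06T10:05:00Z", "EventType": "IntrusionEvent", "signature_id": 62709,
     "src": "10.1.1.20", "dest": "203.0.113.7", "dest_port": 443, "transport": "tcp",
     "InlineResult": "Would Block", "app": "HTTPS"},
    {"_time": "2025-10-06T11:00:00Z", "EventType": "IntrusionEvent", "signature_id": 65377,
     "src": "198.51.100.9", "dest": "10.2.2.5", "dest_port": 8000, "transport": "tcp",
     "InlineResult": "Blocked", "app": "HTTP"},
    {"_time": "2025-10-06T11:01:00Z", "EventType": "IntrusionEvent", "signature_id": 65413,
     "src": "198.51.100.9", "dest": "10.2.2.5", "dest_port": 8000, "transport": "tcp",
     "InlineResult": "Would Block", "app": "HTTP"},
    # Same SID as a Lumma hit but a different EventType: the searches'
    # EventType=IntrusionEvent predicate must exclude it.
    {"_time": "2025-10-06T12:00:00Z", "EventType": "ConnectionEvent", "signature_id": 64797,
     "src": "10.1.1.30", "dest": "203.0.113.8", "dest_port": 443, "transport": "tcp"},
    # An IntrusionEvent whose SID is in none of the three lists; also lacks
    # InlineResult/app so fillnull behaviour is exercised if it ever matched.
    {"_time": "2025-10-06T12:30:00Z", "EventType": "IntrusionEvent", "signature_id": 1000001,
     "src": "10.1.1.40", "dest": "192.0.2.1", "dest_port": 80, "transport": "tcp"},
]

# Fields collected with values(...) in the Oracle E-Business Suite search
# (subset present in the sample events).
VALUE_FIELDS = ("signature_id", "dest_port", "transport", "InlineResult", "app")


def run_rule(events, sids):
    """Equivalent of:
         EventType=IntrusionEvent signature_id IN (...)
         | fillnull
         | stats values(...) min(_time) as firstTime max(_time) as lastTime by src dest
    Returns {(src, dest): {"firstTime", "lastTime", "count", <VALUE_FIELDS>...}}."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("EventType") != "IntrusionEvent":
            continue
        if ev.get("signature_id") not in sids:
            continue
        groups[(ev["src"], ev["dest"])].append(ev)

    result = {}
    for key, evs in groups.items():
        # ISO-8601 UTC strings of equal layout sort chronologically as strings.
        times = sorted(ev["_time"] for ev in evs)
        row = {"firstTime": times[0], "lastTime": times[-1], "count": len(evs)}
        for field in VALUE_FIELDS:
            # fillnull replaces a missing field with "0"; values() yields the
            # distinct set, which Splunk returns lexically sorted.
            row[field] = sorted({str(ev.get(field, "0")) for ev in evs})
        result[key] = row
    return result


def run_all(events):
    """Run every rule on the page against the same event stream."""
    return {name: run_rule(events, sids) for name, sids in RULES.items()}


if __name__ == "__main__":
    for name, hits in run_all(SAMPLE_EVENTS).items():
        print(name)
        for (src, dest), row in hits.items():
            print(f"  {src} -> {dest}: {row}")
```

Two things the sample data makes visible: the second Lumma SID from the same host/destination folds into one row with an earlier firstTime and later lastTime rather than producing a second alert, and a row whose InlineResult set contains only "Would Block"-style values (constructed here) means the sensor observed but did not drop the traffic, which changes the urgency of the investigation.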