Techniques
Sample rules
Cisco Secure Firewall - Oracle E-Business Suite Exploitation
- source: splunk
- techniques:
- T1190
Description
This analytic detects vulnerability exploitation and post-compromise activity associated with Oracle E-Business Suite web-application vulnerabilities, CVE-2025-61882 and CVE-2025-61884. SIDs 65413-65415 detect Java.Backdoor.Cl0p variant payload downloads and Java.Backdoor.Cl0p outbound command-and-control connection attempts. SIDs 65456, 65377 and 65378 detect attempts to exploit these vulnerabilities. Security teams should investigate any instances of these signatures, especially if they are found in conjunction with other suspicious network activity or on systems that should not be exposed to such threats.
Detection logic
`cisco_secure_firewall`
EventType=IntrusionEvent
signature_id IN (65377, 65378, 65413, 65414, 65415, 65456)
| fillnull
| stats values(signature_id) as signature_id
values(signature) as signature
values(class_desc) as class_desc
values(MitreAttackGroups) as MitreAttackGroups
values(InlineResult) as InlineResult
values(InlineResultReason) as InlineResultReason
values(dest_port) as dest_port
values(rule) as rule
values(transport) as transport
values(app) as app
min(_time) as firstTime
max(_time) as lastTime
by src_ip dest_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___oracle_e_business_suite_exploitation_filter`
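The filter-and-aggregate step of the search above, re-implemented in Python over constructed IntrusionEvent records so the `stats values(...) min(_time) max(_time) by src_ip dest_ip` behaviour can be inspected outside Splunk. This is an added example, not Splunk security content or Cisco code; the field names follow the search, while the sample events and the ctime stand-in are assumptions.

```python
from datetime import datetime, timezone

# Snort SIDs named in the analytic above.
ORACLE_EBS_SIDS = {65377, 65378, 65413, 65414, 65415, 65456}
# Fields the SPL collects with values(...).
VALUE_FIELDS = ["signature_id", "signature", "class_desc", "MitreAttackGroups",
                "InlineResult", "InlineResultReason", "dest_port", "rule",
                "transport", "app"]

# Constructed sample IntrusionEvent records (not real firewall output);
# _time is epoch seconds, as Splunk stores it.
SAMPLE_EVENTS = [
    {"EventType": "IntrusionEvent", "_time": 1760000000, "src_ip": "198.51.100.7",
     "dest_ip": "10.0.0.5", "dest_port": 443, "transport": "tcp", "signature_id": 65456,
     "class_desc": "Attempted Admin Privilege Gain", "InlineResult": "Would Have Dropped"},
    {"EventType": "IntrusionEvent", "_time": 1760000090, "src_ip": "10.0.0.5",
     "dest_ip": "203.0.113.9", "dest_port": 80, "transport": "tcp", "signature_id": 65414,
     "class_desc": "Malware-CnC", "InlineResult": "Dropped"},
    # Same src/dest pair as the first hit, 5 minutes later: merges into one row.
    {"EventType": "IntrusionEvent", "_time": 1760000300, "src_ip": "198.51.100.7",
     "dest_ip": "10.0.0.5", "dest_port": 443, "transport": "tcp", "signature_id": 65377,
     "class_desc": "Attempted Admin Privilege Gain", "InlineResult": "Would Have Dropped"},
    # Unrelated SID: must be filtered out.
    {"EventType": "IntrusionEvent", "_time": 1760000400, "src_ip": "192.0.2.3",
     "dest_ip": "10.0.0.5", "dest_port": 443, "transport": "tcp", "signature_id": 1},
]

def ctime(epoch):
    """Stand-in for security_content_ctime: epoch seconds -> readable UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def detect_oracle_ebs(events, sids=ORACLE_EBS_SIDS):
    """Filter IntrusionEvents on the SIDs, then emulate
    `stats values(...) min(_time) max(_time) by src_ip dest_ip`."""
    rows = {}
    for ev in events:
        if ev.get("EventType") != "IntrusionEvent" or ev.get("signature_id") not in sids:
            continue
        key = (ev["src_ip"], ev["dest_ip"])
        row = rows.setdefault(key, {f: set() for f in VALUE_FIELDS})
        for f in VALUE_FIELDS:
            row[f].add(ev.get(f, 0))  # fillnull: absent fields become 0
        row["firstTime"] = min(row.get("firstTime", ev["_time"]), ev["_time"])
        row["lastTime"] = max(row.get("lastTime", ev["_time"]), ev["_time"])
    # One result row per (src_ip, dest_ip); multivalue fields sorted for stable output.
    return {k: {**{f: sorted(v[f], key=str) for f in VALUE_FIELDS},
                "firstTime": ctime(v["firstTime"]), "lastTime": ctime(v["lastTime"])}
            for k, v in rows.items()}
```

Running `detect_oracle_ebs(SAMPLE_EVENTS)` yields two rows: the repeated 198.51.100.7 to 10.0.0.5 hits collapse into one row with both SIDs and a five-minute firstTime/lastTime span, and the unrelated SID is dropped.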
Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt
- source: splunk
- techniques:
- T1041
- T1573.002
Description
This analytic detects Lumma Stealer outbound connection attempts using Cisco Secure Firewall Intrusion Events. It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signatures with IDs 64797, 64798, 64799, 64800, 64801, 64167, 64168, 64169, 62709 have been triggered. If confirmed malicious, this behavior could indicate an active infection of Lumma Stealer.
Detection logic
`cisco_secure_firewall` EventType=IntrusionEvent signature_id IN (64797, 64798, 64799, 64800, 64801, 64167, 64168, 64169, 62709)
| fillnull
| stats min(_time) as firstTime max(_time) as lastTime
by src_ip dest_ip dest_port transport signature_id signature class_desc MitreAttackGroups rule InlineResult InlineResultReason app
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___lumma_stealer_outbound_connection_attempt_filter`
Cisco Secure Firewall - Lumma Stealer Download Attempt
- source: splunk
- techniques:
- T1041
- T1573.002
Description
This analytic detects Lumma Stealer download attempts using Cisco Secure Firewall Intrusion Events. It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signatures with IDs 64797, 64798, 64799, 64800, 64801, 64167, 64168, 64169 have been triggered. If confirmed malicious, this behavior could indicate an active infection of Lumma Stealer.
Detection logic
`cisco_secure_firewall` EventType=IntrusionEvent signature_id IN (62710, 62711, 62712, 62713, 62714, 62715, 62716, 62717, 64810, 64811)
| fillnull
| stats min(_time) as firstTime max(_time) as lastTime
by src_ip dest_ip dest_port transport signature_id signature class_desc MitreAttackGroups rule InlineResult InlineResultReason app
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___lumma_stealer_download_attempt_filter`