false positives should be very unlikely.

Techniques

Sample rules

Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity

source: splunk
technicques:
- T1190
- T1210
- T1059.001
- T1003.001

Description

This analytic detects exploitation activity of CVE-2023-27532 using Cisco Secure Firewall Intrusion Events. It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signature 61514 (Veeam Backup and Replication credential dump attempt) is followed within a 5-minute window by 64795 (Veeam Backup and Replication xp_cmdshell invocation attempt), which detects the use of xp_cmdshell, a common post-exploitation technique. If confirmed malicious, this behavior is highly indicative of a successful exploitation of CVE-2023-27532, followed by remote command execution or credential dumping.

Detection logic

`cisco_secure_firewall` EventType=IntrusionEvent signature_id IN (61514, 64795)

| bin _time span=5m

| fillnull

| stats dc(signature_id) as unique_signature_count 
        values(signature_id) as signature_id 
        values(signature) as signature 
        values(class_desc) as class_desc 
        values(MitreAttackGroups) as MitreAttackGroups 
        values(InlineResult) as InlineResult 
        values(InlineResultReason) as InlineResultReason 
        values(src_ip) as src_ip 
        values(dest_port) as dest_port 
        values(rule) as rule 
        values(transport) as transport 
        values(app) as app 
        min(_time) as firstTime 
        max(_time) as lastTime 
        by dest_ip

| where unique_signature_count = 2

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `cisco_secure_firewall___veeam_cve_2023_27532_exploitation_activity_filter`

Cisco Secure Firewall - Lumma Stealer Activity

source: splunk
technicques:
- T1190
- T1210
- T1027
- T1204

Description

This analytic detects Lumma Stealer activity using Cisco Secure Firewall Intrusion Events. It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where four of the following Snort signature IDs 64793, 64794, 64797, 64798, 64799, 64800, 64801, 62709, 64167, 64168, 64169, 64796, 62710, 62711, 62712, 62713, 62714, 62715, 62716, 62717, 64812, 64810, 64811 occurs in the span of 15 minutes from the same host. If confirmed malicious, this behavior is highly indicative of a successful infection of Lumma Stealer.

Detection logic

`cisco_secure_firewall` EventType=IntrusionEvent signature_id IN (64793, 64794, 64797, 64798, 64799, 64800, 64801, 62709, 64167, 64168, 64169, 64796, 62710, 62711, 62712, 62713, 62714, 62715, 62716, 62717, 64812, 64810, 64811)

| bin _time span=15m

| fillnull

| stats dc(signature_id) as unique_signature_count 
        values(signature_id) as signature_id 
        values(signature) as signature 
        values(class_desc) as class_desc 
        values(MitreAttackGroups) as MitreAttackGroups 
        values(InlineResult) as InlineResult 
        values(InlineResultReason) as InlineResultReason 
        values(dest_ip) as dest_ip 
        values(dest_port) as dest_port 
        values(rule) as rule 
        values(transport) as transport 
        values(app) as app 
        min(_time) as firstTime 
        max(_time) as lastTime 
        by src_ip

| where unique_signature_count >= 3

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `cisco_secure_firewall___lumma_stealer_activity_filter`