Techniques
Sample rules
Cisco NVM - Webserver Download From File Sharing Website
- source: splunk
- technicques:
- T1105
- T1190
Description
This analytic detects unexpected outbound network connections initiated by known webserver processes such as httpd.exe
, nginx.exe
, or tomcat.exe
to common file sharing or public content hosting services like GitHub, Discord CDN, Transfer.sh, or Pastebin.
Webservers are rarely expected to perform outbound downloads, especially to dynamic or anonymous file hosting domains. This behavior is often associated with server compromise,
where an attacker uses a reverse shell, webshell, or injected task to fetch malware or tools post-exploitation.
The detection leverages Cisco Network Visibility Module flow data, enriched with process context, to identify this highly suspicious behavior.
Detection logic
`cisco_network_visibility_module_flowdata`
process_name IN (
"http*.exe", "nginx*.exe", "php*.exe", "php-cgi*.exe", "tomcat*.exe"
)
dest_hostname IN (
"*.githubusercontent.com*", "*anonfiles.com*", "*cdn.discordapp.com*", "*ddns.net*",
"*dl.dropboxusercontent.com*", "*ghostbin.co*", "*glitch.me*", "*gofile.io*",
"*hastebin.com*", "*mediafire.com*", "*mega.nz*", "*onrender.com*", "*pages.dev*",
"*paste.ee*", "*pastebin.*", "*pastetext.net*", "*privatlab.*",
"*send.exploit.in*", "*sendspace.com*", "*storage.googleapis.com*",
"*storjshare.io*", "*supabase.co*", "*temp.sh*", "*transfer.sh*", "*trycloudflare.com*",
"*ufile.io*", "*w3spaces.com*", "*workers.dev*"
)
| stats count min(_time) as firstTime max(_time) as lastTime
values(parent_process_arguments) as parent_process_arguments
values(process_arguments) as process_arguments
values(parent_process_hash) as parent_process_hash
values(process_hash) as process_hash
values(module_name_list) as module_name_list
values(module_hash_list) as module_hash_list
values(dest_port) as dest_port
values(aliul) as additional_logged_in_users_list
values(dest_hostname) as dest_hostname
by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table
parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
process_integrity_level process_path process_name process_arguments process_hash process_id
additional_logged_in_users_list module_name_list module_hash_list
src dest_hostname dest dest_port transport firstTime lastTime
| `cisco_nvm___webserver_download_from_file_sharing_website_filter`