Techniques
Sample rules
Cisco Secure Firewall - Binary File Type Download
- source: splunk
- techniques:
  - T1203
  - T1059
Description
The following analytic detects file downloads involving executable, archive, or scripting-related file types that are commonly used in malware delivery. These file types include formats like PE executables, shell scripts, autorun files, installers, and known testing samples such as EICAR. This detection leverages Cisco Secure Firewall Threat Defense logs and enriches the results using a filetype lookup to provide context. If confirmed malicious, these downloads could indicate the initial infection vector, malware staging, or scripting abuse.
Detection logic
`cisco_secure_firewall` EventType=FileEvent FileDirection="Download"
FileType IN ("ISHIELD_MSI", "BINHEX", "BINARY_DATA", "ELF", "MACHO", "JARPACK", "TORRENT", "AUTORUN", "EICAR", "LNK", "SCR", "UNIX_SCRIPT")
| lookup cisco_secure_firewall_filetype_lookup Name as FileType OUTPUT Description
| stats count min(_time) as firstTime max(_time) as lastTime
values(uri) as uri
values(ClientApplication) as ClientApplication
values(file_hash) as file_hash
values(SHA_Disposition) as SHA_Disposition
by FileDirection FileType src_ip dest app file_name ThreatName dest_port Description
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table firstTime lastTime src_ip dest dest_port FileDirection FileType Description uri file_name file_hash app ClientApplication SHA_Disposition ThreatName
| `cisco_secure_firewall___binary_file_type_download_filter`
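As an added example (not part of the Splunk rule or Cisco's lookup), the same search, lookup and stats stages re-implemented in Python and run over constructed file events, so the filtering and aggregation can be checked offline; the lookup descriptions and all event values are assumed.

```python
FLAGGED_FILE_TYPES = {  # the FileType IN (...) list from the rule above
    "ISHIELD_MSI", "BINHEX", "BINARY_DATA", "ELF", "MACHO", "JARPACK",
    "TORRENT", "AUTORUN", "EICAR", "LNK", "SCR", "UNIX_SCRIPT"}
# Stand-in for cisco_secure_firewall_filetype_lookup; descriptions are assumed.
FILETYPE_LOOKUP = {"ELF": "Linux ELF executable", "EICAR": "EICAR test file"}
GROUP_BY = ("FileDirection", "FileType", "src_ip", "dest", "app", "file_name",
            "ThreatName", "dest_port", "Description")   # the stats ... by fields
VALUES = ("uri", "ClientApplication", "file_hash", "SHA_Disposition")  # values()


def ev(t, ftype, direction="Download", **over):
    """Build a constructed file event carrying the fields the rule uses."""
    e = {"_time": t, "EventType": "FileEvent", "FileDirection": direction,
         "FileType": ftype, "src_ip": "10.0.0.5", "dest": "198.51.100.7",
         "dest_port": 80, "app": "HTTP", "file_name": "update", "ThreatName": "",
         "uri": "/dl/update", "ClientApplication": "curl", "file_hash": "h1",
         "SHA_Disposition": "Unavailable"}
    e.update(over)
    return e


SAMPLE_EVENTS = [  # constructed sample data, not real firewall output
    ev(1700000000, "ELF"),
    ev(1700000600, "ELF", file_hash="h2", uri="/dl/update?v=2"),  # same group key
    ev(1700000300, "PDF"),                                        # type not flagged
    ev(1700000900, "ELF", direction="Upload"),                    # wrong direction
    ev(1700001200, "EICAR", file_name="eicar.com", dest="203.0.113.9"),
]


def detect(events):
    """Apply the search, lookup and stats stages; one row per distinct group key."""
    rows = {}
    for e in events:
        if e.get("EventType") != "FileEvent" or e.get("FileDirection") != "Download":
            continue
        if e.get("FileType") not in FLAGGED_FILE_TYPES:
            continue
        e = dict(e, Description=FILETYPE_LOOKUP.get(e["FileType"]))  # enrichment
        key = tuple(e[f] for f in GROUP_BY)
        if key not in rows:
            rows[key] = dict(zip(GROUP_BY, key), count=0, firstTime=e["_time"],
                             lastTime=e["_time"], **{f: set() for f in VALUES})
        r = rows[key]
        r["count"] += 1
        r["firstTime"] = min(r["firstTime"], e["_time"])
        r["lastTime"] = max(r["lastTime"], e["_time"])
        for f in VALUES:
            r[f].add(e[f])  # values(field) collects the distinct values seen
    return list(rows.values())
```

Running `detect(SAMPLE_EVENTS)` yields two rows: the two ELF downloads collapse into one row with count 2 and both hashes, while the PDF and the upload are dropped.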