Cisco Secure Firewall - File Download Over Uncommon Port
- source: splunk
- techniques:
- T1105
- T1571
Description
The following analytic detects file transfers flagged as malware that occurred over non-standard ports (any port other than 80 and 443). Adversaries may use alternate ports to bypass protocol-based detection or to blend in with other traffic. This analytic identifies these non-conventional flows and surfaces potential evasion techniques. If confirmed malicious, this may indicate malware delivery or other nefarious activity.
Detection logic
`cisco_secure_firewall` EventType=FileEvent FileDirection="Download" NOT dest_port IN (80, 443)
| lookup cisco_secure_firewall_filetype_lookup Name as FileType OUTPUT Description
| stats count min(_time) as firstTime max(_time) as lastTime
values(file_name) as file_name
values(uri) as uri
values(ClientApplication) as ClientApplication
values(file_hash) as file_hash
values(SHA_Disposition) as SHA_Disposition
by FileDirection FileType app ThreatName dest_port Description src_ip dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table firstTime lastTime src_ip dest dest_port FileDirection FileType Description uri ClientApplication file_name file_hash SHA_Disposition ThreatName
| `cisco_secure_firewall___file_download_over_uncommon_port_filter`
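The same filter-and-aggregate logic written as a stand-alone Python function and run over constructed FileEvent records, as an added example that is not part of the Splunk analytic. FILETYPE_LOOKUP stands in for the cisco_secure_firewall_filetype_lookup table and all sample values (times, addresses, file names, hash placeholder) are made up.

```python
COMMON_PORTS = {80, 443}
GROUP_KEYS = ("FileDirection", "FileType", "app", "ThreatName", "dest_port", "src_ip", "dest")
VALUE_FIELDS = ("file_name", "uri", "ClientApplication", "file_hash", "SHA_Disposition")

# Constructed stand-in for cisco_secure_firewall_filetype_lookup (Name -> Description).
FILETYPE_LOOKUP = {"MSEXE": "Windows executable", "PDF": "Portable Document Format"}

def _event(t, direction, port, ftype, threat, src, dest, fname, **extra):
    """Build a constructed FileEvent record; field names follow the SPL above."""
    ev = {"_time": t, "EventType": "FileEvent", "FileDirection": direction, "dest_port": port,
          "FileType": ftype, "app": "HTTP", "ThreatName": threat, "src_ip": src, "dest": dest,
          "file_name": fname, "uri": "/" + fname, "ClientApplication": "curl",
          "file_hash": "sha256-placeholder", "SHA_Disposition": "Malware"}
    ev.update(extra)
    return ev

SAMPLE_EVENTS = [  # constructed sample telemetry, not real firewall data
    _event(1710000000, "Download", 8080, "MSEXE", "Win.Dropper.Generic", "10.0.0.5", "203.0.113.10", "update.exe"),
    _event(1710000060, "Download", 8080, "MSEXE", "Win.Dropper.Generic", "10.0.0.5", "203.0.113.10", "update2.exe"),
    _event(1710000120, "Download", 443, "MSEXE", "Win.Dropper.Generic", "10.0.0.5", "203.0.113.10", "ok.exe"),  # common port: excluded
    _event(1710000180, "Upload", 8443, "PDF", "Pdf.Exploit.Generic", "10.0.0.7", "198.51.100.20", "out.pdf"),  # not a download: excluded
    _event(1710000240, "Download", 2222, "PDF", "Pdf.Exploit.Generic", "10.0.0.7", "198.51.100.20", "inv.pdf"),
]

def uncommon_port_downloads(events):
    """Keep FileEvent downloads not on 80/443, then aggregate like the SPL stats clause."""
    groups = {}
    for ev in events:
        if ev.get("EventType") != "FileEvent" or ev.get("FileDirection") != "Download":
            continue
        # `NOT dest_port IN (80, 443)` also keeps events with no dest_port field; mirror that.
        if ev.get("dest_port") in COMMON_PORTS:
            continue
        key = tuple(ev.get(k) for k in GROUP_KEYS)
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"],
                                    **{f: set() for f in VALUE_FIELDS}})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
        for f in VALUE_FIELDS:  # values(...) collects the distinct values per group
            if ev.get(f) is not None:
                g[f].add(ev[f])
    rows = []
    for key, g in groups.items():
        row = dict(zip(GROUP_KEYS, key))
        row["Description"] = FILETYPE_LOOKUP.get(row["FileType"])  # the lookup step
        row.update({k: (sorted(v) if isinstance(v, set) else v) for k, v in g.items()})
        rows.append(row)
    return sorted(rows, key=lambda r: r["firstTime"])

if __name__ == "__main__":
    for row in uncommon_port_downloads(SAMPLE_EVENTS):
        print(row["firstTime"], row["src_ip"], row["dest"], row["dest_port"], row["count"], row["file_name"])
```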