From 5cb3a0d56482273a94a0406b08908a6a338d3d4c Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Mon, 28 Apr 2025 18:14:05 +0200 Subject: [PATCH 1/6] Intrusion Correlation and Activity Batch --- ...high_priority_intrusion_classification.yml | 96 +++++++++++++++++++ ...cure_firewall___lumma_stealer_activity.yml | 91 ++++++++++++++++++ ...ewall___lumma_stealer_download_attempt.yml | 73 ++++++++++++++ ...ma_stealer_outbound_connection_attempt.yml | 73 ++++++++++++++ ...m_cve_2023_27532_exploitation_activity.yml | 92 ++++++++++++++++++ 5 files changed, 425 insertions(+) create mode 100644 detections/network/cisco_secure_firewall___high_priority_intrusion_classification.yml create mode 100644 detections/network/cisco_secure_firewall___lumma_stealer_activity.yml create mode 100644 detections/network/cisco_secure_firewall___lumma_stealer_download_attempt.yml create mode 100644 detections/network/cisco_secure_firewall___lumma_stealer_outbound_connection_attempt.yml create mode 100644 detections/network/cisco_secure_firewall___veeam_cve_2023_27532_exploitation_activity.yml diff --git a/detections/network/cisco_secure_firewall___high_priority_intrusion_classification.yml b/detections/network/cisco_secure_firewall___high_priority_intrusion_classification.yml new file mode 100644 index 0000000000..3a9ecd80f1 --- /dev/null +++ b/detections/network/cisco_secure_firewall___high_priority_intrusion_classification.yml @@ -0,0 +1,96 @@ +name: Cisco Secure Firewall - High Priority Intrusion Classification +id: ec99bb81-c31b-4837-8c7d-1b32aa70b337 +version: 1 +date: '2025-04-28' +author: Nasreddine Bencherchali, Splunk +status: production +type: TTP +description: | + This analytic identifies high-severity intrusion events based on the classification assigned to Snort rules within Cisco Secure Firewall logs. + It leverages Cisco Secure Firewall Threat Defense logs and focuses on events classified as: + + - A Network Trojan was Detected + - Successful Administrator Privilege Gain + - Successful User Privilege Gain + - Attempt to Login By a Default Username and Password + - Known malware command and control traffic + - Known malicious file or file based exploit + - Known client side exploit attempt + - Large Scale Information Leak" + + These classifications typically represent significant threats such as remote code execution, credential theft, lateral movement, or malware communication. Detection of these classifications should be prioritized for immediate investigation. +data_source: + - Cisco Secure Firewall Threat Defense Intrusion Event +search: | + `cisco_secure_firewall` EventType=IntrusionEvent + class_desc IN ("A Network Trojan was Detected", "Successful Administrator Privilege Gain", "Successful User Privilege Gain", "Attempt to Login By a Default Username and Password", "Known malware command and control traffic", "Known malicious file or file based exploit", "Known client side exploit attempt", "Large Scale Information Leak") + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime + values(signature_id) as signature_id + values(MitreAttackGroups) as MitreAttackGroups + values(InlineResult) as InlineResult + values(InlineResultReason) as InlineResultReason + values(src_ip) as src_ip + values(dest_port) as dest_port + values(rule) as rule + values(transport) as transport + values(app) as app + by src_ip, dest_ip, signature, class_desc + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `cisco_secure_firewall___high_priority_intrusion_classification_filter` +how_to_implement: | + This search requires Cisco Secure Firewall Threat Defense Logs, which + includes the IntrusionEvent EventType. This search uses an input macro named `cisco_secure_firewall`. + We strongly recommend that you specify your environment-specific configurations + (index, source, sourcetype, etc.) for Cisco Secure Firewall Threat Defense logs. Replace the macro definition + with configurations for your Splunk environment. The search also uses a post-filter + macro designed to filter out known false positives. + The logs are to be ingested using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404). + The intrusion access policy must also be configured. +known_false_positives: Some intrusion events that are linked to these classifications might be noisy in certain environments. Apply a combination of filters for specific snort IDs and other indicators. +references: + - https://www.cisco.com/c/en/us/td/docs/security/firepower/741/api/FQE/secure_firewall_estreamer_fqe_guide_740.pdf +drilldown_searches: +- name: View the detection results for - "$src_ip$" and "$signature_id$" + search: '%original_detection_search% | search src_ip = "$src_ip$" and signature_id = "$signature_id$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$src_ip$" and "$signature_id$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$", "$signature_id$") starthoursago=168 | stats count min(_time) + as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) + as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A high priority intrusion event with classification ($class_desc$) was detected from $src_ip$ to $dest_ip$, indicating potential suspicious activity. + risk_objects: + - field: src_ip + type: system + score: 25 + threat_objects: + - field: signature + type: signature +tags: + analytic_story: + - Cisco Secure Firewall Threat Defense Analytics + asset_type: Network + security_domain: network + mitre_attack_id: + - T1203 + - T1003 + - T1071 + - T1190 + - T1078 + product: + - Splunk Enterprise + - Splunk Cloud + - Splunk Enterprise Security +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/intrusion_event/intrusion_events.log + source: not_applicable + sourcetype: cisco:sfw:estreamer diff --git a/detections/network/cisco_secure_firewall___lumma_stealer_activity.yml b/detections/network/cisco_secure_firewall___lumma_stealer_activity.yml new file mode 100644 index 0000000000..1184bf8ba8 --- /dev/null +++ b/detections/network/cisco_secure_firewall___lumma_stealer_activity.yml @@ -0,0 +1,91 @@ +name: Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity +id: 7b7c2e92-f0b2-48d2-9c9b-b8de52b6b2ae +version: 1 +date: '2025-04-14' +author: Nasreddine Bencherchali, Splunk, Talos NTDR +status: production +type: TTP +description: | + This analytic detects exploitation activity of CVE-2023-27532 using Cisco Secure Firewall Intrusion Events. + It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where four of the following Snort signature IDs 64793, 64794, 64797, 64798, 64799, 64800, 64801, 62709, 64167, 64168, 64169, 64796, 62710, 62711, 62712, 62713, 62714, 62715, 62716, 62717, 64812, 64810, 64811 occurs in the span of 15 minutes from the same host. + If confirmed malicious, this behavior is highly indicative of a successful infection of Lumma Stealer. +data_source: + - Cisco Secure Firewall Threat Defense Intrusion Event +search: | + `cisco_secure_firewall` EventType=IntrusionEvent signature_id IN (64793, 64794, 64797, 64798, 64799, 64800, 64801, 62709, 64167, 64168, 64169, 64796, 62710, 62711, 62712, 62713, 62714, 62715, 62716, 62717, 64812, 64810, 64811) + | bin _time span=15m + | fillnull + | stats dc(signature_id) as unique_signature_count + values(signature_id) as signature_id + values(signature) as signature + values(class_desc) as class_desc + values(MitreAttackGroups) as MitreAttackGroups + values(InlineResult) as InlineResult + values(InlineResultReason) as InlineResultReason + values(dest_ip) as dest_ip + values(dest_port) as dest_port + values(rule) as rule + values(transport) as transport + values(app) as app + min(_time) as firstTime + max(_time) as lastTime + by src_ip + | where unique_signature_count >= 4 + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `cisco_secure_firewall___lumma_stealer_activity_filter` +how_to_implement: | + This search requires Cisco Secure Firewall Threat Defense Logs, which + includes the IntrusionEvent EventType. This search uses an input macro named `cisco_secure_firewall`. + We strongly recommend that you specify your environment-specific configurations + (index, source, sourcetype, etc.) for Cisco Secure Firewall Threat Defense logs. Replace the macro definition + with configurations for your Splunk environment. The search also uses a post-filter + macro designed to filter out known false positives. + The logs are to be ingested using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404). + The intrusion access policy must also be configured. +known_false_positives: False positives should be very unlikely. +references: + - https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma +drilldown_searches: +- name: View the detection results for - "$src_ip$" and "$signature_id$" + search: '%original_detection_search% | search src_ip = "$src_ip$" and signature_id = "$signature_id$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$src_ip$" and "$signature_id$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$", "$signature_id$") starthoursago=168 | stats count min(_time) + as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) + as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Lumma Stealer Activity on host $scr_ip$. + risk_objects: + - field: src_ip + type: system + score: 25 + threat_objects: + - field: signature + type: signature +tags: + analytic_story: + - Cisco Secure Firewall Threat Defense Analytics + - Lumma Stealer + asset_type: Network + security_domain: network + mitre_attack_id: + - T1190 + - T1210 + - T1027 + - T1204 + product: + - Splunk Enterprise + - Splunk Cloud + - Splunk Enterprise Security +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/lumma_stealer/lumma_stealer_events.log + source: not_applicable + sourcetype: cisco:sfw:estreamer diff --git a/detections/network/cisco_secure_firewall___lumma_stealer_download_attempt.yml b/detections/network/cisco_secure_firewall___lumma_stealer_download_attempt.yml new file mode 100644 index 0000000000..ba64a1f99f --- /dev/null +++ b/detections/network/cisco_secure_firewall___lumma_stealer_download_attempt.yml @@ -0,0 +1,73 @@ +name: Cisco Secure Firewall - Lumma Stealer Download Attempt +id: 66f22f52-fbae-4be7-a263-561dacb63613 +version: 1 +date: '2025-04-26' +author: Nasreddine Bencherchali, Splunk, Talos NTDR +status: production +type: Anomaly +description: | + This analytic detects Lumma Stealer download attempts using Cisco Secure Firewall Intrusion Events. + It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signatures with IDs 64797, 64798, 64799, 64800, 64801, 64167, 64168, 64169 have been triggered. If confirmed malicious, this behavior could indicate an active infection of Lumma Stealer. +data_source: + - Cisco Secure Firewall Threat Defense Intrusion Event +search: | + `cisco_secure_firewall` EventType=IntrusionEvent signature_id IN (62710, 62711, 62712, 62713, 62714, 62715, 62716, 62717, 64810, 64811) + | fillnull + | stats min(_time) as firstTime max(_time) as lastTime + by src_ip dest_ip dest_port transport signature_id signature class_desc MitreAttackGroups rule InlineResult InlineResultReason app + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `cisco_secure_firewall___lumma_stealer_outbound_connection_attempt` +how_to_implement: | + This search requires Cisco Secure Firewall Threat Defense Logs, which + includes the IntrusionEvent EventType. This search uses an input macro named `cisco_secure_firewall`. + We strongly recommend that you specify your environment-specific configurations + (index, source, sourcetype, etc.) for Cisco Secure Firewall Threat Defense logs. Replace the macro definition + with configurations for your Splunk environment. The search also uses a post-filter + macro designed to filter out known false positives. + The logs are to be ingested using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404). + The intrusion access policy must also be configured. +known_false_positives: False positives should be unlikely. +references: + - https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma +drilldown_searches: +- name: View the detection results for - "$src_ip$" and "$signature_id$" + search: '%original_detection_search% | search src_ip = "$src_ip$" and signature_id = "$signature_id$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$src_ip$" and "$signature_id$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$", "$signature_id$") starthoursago=168 | stats count min(_time) + as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) + as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Lumma Stealer Download Attempt initiated by $src_ip$ from $dest_ip$. + risk_objects: + - field: src_ip + type: system + score: 25 + threat_objects: + - field: signature + type: signature +tags: + analytic_story: + - Cisco Secure Firewall Threat Defense Analytics + - Lumma Stealer + asset_type: Network + security_domain: network + mitre_attack_id: + - T1041 + - T1573.002 + product: + - Splunk Enterprise + - Splunk Cloud + - Splunk Enterprise Security +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/lumma_stealer/lumma_stealer_events.log + source: not_applicable + sourcetype: cisco:sfw:estreamer diff --git a/detections/network/cisco_secure_firewall___lumma_stealer_outbound_connection_attempt.yml b/detections/network/cisco_secure_firewall___lumma_stealer_outbound_connection_attempt.yml new file mode 100644 index 0000000000..79fa8faac4 --- /dev/null +++ b/detections/network/cisco_secure_firewall___lumma_stealer_outbound_connection_attempt.yml @@ -0,0 +1,73 @@ +name: Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt +id: 66f22f52-fbae-4be7-a263-561dacb63612 +version: 1 +date: '2025-04-26' +author: Nasreddine Bencherchali, Splunk, Talos NTDR +status: production +type: Anomaly +description: | + This analytic detects Lumma Stealer outbound connection attempts using Cisco Secure Firewall Intrusion Events. + It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signatures with IDs 64797, 64798, 64799, 64800, 64801, 64167, 64168, 64169, 62709 have been triggered. If confirmed malicious, this behavior could indicate an active infection of Lumma Stealer. +data_source: + - Cisco Secure Firewall Threat Defense Intrusion Event +search: | + `cisco_secure_firewall` EventType=IntrusionEvent signature_id IN (64797, 64798, 64799, 64800, 64801, 64167, 64168, 64169, 62709) + | fillnull + | stats min(_time) as firstTime max(_time) as lastTime + by src_ip dest_ip dest_port transport signature_id signature class_desc MitreAttackGroups rule InlineResult InlineResultReason app + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `cisco_secure_firewall___lumma_stealer_outbound_connection_attempt` +how_to_implement: | + This search requires Cisco Secure Firewall Threat Defense Logs, which + includes the IntrusionEvent EventType. This search uses an input macro named `cisco_secure_firewall`. + We strongly recommend that you specify your environment-specific configurations + (index, source, sourcetype, etc.) for Cisco Secure Firewall Threat Defense logs. Replace the macro definition + with configurations for your Splunk environment. The search also uses a post-filter + macro designed to filter out known false positives. + The logs are to be ingested using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404). + The intrusion access policy must also be configured. +known_false_positives: False positives should be unlikely. +references: + - https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma +drilldown_searches: +- name: View the detection results for - "$src_ip$" and "$signature_id$" + search: '%original_detection_search% | search src_ip = "$src_ip$" and signature_id = "$signature_id$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$src_ip$" and "$signature_id$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$", "$signature_id$") starthoursago=168 | stats count min(_time) + as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) + as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Lumma Stealer Outbound Connection Attempt initiated by $src_ip$ to $dest_ip$. + risk_objects: + - field: src_ip + type: system + score: 25 + threat_objects: + - field: signature + type: signature +tags: + analytic_story: + - Cisco Secure Firewall Threat Defense Analytics + - Lumma Stealer + asset_type: Network + security_domain: network + mitre_attack_id: + - T1041 + - T1573.002 + product: + - Splunk Enterprise + - Splunk Cloud + - Splunk Enterprise Security +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/lumma_stealer/lumma_stealer_events.log + source: not_applicable + sourcetype: cisco:sfw:estreamer diff --git a/detections/network/cisco_secure_firewall___veeam_cve_2023_27532_exploitation_activity.yml b/detections/network/cisco_secure_firewall___veeam_cve_2023_27532_exploitation_activity.yml new file mode 100644 index 0000000000..d88844cc16 --- /dev/null +++ b/detections/network/cisco_secure_firewall___veeam_cve_2023_27532_exploitation_activity.yml @@ -0,0 +1,92 @@ +name: Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity +id: 7b7c2e92-f0b2-48d2-9c9b-b8de52b6b2ae +version: 1 +date: '2025-04-14' +author: Nasreddine Bencherchali, Splunk, Talos NTDR +status: production +type: TTP +description: | + This analytic detects exploitation activity of CVE-2023-27532 using Cisco Secure Firewall Intrusion Events. + It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signature 61514 (Veeam Backup and Replication credential dump attempt) + is followed within a 5-minute window by 64795 (Veeam Backup and Replication xp_cmdshell invocation attempt), which detects the use of `xp_cmdshell`, a common post-exploitation technique. + If confirmed malicious, this behavior is highly indicative of a successful exploitation of CVE-2023-27532, followed by remote command execution or credential dumping. +data_source: + - Cisco Secure Firewall Threat Defense Intrusion Event +search: | + `cisco_secure_firewall` EventType=IntrusionEvent signature_id IN (61514, 64795) + | bin _time span=5m + | fillnull + | stats dc(signature_id) as unique_signature_count + values(signature_id) as signature_id + values(signature) as signature + values(class_desc) as class_desc + values(MitreAttackGroups) as MitreAttackGroups + values(InlineResult) as InlineResult + values(InlineResultReason) as InlineResultReason + values(src_ip) as src_ip + values(dest_port) as dest_port + values(rule) as rule + values(transport) as transport + values(app) as app + min(_time) as firstTime + max(_time) as lastTime + by dest_ip + | where unique_signature_count = 2 + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `cisco_secure_firewall__veeam_cve_2023_27532_exploitation_activity_filter` +how_to_implement: | + This search requires Cisco Secure Firewall Threat Defense Logs, which + includes the IntrusionEvent EventType. This search uses an input macro named `cisco_secure_firewall`. + We strongly recommend that you specify your environment-specific configurations + (index, source, sourcetype, etc.) for Cisco Secure Firewall Threat Defense logs. Replace the macro definition + with configurations for your Splunk environment. The search also uses a post-filter + macro designed to filter out known false positives. + The logs are to be ingested using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404). + The intrusion access policy must also be configured. +known_false_positives: False positives should be very unlikely. +references: + - https://nvd.nist.gov/vuln/detail/CVE-2023-27532 + - https://www.veeam.com/kb4424 +drilldown_searches: +- name: View the detection results for - "$src_ip$" and "$signature_id$" + search: '%original_detection_search% | search src_ip = "$src_ip$" and signature_id = "$signature_id$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$src_ip$" and "$signature_id$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$", "$signature_id$") starthoursago=168 | stats count min(_time) + as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) + as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Exploitation attempt of Veeam CVE-2023-27532 on host $dest_ip$ by $src_ip$. + risk_objects: + - field: src_ip + type: system + score: 25 + threat_objects: + - field: signature + type: signature +tags: + analytic_story: + - Cisco Secure Firewall Threat Defense Analytics + asset_type: Network + security_domain: network + mitre_attack_id: + - T1190 + - T1210 + - T1059.001 + - T1003.001 + product: + - Splunk Enterprise + - Splunk Cloud + - Splunk Enterprise Security +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/intrusion_event/intrusion_events.log + source: not_applicable + sourcetype: cisco:sfw:estreamer From 4be0e79049829c1517c0466c8a0271e9deb25e3b Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Tue, 29 Apr 2025 12:59:20 +0200 Subject: [PATCH 2/6] update filter macros --- .../cisco_secure_firewall___lumma_stealer_activity.yml | 6 +++--- ...sco_secure_firewall___lumma_stealer_download_attempt.yml | 2 +- ...irewall___veeam_cve_2023_27532_exploitation_activity.yml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/detections/network/cisco_secure_firewall___lumma_stealer_activity.yml b/detections/network/cisco_secure_firewall___lumma_stealer_activity.yml index 1184bf8ba8..54a833017c 100644 --- a/detections/network/cisco_secure_firewall___lumma_stealer_activity.yml +++ b/detections/network/cisco_secure_firewall___lumma_stealer_activity.yml @@ -1,4 +1,4 @@ -name: Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity +name: Cisco Secure Firewall - Lumma Stealer Activity id: 7b7c2e92-f0b2-48d2-9c9b-b8de52b6b2ae version: 1 date: '2025-04-14' @@ -6,7 +6,7 @@ author: Nasreddine Bencherchali, Splunk, Talos NTDR status: production type: TTP description: | - This analytic detects exploitation activity of CVE-2023-27532 using Cisco Secure Firewall Intrusion Events. + This analytic detects Lumma Stealer activity using Cisco Secure Firewall Intrusion Events. It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where four of the following Snort signature IDs 64793, 64794, 64797, 64798, 64799, 64800, 64801, 62709, 64167, 64168, 64169, 64796, 62710, 62711, 62712, 62713, 62714, 62715, 62716, 62717, 64812, 64810, 64811 occurs in the span of 15 minutes from the same host. If confirmed malicious, this behavior is highly indicative of a successful infection of Lumma Stealer. data_source: @@ -30,7 +30,7 @@ search: | min(_time) as firstTime max(_time) as lastTime by src_ip - | where unique_signature_count >= 4 + | where unique_signature_count >= 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_secure_firewall___lumma_stealer_activity_filter` diff --git a/detections/network/cisco_secure_firewall___lumma_stealer_download_attempt.yml b/detections/network/cisco_secure_firewall___lumma_stealer_download_attempt.yml index ba64a1f99f..0192be0378 100644 --- a/detections/network/cisco_secure_firewall___lumma_stealer_download_attempt.yml +++ b/detections/network/cisco_secure_firewall___lumma_stealer_download_attempt.yml @@ -17,7 +17,7 @@ search: | by src_ip dest_ip dest_port transport signature_id signature class_desc MitreAttackGroups rule InlineResult InlineResultReason app | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `cisco_secure_firewall___lumma_stealer_outbound_connection_attempt` + | `cisco_secure_firewall___lumma_stealer_download_attempt_filter` how_to_implement: | This search requires Cisco Secure Firewall Threat Defense Logs, which includes the IntrusionEvent EventType. This search uses an input macro named `cisco_secure_firewall`. diff --git a/detections/network/cisco_secure_firewall___veeam_cve_2023_27532_exploitation_activity.yml b/detections/network/cisco_secure_firewall___veeam_cve_2023_27532_exploitation_activity.yml index d88844cc16..0af0b316c5 100644 --- a/detections/network/cisco_secure_firewall___veeam_cve_2023_27532_exploitation_activity.yml +++ b/detections/network/cisco_secure_firewall___veeam_cve_2023_27532_exploitation_activity.yml @@ -34,7 +34,7 @@ search: | | where unique_signature_count = 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `cisco_secure_firewall__veeam_cve_2023_27532_exploitation_activity_filter` + | `cisco_secure_firewall___veeam_cve_2023_27532_exploitation_activity_filter` how_to_implement: | This search requires Cisco Secure Firewall Threat Defense Logs, which includes the IntrusionEvent EventType. This search uses an input macro named `cisco_secure_firewall`. From 19c74a61da00a5e4ff3d7478570baa2d02f0b841 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Tue, 29 Apr 2025 13:08:50 +0200 Subject: [PATCH 3/6] more filter updates --- .../network/cisco_secure_firewall___lumma_stealer_activity.yml | 2 +- ...ure_firewall___lumma_stealer_outbound_connection_attempt.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/network/cisco_secure_firewall___lumma_stealer_activity.yml b/detections/network/cisco_secure_firewall___lumma_stealer_activity.yml index 54a833017c..88f0c22ef2 100644 --- a/detections/network/cisco_secure_firewall___lumma_stealer_activity.yml +++ b/detections/network/cisco_secure_firewall___lumma_stealer_activity.yml @@ -60,7 +60,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: Lumma Stealer Activity on host $scr_ip$. + message: Lumma Stealer Activity on host $src_ip$. risk_objects: - field: src_ip type: system diff --git a/detections/network/cisco_secure_firewall___lumma_stealer_outbound_connection_attempt.yml b/detections/network/cisco_secure_firewall___lumma_stealer_outbound_connection_attempt.yml index 79fa8faac4..a110056d61 100644 --- a/detections/network/cisco_secure_firewall___lumma_stealer_outbound_connection_attempt.yml +++ b/detections/network/cisco_secure_firewall___lumma_stealer_outbound_connection_attempt.yml @@ -17,7 +17,7 @@ search: | by src_ip dest_ip dest_port transport signature_id signature class_desc MitreAttackGroups rule InlineResult InlineResultReason app | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `cisco_secure_firewall___lumma_stealer_outbound_connection_attempt` + | `cisco_secure_firewall___lumma_stealer_outbound_connection_attempt_filter` how_to_implement: | This search requires Cisco Secure Firewall Threat Defense Logs, which includes the IntrusionEvent EventType. This search uses an input macro named `cisco_secure_firewall`. From 859eb6bdcbfc8ead2d9618d11523224b0a98583e Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Tue, 29 Apr 2025 13:10:22 +0200 Subject: [PATCH 4/6] Update cisco_secure_firewall___lumma_stealer_activity.yml --- .../cisco_secure_firewall___lumma_stealer_activity.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/network/cisco_secure_firewall___lumma_stealer_activity.yml b/detections/network/cisco_secure_firewall___lumma_stealer_activity.yml index 88f0c22ef2..a22dbc0cc2 100644 --- a/detections/network/cisco_secure_firewall___lumma_stealer_activity.yml +++ b/detections/network/cisco_secure_firewall___lumma_stealer_activity.yml @@ -1,7 +1,7 @@ name: Cisco Secure Firewall - Lumma Stealer Activity -id: 7b7c2e92-f0b2-48d2-9c9b-b8de52b6b2ae +id: 96bce783-c22e-4e48-8cf1-3eb2794c5083 version: 1 -date: '2025-04-14' +date: '2025-04-28' author: Nasreddine Bencherchali, Splunk, Talos NTDR status: production type: TTP From 6af764bd3d2a64d6de63ad6ecbca2e4c8edf4ee2 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Tue, 29 Apr 2025 13:39:51 +0200 Subject: [PATCH 5/6] Update cisco_secure_firewall___high_priority_intrusion_classification.yml --- ..._secure_firewall___high_priority_intrusion_classification.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/detections/network/cisco_secure_firewall___high_priority_intrusion_classification.yml b/detections/network/cisco_secure_firewall___high_priority_intrusion_classification.yml index 3a9ecd80f1..94f2fc6aec 100644 --- a/detections/network/cisco_secure_firewall___high_priority_intrusion_classification.yml +++ b/detections/network/cisco_secure_firewall___high_priority_intrusion_classification.yml @@ -30,7 +30,6 @@ search: | values(MitreAttackGroups) as MitreAttackGroups values(InlineResult) as InlineResult values(InlineResultReason) as InlineResultReason - values(src_ip) as src_ip values(dest_port) as dest_port values(rule) as rule values(transport) as transport From 1a23528d7ccd43175f6eb65e4825b0d7918c38cc Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Mon, 19 May 2025 12:11:26 -0700 Subject: [PATCH 6/6] updating risk and drilldowns --- ...ll___high_priority_intrusion_classification.yml | 12 +++++++----- ...co_secure_firewall___lumma_stealer_activity.yml | 14 ++++++++------ ...e_firewall___lumma_stealer_download_attempt.yml | 14 ++++++++------ ...__lumma_stealer_outbound_connection_attempt.yml | 14 ++++++++------ ..._veeam_cve_2023_27532_exploitation_activity.yml | 12 +++++++----- 5 files changed, 38 insertions(+), 28 deletions(-) diff --git a/detections/network/cisco_secure_firewall___high_priority_intrusion_classification.yml b/detections/network/cisco_secure_firewall___high_priority_intrusion_classification.yml index 94f2fc6aec..06f3976c91 100644 --- a/detections/network/cisco_secure_firewall___high_priority_intrusion_classification.yml +++ b/detections/network/cisco_secure_firewall___high_priority_intrusion_classification.yml @@ -51,12 +51,12 @@ known_false_positives: Some intrusion events that are linked to these classifica references: - https://www.cisco.com/c/en/us/td/docs/security/firepower/741/api/FQE/secure_firewall_estreamer_fqe_guide_740.pdf drilldown_searches: -- name: View the detection results for - "$src_ip$" and "$signature_id$" - search: '%original_detection_search% | search src_ip = "$src_ip$" and signature_id = "$signature_id$"' +- name: View the detection results for - "$dest_ip$" and "$src_ip$" + search: '%original_detection_search% | search dest_ip = "$dest_ip$" and src_ip = "$src_ip$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$src_ip$" and "$signature_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$", "$signature_id$") starthoursago=168 | stats count min(_time) +- name: View risk events for the last 7 days for - "$dest_ip$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" @@ -66,12 +66,14 @@ drilldown_searches: rba: message: A high priority intrusion event with classification ($class_desc$) was detected from $src_ip$ to $dest_ip$, indicating potential suspicious activity. risk_objects: - - field: src_ip + - field: dest_ip type: system score: 25 threat_objects: - field: signature type: signature + - field: src_ip + type: ip_address tags: analytic_story: - Cisco Secure Firewall Threat Defense Analytics diff --git a/detections/network/cisco_secure_firewall___lumma_stealer_activity.yml b/detections/network/cisco_secure_firewall___lumma_stealer_activity.yml index a22dbc0cc2..520ea03e50 100644 --- a/detections/network/cisco_secure_firewall___lumma_stealer_activity.yml +++ b/detections/network/cisco_secure_firewall___lumma_stealer_activity.yml @@ -47,12 +47,12 @@ known_false_positives: False positives should be very unlikely. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma drilldown_searches: -- name: View the detection results for - "$src_ip$" and "$signature_id$" - search: '%original_detection_search% | search src_ip = "$src_ip$" and signature_id = "$signature_id$"' +- name: View the detection results for - "$dest_ip$" and "$src_ip$" + search: '%original_detection_search% | search dest_ip = "$dest_ip$" and src_ip = "$src_ip$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$src_ip$" and "$signature_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$", "$signature_id$") starthoursago=168 | stats count min(_time) +- name: View risk events for the last 7 days for - "$dest_ip$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" @@ -60,14 +60,16 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: Lumma Stealer Activity on host $src_ip$. + message: Lumma Stealer Activity on host $dest_ip$ origniating from $src_ip$ risk_objects: - - field: src_ip + - field: dest_ip type: system score: 25 threat_objects: - field: signature type: signature + - field: src_ip + type: ip_address tags: analytic_story: - Cisco Secure Firewall Threat Defense Analytics diff --git a/detections/network/cisco_secure_firewall___lumma_stealer_download_attempt.yml b/detections/network/cisco_secure_firewall___lumma_stealer_download_attempt.yml index 0192be0378..cc4bfd2b38 100644 --- a/detections/network/cisco_secure_firewall___lumma_stealer_download_attempt.yml +++ b/detections/network/cisco_secure_firewall___lumma_stealer_download_attempt.yml @@ -31,12 +31,12 @@ known_false_positives: False positives should be unlikely. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma drilldown_searches: -- name: View the detection results for - "$src_ip$" and "$signature_id$" - search: '%original_detection_search% | search src_ip = "$src_ip$" and signature_id = "$signature_id$"' +- name: View the detection results for - "$dest_ip$" and "$src_ip$" + search: '%original_detection_search% | search dest_ip = "$dest_ip$" and src_ip = "$src_ip$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$src_ip$" and "$signature_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$", "$signature_id$") starthoursago=168 | stats count min(_time) +- name: View risk events for the last 7 days for - "$dest_ip$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" @@ -44,14 +44,16 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: Lumma Stealer Download Attempt initiated by $src_ip$ from $dest_ip$. + message: Lumma Stealer Download Attempt detected on host $dest_ip$ origniating from $src_ip$ risk_objects: - - field: src_ip + - field: dest_ip type: system score: 25 threat_objects: - field: signature type: signature + - field: src_ip + type: ip_address tags: analytic_story: - Cisco Secure Firewall Threat Defense Analytics diff --git a/detections/network/cisco_secure_firewall___lumma_stealer_outbound_connection_attempt.yml b/detections/network/cisco_secure_firewall___lumma_stealer_outbound_connection_attempt.yml index a110056d61..c171246f46 100644 --- a/detections/network/cisco_secure_firewall___lumma_stealer_outbound_connection_attempt.yml +++ b/detections/network/cisco_secure_firewall___lumma_stealer_outbound_connection_attempt.yml @@ -31,12 +31,12 @@ known_false_positives: False positives should be unlikely. references: - https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma drilldown_searches: -- name: View the detection results for - "$src_ip$" and "$signature_id$" - search: '%original_detection_search% | search src_ip = "$src_ip$" and signature_id = "$signature_id$"' +- name: View the detection results for - "$dest_ip$" and "$src_ip$" + search: '%original_detection_search% | search dest_ip = "$dest_ip$" and src_ip = "$src_ip$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$src_ip$" and "$signature_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$", "$signature_id$") starthoursago=168 | stats count min(_time) +- name: View risk events for the last 7 days for - "$dest_ip$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" @@ -44,14 +44,16 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: Lumma Stealer Outbound Connection Attempt initiated by $src_ip$ to $dest_ip$. + message: Lumma Stealer Outbound Connection Attempt detected on host $dest_ip$ origniating from $src_ip$ risk_objects: - - field: src_ip + - field: dest_ip type: system score: 25 threat_objects: - field: signature type: signature + - field: src_ip + type: ip_address tags: analytic_story: - Cisco Secure Firewall Threat Defense Analytics diff --git a/detections/network/cisco_secure_firewall___veeam_cve_2023_27532_exploitation_activity.yml b/detections/network/cisco_secure_firewall___veeam_cve_2023_27532_exploitation_activity.yml index 0af0b316c5..d675e67ff1 100644 --- a/detections/network/cisco_secure_firewall___veeam_cve_2023_27532_exploitation_activity.yml +++ b/detections/network/cisco_secure_firewall___veeam_cve_2023_27532_exploitation_activity.yml @@ -49,12 +49,12 @@ references: - https://nvd.nist.gov/vuln/detail/CVE-2023-27532 - https://www.veeam.com/kb4424 drilldown_searches: -- name: View the detection results for - "$src_ip$" and "$signature_id$" - search: '%original_detection_search% | search src_ip = "$src_ip$" and signature_id = "$signature_id$"' +- name: View the detection results for - "$dest_ip$" and "$src_ip$" + search: '%original_detection_search% | search dest_ip = "$dest_ip$" and src_ip = "$src_ip$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$src_ip$" and "$signature_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$", "$signature_id$") starthoursago=168 | stats count min(_time) +- name: View risk events for the last 7 days for - "$dest_ip$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" @@ -64,12 +64,14 @@ drilldown_searches: rba: message: Exploitation attempt of Veeam CVE-2023-27532 on host $dest_ip$ by $src_ip$. risk_objects: - - field: src_ip + - field: dest_ip type: system score: 25 threat_objects: - field: signature type: signature + - field: src_ip + type: ip_address tags: analytic_story: - Cisco Secure Firewall Threat Defense Analytics