| ID | Technique | Tactic |
|---|---|---|
| T1105 | Ingress Tool Transfer | Command And Control |
| T1190 | Exploit Public-Facing Application | Initial Access |
Detection: Cisco NVM - Webserver Download From File Sharing Website
Description
This analytic detects unexpected outbound network connections initiated by known webserver processes such as httpd.exe, nginx.exe, or tomcat.exe to common file sharing or public content hosting services like GitHub, Discord CDN, Transfer.sh, or Pastebin.
Webservers are rarely expected to perform outbound downloads, especially to dynamic or anonymous file hosting domains. This behavior is often associated with server compromise,
where an attacker uses a reverse shell, webshell, or injected task to fetch malware or tools post-exploitation.
The detection leverages Cisco Network Visibility Module flow data, enriched with process context, to identify this highly suspicious behavior.
Search
1`cisco_network_visibility_module_flowdata`
2process_name IN (
3 "http*.exe", "nginx*.exe", "php*.exe", "php-cgi*.exe", "tomcat*.exe"
4 )
5dest_hostname IN (
6 "*.githubusercontent.com*", "*anonfiles.com*", "*cdn.discordapp.com*", "*ddns.net*",
7 "*dl.dropboxusercontent.com*", "*ghostbin.co*", "*glitch.me*", "*gofile.io*",
8 "*hastebin.com*", "*mediafire.com*", "*mega.nz*", "*onrender.com*", "*pages.dev*",
9 "*paste.ee*", "*pastebin.*", "*pastetext.net*", "*privatlab.*",
10 "*send.exploit.in*", "*sendspace.com*", "*storage.googleapis.com*",
11 "*storjshare.io*", "*supabase.co*", "*temp.sh*", "*transfer.sh*", "*trycloudflare.com*",
12 "*ufile.io*", "*w3spaces.com*", "*workers.dev*"
13 )
14
15| stats count min(_time) as firstTime max(_time) as lastTime
16 values(parent_process_arguments) as parent_process_arguments
17 values(process_arguments) as process_arguments
18 values(parent_process_hash) as parent_process_hash
19 values(process_hash) as process_hash
20 values(module_name_list) as module_name_list
21 values(module_hash_list) as module_hash_list
22 values(dest_port) as dest_port
23 values(aliul) as additional_logged_in_users_list
24 values(dest_hostname) as dest_hostname
25 by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport
26
27| `security_content_ctime(firstTime)`
28
29| `security_content_ctime(lastTime)`
30
31| table
32 parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
33 process_integrity_level process_path process_name process_arguments process_hash process_id
34 additional_logged_in_users_list module_name_list module_hash_list
35 src dest_hostname dest dest_port transport firstTime lastTime
36
37| `cisco_nvm___webserver_download_from_file_sharing_website_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Cisco Network Visibility Module Flow Data |  Network |
'cisco:nvm:flowdata' |
'not_applicable' |
Macros Used
| Name | Value |
|---|---|
| cisco_network_visibility_module_flowdata | sourcetype="cisco:nvm:flowdata" |
| cisco_nvm___webserver_download_from_file_sharing_website_filter | search * |
cisco_nvm___webserver_download_from_file_sharing_website_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Command and Control
Delivery
DE.CM
CIS 10
APT18
APT28
APT29
APT3
APT32
APT33
APT37
APT38
APT39
APT41
APT5
Agrius
Ajax Security Team
Andariel
Aquatic Panda
Axiom
BITTER
BRONZE BUTLER
BackdoorDiplomacy
BlackByte
BlackTech
Blue Mockingbird
Chimera
Cinnamon Tempest
Cobalt Group
Confucius
Daggerfly
Darkhotel
Dragonfly
Earth Lusca
Elderwood
Ember Bear
Evilnum
FIN13
FIN7
FIN8
Fox Kitten
GALLIUM
GOLD SOUTHFIELD
Gamaredon Group
Gorgon Group
HAFNIUM
HEXANE
INC Ransom
IndigoZebra
Indrik Spider
Ke3chang
Kimsuky
Lazarus Group
LazyScripter
Leviathan
LuminousMoth
Magic Hound
Metador
Molerats
Moonstone Sleet
Moses Staff
MuddyWater
Mustang Panda
Mustard Tempest
Nomadic Octopus
OilRig
PLATINUM
Patchwork
Play
Rancor
Rocke
Salt Typhoon
Sandworm Team
Sea Turtle
SideCopy
Sidewinder
Silence
Storm-1811
TA2541
TA505
TA551
TeamTNT
Threat Group-3390
ToddyCat
Tonto Team
Tropic Trooper
Turla
Volatile Cedar
Volt Typhoon
WIRTE
Whitefly
Windshift
Winnti Group
Winter Vivern
Wizard Spider
ZIRCONIUM
menuPass
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Notable | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Risk Event | True |
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.
Implementation
This search requires Network Visibility Module logs, which includes the flow data sourcetype.
This search uses an input macro named cisco_network_visibility_module_flowdata.
We strongly recommend that you specify your environment-specific configurations
(index, source, sourcetype, etc.) for Cisco Network Visibility Module logs.
Replace the macro definition with configurations for your Splunk environment.
The search also uses a post-filter macro designed to filter out known false positives.
The logs are to be ingested using the Splunk Add-on for Cisco Endpoint Security Analytics (CESA) (https://splunkbase.splunk.com/app/4221).
Known False Positives
In rare cases, a web server may make outbound connections to pull content for legitimate purposes (e.g., downloading templates or updates from a trusted source). However, communication to anonymous file-sharing or temporary content domains is strongly suspicious. If legitimate use is confirmed, domain- or process-level allowlisting is recommended.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
The host $src$ ran web server process $process_path$ which downloaded content from $dest_hostname$ over port $dest_port$
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| src | system | 40 | process_name |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | not_applicable |
cisco:nvm:flowdata |
| Integration | ✅ Passing | Dataset | not_applicable |
cisco:nvm:flowdata |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1