| ID | Technique | Tactic |
|---|---|---|
| T1053.003 | Cron | Execution |
| T1059 | Command and Scripting Interpreter | Persistence |
| T1071.001 | Web Protocols | Privilege Escalation |
| T1105 | Ingress Tool Transfer | Execution |
Detection: Cisco Secure Firewall - Wget or Curl Download
Description
The following analytic detects outbound connections initiated by command-line tools such as curl or wget. It leverages Cisco Secure Firewall Threat Defense logs and identifies allowed connections (action=Allow) where either the EVE_Process or ClientApplication fields indicate use of these utilities. While curl and wget are legitimate tools commonly used for software updates and scripting, adversaries often abuse them to download payloads, retrieve additional tools, or establish staging infrastructure from compromised systems. If confirmed malicious, this behavior may indicate the download phase of an attack chain or a command-and-control utility retrieval.
Search
1`cisco_secure_firewall` EventType=ConnectionEvent action=Allow AND ( EVE_Process IN ("*curl*", "*wget*") OR ClientApplication IN ("cURL", "Wget") )
2
3| stats count min(_time) as firstTime max(_time) as lastTime
4 Values(rule) as rule
5 Values(url) as url
6 Values(dest_port) as dest_port
7 Values(ClientApplicationVersion) as ClientApplicationVersion
8 Values(src_port) as src_port
9 by src_ip, dest, transport, EVE_Process, ClientApplication, action
10
11| table src_ip src_port dest dest_port transport url EVE_Process ClientApplication ClientApplicationVersion rule firstTime lastTime
12
13| `security_content_ctime(firstTime)`
14
15| `security_content_ctime(lastTime)`
16
17| `cisco_secure_firewall___wget_or_curl_download_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Cisco Secure Firewall Threat Defense Connection Event | N/A | 'cisco:sfw:estreamer' |
'not_applicable' |
Macros Used
| Name | Value |
|---|---|
| cisco_secure_firewall | sourcetype="cisco:sfw:estreamer" |
| cisco_secure_firewall___wget_or_curl_download_filter | search * |
cisco_secure_firewall___wget_or_curl_download_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Command and Control
Exploitation
Installation
DE.AE
CIS 13
APT18
APT19
APT28
APT29
APT3
APT32
APT33
APT37
APT38
APT39
APT41
APT42
APT5
Ajax Security Team
Andariel
Aquatic Panda
BITTER
BRONZE BUTLER
BackdoorDiplomacy
BlackByte
Chimera
Cinnamon Tempest
Cobalt Group
Confucius
Daggerfly
Dark Caracal
Darkhotel
Dragonfly
Elderwood
Evilnum
FIN13
FIN4
FIN5
FIN6
FIN7
FIN8
Fox Kitten
GALLIUM
Gamaredon Group
Gorgon Group
HAFNIUM
HEXANE
Higaisa
INC Ransom
Inception
IndigoZebra
Indrik Spider
Ke3chang
Kimsuky
Lazarus Group
LazyScripter
Leviathan
LuminousMoth
Magic Hound
Metador
Molerats
Moonstone Sleet
Moses Staff
MuddyWater
Mustang Panda
Mustard Tempest
Nomadic Octopus
OilRig
Orangeworm
PLATINUM
Patchwork
Play
Rancor
RedCurl
RedEcho
Rocke
Saint Bear
Sandworm Team
Sea Turtle
SideCopy
Sidewinder
Silence
SilverTerrier
Stealth Falcon
Storm-1811
TA2541
TA505
TA551
TeamTNT
Threat Group-3390
Tonto Team
Tropic Trooper
Turla
Volatile Cedar
Volt Typhoon
WIRTE
Whitefly
Windigo
Windshift
Winnti Group
Winter Vivern
Wizard Spider
ZIRCONIUM
menuPass
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
Implementation
This search requires Cisco Secure Firewall Threat Defense Logs, which
includes the ConnectionEvent EventType. This search uses an input macro named cisco_secure_firewall.
We strongly recommend that you specify your environment-specific configurations
(index, source, sourcetype, etc.) for Cisco Secure Firewall Threat Defense logs. Replace the macro definition
with configurations for your Splunk environment. The search also uses a post-filter
macro designed to filter out known false positives.
The logs are to be ingested using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404).
The access policy must also enable logging.
Known False Positives
Developers, administrators, or automation tools may use curl or wget for legitimate purposes such as software installation, configuration scripts, or CI/CD tasks.
Security tools or health monitoring scripts may also use these utilities to check service availability or download updates.
Review the destination url, frequency, and process context to validate whether the download activity is authorized.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
The process $EVE_Process$ initiated an allowed connection to download content using a command-line utility ($ClientApplication$) from $url$. This behavior may indicate tool staging or payload retrieval via curl or wget.
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| src_ip | system | 25 | EVE_Process, url |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | not_applicable |
cisco:sfw:estreamer |
| Integration | ✅ Passing | Dataset | not_applicable |
cisco:sfw:estreamer |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 2